
cti-stix message



Subject: RE: [cti-stix] Threat actor classification info for today's meeting


Hi Jerome,

You are correct, this is related to TARA (Threat Agent Risk Analysis). TARA is derived from the Threat Agent Library (TAL) analysis system, and the author, Matthew Rosenquist, is part of my team.  There are a number of organizations (interestingly, particularly in the Finance sector) that are using the Threat Agent Library and TARA.  The TAL is also the foundation for DHS's CARMA methodology for national critical infrastructure risk analysis, and is listed as a "Best Practice" by ENISA.  I've been very pleased to see it also show up in an increasing number of graduate research projects.

That said, you are also correct that there is not a whole lot other than what's in our white papers on how to adapt and use them.  I would be happy to support any effort to add to that documentation.

We use "agent" to refer to attacker types as a class, and use "actor" as an instantiation, i.e. an actual person or group.


In answer to your last questions, this mostly applies to both the TAL and the derived TARA:

- Is TAL available as an XML, or Excel file? (I mean something directly machine-usable other than PDF)
	> TAL yes as a DRAFT, TARA no.

- Is there a "License" around it?
	> No license required.  While Intel retains the copyright, the material is public, and free use and adaptation are allowed and encouraged.  Bret Jordan's use in the Threat Actor proposal is a great example of the type of adaptive use we were hoping for.

- Would it be envisioned to make it available, for example, as an IANA registry?
(- Did you do any mapping with other taxonomies, for example VERIS?)
	> Yes, we would be happy to support its use in registries and external vocabularies as appropriate, but we have not done so yet.  We have not formally mapped to any other taxonomies.

Hope that helps.

Tim



-----Original Message-----
From: Jerome Athias [mailto:athiasjerome@gmail.com] 
Sent: Sunday, July 10, 2016 11:02 PM
To: Casey, Timothy P <timothy.p.casey@intel.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Threat actor classification info for today's meeting

FYI, this Taxonomy (used in TARA from what I know) was highlighted (by
Jane) some time ago in 'this' working group.

http://making-security-measurable.1364806.n2.nabble.com/STIX-Report-Template-for-Threat-Intelligence-and-Incident-Response-td7587454.html

(and there http://fr.slideshare.net/jeromeathias/threat-modeling-capecwebapplication)

While I reviewed and used these documents as part of a personal research project, I can tell that I found interesting elements in it.
Moreover, while I used quite a lot of resources regarding the discussed domain, I would argue that the interesting identified elements have been validated and consolidated against other researches.
With that said, I have to say that I tried to highlight concepts like "Threat Agents" (vs "Threat Actor" in STIX, or just "Actor" in, i.e. OMG) while more commonly used as a term for this concept in the (numerous) documents (including international standards...)/researches I've reviewed.
The same for "Assets" or "IT Assets".
Facts are that I have the feeling that due to the different background, experience of focus/objectives of our members today, these "abstracted concepts" are still not commonly understood, or the benefits (such as an easier mapping of the information/data exchanged in "CTI objects" with other domains' formats, international standards/frameworks concepts and terminology) of using these terms, as abstracted terms/concepts/objects is not currently understood by the majority of our members.

My current feeling is that an effort of "simplification" through a visual representation of the Cyber Information Model would help to save time for the community, for common understanding and consensus.
A small group of us are currently (or in a near future) working on it using a conceptual modeling (mind map) methodology approach...
Another small group initiated (and tried to promote) an Ontology approach...

But some questions, regarding this specific topic:
- Is TAL available as an XML, or Excel file? (I mean something directly machine-usable other than PDF)
- Is there a "License" around it?
- Would it be envisioned to make it available, for example, as an IANA registry?
(- Did you do any mapping with other taxonomies, for example VERIS?)

- Same questions for TARA...

Best regards

2016-07-07 20:40 GMT+03:00 Casey, Timothy P <timothy.p.casey@intel.com>:
> Jerome, thanks for the insights.  I hope that the Working Group can 
> utilize the taxonomy, possibly even just dropping it (mostly) in place 
> for some of the parameters in the Threat Actor object.  The advantages 
> are that the TA taxonomy has been used in many places so it would have 
> some continuity with existing systems, especially in the US DHS.  This 
> taxonomy also has been developed and tested over time, and the 
> feedback has been very strong that this is more comprehensive and 
> unbiased than many other approaches.  Many such descriptors are 
> focused mostly on hacktivism or terrorism, but there are far more 
> types of attackers than just those two that corporations have to deal with.
>
> While any one particular threat actor report may not have a great deal 
> of value for responding to a particular incident, the data we 
> collect over time could be very valuable.  Just as we all spend a 
> great deal on business competitive analysis, we need security 
> competitive analysis as well, helping to understand our adversaries in 
> security every bit as well as our business competitors.  And do it for 
> the same reasons as business CI – to strategize a better defense and 
> react quickly when changes occur.  Well-formatted, detailed 
> information about the adversary can help provide some of that intelligence to help us better identify and defend our targeted assets.
>
> By carefully defining the Threat Actor object, I believe we have the 
> opportunity to further elevate its usefulness as an essential part of 
> our collective intelligence network for both reactive and proactive security.
>
> Tim
>
> From: Jerome Athias [mailto:athiasjerome@gmail.com]
> Sent: Thursday, July 07, 2016 9:19 AM
> To: Casey, Timothy P <timothy.p.casey@intel.com>
> Cc: cti-stix@lists.oasis-open.org
> Subject: Re: [cti-stix] Threat actor classification info for today's 
> meeting
>
> Tim,
>
> Thanks for sharing
>
> A small group of us pushed for a long time for both the use of proper 
> classifications/categorizations (aka Taxonomies/Controlled 
> Vocabularies) and a Cybersecurity Ontology approach.
>
> I personally highlighted some time ago that the concept of Threat 
> Agent (as used in OWASP for example, and Business Continuity or Threat 
> Modeling), more general than Threat Actor (basically Person/Person 
> Group(s) so Organisation
> - see Asset Identification in the SCAP family), including, for 
> example, Acts of God, is a really interesting concept for the use of 
> CTI (STIX
> concepts/subjects/objects) based interchange format, for a broader 
> audience (understand sectors) for fast, efficient at scale automated 
> (M2M) exchange of information (such as Incident data)
>
> So again, thanks for sharing.
>
> PS: if interested, we collected a list of various taxonomies applying 
> to the domain (e.g. Cybercrime)
>
> Best regards
>
> On Thursday, 7 July 2016, Casey, Timothy P <timothy.p.casey@intel.com>
> wrote:
>
> Everyone,
>
> Here is the research I mentioned in the CTI meeting today regarding 
> threat actor characterization.  As I mentioned, for some time my team 
> has been studying human threats as a class.  We could not find a 
> system that characterized threat actors objectively and orthogonally, 
> so drawing on available research we developed our own taxonomy to describe human threat.
> It describes threat at the strategic level, so we do not need 
> attributes for every low-level activity such as “Steals designs for 
> new products” and “Copies secret recipe,” instead we use the more 
> inclusive “Gain technical advantage.”
>
> From the taxonomy we created a library of 23 threat actor classes, 
> which we call "threat agents" to differentiate from actual people.  
> The Library is intended to be universal in application without bias 
> towards terrorism, hacktivism, etc., or to organizations such as LEOs or government agencies.
> It contains well-defined characters such as Government Spy, Data 
> Miner, Disgruntled Employee, Radical Activist, Cyber Vandal, etc.  We 
> also couldn't find a fully orthogonal and comprehensive classification 
> for motivation, so drawing on LEO and psychology research we developed 
> a 10-point Motivation
> classification: Accidental, Coercion, Disgruntlement, Dominance, 
> Ideology, Notoriety, Organizational Gain, Personal Financial Gain, 
> Personal Satisfaction, and Unpredictable.
>
> A number of organizations are now using the Library and the supporting 
> taxonomy and motivation parameters for their risk assessment and 
> management systems, including the U.S. Dept. of Homeland Security.  
> The papers defining those are attached, as well as our Field Guide to 
> Insider Threat as one example of how this methodology can be used.
>
> I propose the working group consider drawing on our research and 
> application of human threat analysis in updating the Threat Actor 
> object for clearer and more actionable attributes.  This is public 
> info; there is no licensing or fee involved.
>
> Respectfully,
>
> Tim
>
> Tim Casey
>
> Senior Strategic Risk Analyst
>
> Threat Intelligence & Infrastructure Protection
>
> Intel Corporation
>
> Chandler, AZ  USA
>
> 480-552-0222
>
> tim.casey@intel.com
>
> @timcaseycyber

