[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] STIX 2.0 Specification Questions
Hi Bret, Allan,
In Cisco we’ve used the following terminology for high level actions
Investigate – obtain more information about a threat
Mitigate – block, but not eliminate, a threat
Remediate – fix or eliminate a threat
OpenC2 calls these as effects-based actions. OpenC2 also defines other categories of actions such as
Looking at STIX2.0 relationships, I think the high-level effects-based actions could be used as relationships of course-of-actions to the other objects.
course-of-action
mitigates attack-pattern
course-of-action
mitigates incident
course-of-action
mitigates infrastructure
course-of-action
mitigates malware
course-of-action
mitigates tool
course-of-action
investigates indicator
course-of-action
investigates attack-pattern
course-of-action
investigates incident
course-of-action
investigates malware
course-of-action
remediates incident
More details about OpenC2 are being formulated as a proposal which will be submitted soon.
Thanks,
Jyoti
From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Tuesday, August 9, 2016 at 9:09 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] STIX 2.0 Specification Questions
The terms I have heard in the past are:
1. Mitigate - This is a tune to a temporary fix through a compensating control.
2. Containment - This act can prevent the spread of the malware or stop it from progressing. Some use mitigate and containment interchangeably, others view them as very different things.
3. Remediate - This is the real / permanent fix. For example, removal of the malware from the machine. For mitigation would be just preventing the malware from spreading by denying it at the firewall or proxy
4. Prevent - This is kind of a proactive step
5. Investigate - The course of action is to investigate this thing.
I know the OpenC2 has a series of Actions that they have assigned to a lot of different things.. It will be really interesting to see their proposal.
Thanks,
Bret
Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Aug 9, 2016, at 17:53, Allan Thomson <athomson@lookingglasscyber.com> wrote:
Hi John –
Re: “Should we add “remediate” in as a distinct option from “mitigate”? Is the difference between those two terms well-understood, clean, and relevant for cyber threat intelligence sharing?”
I would say that remediate and mitigate are different terms and often are confused as the same thing when they are *not* the same thing.
Therefore, we should not use mitigate to mean both.
If the COA proposal has capability to do both then we should make it clear by using both terms. And therefore avoid ambiguity around these terms.
allan
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]