Re: [cti-stix] STIX 2.0 Specification Questions

["Jyoti Verma (jyoverma)" <jyoverma@cisco.com>]

Hi Bret, Allan,

In Cisco we’ve used the following terminology for high level actions

Investigate – obtain more information about a threat

Mitigate – block, but not eliminate, a threat

Remediate – fix or eliminate a threat

OpenC2 calls these as effects-based actions. OpenC2 also defines other categories of actions such as 

• Actions that Gather and Convey Information, 
• Actions that Control Permissions, 
• Actions that Control Activities/Devices, 
• Sensor-Related Actions, 
• Response and Alert Actions

Looking at STIX2.0 relationships, I think the high-level effects-based actions could be used as relationships of course-of-actions to the other objects.

course-of-action mitigates attack-pattern

course-of-action mitigates incident

course-of-action mitigates infrastructure

course-of-action mitigates malware

course-of-action mitigates tool

course-of-action investigates indicator

course-of-action investigates attack-pattern

course-of-action investigates incident

course-of-action investigates malware

course-of-action remediates incident

More details about OpenC2 are being formulated as a proposal which will be submitted soon.

Thanks,

Jyoti

  

From:  <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>

Date:  Tuesday, August 9, 2016 at 9:09 PM

To:  Allan Thomson <athomson@lookingglasscyber.com>

Cc:  "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>

Subject:  Re: [cti-stix] STIX 2.0 Specification Questions

The terms I have heard in the past are:

1. Mitigate - This is a tune to a temporary fix through a compensating control.  

2. Containment - This act can prevent the spread of the malware or stop it from progressing.  Some use mitigate and containment interchangeably, others view them as very different things.

3. Remediate - This is the real / permanent fix.  For example, removal of the malware from the machine.  For mitigation would be just preventing the malware from spreading by denying it at the firewall or proxy

4. Prevent - This is kind of a proactive step

5. Investigate - The course of action is to investigate this thing.  

I know the OpenC2 has a series of Actions that they have assigned to a lot of different things..  It will be really interesting to see their proposal.  

Thanks,

Bret

Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Aug 9, 2016, at 17:53, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Hi John –

Re: “Should we add “remediate” in as a distinct option from “mitigate”? Is the difference between those two terms well-understood, clean, and relevant for cyber threat intelligence sharing?”

I would say that remediate and mitigate are different terms and often are confused as the same thing when they are *not* the same thing.

Therefore, we should not use mitigate to mean both.

If the COA proposal has capability to do both then we should make it clear by using both terms. And therefore avoid ambiguity around these terms.

allan