cti-stix message



Subject: FireEye input on the topic of Event-Incident-Investigation


The attached document represents the position of FireEye on the topic of how best to represent information pertaining to cyber investigations (events, alerts, incidents, etc.).

The domain of cyber investigation and the information required to support it are of critical importance to FireEye given the nature and breadth of FireEye products, services and capabilities in this area: sensors and instrumentation, SOC operations, incident response, digital forensics, malware analysis, threat intelligence, reporting, etc.


FireEye, along with numerous other members of the cyber investigation community, is actively involved in an ongoing open community effort to standardize representation of cyber investigation information called the Cyber-investigation Analysis Standard Expression (CASE). CASE is defined as a profile on the underlying Unified Cyber Ontology (UCO), an effort currently in development alongside CASE but with an intended scope beyond only cyber investigation. The initial development focus of CASE was on supporting digital forensic use cases, but it is now in the process of extending to include the full cyber investigation scope.

While still nascent (v0.1.0 & v0.2.0), it has already been adopted by several parties including the US Document and Media Exploitation (DOMEX) community, the EU Evidence Project, and the European Cybercrime Center (EC3). It is also in the process of adoption by NIST and numerous vendors, including current operational availability in some widely used commercial products (e.g. NetworkMiner Pro).

Information on CASE and UCO can be found at:


https://ucoproject.github.io/uco/

https://github.com/ucoProject/uco

https://casework.github.io/case/

https://github.com/casework


For a detailed overview, see the attached “Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language” paper being published in Volume 23 of the Journal of Digital Investigation.


All opinions, assertions and suggestions offered in the attached document proposing an approach for the CTI TC to address the topic of investigations are based in the practical reality of extensive experience operating these capabilities, integrating across all these areas, integrating across numerous systems and tools supporting these areas, sharing and integrating with an extensive partner network, and extensive collaboration with our customer base.


Based on FireEye’s extensive experience as the industry’s leading provider of incident response as well as our experience in providing remote incident response as a service, we are proposing the approach outlined in the attached document.


The following are a few assertions to help establish context for the FireEye perspective:


Assertion: Cyber investigation is a closely aligned but fundamentally separate domain from cyber threat intelligence. Information coming out of cyber investigation is the fuel that feeds CTI development, and CTI provides important context for interpretation in cyber investigation, but the domains and their practices are distinct. While development of threat intelligence may at times follow the investigation lifecycle, cyber investigation is not simply a component of CTI. It is a separate but aligned domain with its own processes, roles, and activities.

Assertion: While cyber investigations may take various forms in various contexts they typically tend to follow a common and consistent lifecycle.


Assertion: Open standards should always strive to be appropriately scoped and to avoid conflicting duplication of concepts addressed by separate, valid and practical standards efforts focused on those concepts. In other words, avoid reinventing wheels and instead leverage domain-specific efforts and experts.


We look forward to the active consideration, discussion and, if indicated, adoption of the proposed approach.

Sean Barnum

Principal Architect

FireEye

M: 703.473.8262

E: sean.barnum@fireeye.com


Attachment: Investigation proposal - FireEye.pdf
Description: Investigation proposal - FireEye.pdf

Attachment: CASE-FoundationalPaper-JDI-2017.pdf
Description: CASE-FoundationalPaper-JDI-2017.pdf
