Subject: FireEye input on the topic of Event-Incident-Investigation
The attached document represents the position of FireEye on the topic of how best to represent information pertaining to cyber investigations (events, alerts, incidents, etc.).

The domain of cyber investigation and the information required to support it are of critical importance to FireEye given the nature and breadth of FireEye products, services and capabilities in this area: sensors and instrumentation, SOC operations, incident response, digital forensics, malware analysis, threat intelligence, reporting, etc.

FireEye, along with numerous other members of the cyber investigation community, is actively involved in an ongoing open community effort to standardize the representation of cyber investigation information called the Cyber-investigation Analysis Standard Expression (CASE). CASE is defined as a profile on the underlying Unified Cyber Ontology (UCO), an effort currently in development alongside CASE but with an intended scope beyond only cyber investigation. The initial development focus of CASE was on supporting digital forensic use cases, but it is now in the process of extending to include the full cyber investigation scope. While still nascent (v0.1.0 & v0.2.0), it has already been adopted by several parties including the US Document and Media Exploitation (DOMEX) community, the EU Evidence Project, and the European Cybercrime Center (EC3). It is also in the process of adoption by NIST and numerous vendors, including current operational availability in some widely used commercial products (e.g. NetworkMiner Pro).

Information on CASE and UCO can be found at:
https://ucoproject.github.io/uco/
https://github.com/ucoProject/uco
https://casework.github.io/case/

For a detailed overview, see the attached "Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language" paper being published in Volume 23 of the Journal of Digital Investigation.

All opinions, assertions and suggestions offered in the attached document proposing an approach for the CTI TC to address the topic of investigations are based on the practical reality of extensive experience operating these capabilities, integrating across all these areas, integrating across numerous systems and tools supporting these areas, sharing and integrating with an extensive partner network, and extensive collaboration with our customer base. Based on FireEye's extensive experience as the industry's leading provider of incident response, as well as our experience in providing remote incident response as a service, we are proposing the approach outlined in the attached document.

The following are a few assertions to help establish context for the FireEye perspective:

Assertion: Cyber investigation is a closely aligned but fundamentally separate domain from cyber threat intelligence. Information coming out of cyber investigation is the fuel that feeds CTI development, and CTI provides important context for interpretation in cyber investigation, but the domains and their practices are distinct. While development of threat intelligence may at times follow the investigation lifecycle, cyber investigation is not simply a component of CTI. It is a separate but aligned domain with its own processes, roles, and activities.

Assertion: While cyber investigations may take various forms in various contexts, they typically tend to follow a common and consistent lifecycle.

Assertion: Open standards should always strive to be appropriately scoped and to avoid conflicting duplication of concepts addressed by separate, valid and practical standards efforts focused on those concepts. In other words, avoid reinventing wheels and instead leverage domain-specific efforts and experts.

We look forward to the active consideration, discussion and, if indicated, adoption of the proposed approach.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com
Attachment: Investigation proposal - FireEye.pdf
Attachment: CASE-FoundationalPaper-JDI-2017.pdf