OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Draft Threat model for IMDDOS COAs


Hi John,

 

I cooked this up late last night and there is no particular reason for calling it ‘applies-to’ vs. anything else. The idea was that the COA should apply to the host identified by the sighting. In the example shown here the COAs are atomic (delete registry key, block the process that is reaching out to the C2 domains, block the process that is reaching out to the TLD domain) and there is a higher level COA (IMDDOS malware removal) that is using these atomic COAs (I called this relationship parent-of for lack of a better term).

 

We discussed this example during the mini group call today and will be updating the model for a more real use case – ie. When a sighting is made, the identified host needs to be quarantined and then a series of steps to remove the malware need to be done. This can be captured by 2 COAs – “Quarantine host” and “Malware cleanup”. What I’m struggling with is if these COAs should be related to the Sighting or directly to the Identity (identified host). Thoughts?

 

Thanks,

Jyoti

Technical Leader,

CTO office Security Business Group,

Cisco Systems Inc.

 

 

 

From: "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, September 14, 2017 at 12:40 PM
To: Jyoti Verma <jyoverma@cisco.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Draft Threat model for IMDDOS COAs

 

Hey Jyoti,

 

This is super comprehensive, thanks! I had a question for you…right now you have COA tied to Sightings as “applies-to”. What data does that indicate? That the COA was actually applied to the case described in that sighting, or that it COULD apply? We’ve done some explorations of that concept and I was curious what you were thinking.

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thursday, September 14, 2017 at 5:27 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Draft Threat model for IMDDOS COAs

 

Hi,

 

Based on the discussions in the COA mini group, I extended Rich’s threat model for IMDDOS with some COAs and relationships. We can work through this in the COA mini group call later today.

 

 

 

Thanks,

Jyoti

Technical Leader,

CTO office Security Business Group,

Cisco Systems Inc.

 

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]