cti-stix message
Subject: Re: [cti-stix] Draft Threat model for IMDDOS COAs


I think this is just me not understanding where the COA minigroup is headed, not that what you put together is confusing.


Anyway, when you say “the COA should apply to the host identified by the sighting” do you mean:


  • This is a COA that was actually taken and the producer is telling others about that
  • This is a COA that could be taken and the producer is telling the owner of the host either as a recommendation or a command


The Damballa report had both (talked about what they did, and had some recommendations for what others could do).


On your latter scenario, I’d have the same question...are you recommending the COA, directing it as part of like an orchestration capability, or reporting on it? I think the answer might be different in the different scenarios. Separately, I don’t think Identity really captures the concept of a “host”. Identity is really an organization or an individual, STIX deferred having an “asset” SDO to capture the concept of a host.


John


From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thursday, September 14, 2017 at 6:12 PM
To: John Wunder <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Draft Threat model for IMDDOS COAs


Hi John,


I cooked this up late last night and there is no particular reason for calling it ‘applies-to’ vs. anything else. The idea was that the COA should apply to the host identified by the sighting. In the example shown here the COAs are atomic (delete registry key, block the process that is reaching out to the C2 domains, block the process that is reaching out to the TLD domain) and there is a higher level COA (IMDDOS malware removal) that is using these atomic COAs (I called this relationship parent-of for lack of a better term).


We discussed this example during the mini group call today and will be updating the model for a more real use case, i.e. when a sighting is made, the identified host needs to be quarantined and then a series of steps to remove the malware need to be done. This can be captured by 2 COAs – “Quarantine host” and “Malware cleanup”. What I’m struggling with is if these COAs should be related to the Sighting or directly to the Identity (identified host). Thoughts?


Thanks,

Jyoti

Technical Leader,

CTO office Security Business Group,

Cisco Systems Inc.
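Jyoti's draft model as described above (three atomic COAs under a parent "IMDDOS malware removal" COA, with the parent tied to the Sighting by applies-to), written out as plain STIX-style dictionaries in an added Python example that is not part of this thread. The relationship names applies-to and parent-of are the draft's own terms rather than STIX 2.1 relationship types, every identifier is constructed, and the two helper functions (a dangling-reference check and a resolver that walks applies-to then parent-of from a sighting) are assumptions about what a consumer of such a bundle would need.

```python
"""Draft COA model from the thread as constructed STIX-style dicts."""
import uuid


def sid(stix_type: str, name: str) -> str:
    """Deterministic, constructed identifier in the STIX 'type--uuid' form."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"


def rel(src: str, rtype: str, tgt: str) -> dict:
    """Build a relationship object; rtype uses the draft's own names."""
    return {"type": "relationship", "id": sid("relationship", src + rtype + tgt),
            "relationship_type": rtype, "source_ref": src, "target_ref": tgt}


SIGHTING = sid("sighting", "imddos-sighting-on-host")          # constructed
PARENT = sid("course-of-action", "IMDDOS malware removal")      # constructed
ATOMIC = {name: sid("course-of-action", name) for name in (
    "Delete registry key", "Block process reaching C2 domains",
    "Block process reaching TLD domain")}

# Constructed bundle: one sighting, the parent COA, three atomic COAs, one
# applies-to edge (parent -> sighting) and three parent-of edges (parent -> atomic).
BUNDLE = {"type": "bundle", "objects": [
    {"type": "sighting", "id": SIGHTING},
    {"type": "course-of-action", "id": PARENT, "name": "IMDDOS malware removal"},
    *[{"type": "course-of-action", "id": i, "name": n} for n, i in ATOMIC.items()],
    rel(PARENT, "applies-to", SIGHTING),
    *[rel(PARENT, "parent-of", i) for i in ATOMIC.values()],
]}


def dangling_refs(bundle: dict) -> list[str]:
    """Relationship refs that point at no object in the bundle (integrity check)."""
    ids = {o["id"] for o in bundle["objects"]}
    return sorted(r for o in bundle["objects"] if o["type"] == "relationship"
                  for r in (o["source_ref"], o["target_ref"]) if r not in ids)


def coas_for_sighting(bundle: dict, sighting_id: str) -> list[str]:
    """COA names reachable from a sighting: applies-to roots, then parent-of children."""
    names = {o["id"]: o.get("name") for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    roots = [r["source_ref"] for r in rels
             if r["relationship_type"] == "applies-to" and r["target_ref"] == sighting_id]
    seen, order = set(), []

    def walk(coa: str) -> None:          # depth-first; 'seen' guards against cycles
        if coa in seen:
            return
        seen.add(coa)
        order.append(names[coa])
        for r in rels:
            if r["relationship_type"] == "parent-of" and r["source_ref"] == coa:
                walk(r["target_ref"])

    for root in roots:
        walk(root)
    return order
```

Swapping the applies-to target from the Sighting to an Identity (the open question in the thread) changes only the object the root lookup keys on; the parent-of expansion is unaffected.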


From: "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, September 14, 2017 at 12:40 PM
To: Jyoti Verma <jyoverma@cisco.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Draft Threat model for IMDDOS COAs


Hey Jyoti,


This is super comprehensive, thanks! I had a question for you…right now you have COA tied to Sightings as “applies-to”. What data does that indicate? That the COA was actually applied to the case described in that sighting, or that it COULD apply? We’ve done some explorations of that concept and I was curious what you were thinking.


John


From: <cti-stix@lists.oasis-open.org> on behalf of "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thursday, September 14, 2017 at 5:27 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Draft Threat model for IMDDOS COAs


Hi,


Based on the discussions in the COA mini group, I extended Rich’s threat model for IMDDOS with some COAs and relationships. We can work through this in the COA mini group call later today.


Thanks,

Jyoti

Technical Leader,

CTO office Security Business Group,

Cisco Systems Inc.



