From the perspective of the human user/analyst/scientist using the CTI data,
being exchanged using RDF has a significant advantage over XML or JSON because
the meaning of the data is encoded in the RDF, so instead of just reading the
data the technology can understand the meaning of the data. If the technology can
understand what the data means, it can put the pieces of data together like a
jigsaw puzzle grand master, essentially organizing and “connecting the dots” for
the human users. This supports technology-enabled analytic tradecraft
modernization for individual users/analysts/scientists as well as overall
organizational cyber defense analytic tradecraft improvement. If the meaning of
the data is encoded with it, then the data is easier for scientists, analysts,
and increasingly non-expert users to understand and do something with.
Below is some of the typical cybersecurity data and information that
users/analysts/scientists have to organize into some type of body of knowledge
so they understand their cybersecurity ecosystem. If the technology can’t understand
the meaning of the data, then it’s the humans who have to understand it and “connect
the dots”.
Configuration/Anomaly Reporting
  - Infrastructure Information
  - Risk Posture
  - Anomalies

Knowledge of Threat Actors
  - Threat Actor Infrastructure
  - Threat Actor Personas
  - Collected Threat Actor Indicators
  - Threat Actor Attribution
  - Trend Analysis
  - Victim Information

Incident Awareness
  - Incident Information
  - Incident Data
  - Infrastructure Impact and Effects
  - Investigations/Cases
  - Alerting Indicators
  - Victim Information

Indications and Warnings
  - Events and Alerts
  - Tipping and Cueing
  - Warnings
  - Impact Assessments
  - Potential Indicators

Vulnerability Knowledge
  - Vulnerabilities
  - Exploits
  - Potential Victim Information

Mitigation Strategies
  - Coordinated Action Plans
  - Courses of Action
  - Understanding of Achievable Mitigation Effects

Mitigation Actions and Responses
  - Computer Network Defense Situational Awareness
  - Action Tasking and Status
  - Effectiveness Reporting
  - After Action Reporting and Lessons Learned
Sadly, the analytic tradecraft to understand the CTI and wider cybersecurity data,
operationalize the CTI data, connect the dots between malicious activities, etc. varies
widely, with some organizations having more than 15 years of CTI analytic
tradecraft experience and other organizations just starting out with basically no analytic tradecraft.
The Semantic eScience research paper I shared with the list
discussed a Semantic eScience technology stack to collect all that
cybersecurity data and information in order to apply object-based production
using RDF. This research investigated how to advance and modernize
analytic tradecraft with science and big data technology.
Object-based production allows the technology stack to
systematically organize a body of cybersecurity knowledge for the operational
ecosystem so it can enable the human cyber defenders to be more efficient and
effective in the intellectual and practical activity encompassing the
systematic study of the structure and behavior of cybersecurity in the
operational ecosystem.
I thought perhaps understanding a use case for STIX RDF data
might help others to see another point of view.
Shawn
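The "connect the dots" point in the post above can be made concrete with a small worked example. The code below is an added illustration, not part of the original post and not code from any STIX or RDF project: a minimal in-memory triple store with a forward-chaining loop for three pieces of encoded meaning (rdfs:subPropertyOf, owl:inverseOf, owl:TransitiveProperty). The sample CTI triples are constructed, the `stix:` prefix and the identifiers such as `indicator--a1` are assumptions, and declaring `stix:related-to` symmetric and transitive is an assumption made for the illustration rather than anything the STIX specification states. The same five data triples loaded as a flat JSON or XML record set carry no such rules, so the software cannot derive that two indicators share a malware family and an intrusion set; with the schema triples present, the inference loop derives it without an analyst in the loop.

```python
"""
Added example (not from the original post): a tiny RDF-style triple store with
forward-chaining inference, showing how schema triples that encode the meaning
of CTI relationships let software "connect the dots" that a plain JSON/XML
record set leaves to the analyst. Namespaces, identifiers and the choice to make
stix:related-to symmetric and transitive are illustrative assumptions.
"""

# Vocabulary. rdfs:/owl: terms are real RDF Schema / OWL concepts; the stix:
# relationship names mirror STIX 2.1 relationship types, but the prefix
# mapping and the schema rules below are assumed for this example.
SUBPROP = "rdfs:subPropertyOf"
INVERSE = "owl:inverseOf"
TYPE = "rdf:type"
TRANSITIVE = "owl:TransitiveProperty"
RELATED = "stix:related-to"

# Constructed schema: every specific STIX relationship is a kind of
# related-to, and related-to is declared symmetric (its own inverse) and
# transitive. This is the "meaning encoded with the data".
SCHEMA = """
<stix:indicates>     <rdfs:subPropertyOf> <stix:related-to> .
<stix:attributed-to> <rdfs:subPropertyOf> <stix:related-to> .
<stix:uses>          <rdfs:subPropertyOf> <stix:related-to> .
<stix:related-to>    <owl:inverseOf>      <stix:related-to> .
<stix:related-to>    <rdf:type>           <owl:TransitiveProperty> .
"""

# Constructed CTI facts in a simplified N-Triples-like form.
DATA = """
<indicator--a1>     <stix:indicates>     <campaign--c1> .
<campaign--c1>      <stix:attributed-to> <intrusion-set--i1> .
<intrusion-set--i1> <stix:uses>          <malware--m1> .
<indicator--a2>     <stix:indicates>     <malware--m1> .
<indicator--a3>     <stix:indicates>     <malware--m9> .
"""


def parse_triples(text):
    """Parse `<s> <p> <o> .` lines into a set of (s, p, o) string triples.
    Blank lines and lines starting with '#' are ignored; anything else that
    is not exactly three terms followed by ' .' is rejected."""
    triples = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith(" ."):
            raise ValueError(f"triple must end with ' .': {line!r}")
        terms = line[:-2].split()
        if len(terms) != 3:
            raise ValueError(f"expected subject predicate object: {line!r}")
        triples.add(tuple(t.strip("<>") for t in terms))
    return triples


def infer(triples):
    """Forward-chain rdfs:subPropertyOf, owl:inverseOf and owl:TransitiveProperty
    to a fixpoint. Returns the closed set: input triples plus everything derived.
    Terminates because no rule introduces a term that is not already present."""
    closed = set(triples)
    while True:
        subprops = {(s, o) for s, p, o in closed if p == SUBPROP}
        inverses = {(s, o) for s, p, o in closed if p == INVERSE}
        transitive = {s for s, p, o in closed if p == TYPE and o == TRANSITIVE}
        new = set()
        for s, p, o in closed:
            for sub, sup in subprops:          # (s sub o) -> (s sup o)
                if p == sub:
                    new.add((s, sup, o))
            for a, b in inverses:              # (s a o) -> (o b s), both ways
                if p == a:
                    new.add((o, b, s))
                if p == b:
                    new.add((o, a, s))
            if p in transitive:                # (s p o), (o p x) -> (s p x)
                for s2, p2, o2 in closed:
                    if p2 == p and s2 == o:
                        new.add((s, p, o2))
        new -= closed
        if not new:
            return closed
        closed |= new


def related_nodes(graph, node):
    """Everything `graph` says `node` is related to (excluding itself)."""
    return {o for s, p, o in graph if s == node and p == RELATED and o != node}


def shared_context(graph, a, b):
    """Nodes both a and b are related to: the reason to look at them together."""
    return related_nodes(graph, a) & related_nodes(graph, b)


def build_graph():
    """Load schema plus data and close the graph under the inference rules."""
    return infer(parse_triples(SCHEMA) | parse_triples(DATA))


if __name__ == "__main__":
    raw = parse_triples(DATA)
    closed = build_graph()
    print("without schema:", related_nodes(raw, "indicator--a1"))
    print("with schema:   ", sorted(related_nodes(closed, "indicator--a1")))
    print("a1 and a2 share:", sorted(shared_context(closed, "indicator--a1", "indicator--a2")))
```

With only the data triples loaded, `related_nodes` on `indicator--a1` is empty: the store holds the same facts a JSON document would, and nothing tells it that "indicates" or "uses" are ways of being related. Once the schema triples are loaded and `infer` runs, `indicator--a1` is connected to the campaign, the intrusion set, the malware and the second indicator, while `indicator--a3` stays in its own component because nothing in the data links `malware--m9` to the rest. The naive nested loops are fine for a few dozen triples; a real deployment would use a triple store with indexed joins, but the rule semantics are the same.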