Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?
Hi Jerome,

Thanks for the answer, interesting insights. I am focusing currently on that first one: EDR/IDS/IPS type of capabilities mapped into MITRE techniques and STIX indicators (that is a product-based focus). And I find STIX not flexible enough (but maybe I am missing something?). For example I can add custom attributes inside an indicator (or attack-pattern):

"x-vendor-mappings"
"x-cisco-mappings"
"x-cisco-productX-mappings"

That approach would force me to add more and more specific attributes under specific indicators (most of the time), also under attack-patterns - pretty unmanageable.

What if we could have an additional STIX domain called product? And we could build relations between product and indicators/attack-patterns. That would be much more manageable, I would be able to create relations like this:
Reasonable? Or maybe there is a better alternative?

Thanks,
Michal

From: <cti-users@lists.oasis-open.org> on behalf of Jerome Athias <jeromeathias2018@gmail.com>

Hi,

Sounds like you could look at: for EDR, SOC/Detection, IDS/IPS [1], SOAR kind of products with focus on https://attack.mitre.org/ from a technique/attack-(sub)patterns (TIDs/CAPEC)/TTPs (Use Cases) point of view.

==> From a SOC/Detection (Blue Team) perspective, I would recommend focusing on logging capabilities (data sources) and settings, for mappings. Note here that work would have to be done for mapping between MITRE (ATT&CK) data source categories and real-world classes of product categories (e.g. Firewall, Antivirus, Proxy, CASB, Sysmon, EDR...) and then product names/versions (CPE/SWID) with their specific capabilities/settings (i.e. CCE). DeTT&CT approach.

While direct 1-for-1 mappings are not always possible/effective, I recommend mappings (with vendor-specific categories of alerts/threats/malware, etc.).

For malware analysis, that would focus on MAEC support (e.g. cuckoo).

So a schemas-based approach/mappings is also interesting (but efforts needed).

My 2c
/JA

On Mon, Oct 7, 2019 at 8:01 AM Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:
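As an added example (not code from the original post, from Cisco or from the STIX project), here is how the "product as its own STIX object" alternative discussed above could be modelled as plain STIX 2.1 JSON with only the Python standard library: a custom x-product object linked to attack-patterns and indicators through relationship objects, plus the two checks a consumer of such a bundle wants, namely that no relationship points at an object missing from the bundle and a per-product coverage lookup. The x-product type name, its properties, the "detects" relationship type, and all sample values are assumptions.

```python
import uuid

SPEC = "2.1"
TS = "2019-10-07T08:01:00.000Z"   # constructed fixed timestamp so output is deterministic


def _sdo(obj_type, **props):
    """Minimal STIX 2.1 object skeleton carrying the common required properties."""
    base = {"type": obj_type, "spec_version": SPEC, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS}
    base.update(props)
    return base


def make_product(name, vendor, version):
    # Custom object type standing in for the "product" domain proposed in the thread.
    # Assumption: "x-product" and its properties are illustrative, not a registered extension.
    return _sdo("x-product", name=name, vendor=vendor, version=version)


def make_attack_pattern(name, attack_id):
    # attack_id is a placeholder; a real mapping would carry the ATT&CK technique id here.
    return _sdo("attack-pattern", name=name,
                external_references=[{"source_name": "mitre-attack", "external_id": attack_id}])


def make_indicator(name, pattern):
    return _sdo("indicator", name=name, pattern=pattern, pattern_type="stix", valid_from=TS)


def relate(source, rel_type, target):
    """Relationship SRO, e.g. product --detects--> attack-pattern or indicator."""
    return _sdo("relationship", relationship_type=rel_type,
                source_ref=source["id"], target_ref=target["id"])


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def dangling_refs(bundle):
    """Ids of relationships whose source_ref/target_ref do not resolve inside the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship" and not ({o["source_ref"], o["target_ref"]} <= ids)]


def coverage(bundle, product_id, rel_type="detects"):
    """Set of (target type, ATT&CK id or name) a product covers, found by walking relationships;
    this is the query that a custom property buried in each indicator cannot answer directly."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = set()
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["source_ref"] != product_id or o["relationship_type"] != rel_type:
            continue
        t = by_id.get(o["target_ref"])
        if t is None:           # dangling reference: skip rather than crash
            continue
        label = t.get("external_references", [{}])[0].get("external_id", t.get("name"))
        out.add((t["type"], label))
    return out


def demo_bundle():
    """Constructed sample: one product detecting one technique and one indicator."""
    prod = make_product("ExampleEDR", "ExampleVendor", "1.0")
    ap = make_attack_pattern("Example technique", "TXXXX")          # placeholder technique id
    ind = make_indicator("Example file indicator", "[file:name = 'example.exe']")
    return prod, make_bundle([prod, ap, ind, relate(prod, "detects", ap), relate(prod, "detects", ind)])
```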