Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?
Hi Jerome,

Thanks for the answer, interesting insights.

I am focusing currently on that first one: EDR/IDS/IPS type of capabilities mapped into Mitre techniques and STIX indicators
(that is a product based focus).
And I find STIX not flexible enough (but maybe I am missing something?)

For example I can add a custom attribute inside an indicator (or attack-pattern):
"x-vendor-mappings"
"x-cisco-mappings"
"x-cisco-productX-mappings"
That approach would force me to add more and more specific attributes under specific indicators (most of the time), also under attack-patterns - pretty unmanageable.

What if we could have an additional STIX domain called product?
And we could build relations between product and indicators/attack-patterns. That would be much more manageable; I would be able to create relations like this:
- Product_GenericFirewall "is able to detect and block" Attack-pattern7
- Product_Cisco_Product3 "is able to detect" Indicator7
- Product_Cisco_Product4_FeatureX "is able to detect and block" Indicator9

Reasonable? Or maybe there is a better alternative?

Thanks,
Michal
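The product-as-object model proposed in the message above, as an added example (not from the thread and not from any STIX library): a hypothetical custom "x-product" object linked to indicators and attack-patterns through relationships with the hypothetical custom types "detects" and "detects-and-blocks", built as plain STIX 2.1 JSON dicts with the standard library only. All object names, the feature list and the indicator patterns are constructed sample data.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.1 timestamp: RFC 3339 in UTC, millisecond precision, trailing "Z".
TS = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
def sdo(obj_type, **props):
    # Minimal STIX 2.1 object: type, spec_version, id (type--UUIDv4), created, modified.
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS, **props}
def relationship(source, rel_type, target, **props):
    # SRO from source to target; "detects" / "detects-and-blocks" are hypothetical custom types.
    return sdo("relationship", relationship_type=rel_type, source_ref=source["id"],
               target_ref=target["id"], **props)
# Constructed sample data. "x-product" is a hypothetical custom object type (the spec
# reserves the "x-" prefix for custom types and "x_" for custom properties).
ap7 = sdo("attack-pattern", name="Attack-pattern7")
ind7 = sdo("indicator", name="Indicator7", pattern_type="stix", valid_from=TS,
           pattern="[ipv4-addr:value = '198.51.100.7']")
ind9 = sdo("indicator", name="Indicator9", pattern_type="stix", valid_from=TS,
           pattern="[domain-name:value = 'bad.example.net']")
fw = sdo("x-product", name="Product_GenericFirewall", x_product_class="firewall")
p3 = sdo("x-product", name="Product_Cisco_Product3", x_product_class="edr", x_vendor="Cisco")
p4 = sdo("x-product", name="Product_Cisco_Product4", x_product_class="ips", x_vendor="Cisco")
BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    ap7, ind7, ind9, fw, p3, p4,
    relationship(fw, "detects-and-blocks", ap7),
    relationship(p3, "detects", ind7),
    # Feature prerequisites sit on the relationship, not on the product or the indicator.
    relationship(p4, "detects-and-blocks", ind9, x_required_features=["FeatureX"])]}

def coverage(bundle, target_id):
    """Return {product name: (relationship_type, required features)} for target_id."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["target_ref"] == target_id:
            src = by_id.get(o["source_ref"], {})
            if src.get("type") == "x-product":
                out[src["name"]] = (o["relationship_type"], o.get("x_required_features", []))
    return out

def check_bundle(bundle):
    """List problems: custom types without the x- prefix, relationship refs not in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    known = {"attack-pattern", "indicator", "relationship", "malware", "intrusion-set", "campaign"}
    problems = [f"{o['id']}: custom type needs 'x-' prefix" for o in bundle["objects"]
                if o["type"] not in known and not o["type"].startswith("x-")]
    problems += [f"{o['id']}: {ref} not in bundle" for o in bundle["objects"]
                 for ref in ("source_ref", "target_ref") if ref in o and o[ref] not in ids]
    return problems
```

Because coverage is carried by relationships rather than by attributes on each indicator, adding a product or a feature prerequisite means adding one object or one relationship instead of editing every indicator it applies to.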
From: <cti-users@lists.oasis-open.org> on behalf of Jerome Athias <jeromeathias2018@gmail.com>
Date: Monday, 7 October 2019 at 08:35
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?
Hi,

Sounds like you could look at:
for EDR, SOC/Detection, IDS/IPS [1], SOAR kind of products with focus on https://attack.mitre.org/ from a technique/attack-(sub)patterns (TIDs/CAPEC)/TTPs (Use Cases) point of view

==> From a SOC/Detection (Blue Team) perspective, I would recommend focusing on logging capabilities (data sources) and settings, for mappings.
Note here that work would have to be done for mapping between MITRE (ATT&CK) data source categories and real world classes of product categories (eg: Firewall, Antivirus, Proxy, CASB, Sysmon, EDR...) and then product names/versions (CPE/SWID) with their specific capabilities/settings (ie. CCE).
DeTT&CT approach
While direct 1-for-1 mappings are not always possible/effective, I recommend mappings (with vendor-specific categories of alerts/threats/malware, etc.)

For malware analysis, that would focus on MAEC support (eg: cuckoo)

So a schema-based approach/mappings is also interesting (but efforts needed)


My 2c
/JA

On Mon, Oct 7, 2019 at 8:01 AM Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:
Hello Team,

What would be your recommendation to use STIX for product capabilities mapping to present the coverage against malware + intrusion set/campaigns?

I would like to use Mitre techniques + Mitre and LM kill-chains to map those techniques (attack-patterns) to the right kill-chain phase.
Also indicators, to map those to attack-patterns positioned in the right phase of the kill-chain.
And now provide additional information about product coverage for each attack-pattern and correlated indicator.

Obviously product coverage for attack-patterns will be generic: product_class + maybe a bit more specific vendor_product
(some of those shared by Mitre).

But product coverage for a specific indicator might be very specific: vendor_product + vendor_product_features (list of features which need to be enabled on the product to detect or block)

Are there any similar works within the STIX community?
Any recommendations / hints?

Thanks,
Michal

----
Michal Garcarz          | Managed Security Services Architect         |
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH |
Krakow SOC, Poland      | tel. +48123211296 email: mgarcarz@cisco.com |
GPG Fingerprint         | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51    |
Working Hours           | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com    |
