

Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?


Thanks Jerome,

Really good stuff, mapping to data sources is the first step and definitely a good direction.

Let me review this and get back to you in a few weeks.

Thanks,

Michal

 

From: Jerome Athias <jeromeathias2018@gmail.com>
Date: Monday, 7 October 2019 at 15:03
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?

 

1) At first I would suggest an evolution/revision* of the data sources currently defined in MITRE ATT&CK.

* or additional mappings to security tools (categories/products) and their capabilities/functions (à la MAEC, but for blue security tools) - see 2)

e.g.:

API monitoring - EDR, Sandbox (meaning neither Proxy nor Firewall-NG nor Web server logs)

Here you could later on classify your products under categories (i.e. Firewall-NG: Palo Alto 123, Cisco 234, ...)

Sysmon

...

2) Due to the data model (schema) reduction/simplification in STIX v2 (compared with CybOX), you don't have native objects for that (due to MVP/MTI), such as ProductObjectType/DeviceObjectType.

In the meantime, I could see it being used for OpenC2 support evaluation in the future...

On Mon, Oct 7, 2019 at 11:08 AM Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

Hi Jerome,

Thanks for the answer, interesting insights.

I am focusing currently on that first one: EDR/IDS/IPS type of capabilities mapped into Mitre techniques and STIX indicators (that is, a product-based focus).

And I find STIX not flexible enough (but maybe I am missing something?)

For example I can add custom attributes inside indicator (or attack-pattern):

"x-vendor-mappings"

"x-cisco-mappings"

"x-cisco-productX-mappings"

That approach would force me to add more and more specific attributes under specific indicators (most of the time), also under attack-patterns - pretty unmanageable.

What if we could have an additional STIX domain called product?

And we could build relations between product and indicators/attack-patterns. That would be much more manageable; I would be able to create relations like this:

  • Product_GenericFirewall "is able to detect and block" Attack-pattern7
  • Product_Cisco_Product3 "is able to detect" Indicator7
  • Product_Cisco_Product4_FeatureX "is able to detect and block" Indicator9

Reasonable? Or maybe there is a better alternative?

 

Thanks,

Michal
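The product domain and the three relations sketched in the message above, worked as an added example (my code, not from the thread or from any STIX library): `x-product` is a constructed custom object type and its `x_` properties are assumptions, following the `x-` custom naming the thread already uses; the bundle is built as plain STIX 2.1 JSON dicts so it needs no external library, and `coverage()` and `dangling_refs()` are the two checks a defender would run over such a mapping.

```python
# Added example (not from the thread): the proposed "product" domain as a STIX 2.1
# custom object (x-product) linked to attack-patterns/indicators by relationship
# objects. x-product and its x_ properties are constructed, not part of any STIX spec.
import uuid

NOW = "2019-10-07T08:00:00.000Z"  # constructed timestamp

def sdo(stix_type, **props):
    """Skeleton every STIX 2.1 SDO/SRO needs: type, spec_version, id, created, modified."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def relationship(src, rtype, tgt):
    """SRO whose relationship_type carries the 'is able to detect [and block]' semantics."""
    return sdo("relationship", relationship_type=rtype, source_ref=src["id"], target_ref=tgt["id"])

def build_bundle():
    """Bundle with the three relations from the thread (sample content, constructed)."""
    ap7 = sdo("attack-pattern", name="Attack-pattern7",
              kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": "execution"}])
    ind7 = sdo("indicator", name="Indicator7", pattern_type="stix", valid_from=NOW,
               pattern="[file:hashes.'SHA-256' = 'CONSTRUCTED_HASH']")
    ind9 = sdo("indicator", name="Indicator9", pattern_type="stix", valid_from=NOW,
               pattern="[domain-name:value = 'example.invalid']")
    fw = sdo("x-product", name="Product_GenericFirewall", x_product_class="Firewall-NG")
    p3 = sdo("x-product", name="Product_Cisco_Product3", x_vendor="Cisco")
    p4 = sdo("x-product", name="Product_Cisco_Product4_FeatureX", x_vendor="Cisco",
             x_required_features=["FeatureX"])  # features that must be enabled for coverage
    rels = [relationship(fw, "detects-and-blocks", ap7), relationship(p3, "detects", ind7),
            relationship(p4, "detects-and-blocks", ind9),
            relationship(ind7, "indicates", ap7)]  # standard STIX relationship, not coverage
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ap7, ind7, ind9, fw, p3, p4, *rels]}

def coverage(bundle):
    """Map covered object id -> {(product name, relationship_type)}; only x-product sources count."""
    objs = {o["id"]: o for o in bundle["objects"]}
    cov = {}
    for o in bundle["objects"]:
        src = objs.get(o.get("source_ref"))
        if o["type"] == "relationship" and src and src["type"] == "x-product":
            cov.setdefault(o["target_ref"], set()).add((src["name"], o["relationship_type"]))
    return cov

def dangling_refs(bundle):
    """Relationship refs that do not resolve inside the bundle: a common mapping error."""
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"] if o["type"] == "relationship"
            for r in (o["source_ref"], o["target_ref"]) if r not in ids]
```

Adding a product class, vendor and required-feature list as properties of the product object keeps the per-indicator specificity the thread worries about out of the indicator itself.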

 

 

From: <cti-users@lists.oasis-open.org> on behalf of Jerome Athias <jeromeathias2018@gmail.com>
Date: Monday, 7 October 2019 at 08:35
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?

 

Hi,

Sounds like you could look at:

for EDR, SOC/Detection, IDS/IPS [1], SOAR kinds of products, with focus on https://attack.mitre.org/ from a technique/attack-(sub)pattern (TIDs/CAPEC)/TTPs (use cases) point of view

==> From a SOC/Detection (Blue Team) perspective, I would recommend focusing on logging capabilities (data sources) and settings for mappings.

Note here that work would have to be done for mapping between MITRE (ATT&CK) data source categories and real-world classes of product categories (e.g. Firewall, Antivirus, Proxy, CASB, Sysmon, EDR...) and then product names/versions (CPE/SWID) with their specific capabilities/settings (i.e. CCE).

DeTT&CT approach

While direct 1-for-1 mappings are not always possible/effective, I recommend mappings (with vendor-specific categories of alerts/threats/malware, etc.)

For malware analysis, that would focus on MAEC support (e.g. Cuckoo)

So a schema-based approach/mappings is also interesting (but effort is needed)


My 2c

/JA

On Mon, Oct 7, 2019 at 8:01 AM Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

Hello Team,

What would be your recommendation to use STIX for product capability mapping, to present the coverage against malware + intrusion sets/campaigns?

I would like to use Mitre techniques + Mitre and LM kill-chains to map those techniques (attack-patterns) to the right kill-chain phase.

Also indicators, to map those to attack-patterns positioned in the right phase of the kill-chain.

And now provide additional information about product coverage for each attack-pattern and correlated indicator.

Obviously product coverage for attack-patterns will be generic: product_class + maybe a bit more specific vendor_product (some of those shared by Mitre).

But product coverage for a specific indicator might be very specific: vendor_product + vendor_product_features (list of features which need to be enabled on the product to detect or block)

Are there any similar works within the STIX community?

Any recommendations / hints?

Thanks,

Michal

----

Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com

 
