

Subject: RE: Face to Face - RM4 - Prop 9 relationships


Thanks Phillip,

 

I’d seen the earlier study by Char Sample that this was based on, but not seen the follow up. Thanks for sending!

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: Phillip Cutforth [mailto:Phillip.Cutforth@dia.govt.nz]
Sent: Friday, 15 January 2016 11:32 AM
To: Terry MacDonald <terry@soltra.com>; Mark Clancy <mclancy@soltra.com>; cti@lists.oasis-open.org
Subject: RE: Face to Face - RM4 - Prop 9 relationships

 

Gents,

Noting I have trouble posting to CTI mail lists, I’ll leave this with yourselves to consider if useful for a wider audience….  Concerning profiling threat actors…

 

I’ve just read an interesting report by SEI CMU on “Cyber + Culture Early Warning Study”.  It is a special report that examines the linkage between culture(s) and cyber behaviours, with a view to profiling cyber (threat) actors and the timelines involved between cyber and kinetic events. 

 

Details:

SEI CMU – CERT Division

Title:  Cyber + Culture Early Warning Study

Author:  Char Sample

Ref/ID:  CMU/SEI-2015-SR-025

Dated:  Nov 2015

 

http://resources.sei.cmu.edu/library/

http://resources.sei.cmu.edu/asset_files/specialreport/2015_003_001_449739.pdf

 

Kind Regards,

Phil C

 

Phil Cutforth MBE MSc | AoG Enterprise Architect | Service and System Transformation
The Office of New Zealand Government Chief Information Officer, Department of Internal Affairs - Te Tari Taiwhenua   
Tel (DDI): +64 4 495 7277 | Extn: 5277 | Mobile: +64 21 901 752 | email:  phillip.cutforth@dia.govt.nz  |  web:  www.dia.govt.nz  |  c:  long black + hot milk
Address:  46 Waring Taylor St, PO Box 805, Wellington 6140, New Zealand

 


 

 

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Friday, 15 January 2016 12:39 p.m.
To: Mark Clancy; cti@lists.oasis-open.org
Subject: [cti] RE: Face to Face - RM4 - Prop 9 relationships

 

This is exactly the idea behind the ID format that we proposed in the TWIGS specification. Organizations would be able to produce easy to remember objects that would be used as ‘library objects’ that others would be able to use and reference. In this way, we could create a list of common Attack-Pattern objects based on CAPEC, and they would just be available for use by anyone.

 

We could then over time build up a picture of which threat actors use which attack patterns in a way that allows us to easily traverse the graph relationships between them thanks to the ‘shared’ library objects that link them.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Mark Clancy
Sent: Friday, 15 January 2016 7:45 AM
To: cti@lists.oasis-open.org
Subject: [cti] Face to Face - RM4 - Prop 9 relationships

 

So one thought I want to inject which is hard to do on the phone.  We should also talk about the use of Reference Data as binding glue when dealing with relationships.  For example, why does everyone on the planet need to create their own STIX object in their own namespace for a "spear phishing" TTP, so that Org1 and Org2 "Spear phishing" TTPs are different things as they are unique STIX objects when in fact they really should have been the same? Yes, there are variants of Spear Phishing which may also be generic TTPs, like say Whaling, and others that are specific to a Threat Actor, which will be related to Spear Phishing, are really more unique.

 

-Mark

 

 

Mark Clancy

Chief Executive Officer

SOLTRA | An FS-ISAC and DTCC Company

+1.813.470.2400 office | +1.610.659.6671 US mobile |  +44 7823 626 535  UK mobile

mclancy@soltra.com | soltra.com

 

One organization's incident becomes everyone's defense.
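
As an added illustration of the point made in the two messages above (not code from the thread, the STIX schema or the TWIGS specification): the sketch below compares relationship data in which each organisation mints its own spear-phishing object with data that references one shared library object, and shows that only the shared form lets a graph traversal connect threat actors across organisations. All IDs, the `library:` namespace and the `uses` / `variant-of` relationship names are constructed assumptions.

```python
from collections import defaultdict

# Constructed edges (source, relationship, target); every ID is made up.
# PER_ORG: each organisation mints its own spear-phishing objects.
PER_ORG = [
    ("org1:threat-actor-alpha", "uses", "org1:ttp-spear-phishing"),
    ("org2:threat-actor-bravo", "uses", "org2:ttp-whaling"),
    ("org2:ttp-whaling", "variant-of", "org2:ttp-spear-phishing"),
    ("org3:threat-actor-charlie", "uses", "org3:ttp-charlie-lure"),
    ("org3:ttp-charlie-lure", "variant-of", "org3:ttp-spear-phishing"),
]
# SHARED: the generic patterns are referenced from one common library.
LIB = "library:attack-pattern-spear-phishing"
SHARED = [
    ("org1:threat-actor-alpha", "uses", LIB),
    ("org2:threat-actor-bravo", "uses", "library:attack-pattern-whaling"),
    ("library:attack-pattern-whaling", "variant-of", LIB),
    ("org3:threat-actor-charlie", "uses", "org3:ttp-charlie-lure"),
    ("org3:ttp-charlie-lure", "variant-of", LIB),
]

def generalise(pattern, parent):
    """Return the pattern and every more generic pattern above it."""
    chain = []
    while pattern is not None and pattern not in chain:  # stops on cycles
        chain.append(pattern)
        pattern = parent.get(pattern)
    return chain

def actors_sharing_patterns(edges):
    """Map pattern ID -> actors linked to it, keeping patterns with 2+ actors."""
    parent = {s: d for s, rel, d in edges if rel == "variant-of"}
    by_pattern = defaultdict(set)
    for actor, rel, pattern in edges:
        if rel == "uses":
            for p in generalise(pattern, parent):
                by_pattern[p].add(actor)
    return {p: a for p, a in by_pattern.items() if len(a) > 1}

if __name__ == "__main__":
    print("per-org objects:", actors_sharing_patterns(PER_ORG))
    print("shared library :", actors_sharing_patterns(SHARED))
```

The actor-specific variant (`org3:ttp-charlie-lure`) stays in its owner's namespace; it is the `variant-of` link to the shared object that makes it reachable from the other organisations' data.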
 

 


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Alexander Foley <alexander.foley@bankofamerica.com>
Sent: Thursday, January 14, 2016 3:03 PM
To: cti@lists.oasis-open.org
Subject: [cti] Groups - OASIS CTI TC F2F - STIX 1b.pdf uploaded

 

Document Name: OASIS CTI TC F2F - STIX 1b.pdf


Description
Strawman #2 (Sean Barnum + Group)


Submitter: Alexander Foley
Group: OASIS Cyber Threat Intelligence (CTI) TC
Folder: Calendar Documents
Date submitted: 2016-01-14 12:03:07

 


