
Subject: Re: [cti] CTI TC Proposal - Promoting Targets to Top Level Objects

Good topic, Pat, thanks for bringing it up. I agree, they should be separate.

Bret, Rich P, and I were just going through the documents to prep for the F2F and this is one of the topics that came up there too. We have identity information in a bunch of places:
  • The source of STIX content (created_by_ref)
  • Targets for TTPs (often more general, i.e. Finance sector)
  • Victims of incidents (usually specific, i.e. ACME Bank)
  • Threat actors (Shady Octopus)
  • Personas used by threat actors (Shady Octopus pretending to be ACME Bank)
How are all of these represented? It would be nice to whiteboard this at the F2F. We have similar issues with:
  • asset: asset can be a general target for TTPs, affected in an incident, and also serve as malicious infrastructure
  • tool: tools can be used to provide analysis, leveraged from external machines to perform attacks (e.g. LOIC), installed maliciously on target machines (malware), and also create STIX content

From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, April 15, 2016 at 12:55 PM
To: Patrick Maroney <Pmaroney@Specere.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] CTI TC Proposal - Promoting Targets to Top Level Objects

I don't have a problem with this; in fact I kind of already assumed we would have to do it when we got into the TTP object. You would have a relationship from the TTP to the Victim. Similarly you would have a relationship to the Exploit.

It wouldn't make sense to do it any other way IMO.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


From: Patrick Maroney <Pmaroney@Specere.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 04/15/2016 01:32 PM
Subject: [cti] CTI TC Proposal - Promoting Targets to Top Level Objects
Sent by: <cti@lists.oasis-open.org>

Promoting Targets to Top Level Objects

Abstract

      The Target Organization, and entities that comprise it, are the primary focus of all Threat-Actor activity, objectives, and motivations.
      This paper presents an argument for promoting Victims/Targets to the same representational level as our Adversaries/Attackers in our CTI Model.

      It includes the first draft of a notional Target Top Level Object specification and initial properties.

      There was broad consensus amongst the early adopters of STIX in the operational domain that we needed to promote Target Entities and Organizations to Top Level Objects.
      This action was delayed initially to complete the UML Models and use these as the basis for restructuring. As this work was completing we began the process of transitioning our Community to OASIS, and again to focus on completion and ratification of the Committee Specifications for the current version baselines.
      As these key milestones approach in the coming weeks, it is now time to submit this proposal to the CTI TC for the promotion of Targets to Top Level Objects/First Class Citizens.

      The objective of the attached paper is to provide the basis of the proposal, solicit community discourse and CTI TC support from those (1) in a Threat Intelligence CI and Operational Role and (2) those engaged in 2012/2013/2014 discussions around making this change.
      Note: I've attached a slightly revised copy of the Tokenization Concepts Paper published to the CTI TC on March 26th. It contains concepts related to the Target proposal.

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104

Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

[attachment "Proposal - Promoting Targets to Top Level Objects.pdf" deleted by Jason Keirstead/CanEast/IBM]
[attachment "CTI Tokenization Concepts 160408B.pdf" deleted by Jason Keirstead/CanEast/IBM]