OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] RE: On TTPs and specifications

Some of this has been discussed on the slack subgroup, but since not everyone is on slack I will duplicate here.

There are always trade-offs between flexibility and rigidness.

If TTPs are too flexible, we will end up in a STIX 1.X scenario, where we can allow people to specify anything under the sun, but no one can actually use it in practice for anything useful (it's essentially just a bunch of text blobs inside JSON).

Conversely, if we make them too rigid, then we can have awesomely powerful software that is amazingly reactive to TTPs, but we won't be able to properly represent any data in it because nothing will ever perfectly align.

We need the middle ground. Somewhere between a bunch of free-form text and a series of fixed enumerations.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Inactive hide details for "Casey, Eoghan CIV DC3---05/04/2016 04:30:40 PM---For the sake of learning from past experience, let'"Casey, Eoghan CIV DC3---05/04/2016 04:30:40 PM---For the sake of learning from past experience, let's consider this topic in the broader context of c

From: "Casey, Eoghan CIV DC3/DCCI" <Eoghan.Casey@dc3.mil>
To: "'Maxwell, Kyle'" <kmaxwell@verisign.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 05/04/2016 04:30 PM
Subject: [cti] RE: On TTPs and specifications
Sent by: <cti@lists.oasis-open.org>

For the sake of learning from past experience, let's consider this topic in the broader context of criminal investigation. The terminology is different (MO and signature) but the concepts are the same.

These definitions are taken in part from "Criminal Profiling: An Introduction to Behavioral Evidence Analysis" by Brent Turvey. Examples of from my joint work with Brent Turvey.

1) Modus operandi (MO) is Latin for "a method of operating." It refers to the behaviors that are committed by an offender for the purpose of successfully completing an offense. An offender's modus operandi reflects how an offender committed their crimes. It is separate from the offender's motives, or signature aspects. MO most often serves one or more of three purposes:

   a) protects the offender's identity
   b) ensures the successful completion of the crime
   c) facilitates the offender's escape

Examples of MO behaviors related to computer and Internet crimes include, but are most certainly not limited to:

    - Amount of planning before a crime, evidenced by behavior and materials (i.e. notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).

    - Materials used by the offender in the commission of the specific offense (i.e. system type, connection type, software involved, etc.).

    - Presurveillance of a crime scene or victim (i.e. monitoring a potential victim's posting habits on a discussion list, learning about a potential victim's lifestyle or occupation on their personal website, contacting a potential victim directly using a friendly alias or a pretense, etc.).

    - Offense location selection (i.e. a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).

    - Use of a weapon during a crime (i.e. a harmful virus sent to a victim's PC as an e-mail attachment, etc.).

    - Offender precautionary acts (i.e. the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).

2) Offender Signature (comprised of two parts):

   a) Signature Behaviors: Signature behaviors are those acts committed by an offender that are not necessary to complete the offense. Their convergence can be used to suggest an offender's psychological or emotional needs (signature aspect). They are best understood as a reflection of the underlying personality, lifestyle, and developmental experiences of an offender.
   b) Signature Aspects: The emotional or psychological themes or needs that an offender satisfies when they commit offense behaviors.

Let's not limit TTP to a small subset of this valuable information. The details of an offender's MO and signature can be useful for case linkage - the general process of demonstrating discrete connections between two or more previously unrelated cases. A connection between one or more cases can be sufficiently distinctive as to support the inference that the same person is responsible.

Eoghan Casey

-----Original Message-----
From: cti@lists.oasis-open.org [
mailto:cti@lists.oasis-open.org] On Behalf Of Maxwell, Kyle
Sent: Wednesday, May 04, 2016 11:44 AM
To: cti@lists.oasis-open.org
Subject: [Non-DoD Source] [cti] On TTPs and specifications

Let's talk TTPs: Tactics, Techniques, and Procedures. Relevant background reading and other links are at the end, including to the playground space that Bret Jordan set up.

What is a TTP anyway?

Basically, how an actor carries out their intent. It's not a tool. It's a set of methods, effectively, specified to varying levels of detail. In general, when an actor deploys a capability against a target to accomplish some goal, the way the actor does so can be represented as a set of TTPs. For a non-cyber example, and because it's May 4th when I write this:

Goal: Destroy the Death Star
TTP: X-wing fighter-bombers provide close space support to Y-wing bombers against TIE fighters until equatorial trench is reached, at which point all craft proceed linearly until ordnance is successfully delivered to the reactor.
Tools: Proton Torpedoes

This can further be broken down between the specific tactics, techniques, and procedures, but for illustrative purposes this suffices. Additionally, given the lack of consensus among practitioners, it might not be useful to go to a level of detail where we differentiate between the three. Whether STIX should support those distinctions is an open question.

STIX Representations

I envision four different ways that STIX could represent TTPs, listed here in order of desirability (according to my personal estimation, of course):

1. Use the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework from MITRE. This is not desirable right now because the framework currently limits itself to Windows post-exploitation activity.

2. Maintain the existing TTP definition from STIX v1.2. This might provide a good starting point, but lacks clarity because it includes other information and suffers from the general over-engineering common in v1.2.
3. Simply adopt the VERIS framework, in particular the Actions section. While useful, this does not contain enough information.
4. Allow users to specify TTPs in their own way, possibly including a field to note which existing standard they choose to use.

As an example, we could include the following fields within TTP:

1. Goal (string)
2. Action sequence (list of strings)
3. Reference framework ("ATT&CK", "CAPEC", "VERIS", or other user-supplied)

We should strip out mentions of targeting as listed in v1.2 because those should be listed as separate objects and a relationship created. There are other metadata fields that will be important, of course, like IDs and whatnot, but here I have been focusing on the TTP-specific things.

Next steps

In my mind, we need to first figure out a general approach: do we marry ourselves to a particular framework? Do we try to maintain some level of connection to the previous format?

Relevant Links

* Google Doc Playground (
* On TTPs - Blog post by Ryan Stillions (
http://ryanstillions.blogspot.com/2014/04/on-ttps.html <http://ryanstillions.blogspot.com/2014/04/on-ttps.html)> )

* VERIS Actions (
* STIX 1.2 (

* ATT&CK (

Kyle Maxwell [kmaxwell@verisign.com]
iDefense Senior Analyst

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]