RE: [cti] RE: On TTPs and specifications

["Thompson, Dean" <Dean.Thompson@anz.com>]

Hi!,

Just out of interest (based on the conversations going on with TTP's), is anyone looking at structuring COA's as well, especially with an end-game of looking to potentially automate activities based on the contents of a STIX package ?

I know this is something that we are pushing with vendors at the moment.  Of course the trick is coming up with a unified set of tasks/actions that vendors will want to support in their products.

Regards,

Dean

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of JG on CTI-TC
Sent: Thursday, 5 May 2016 8:57 AM
To: Casey, Eoghan CIV DC3/DCCI
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] RE: On TTPs and specifications

Eoghan & All:

I'm taking some of these suggestions and incorporating them into a Mind Map.  I'm embedding the URL links Kyle sent us right into the Mind Map objects.  To your point, there are other models, as well. At this point I'm just trying to be as inclusive as possible.. so we can begin to harmonize across the models.

https://mm.tt/695976249?t=VfINUnftUs

I've embedded your suggestions, given below, on the Modus Operandi Object in the Mind Map... Not sure if that is the right place... but, now there is a placeholder for these thoughts moving forward.

  TTP playground document on Google:

https://docs.google.com/document/d/1ei7poJMigVasVkoKeEhe0sBa-BS59WU0xJwtBDwpmv0/edit

We will use the process described by John Wunder (for STIX) and confirmed by Trey and Ivan (for CybOX) for working these through to resolution among the entire TC.

For those that are not yet on Slack, there is a very active conversation going in the #ttps channel, the analysts are beginning to weigh in... on what they need and really want to see for STIX 2.x & CybOX 3.x.....all CTI-TC Members are welcome.


Jane Ginn
CTIN


On 5/4/2016 12:30 PM, Casey, Eoghan CIV DC3/DCCI wrote:
> For the sake of learning from past experience, let's consider this topic in the broader context of criminal investigation. The terminology is different (MO and signature) but the concepts are the same.
>
> These definitions are taken in part from "Criminal Profiling: An Introduction to Behavioral Evidence Analysis" by Brent Turvey. Examples of from my joint work with Brent Turvey.
>
> 1) Modus operandi (MO) is Latin for "a method of operating." It refers to the behaviors that are committed by an offender for the purpose of successfully completing an offense. An offender's modus operandi reflects how an offender committed their crimes. It is separate from the offender's motives, or signature aspects. MO most often serves one or more of three purposes:
>
>      a) protects the offender's identity
>      b) ensures the successful completion of the crime
>      c) facilitates the offender's escape
>
> Examples of MO behaviors related to computer and Internet crimes include, but are most certainly not limited to:
>
>       - Amount of planning before a crime, evidenced by behavior and materials (i.e. notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).
>
>       - Materials used by the offender in the commission of the specific offense (i.e. system type, connection type, software involved, etc.).
>
>       - Presurveillance of a crime scene or victim (i.e. monitoring a potential victim's posting habits on a discussion list, learning about a potential victim's lifestyle or occupation on their personal website, contacting a potential victim directly using a friendly alias or a pretense, etc.).
>
>       - Offense location selection (i.e. a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).
>
>       - Use of a weapon during a crime (i.e. a harmful virus sent to a victim's PC as an e-mail attachment, etc.).
>
>       - Offender precautionary acts (i.e. the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).
>
> 2) Offender Signature (comprised of two parts):
>
>      a) Signature Behaviors: Signature behaviors are those acts committed by an offender that are not necessary to complete the offense. Their convergence can be used to suggest an offender's psychological or emotional needs (signature aspect). They are best understood as a reflection of the underlying personality, lifestyle, and developmental experiences of an offender.
>      b) Signature Aspects: The emotional or psychological themes or needs that an offender satisfies when they commit offense behaviors.
>
> Let's not limit TTP to a small subset of this valuable information. The details of an offender's MO and signature can be useful for case linkage - the general process of demonstrating discrete connections between two or more previously unrelated cases. A connection between one or more cases can be sufficiently distinctive as to support the inference that the same person is responsible.
>
> Eoghan Casey
>
>
> ---------------------------------------------------------------------

--
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 



This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.