Subject: Re: [cti] COA's (was: On TTPs and specifications)


I have talked with a lot of vendors, part of my day-job, and when the topic of STIX comes up, everyone is interested (with a level of caution) in automated courses of action.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On May 5, 2016, at 07:08, Thompson, Dean <Dean.Thompson@anz.com> wrote:


Hi!,

I just thought that it would be a good idea to see what is out there and then build up a list of COA's that could be used and hopefully with enough support get vendors to be able to understand and process.  It would be pretty good to build up a STIX document that provided some COA's for more detailed monitoring or alerting or automatically build a firewall rule.

Regards,

Dean
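As an added example (not code from this thread, nor from STIX, OpenC2 or any vendor), here is one way to process COAs of the kind Dean describes with the caution Bret notes: a hypothetical `x_action` custom property carries the structured action, only allowlisted action kinds against non-internal targets become rules, and everything else is held for a human. The bundle, ids, rule templates and internal ranges are all constructed.

```python
import json
import ipaddress

# Constructed sample bundle. "x_action" is a hypothetical custom property
# (STIX 2 reserves the x_ prefix for extensions); it is not a STIX field.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "course-of-action",
         "id": "course-of-action--00000000-0000-4000-8000-000000000002",
         "x_action": {"kind": "block-ip", "target": "198.51.100.23"}},
        {"type": "course-of-action",
         "id": "course-of-action--00000000-0000-4000-8000-000000000003",
         "x_action": {"kind": "alert", "target": "198.51.100.0/24"}},
        {"type": "course-of-action",   # destructive: never automated
         "id": "course-of-action--00000000-0000-4000-8000-000000000004",
         "x_action": {"kind": "wipe-host", "target": "203.0.113.9"}},
        {"type": "course-of-action",   # target is on our own network
         "id": "course-of-action--00000000-0000-4000-8000-000000000005",
         "x_action": {"kind": "block-ip", "target": "10.0.0.5"}},
    ],
})

# Only these action kinds may run unattended; the templates are illustrative.
ALLOWED = {
    "block-ip": "iptables -I FORWARD -d {net} -j DROP",
    "alert": "alert ip any any -> {net} any (msg:\"STIX COA\";)",
}
# Constructed list of the organisation's own ranges; never auto-block these.
INTERNAL = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_actions(bundle_json):
    """Return (commands, held): vetted rule strings, and ids of COAs needing a human."""
    commands, held = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "course-of-action":
            continue
        act = obj.get("x_action") or {}
        kind, target = act.get("kind"), act.get("target")
        try:
            net = ipaddress.ip_network(str(target), strict=False)  # reject non-IP targets
        except ValueError:
            held.append(obj["id"]); continue
        if kind not in ALLOWED or any(net.overlaps(r) for r in INTERNAL):
            held.append(obj["id"]); continue
        commands.append(ALLOWED[kind].format(net=net))
    return commands, held
```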

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Paul Patrick
Sent: Thursday, 5 May 2016 11:00 PM
To: Crawford, David; Thompson, Dean; 'cti@lists.oasis-open.org'
Subject: Re: [cti] RE: On TTPs and specifications

We’re a member of OpenC2 and I’ve reached out to colleagues that are members to get some input.


Regards,

Paul Patrick



On 5/5/16, 8:53 AM, "cti@lists.oasis-open.org on behalf of Crawford, David" <cti@lists.oasis-open.org on behalf of David.Crawford@aetna.com> wrote:

The OpenC2 project (http://openc2.org/) recently came to my attention and their roadmap lists STIX COA's.

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Thompson, Dean
Sent: Thursday, May 05, 2016 8:38 AM
To: 'cti@lists.oasis-open.org'
Subject: RE: [cti] RE: On TTPs and specifications


Hi!,

Just out of interest (based on the conversations going on with TTP's), is anyone looking at structuring COA's as well, especially with an end-game of looking to potentially automate activities based on the contents of a STIX package?

I know this is something that we are pushing with vendors at the moment.  Of course the trick is coming up with a unified set of tasks/actions that vendors will want to support in their products.

Regards,

Dean

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of JG on CTI-TC
Sent: Thursday, 5 May 2016 8:57 AM
To: Casey, Eoghan CIV DC3/DCCI
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] RE: On TTPs and specifications

Eoghan & All:

I'm taking some of these suggestions and incorporating them into a Mind Map.  I'm embedding the URL links Kyle sent us right into the Mind Map objects.  To your point, there are other models, as well. At this point I'm just trying to be as inclusive as possible.. so we can begin to harmonize across the models.

https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.tt_695976249-3Ft-3DVfINUnftUs&d=BQIFAg&c=wluqKIiwffOpZ6k5sqMWMBOn0vyYnlulRJmmvOXCFpM&r=VSdOgLriLD7HpoeFtC90d5igPc9V9xdARzW62mA9sSU&m=-Jx9TMSuJP6BXdqROk2h-AjANdf5t7dmPQZKYpJQJ9s&s=l2at0E2uIpXogOep1m7ZDiBoJqgk6GecUoVHpBRYalM&e=

I've embedded your suggestions, given below, on the Modus Operandi Object in the Mind Map... Not sure if that is the right place... but, now there is a placeholder for these thoughts moving forward.

TTP playground document on Google:

https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_1ei7poJMigVasVkoKeEhe0sBa-2DBS59WU0xJwtBDwpmv0_edit&d=BQIFAg&c=wluqKIiwffOpZ6k5sqMWMBOn0vyYnlulRJmmvOXCFpM&r=VSdOgLriLD7HpoeFtC90d5igPc9V9xdARzW62mA9sSU&m=-Jx9TMSuJP6BXdqROk2h-AjANdf5t7dmPQZKYpJQJ9s&s=CChuRgpBkB8nVrwfQdCs6-fnZAtf3JZMhlVg3TPCoV4&e=

We will use the process described by John Wunder (for STIX) and confirmed by Trey and Ivan (for CybOX) for working these through to resolution among the entire TC.

For those that are not yet on Slack, there is a very active conversation going in the #ttps channel, the analysts are beginning to weigh in... on what they need and really want to see for STIX 2.x & CybOX 3.x.....all CTI-TC Members are welcome.


Jane Ginn
CTIN


On 5/4/2016 12:30 PM, Casey, Eoghan CIV DC3/DCCI wrote:
For the sake of learning from past experience, let's consider this topic in the broader context of criminal investigation. The terminology is different (MO and signature) but the concepts are the same.

These definitions are taken in part from "Criminal Profiling: An Introduction to Behavioral Evidence Analysis" by Brent Turvey. Examples are from my joint work with Brent Turvey.

1) Modus operandi (MO) is Latin for "a method of operating." It refers to the behaviors that are committed by an offender for the purpose of successfully completing an offense. An offender's modus operandi reflects how an offender committed their crimes. It is separate from the offender's motives, or signature aspects. MO most often serves one or more of three purposes:

    a) protects the offender's identity
    b) ensures the successful completion of the crime
    c) facilitates the offender's escape

Examples of MO behaviors related to computer and Internet crimes include, but are most certainly not limited to:

     - Amount of planning before a crime, evidenced by behavior and materials (i.e. notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).

     - Materials used by the offender in the commission of the specific offense (i.e. system type, connection type, software involved, etc.).

     - Presurveillance of a crime scene or victim (i.e. monitoring a potential victim's posting habits on a discussion list, learning about a potential victim's lifestyle or occupation on their personal website, contacting a potential victim directly using a friendly alias or a pretense, etc.).

     - Offense location selection (i.e. a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).

     - Use of a weapon during a crime (i.e. a harmful virus sent to a victim's PC as an e-mail attachment, etc.).

     - Offender precautionary acts (i.e. the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).

2) Offender Signature (comprised of two parts):

    a) Signature Behaviors: Signature behaviors are those acts committed by an offender that are not necessary to complete the offense. Their convergence can be used to suggest an offender's psychological or emotional needs (signature aspect). They are best understood as a reflection of the underlying personality, lifestyle, and developmental experiences of an offender.
    b) Signature Aspects: The emotional or psychological themes or needs that an offender satisfies when they commit offense behaviors.

Let's not limit TTP to a small subset of this valuable information. The details of an offender's MO and signature can be useful for case linkage - the general process of demonstrating discrete connections between two or more previously unrelated cases. A connection between one or more cases can be sufficiently distinctive as to support the inference that the same person is responsible.

Eoghan Casey


---------------------------------------------------------------------

--
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.oasis-2Dopen.org_apps_org_workgroup_portal_my-5Fworkgroups.php&d=BQIFAg&c=wluqKIiwffOpZ6k5sqMWMBOn0vyYnlulRJmmvOXCFpM&r=VSdOgLriLD7HpoeFtC90d5igPc9V9xdARzW62mA9sSU&m=-Jx9TMSuJP6BXdqROk2h-AjANdf5t7dmPQZKYpJQJ9s&s=EUYNTgY4sBlevhOkTzPYjR_jxn6lM5uQDUjFVm2KfDw&e=



This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.


This e-mail may contain confidential or privileged information. If you
think you have received this e-mail in error, please advise the sender
by reply e-mail and then delete this e-mail immediately. Thank you.
Aetna





Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


