From: Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Saturday, August 6, 2016 9:28 PM
Subject: [cti] Threat Actor Sophistication Levels
To: <cti@lists.oasis-open.org>
These may be too granular for what are ultimately subjective assertions an analyst will make. Can we establish non-subjective criteria for each category?
- Unspecified
- Novice (script kiddie)
- operator
  - Focuses on specific tasks within a campaign
  - Can operate systems for an attack
  - Can run tool kits designed by others
  - Is a contributor to a larger organization <<<remove - not a discriminator>>>
- technician
  - Focuses on specific mission objectives and goals
  - Can troubleshoot and fix systems used in an attack
  - Can execute attack plans and campaigns
- professional
  - Focuses on broad tactical and mission goals
  - Can identify targets and build attack plans
  - Can use and <<<tailor>>> advanced toolkits
- architect
  - Focuses on broad organizational goals
  - Can design the attack infrastructure
- specialist
  - Has very specialized skills but is not planning on running the show
  - Reverse Engineers
  - 1-day Malware Author <<<what is 1-day?>>>
  - Botnet infrastructure architect
- expert
  - Focuses on strategic goals
  - Able to plan very elaborate and advanced attacks
  - Is a specialist in more than one area
  - 0-day Malware Author
- innovator
  - Thinks and plans for the future
  - Designs new malware toolkits
  - Innovates and moves the attacker community forward
  - Is an expert in more than one area
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."