Re: [cti] Threat Actor Sophistication Levels

[Patrick Maroney <Pmaroney@Specere.org>]

Disregard my comments- [+1] to Mark's suggestion.  Anytime we can adopt an existing well vetted taxonomy, we should.

Tier Description

I Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits).

II Practitioners with a greater depth of experience, with the ability to develop their own tools (from publically known vulnerabilities).

III Practitioners who focus on the discovery and use of unknown malicious code, are adept at installing user and kernel mode root kits10, frequently use data mining tools, target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data with the expressed purpose of selling the information to other criminal elements.

IV Criminal or state actors who are organized, highly technical, proficient, well funded professionals working in teams to discover new vulnerabilities and develop exploits.

V State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.             

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

On Sun, Aug 7, 2016 at 1:45 PM -0400, "Patrick Maroney" <Pmaroney@Specere.org> wrote:

Comments inline:

Patrick Maroney
Email: pmaroney@specere.org
Cell: (609)841-5104

_____________________________
From: Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Saturday, August 6, 2016 9:28 PM
Subject: [cti] Threat Actor Sophistication Levels
To: <cti@lists.oasis-open.org>

These may be too granular for what are ultimately subjective assertions an analyst will make. Can we establish non-subjective criteria for each category?

1. Unspecified
2. Novice (script kiddie)
3. operator
   1. Focuses on specific tasks within a campaign
   2. Can operate systems for an attack
   3. Can run tool kits designed by others
   4. Is a contributor to a larger organization <<<remove-not a discriminator >>>
4. technician
   1. Focuses on specific mission objectives and goals
   2. Can troubleshoot and fix systems used in an attack
   3. Can execute attack plans and campaigns
5. professional
   1. Focuses on broad tactical and mission goals
   2. Can identify targets and build attack plans
   3. Can use and <<<tailor>> advanced toolkits
6. architect
   1. Focuses on broad organizational goals
   2. Can design the attack infrastructure 
7. specialist
   1. Has very specialized skills but is not planning on running the show
   2. Reverse Engineers
   3. 1-day Malware Author. <<<what is 1-day?>>>
   4. Botnet infrastructure architect
8. expert
   1. Focuses on strategic goals
   2. Able to plan very elaborate and advanced attacks
   3. Is a specialist in more than one area
   4. 0-day Malware Author
9. innovator
   1. Thinks and plans for the future
   2. Designs new malware toolkits
   3. Innovates and move the attacker community forward
   4. Is an expert in more than one area

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."