[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Threat Actor Sophistication Levels
I also like using something that already exists. Our current sophistication levels come from STIX 1.x, which originally came from iSight several years ago. The Intel work also has levels. The DSB paper that Mark linked has the levels
that Pat pasted below. I would prefer we use one of these rather than come up with a superset…the danger in combining several taxonomies is that you risk muddying the waters when they overlap. As to which one…if both Pat and Mark like the DSB one (it’s on page 22 here:
http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf) and we’re free to use it (it’s public and USG work so I believe the answer is yes) I’m happy with that. The breakdown between using/creating tools and using/finding/creating vulnerabilities
makes a lot of sense to me. John From:
<cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org> Disregard my comments- [+1] to Mark's suggestion. Anytime we can adopt an existing well vetted taxonomy, we should. Tier Description I Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits).
II Practitioners with a greater depth of experience, with the ability to develop their own tools (from publically known vulnerabilities).
III Practitioners who focus on the discovery and use of unknown malicious code, are adept at installing user and kernel mode root kits10, frequently use data mining tools, target corporate executives and key users (government and industry)
for the purpose of stealing personal and corporate data with the expressed purpose of selling the information to other criminal elements.
IV Criminal or state actors who are organized, highly technical, proficient, well funded professionals working in teams to discover new vulnerabilities and develop exploits.
V State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in
the supply chain to enable exploitation of networks and systems of interest. Patrick Maroney
On Sun, Aug 7, 2016 at 1:45 PM -0400, "Patrick Maroney" <Pmaroney@Specere.org> wrote: _____________________________
Thanks, Bret Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]