Re: [cti] Threat Actor Sophistication Levels

["Jordan, Bret" <bret.jordan@bluecoat.com>]

I would rather make tweaks to what we have extensively worked on instead of opening a new month long debate about doing something different.  After working on this for a month and half I think we are close.  

Bret 

Sent from my Commodore 64

On Aug 8, 2016, at 7:02 AM, Wunder, John A. <jwunder@mitre.org> wrote:

I also like using something that already exists.

 

Our current sophistication levels come from STIX 1.x, which originally came from iSight several years ago. The Intel work also has levels. The DSB paper that Mark linked has the levels that Pat pasted below. I would prefer we use one of these rather than come up with a superset…the danger in combining several taxonomies is that you risk muddying the waters when they overlap.

 

As to which one…if both Pat and Mark like the DSB one (it’s on page 22 here: http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf) and we’re free to use it (it’s public and USG work so I believe the answer is yes) I’m happy with that. The breakdown between using/creating tools and using/finding/creating vulnerabilities makes a lot of sense to me.

 

John

 

From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Sunday, August 7, 2016 at 1:56 PM
To: Bret Jordan <bret.jordan@bluecoat.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Threat Actor Sophistication Levels

 

Disregard my comments- [+1] to Mark's suggestion.  Anytime we can adopt an existing well vetted taxonomy, we should.

 

Tier Description

 

I Practitioners who rely on others to develop the malicious code, delivery mechanisms, and execution strategy (use known exploits).

 

II Practitioners with a greater depth of experience, with the ability to develop their own tools (from publically known vulnerabilities).

 

III Practitioners who focus on the discovery and use of unknown malicious code, are adept at installing user and kernel mode root kits10, frequently use data mining tools, target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data with the expressed purpose of selling the information to other criminal elements.

 

IV Criminal or state actors who are organized, highly technical, proficient, well funded professionals working in teams to discover new vulnerabilities and develop exploits.

 

V State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.             

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

 

On Sun, Aug 7, 2016 at 1:45 PM -0400, "Patrick Maroney" <Pmaroney@Specere.org> wrote:

Comments inline:

Patrick Maroney
Email: pmaroney@specere.org
Cell: (609)841-5104

 

_____________________________
From: Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Saturday, August 6, 2016 9:28 PM
Subject: [cti] Threat Actor Sophistication Levels
To: <cti@lists.oasis-open.org>

These may be too granular for what are ultimately subjective assertions an analyst will make. Can we establish non-subjective criteria for each category?

 

1. Unspecified
2. Novice (script kiddie)
3. operator

1. Focuses on specific tasks within a campaign
2. Can operate systems for an attack
3. Can run tool kits designed by others
4. Is a contributor to a larger organization <<<remove-not a discriminator >>>

4. technician

1. Focuses on specific mission objectives and goals
2. Can troubleshoot and fix systems used in an attack
3. Can execute attack plans and campaigns

5. professional

1. Focuses on broad tactical and mission goals
2. Can identify targets and build attack plans
3. Can use and <<<tailor>> advanced toolkits

6. architect

1. Focuses on broad organizational goals
2. Can design the attack infrastructure 

7. specialist

1. Has very specialized skills but is not planning on running the show
2. Reverse Engineers
3. 1-day Malware Author. <<<what is 1-day?>>>
4. Botnet infrastructure architect

8. expert

1. Focuses on strategic goals
2. Able to plan very elaborate and advanced attacks
3. Is a specialist in more than one area
4. 0-day Malware Author

9. innovator

1. Thinks and plans for the future
2. Designs new malware toolkits
3. Innovates and move the attacker community forward
4. Is an expert in more than one area

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."