RE: [cti] Attack Motivations

[Iain Brown <IBrown@cert.gov.uk>]

As it happens, two messages entitled “Taxonomies & Sharing mechanism” landed in my inbox this morning, from the IntelMQ dev mailing list (http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev). One of the people attending an ENISA/EC3 workshop in The Hague this autumn alerted the IntelMQ list that ENISA/EC3 is surveying participants about taxonomies and formats to be used in CERT-to-CERT and CERT-to-Law Enforcement information sharing.

 

Otmar Lendl (CERT.at) wrote “IntelMQ is based on eCSIRT II, which some working-group in the ENISA/EC3/EMPACT universe has declared to be obsolete. See this monster of a report: https://www.enisa.europa.eu/publications/information-sharing-and-common-taxonomies-between-csirts-and-law-enforcement ”

 

The survey questions include:

 

·         Do you believe that the Common Taxonomy for the national network of CSIRT/LEA (formerly known as CERT.PT Taxonomy) is suitable for CSIRT/LEA communication?

                Yes / No / Other

 

·         Have you ever used one of the following?

                STIX / CybOX / Other sharing Mechanism

 

·         What do you think could be a suitable sharing mechanism for the Common Taxonomy for the national network of CSIRT/LEA?

                STIX / CybOX / Other sharing Mechanism

 

 

Extract from 'Report on Information Sharing and Common Taxonomies between CSIRTs and Law Enforcement Agencies'

 

A clear distinction should be made between a taxonomy, a sharing mechanism and a sharing platform to avoid any possible confusion. While a taxonomy is a way of describing information through classification, a sharing mechanism structures the way the information is encoded. For example, a sharing mechanism might provide rules for names and positions of XML tags to allow a file to be treated automatically. Finally, a sharing platform is a tool allowing to share information. It is not mandatory to have such a platform – files containing information structured according to a standard and classified according to a taxonomy could simply be sent by e-mail, for example. Nevertheless, the use of a sharing platform allows users to easily share information in a structured way.

 

 

Another list member, Andrew Clark from CERT-AU, replied with information about MISP:

 

… take a look at how many taxonomies [MISP] tried to accommodate: https://github.com/MISP/misp-taxonomies/

 

If I'm reading the correct things, I suspect we might be lucky because the CERT.pt taxonomy looks very similar to the eCSIRT taxonomy used by IntelMQ (and supported by MISP).

 

The CERT.pt taxonomy (from this site: http://www.cncs.gov.pt/cert-pt-2/documents-2/) includes 18 "incident types" and 10 "incident classes". The ClassificationType class from IntelMQ supports 20 values, including the 18 from the CERT.pt taxonomy, plus "unknown" and "blocklist". Based on this, I don't think there is a good reason to change what IntelMQ uses now.

 

Regarding STIX and Cybox (and TAXII), here at CERT Australia we are using them heavily. STIX includes a 'TTP' object which can be associated with Indicators. TTPs include 'behaviours' and while STIX supports the CAPEC (capec.mitre.org) taxonomy natively, it would be easy to extend to support arbitrary taxonomies.

 

My intention in highlighting these taxonomies is to simply draw readers’ attention to the taxonomy a lot of counterpart CERTs in Europe may be adopting.

 

Best wishes,

 

Iain.

 

--

Iain D. Brown

Incident Response Team

CERT-UK

ibrown@cert.gov.uk | 07990 567 644

 

Duty Officer: 0207 147 4411 | incidents@cert.gov.uk

 

 

 

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: 08 August 2016 09:34
To: Patrick Maroney <Pmaroney@specere.org>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Attack Motivations

 

I concur strongly

Some common taxonomies and enumerations were captured here

http://www.frhack.org/research/Information_Security_Vocabularies.xlsx

 

My experience of developing softwares (for 15+ years) using enumerations in combo lists, etc. in a domain like cybersecurity let me think here that exhaustive "cover them all and please everybody" enumerations can't be found. 

An approach using a hierarchical categorization/classification (I.e. Multi steps for 1) select a general category - mandatory 2) select a more detailed category between the ones of 1) - optional) helps ensuring a minimum of coherence without "giving headaches" to those who hate (being specific) spending more than 5s finding The value in a list.

E.g.: views in CWE, CAPEC

On Sunday, 7 August 2016, Patrick Maroney <Pmaroney@specere.org> wrote:

I know we are on a tight timelime and want to close on these enumerations.  However, I want to add a strategically focused comment here: The overarching point is to advocate for common adoption of taxonomies across standards (formal and de facto).  By taking the time to identify and adopt "best of breed" taxonomies, we can then srategically do outreach and advocate for homogenization and drive convergence.  So presuming we will always have a variety of CTI schemas and ontologies (e.g., VERIS, OpenIOC, CIF), the convergence and adoption of shared Taxonomies will empower easier transformations between different formats and internal data representations.

 

If we could get all CTI TC members to submit their existing taxonomies for the categories in question, maybe we could quickly reach concurrence and homogenization.  Thoughts?

 

 I know I've seen some very good Motivation Taxonomies with good descriptions.  Have not found "the" one yet...@Jerome Athias: Your thoughts?

 

Alternatively, here's some of the better ones I've found today. 

 

 

(1) The IBM X-Force taxonomy

 

Since this is copyrighted material I can't provide the spacifics. One can register for the paper here: https://www-01.ibm.com/marketing/iwm/iwm/web/signup.do?source=ibm-WW_Security_Services&S_PKG=ov47531&S_TACT=C405001W&dynform=21982&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=42640253661614409439900&cm_mc_sid_50200000=1470597188

 

 (We would have to normalize their "Outrage Trolls" Class).  

 

 

(2) VERIS Taxonomy

 

ACTOR.X.MOTIVE

NA: Not Applicable (unintentional action)

Espionage: Espionage or competitive advantage

Fear: Fear or duress

Financial: Financial or personal gain

Fun: Fun, curiosity, or pride

Grudge: Grudge or personal offense

Ideology: Ideology or protest

Convenience: Convenience of expediency

Unknown: Unknown

Other: Other

 

 

 

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

 

(4) NIST

 

Couldn't find one but believe a taxonomy exists

On Sun, Aug 7, 2016 at 4:13 PM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

This Taxonomy did come from an existing well vetted solution. aka the Intel Threat Agent work.  But given that work applies to general threat actors, we are trying I tailor it more specifically to the cyber space.

 

The reason I am looking to add a few values is I have been reviewing every taxonomy I can find and make sure our terms and definitions cover everything that cerebrally exists.  

 

Bret 

Sent from my Commodore 64

On Aug 7, 2016, at 12:42 PM, Patrick Maroney <Pmaroney@Specere.org> wrote:

.02:  Like Sophistication, we should directly adopt  an existing, well vetted, Taxonomy.  

 

@Patrick/ISightPartners or @EclecticIQ:  Can you provide reference?

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

 

On Sun, Aug 7, 2016 at 12:15 AM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

All,

 

Intrusion Sets and Threat Actors both use the Attack Motivations vocabulary.  Right now we have the following terms in that vocab:

 

1. accidental
2. coercion
3. dominance
4. ideology
5. notoriety
6. organizational-gain
7. personal-gain
8. personal-satisfaction
9. revenge
10. unpredictable

 

 

I propose that we add the following thee terms to this list, I missed them when I was putting this list together.  

 

1. amusement
2. advantage (competitive, political, economic)
3. anarchy

 

 

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

**********************************************************************
This email and any files transmitted with it are intended solely for the use of the individual(s) to whom they are addressed. If you are not the intended recipient and have received this email in error, please notify the sender and delete the email.

This footnote also confirms that our email communications may be monitored to ensure the secure and effective operation of our systems and for other lawful purposes, and that this email has been swept for malware and viruses.

The original of this email was scanned for viruses by the scanning service supplied by Symantec. On leaving us this email was certified virus free. Communications from and to us may be automatically logged, monitored and/or recorded for legal purposes.