
openc2 message



Subject: Re: [openc2] Descriptive Language for Cyber Threat Hunting


Jane,

This is great work! As we discussed at today’s meeting, we should find a way to preserve it in a CN or FAQ or both.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org> on behalf of JG @ OASIS <jg@ctin.us>
Date: Monday, January 9, 2023 at 11:32 PM
To: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org>
Subject: [openc2] Descriptive Language for Cyber Threat Hunting

Mike, Duncan, Dave & All:

During our last meeting Toby suggested that we develop some descriptive language about what Cyber Threat Hunting best practices would be.  This is a follow-on to the Repo just opened for an Actuator Profile for Cyber Threat Hunting. 

I took the action item of doing a first cut based on the event-based CTI we conduct during Sports-ISAO pop-up SOCs. 

Importantly, in the sports domain, we have to hunt on both technical telemetry and social media disseminated influence operations threats.  Therefore, our methodology uses what we call 'Deep Source Checking' to triangulate on threats as they emerge with close collaboration between the two different teams. 

See attached draft language. I tried to keep it concise.   

-- 
**********************************
R. Jane Ginn, MSIA, MRP
OASIS, TAC TC Secretary
jg@ctin.us
**********************************

