STIXProject / schemas

STIX Schema Development
http://stixproject.github.io/

Abstract "Victim" to top-level construct rather than only embedded within Incident and TTP #149

Open johnwunder opened 10 years ago

johnwunder commented 10 years ago

Victim information is represented in two places:

These are very similar constructs; does it make sense to create a top-level "Victim" construct and use references from Incident and TTP?

johnwunder commented 9 years ago

This might also be related to #235

athiasjerome commented 8 years ago

I would suggest having this abstracted as Asset (Ref. https://github.com/STIXProject/schemas/issues/234 )

In short, Asset could be: Organisation, Person (Ref CIQ), or IT-Asset Ref. http://csrc.nist.gov/publications/nistir/ir7693/NISTIR-7693.pdf

A Threat Actor or a Victim is basically an Asset.

(Note that, for going beyond Asset Identification in NISTIR-7693, inclusion of Physical Assets could be considered, e.g. https://nccoe.nist.gov/publication/draft/1800-5b/#t=ITAMvB%2F5Architecture%2F5Architecture.htm ) (Note also that another abstraction layer would lead to a decomposition of Components.)

packet-rat commented 8 years ago

[Attacker]<==>[Victim] relationships: Aren't these First Order Relationships?

We can tie some dimensions of Victims/Targets/Assets in via Incidents, but these seem to narrow the definitions and stovepipe the relations into "a series of Incidents" vs. a holistic view of the entire Red Team <==> Blue Team Cyber-Battlespace dynamics and relationships.

There are of course many scenarios where organizations will never share any Victim/Target specifics. However, there are also valid CTI Inter-Exchange Use Cases where it is not clear how to map these relationships effectively today.

Would appreciate any thoughts/insights on how to effectively model/manage these four Use Cases (including victim notification and coordination in (4)) using the existing CTI Model.

Use Case Examples

  1. One needs to model supply chain compromise TTPs where Intermediaries exist as both Victim and Target : [Attacker] ==> [Intermediary Target One | Attacker] ==> [Intermediary Target Two | Attacker] ==> [Actual End Target].
  2. Sharing Tokenized Victim Targeting Intelligence (for those Communities of Trust with Capability Maturity Models to perform Sector Wide Targeting Analysis for attack detection/mitigation and attribution).

    (Jim Smith, Senior VP, Naval Systems Business Development , Big Corporation, Jim.Smith@bigcorp.com) ==> [Tokenization] ==> (Employee138, Executive, Business Development, DIBCORP-44, Employee138@DIBCORP-44)

  3. Detailed attributional specifics on Assets of Victims, Intermediaries, and Attackers need to be reported (for example DIB DFARS Mandatory Incident Reporting to DoD via DC3/DCISE, DIB CDC Incident Reporting to DSS, etc.).
  4. There are real-world Cyber Battle-Space use cases that require substantive tracking of details on public facing assets across many dozens of organizations. For example, there is a specific APT Group that successfully compromises a common set of NGO, Media, Content Delivery Web Sites in recurring Fall and Spring Campaigns. They prepare the Battle-space by establishing admin control of these public facing websites, testing Exploiting/Delivery Methods (i.e., iFrame Insertion), removing same, and verifying they still control the assets ~ every 30 Days. When they prepare to launch their actual semi-annual campaigns, they pre-position new Zero Days and Exploit delivery mechanisms, and then in a coordinated process simultaneously change hundreds of NGO and Media Web Site Home pages to deliver the 0-Day exploit.

    4.1 In all cases the primary assets used in delivering initial/secondary attack phases are legitimate public facing assets. The real world CTI requirement is to track details on all of these public assets, their compromises, their organizations (Actual Content Owners, Web Services providers, ISPs), and their victims (through often complicated engagement with Content Owners, Web Services providers, ISPs, Agencies, and Law Enforcement). Since these attack patterns have continued since 2009, there is a much broader life-cycle management to Public Asset Monitoring, victim notification, and repeated remediation of root causes for what have historically been repeated web site compromises.
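The tokenization step in use case 2 above is the one part of this thread that is a concrete technique rather than a schema question, so here is an added worked example of it. This is not code from the STIX project or from any participant in the thread; the record, the community key, the title vocabularies and the token formats are all constructed to match the shape of the "(Jim Smith ...) ==> [Tokenization] ==> (Employee138, Executive, Business Development, DIBCORP-44, ...)" line. The design point it makes: tokens must be deterministic (so a sector-wide analyst can count repeated targeting of the same person or organisation across many reports) but keyed per community of trust (so a recipient, or anyone who obtains the feed, cannot confirm a guessed identity by hashing a staff directory, which a bare SHA-256 would permit).

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample record in the shape of the thread's use case 2; not real data.
RAW_VICTIM = {
    "name": "Jim Smith",
    "title": "Senior VP, Naval Systems Business Development",
    "org": "Big Corporation",
    "email": "Jim.Smith@bigcorp.com",
    "sector": "DIB",
}

# Assumed vocabularies for generalizing job titles; the thread only shows the
# output categories "Executive" and "Business Development".
EXECUTIVE_MARKERS = ("vp", "vice president", "president", "chief", "director", "ceo", "cfo", "cio", "ciso")
FUNCTIONS = ("Business Development", "Engineering", "Finance", "Human Resources", "IT", "Legal")


def generalize_title(title: str) -> Tuple[str, str]:
    """Reduce a free-text title to (seniority, function) so program or product
    names such as 'Naval Systems' never reach the shared record."""
    low = title.lower()
    seniority = "Executive" if any(m in low for m in EXECUTIVE_MARKERS) else "Staff"
    function = next((f for f in FUNCTIONS if f.lower() in low), "Other")
    return seniority, function


def pseudonym(key: bytes, scope: str, value: str) -> bytes:
    """Deterministic keyed pseudonym: HMAC-SHA256 over scope || NUL || normalized value.
    Same value and key always give the same bytes, which is what lets the receiving
    community correlate repeated targeting. Case/whitespace normalization stops
    'Jim.Smith@...' and 'jim.smith@...' from becoming two different victims.
    The scope prefix keeps a person token and an org token from ever colliding."""
    msg = scope.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def short_id(mac: bytes, width: int) -> int:
    """Fold a pseudonym into the small display numbers used in the thread's example."""
    return int.from_bytes(mac[:4], "big") % width


def tokenize_victim(record: dict, key: bytes) -> dict:
    """Produce the shareable form: pseudonymous person and org, generalized role,
    and a synthetic address built only from the pseudonyms. Sector is kept as-is
    because sector-wide targeting analysis is the stated purpose of sharing."""
    seniority, function = generalize_title(record["title"])
    org_id = short_id(pseudonym(key, "org", record["org"]), 100)
    person_id = short_id(pseudonym(key, "person", record["email"]), 1000)
    org_token = f"{record['sector']}CORP-{org_id:02d}"
    person_token = f"Employee{person_id}"
    return {
        "person": person_token,
        "seniority": seniority,
        "function": function,
        "org": org_token,
        "email": f"{person_token}@{org_token}",
        "sector": record["sector"],
    }


def unkeyed_token(value: str) -> bytes:
    """The tempting but wrong design: a bare hash of the identifier. Shown only
    to demonstrate why the per-community key matters."""
    return hashlib.sha256(value.strip().lower().encode()).digest()


def dictionary_guess(token: bytes, candidates: List[str]) -> Optional[str]:
    """What anyone holding the feed plus a staff directory can do against unkeyed
    tokens: hash every candidate and look for a match. Against HMAC tokens the
    same loop finds nothing, because the attacker cannot compute the MAC."""
    for candidate in candidates:
        if unkeyed_token(candidate) == token:
            return candidate
    return None


def leaks_raw_identity(tokenized: dict, record: dict) -> bool:
    """Release check: none of the raw identifying strings may survive tokenization."""
    blob = " ".join(str(v) for v in tokenized.values()).lower()
    needles = [record["name"], record["org"], record["email"], "naval systems"]
    return any(n.lower() in blob for n in needles)


if __name__ == "__main__":
    community_key = b"constructed-community-of-trust-key"
    print(tokenize_victim(RAW_VICTIM, community_key))
```

Two caveats a practitioner would add: the small display widths (100 orgs, 1000 employees) are cosmetic and will collide in a large sector, so correlation should be done on the full HMAC bytes and the short form used only for human-readable reports; and the community key is the whole secret, so rotating it breaks correlation with earlier reports, which is a deliberate trade-off to be decided per community of trust.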