STIXProject / schemas

STIX Schema Development
http://stixproject.github.io/

Should have a field in the Threat Actor to characterize the sophistication of that actor #68

Closed johnwunder closed 10 years ago

johnwunder commented 11 years ago

Likely this would be a controlled vocab through StatementType to allow for controlled vocab values, confidence, and a prose description.

This was suggested by iSight.

bauman commented 11 years ago

Similar to #75, adding a layer of subjectivity is useful for a quick judgement call if needed, but evidence backed by CybOX objects, or MAEC samples, or CVEs leveraged by an actor supposedly behind a group of STIX indicators would be more useful for analysis.

If implemented, could there be a requirement, or at least a "should" that suggests adding the CybOX/MAEC/CVEs so that the STIX report could speak for itself?

johnwunder commented 10 years ago

This issue is now open for community review. Please see the associated proposal: https://github.com/STIXProject/schemas/wiki/Proposal:-Add-Sophistication-field-to-Threat-Actor

johnwunder commented 10 years ago

The proposal was accepted as-is and this issue is now ready to be implemented.

@bauman, I think much of what you're requesting can be done through relationships to TTPs that describe the infrastructure, tools, tactics, etc. that the threat actor leverages. We probably don't want to require this, because it would prevent people from a simple description, but individual communities could encourage or require it based on their needs.

johnwunder commented 10 years ago

This was closed by @JWParlee in #107, commit d190b8a.