Open jmgnc opened 9 years ago
This was my internal list so far - thoughts?
- Anomalous Activity
- Malicious Activity
- Command and Control *
- Anonymization
- Data Exfiltration
- Lateral Movement
- Privilege Escalation
- Reconnaissance
- Host/Process Compromise
- Watchlist
- Quantified Risk
- Policy Violation **
I do like your list, and agree w/ spelling out Command and Control.
I would remove Host/Process as that is creating an artificial distinction that isn't needed.
Maybe change Quantified Risk to Known Vulnerability? Quantified Risk sounds too abstract.
There is still a slight distinction which I'm not sure we should make, being an activity and a state. The Observables have Action and Event to take this on, so specifying Activity is extra. With this said, what is the difference between Malicious and Compromise(d)?
I don't like Privilege Escalation. It feels too similar to some of the others. Is this an attempt to elevate privilege (Malicious), or is it that a privilege escalation happened (Compromise), or is it that it enables privilege escalation (Known Vulnerability)?
Policy Violation should maybe be a subtype, or located elsewhere, because even if it's a policy violation, that doesn't override any of the other vocab.
Host/Process Compromise - The emphasis should probably be more on the "compromise" part. I am trying to call out the difference between an indicator communicating an actual compromise, vs. an indicator simply communicating activity. These are quite different events.
"Quantified Risk to Known Vulnerability? " - I am actually not referring to simply a vulnerability, but anything that indicates a risk. For example, a port that has been suspiciously opened in the host-based firewall would be a risk indicating APT activity.
Privilege Escalation is a specific phase of the kill chain - I really think it should be in there...
Compromise - I agree a difference between simple activity vs compromise. We don't have a normal activity vocab, and I think that is fine, since why would you want to alert on that.
For Quantified Risk: in the case of a port opened, why isn't that Anomalous Activity instead? Pretty much anything in an Indicator is a Risk, otherwise we wouldn't be looking for it.
I'd still like to know how Privilege Escalation differs from Compromise or Known Vulnerability in your mindset, though we should probably take this part of the discussion to something like Slack.
"In the case of a port opened, why isn't that Anomalous Activity instead?" A port being open is not activity in and of itself. It is simply a state of a host.
"how Privilege Escalation differs from Compromise or Known Vulnerability" - It's a phase of the kill chain that happens after a host compromise. Also, you don't necessarily need a known vulnerability to perform a privilege escalation.
But you were the one that said an open port is a risk indicating APT activity. If it's a risk of APT activity, then it should be Anomalous Activity or another one.
My proposal for the vocab is:
- Anomalous Activity - Indicator describes unexpected or unusual activity that may not necessarily be malicious or indicate compromise.
- Anonymization - Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).
- Command and Control - Indicator describes suspected command and control activity or static indications.
- Compromised - Indicator describes a compromised object, e.g., key, login, password.
- Data Exfiltration - Indicator describes suspected exfiltration techniques or behavior.
- Malicious Activity - Indicator describes suspected malicious objects and/or activity.
- Watchlist - Indicator describes a set of suspected malicious objects.
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.
I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.
First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.
For one, there is no vocab to describe a malicious observable, say a network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.
Removing type information would reduce the IndicatorTypeVocab down to:
- Compromised
- Malicious
- Watchlist
- C2
- Anonymization
- Exfiltration
The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable.
Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as its own separate type.
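The argument in the last comment (strip observable-type words like e-mail/IP/domain/hash from the vocab and derive them from the Observable instead) can be made concrete with a small validator. The following is an added example written for this page; it is not code from the thread, from the STIX project, or from any STIX library. The reduced vocab values are the six listed in the comment above, the legacy labels it maps (such as "Malicious E-mail" and "IP Watchlist") are assumed to be type-bearing labels of the shape the thread describes, and the sample indicators are constructed for illustration using documentation-reserved addresses and example domains.

```python
import ipaddress
import re

# Reduced vocabulary proposed in the thread, with observable-type information removed.
REDUCED_VOCAB = {"Compromised", "Malicious", "Watchlist", "C2", "Anonymization", "Exfiltration"}

# Words that describe *what kind* of observable an indicator carries. Under the proposal
# these belong on the Observable, not in the indicator type (assumed list for this example).
TYPE_WORDS = {"e-mail", "email", "ip", "domain", "url", "hash", "file"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
_HASH_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA-1, SHA-256


def observable_kind(value):
    """Infer the observable type (ip, email, url, file-hash, domain) from the value alone."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)        # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if _EMAIL_RE.match(v):
        return "email"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if _HEX_RE.match(v) and len(v) in _HASH_LENGTHS:
        return "file-hash"
    if _DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def legacy_to_reduced(legacy_label):
    """Drop the type-bearing words from a legacy label, e.g. 'Malicious E-mail' -> 'Malicious'.

    Returns None when what remains is not a value of the reduced vocab.
    """
    kept = [w for w in legacy_label.split() if w.lower() not in TYPE_WORDS]
    candidate = " ".join(kept)
    return candidate if candidate in REDUCED_VOCAB else None


def validate_indicator(indicator):
    """Check an indicator dict {'type': ..., 'observable': ...} against the reduced vocab.

    Returns (ok, observable_kind, problems). The type must be one of the six reduced values
    and must not smuggle observable-type words in; the observable must be classifiable.
    """
    problems = []
    ind_type = indicator.get("type", "")
    if ind_type not in REDUCED_VOCAB:
        problems.append(f"type {ind_type!r} is not in the reduced vocab")
        if any(w.lower() in TYPE_WORDS for w in ind_type.split()):
            mapped = legacy_to_reduced(ind_type)
            problems.append(
                f"type carries observable-type information; derive that from the observable"
                + (f" and use {mapped!r}" if mapped else "")
            )
    kind = observable_kind(indicator.get("observable", ""))
    if kind == "unknown":
        problems.append("cannot infer observable kind from the observable value")
    return (not problems, kind, problems)


# Constructed sample indicators (RFC 5737 documentation addresses, example domains, an MD5 of
# the empty string); not real threat data.
SAMPLE_INDICATORS = [
    {"type": "Watchlist", "observable": "203.0.113.7"},
    {"type": "C2", "observable": "c2.example.net"},
    {"type": "Compromised", "observable": "alice@example.com"},
    {"type": "Malicious", "observable": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "IP Watchlist", "observable": "198.51.100.4"},   # legacy, type-bearing label
]


def run_samples(indicators=SAMPLE_INDICATORS):
    """Validate every sample and return the list of (ok, kind, problems) results."""
    return [validate_indicator(i) for i in indicators]


if __name__ == "__main__":
    for ind, (ok, kind, problems) in zip(SAMPLE_INDICATORS, run_samples()):
        print(f"{ind['type']:<14} {ind['observable']:<36} kind={kind:<9} ok={ok} {problems}")
```

Note the last sample: "IP Watchlist" is rejected, but the validator can still tell the submitter that the observable is an IP and that "Watchlist" is the reduced value to use, which is exactly the redundancy the comment is pointing at.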