usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Attack vs. Threat #300

Closed jim-thomson closed 8 years ago

jim-thomson commented 8 years ago

Organization: 3

Type: 63C

Document (63-3, 63A, 63B, or 63C):

Reference (Include section and paragraph number): Section 8.1

Comment (Include rationale for comment): Recommend changing "Threat Mitigation Strategies" to "Attack Mitigation Strategies" and using the word "attack" consistently throughout the document, rather than the mixed use of "attack" and "threat".

NIST is inconsistent in its terminology for distinguishing "attacks", sometimes called incidents, events, or threat events, from threats themselves, sometimes called threat actors, adversaries, or threat sources. The blurring of these terms complicates threat and attack modeling and the ties to risk management.

Suggested Change: Change "threat" to "attack" in most or all locations, depending on meaning.


Organization: 1 = Federal, 2 = Industry, 3 = Other

jimfenton commented 8 years ago

The usage of threat (vs. attack) in -63C seems to be consistent with its use in the other volumes. Was this comment meant to be specific to -63C or is it a general comment?

We have used threat in a way that is consistent with other usage I'm familiar with. Can you provide proposed definitions for threat and attack and citations to other publications that use them in this way?

jim-thomson commented 8 years ago

Sure, Jim. Here are some other references:

· NIST SP 800-12 describes an attack signature as a specific sequence of events indicative of an unauthorized access attempt.

· NIST SP 800-36 states: “ … which processes and user accounts are involved in a particular attack on the Operating System. … IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks.” And “IDSs which detect attacks by capturing and analyzing network packets.”

· NIST SP 800-44 talks about how a proxy is “… making it more difficult for an attacker to obtain internal addresses …”

· NIST SP 800-39 defines an advanced persistent threat (APT) as “an adversary with sophisticated levels of expertise and significant resources …”

· In addition, CNSS 4009 defines 20-30 terms using the terms attack and attacker. When it uses threat, it uses it largely in the context of potential attackers, such as insider threats. Unfortunately, CNSS 4009 quotes NIST 800-30 for its definition, which it doesn’t apply, which says a threat is a circumstance or event.

· NIST 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems, which should be the definitive guide for this, cites CNSS 4009 for its definition which cites 800-30. 800-37 uses threat agent and threat source.

Why does this matter to me? Because I once had to model the risks, impacts, vulnerabilities, countermeasures, and yes, attacks, and threats for a system that was being developed. An important piece was distinguishing between the threat [actors] and the attacks they could initiate because different actors had differing desires and capabilities to initiate attacks that had to be estimated.

Thanks for your time and consideration. Jim Thomson MITRE

paul-grassi commented 8 years ago

We prefer the term threat in 800-63 as we want to be complete in what we are covering.