[STIX] Report Template for Threat Intelligence and Incident Response

[STIX] Report Template for Threat Intelligence and Incident Response

Hi,

I just want to share this with you.
https://zeltser.com/cyber-threat-intel-and-ir-report-template/

An interesting Guidance Document, coming with a Conceptual Map. (CC BY 4.0)
(good candidates for the OASIS STIX SC)

Best regards
Re: [STIX] Report Template for Threat Intelligence and Incident Response

Jon Baker
Thanks for sharing.

It would be interesting to see a lightweight transform that could take the template and transform it to a STIX representation. From a quick look at their template, it seems like it would map well into STIX.

With permission from LMCO, we posted a STIX representation of their Kill Chain:
http://stix.mitre.org/language/version1.2/stix_v1.2_lmco_killchain.xml

Our intent was to provide one XML representation of the kill chain for the community to reference or use.

In the same vein, we could also post a set of COAs to reflect the Courses of Action matrix in the LMCO paper. Would people use these as a reference? Are other higher level CoAs also worth representing in STIX in one central location for reference?

Thanks,

Jon

============================================
Jonathan O. Baker
J83D - Cyber Security Partnerships, Sharing, and Automation
The MITRE Corporation
Email: [hidden email]

>-----Original Message-----
>From: Jerome Athias [mailto:[hidden email]]
>Sent: Friday, June 26, 2015 1:00 AM
>To: stix-discussion-list Structured Threat Information Expression/ST
>Subject: [STIX] Report Template for Threat Intelligence and Incident Response

Re: [STIX] Report Template for Threat Intelligence and Incident Response

I would be interested in the MAE Catalog, with use of the
Countermeasures (CMs) as COAs (while the CMs are linked to the CAPEC
TTPs by the TARA Threat Matrix)
Ref. https://www.mitre.org/publications/technical-papers/threat-assessment--remediation-analysis-tara


2015-06-26 14:40 GMT+03:00 Baker, Jon <[hidden email]>:

Re: [STIX] Report Template for Threat Intelligence and Incident Response

- while the CMs are linked to the CAPEC TTPs by the TARA Threat Matrix
+ while the CMs are linked to the CAPEC TTPs by the TARA TTP/CM Mapping Table


2015-06-26 15:24 GMT+03:00 Jerome Athias <[hidden email]>:

Re: [STIX] Report Template for Threat Intelligence and Incident Response

In reply to this post by Jon Baker
Note also that in terms of TTPs, potentially, some could be interested
in "ADVERSARIAL THREAT EVENTS" like the ones in NIST SP 800-30, Table
E-2.


Re: [STIX] Report Template for Threat Intelligence and Incident Response

The ASD/Defence Signals Directorate (DSD) Top 35 Strategies to
Mitigate Targeted Cyber Intrusions could also be a candidate.
http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm


2015-06-28 15:39 GMT+03:00 Jerome Athias <[hidden email]>:
Re: [STIX] Report Template for Threat Intelligence and Incident Response

JaneGinn
Jerome/Jon & All:

There is also the very comprehensive typology developed by Intel. I've attached the PDF article outlining the typology of the original library, plus a more recent article that gives more granularity to the issue of threat actor motivation.


Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network (CTIN)
+1 (928) 399-0509




On Sun, Jun 28, 2015 at 10:04 PM, Jerome Athias <[hidden email]> wrote:


Attachments:
- Intel Corp_Threat Agent Library_07-2202w.pdf (230K)
- Intel Corp_Threat Agent Motivations_Feb2015.pdf (467K)

Re: [STIX] Report Template for Threat Intelligence and Incident Response

And also
https://attack.mitre.org/wiki/Main_Page

On Tuesday, June 30, 2015, Jane Ginn <[hidden email]> wrote: