[STIX] Victim Targeting and Incident Victim


[STIX] Victim Targeting and Incident Victim

Townsend, Ryan

STIX Community:

 

There appear to be two pathways to Victim:

- TTP > Victim_Targeting > Identity

- Incident > Victim > Identity

 

Presumably the first represents intended targets, and the latter represents actual targets.

 

However, Incident also links to TTP (via Leveraged_TTPs), creating an alternate path to represent actual targets:

- Incident > Leveraged_TTPs > Victim_Targeting > Identity

 

For other TTP constructs such as Behaviors there is not a direct link from Incident, but it appears for Victims there is some optionality.

Are both valid routes? Is there any meaning difference between the two?

 

Thanks

Ryan

 

 

---

Ryan Townsend | Technology Risk | Goldman Sachs | (917) 343-3478

 


Re: [STIX] Victim Targeting and Incident Victim

Collie, Byron S.

Actually I would vote to create a completely separate Victim entity object as, if you do targeting analysis, victim demography is very important and becomes part of the threat modeling in terms of higher order observations not just TTPs. For example, the FBI indictments of Unit 61398 members etc. I guess a difference for us may be looking to model strategic and operational intelligence, not just tactical intelligence to be applied directly to network defense. This is where STIX offers more in the threat and risk assessment space, rather than just the lower order network defense components.

 

My 0.02c.

Byron

 


 


Re: [STIX] Victim Targeting and Incident Victim

Barnum, Sean D.
In reply to this post by Townsend, Ryan
Yeah, this is a proposed change that has been talked about a bit and is likely on the table for discussion/consideration for the next major release. It is obviously a major architecture change so would be out of the question for a minor release.

To Ryan’s original question, the Victim structure in Incident is intended to capture characterization of specific victims (“who”) targeted/affected within the context of a specific Incident. The Victim_Targeting structure within TTP is intended to capture more abstract characterization of victims (“who” and/or “what”) being targeted but not limited in scope to just a single incident. The content of TTP/Victim_Targeting instances is typically derived from Victim characterizations in Incidents. They provide value in enabling characterization of victim targeting outside the bounds of a single Incident (e.g. Victim targeting by a given threat actor, or in a given campaign or by a particular TTP/Behavior). It should be noted that the Incident/Victim structure is focused purely on Identity while the more abstract TTP/Victim_Targeting can also characterize targeting behaviors against particular types of systems, types of information, or specific technical contexts in addition to Identity. These dimensions are typically derived from a range of non-identity-centric technical details/constructs within an Incident, not just the “who” that was targeted.
So, there is an intentional difference between the two constructs and they are currently located in different places based on that difference in intended context. That being said, the reality is that the actual type structures for each may not need to be separate. As Byron proposes and has been discussed for a while, there may be an opportunity to define a single structure for Victim and just have the differing contexts for specific characterization (in Incidents) and abstract characterization (currently in TTP) simply have elements referencing the common type.

Does the above explanation help or confuse things further? :-)

sean
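To make the distinction above concrete, here is an added example (not from this thread, and not STIX project code) that walks both routes over a constructed STIX 1.1.1 package with Python's standard-library XML parser: the Incident's own Victim (the actual "who"), and the abstract Victim_Targeting reached from the Incident through Leveraged_TTPs and an idref. The package content, the `example:` ids, the organisation names and the plain-string system/information values are all constructed for the example.

```python
"""Walk the two Victim pathways of a STIX 1.x package (constructed example)."""
import xml.etree.ElementTree as ET

# STIX 1.x namespace prefixes used in the path queries below.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "incident": "http://stix.mitre.org/Incident-1",
}

# Constructed sample package: ids, names and the free-text Targeted_Systems /
# Targeted_Information values are made up, and the controlled-vocabulary
# xsi:type attributes are left off to keep it short. One TTP carries abstract
# Victim_Targeting; one Incident names a concrete Victim and leverages that
# TTP by idref.
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.1.1">
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
      <ttp:Title>Spear phishing against finance staff</ttp:Title>
      <ttp:Victim_Targeting>
        <ttp:Identity><stixCommon:Name>Financial services sector</stixCommon:Name></ttp:Identity>
        <ttp:Targeted_Systems>Enterprise Systems - Web Layer</ttp:Targeted_Systems>
        <ttp:Targeted_Information>Information Assets - Financial Data</ttp:Targeted_Information>
      </ttp:Victim_Targeting>
    </stix:TTP>
  </stix:TTPs>
  <stix:Incidents>
    <stix:Incident id="example:incident-1" xsi:type="incident:IncidentType">
      <incident:Title>Phishing email delivered to treasury team</incident:Title>
      <incident:Victim><stixCommon:Name>Example Bank plc</stixCommon:Name></incident:Victim>
      <incident:Leveraged_TTPs>
        <incident:Leveraged_TTP><stixCommon:TTP idref="example:ttp-1"/></incident:Leveraged_TTP>
      </incident:Leveraged_TTPs>
    </stix:Incident>
  </stix:Incidents>
</stix:STIX_Package>
"""


def load_package(xml_text=SAMPLE_PACKAGE):
    """Parse a STIX 1.x package and return its root element."""
    return ET.fromstring(xml_text)


def _find_by_id(root, path, obj_id):
    """Return the first element on `path` whose id attribute equals obj_id."""
    for el in root.iterfind(path, NS):
        if el.get("id") == obj_id:
            return el
    raise KeyError("no object with id %r at %s" % (obj_id, path))


def incident_victims(root, incident_id):
    """Pathway 2 (Incident > Victim > Identity): the concrete 'who' hit in this incident."""
    inc = _find_by_id(root, "stix:Incidents/stix:Incident", incident_id)
    return [n.text for n in inc.iterfind("incident:Victim/stixCommon:Name", NS)]


def victim_targeting(ttp_el):
    """Pathway 1 (TTP > Victim_Targeting): abstract 'who' and 'what'; None if absent."""
    vt = ttp_el.find("ttp:Victim_Targeting", NS)
    if vt is None:
        return None
    return {
        "identity": [n.text for n in vt.iterfind("ttp:Identity/stixCommon:Name", NS)],
        "systems": [e.text for e in vt.iterfind("ttp:Targeted_Systems", NS)],
        "information": [e.text for e in vt.iterfind("ttp:Targeted_Information", NS)],
    }


def leveraged_targeting(root, incident_id):
    """The indirect route: Incident > Leveraged_TTPs > TTP > Victim_Targeting.

    Maps each leveraged TTP's id (or 'inline' for an embedded TTP) to its
    Victim_Targeting summary; a dangling idref raises KeyError.
    """
    inc = _find_by_id(root, "stix:Incidents/stix:Incident", incident_id)
    result = {}
    path = "incident:Leveraged_TTPs/incident:Leveraged_TTP/stixCommon:TTP"
    for ref in inc.iterfind(path, NS):
        ttp_id = ref.get("idref")
        if ttp_id is None:
            # Embedded TTP: the stixCommon:TTP element itself carries the content.
            result[ref.get("id", "inline")] = victim_targeting(ref)
        else:
            result[ttp_id] = victim_targeting(_find_by_id(root, "stix:TTPs/stix:TTP", ttp_id))
    return result


if __name__ == "__main__":
    pkg = load_package()
    print("Incident/Victim (actual):", incident_victims(pkg, "example:incident-1"))
    print("Leveraged TTP targeting (abstract):", leveraged_targeting(pkg, "example:incident-1"))
```

Note that the direct route yields only an Identity, while the leveraged route also surfaces the non-identity targeting dimensions (systems, information) that Sean describes as living under TTP.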


 


Re: [STIX] Victim Targeting and Incident Victim

Gerald Beuchelt (Work)
To be honest, I cannot see how a more detailed victim characterization in the context of STIX is useful, since it is pretty much focused on modeling the information security and related domain. To capture a more comprehensive victim characterization you will need something like e.g. NIEM that has the respective SME background in place. It would be more helpful to allow clean mappings than trying to re-architect the content in STIX. 

Best, 
Gerald Beuchelt





Re: [STIX] Victim Targeting and Incident Victim

Barnum, Sean D.
Gerald, I don’t think anyone is arguing for a more detailed victim characterization here. Rather Ryan is just looking for clarity on the two forms of Victim characterization currently in STIX and Byron is just proposing potentially abstracting both to a single Victim structure and referencing it where appropriate.
That being said, victim identity in STIX is more than just the “information security and related domain” aspects of it. While the added dimensions under TTP/Victim_Targeting may be technology centric, Identity goes beyond that. The community has had extensive discussions in the past about what level of detail would be appropriate for characterizing Identity within a cyber threat context and identified key properties needed. These discussions led to the choice of OASIS:CIQ as the current default identity extension. CIQ is one of the richest structures available for characterizing identity, it covers the identified needs for STIX and it has a large base of use across the commercial landscape and internationally. To date, I can’t think of any requests for more detail than CIQ currently provides.
I think the issues being discussed here from Ryan’s initial post and Byron’s reply are more about abstraction than specialization.

Does that make sense?

sean



Re: [STIX] Victim Targeting and Incident Victim

Aharon
In reply to this post by Gerald Beuchelt (Work)

Mentioning NIEM in this context is irrelevant. The original question is asking about the best pathways for linking objects within STIX, not how to create a more detailed victim characterization in some other format.

 

Aharon

 

Michael “Aharon” Chernin

Security Automation

DTCC Tampa

813-470-2173 | [hidden email]

 


Re: [STIX] Victim Targeting and Incident Victim

Collie, Byron S.
In reply to this post by Barnum, Sean D.

Actually our use of STIX is going far beyond the information security and related domain. Tactical, technical cyber defense is only one key component of the overall use of STIX in our, and the FS-ISACs, environment.  To GS, STIX is the data construct for building out a complete cyber intelligence capability that will allow analysis from strategic to tactical levels and eventually modeling not only the logical elements but also the underlying physical infrastructure (think modeling the undersea cable infrastructure supporting an organization). Not everyone is going to need nor want to use all of the possible components but if you think of STIX as the core schema behind a collaborative cyber risk management platform, driven by intelligence at all levels possible and from all possible and available sources, you will pretty much be on track for at least our view. I wouldn’t try and speak for others.

 

Byron

 


 


Re: [STIX] Victim Targeting and Incident Victim

Joep Gommers
In reply to this post by Townsend, Ryan
I would concur with this and add that, as opposed to most “red” components in STIX, there are quite some use-cases for “blue” components such as victim, targeted business process and other constructs.

It could facilitate, as Byron described, more strategic/trend/net-assessment type intelligence as opposed to the current intelligence/incident sharing nature of STIX.

J-


 


Re: [STIX] Victim Targeting and Incident Victim

pmaroney
[+1] Target/Victim modeling is equally important as Adversary/Attacker modeling for many of us.

Providing a rich standardized taxonomy for Target/Victim enables key methods like redaction, tokenization, target generalization to aggregate Sector/Technology specific intelligence, etc.

It is also a key element for both tactical objectives like reconnaissance detection/characterization, attack packaging/targeting analysis, attribution, etc. and more strategic objectives like Predictive Analytics.

As always, this is an argument for additional applications and use cases with the full understanding that these constructs may not be applicable to all stakeholders.

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
[hidden email]


Re: [STIX] Victim Targeting and Incident Victim

pmaroney
As one of the advocates for adopting OASIS CIQ (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ciq), I want to propose that application of same to common entity/persona elements was and should remain part of the strategy to leverage existing standards wherever possible/practical and extend as required for our Domain.

To Dr. Burger's point, we also need to handle the increasingly common TTP of determined adversaries targeting an intermediary (e.g., Supply Chain, Partner, New/Pending Acquisition, Service Provider) to gain access to the ultimate end target objectives.  Intermediary "target" becomes the "attacker" in one context, but is also a "victim" in another context.


Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
[hidden email]



Re: [STIX] Victim Targeting and Incident Victim

Eric Burger
In reply to this post by pmaroney
We would like to see this too, from an analysis perspective. I need to check what is there today, but what I would not want to see is full enumerations of target and victim if they are the same. Please have an enterprise entity that is referred to by both. Otherwise, I can guarantee that when the target and victim are the same, we will think they are different.

--
Sent from a mobile device. Sorry for typos or weird auto-correct. Thank IETF LEMONADE for mobile email! See <http://www.standardstrack.com/ietf/lemonade/>


Re: [STIX] Victim Targeting and Incident Victim

Townsend, Ryan
In reply to this post by pmaroney
I agree with leveraging existing standards, but we should also consider including some baseline elements here in STIX.
CIQ is very deep and is a hurdle to adopt end to end from the outset. Alternatively, perhaps we consider a means for partial adoption of extensions, somehow encoded in STIX profiles as well, similar to the selective adoption of CybOX object types.

 

Re: [STIX] Victim Targeting and Incident Victim

Gerald Beuchelt (Work)
In reply to this post by Barnum, Sean D.
Sean - 

Thanks for the explanation. Just a quick question: how are you using CIQ at this time? Any profiles or is it open to the implementor?

Best, 
Gerald Beuchelt



On Sep 4, 2014, at 4:06 PM, Barnum, Sean D. <[hidden email]> wrote:

Gerald, I don’t think anyone is arguing for a more detailed victim characterization here. Rather, Ryan is just looking for clarity on the two forms of Victim characterization currently in STIX, and Byron is just proposing potentially abstracting both to a single Victim structure and referencing it where appropriate.
That being said, victim identity in STIX is more than just the “information security and related domain” aspects of it. While the added dimensions under TTP/Victim_Targeting may be technology centric, Identity goes beyond that. The community has had extensive discussions in the past about what level of detail would be appropriate for characterizing Identity within a cyber threat context and identified key properties needed. These discussions led to the choice of OASIS:CIQ as the current default identity extension. CIQ is one of the richest structures available for characterizing identity, it covers the identified needs for STIX, and it has a large base of use across the commercial landscape and internationally. To date, I can’t think of any requests for more detail than CIQ currently provides.
I think the issues being discussed here from Ryan’s initial post and Byron’s reply are more about abstraction than specialization.

Does that make sense?

sean

From: "Gerald Beuchelt (Work)" <[hidden email]>
Date: Thursday, September 4, 2014 at 3:49 PM
To: "Barnum, Sean D." <[hidden email]>
Cc: stix-discussion-list Structured Threat Information Expression/ST <[hidden email]>
Subject: Re: [STIX] Victim Targeting and Incident Victim

To be honest, I cannot see how a more detailed victim characterization in the context of STIX is useful, since it is pretty much focused on modeling the information security and related domain. To capture a more comprehensive victim characterization you will need something like e.g. NIEM that has the respective SME background in place. It would be more helpful to allow clean mappings than trying to re-architect the content in STIX. 

Best, 
Gerald Beuchelt



On Sep 4, 2014, at 3:45 PM, Barnum, Sean D. <[hidden email]> wrote:

Yeah, this is a proposed change that has been talked about a bit and is likely on the table for discussion/consideration for the next major release. It is obviously a major architecture change so would be out of the question for a minor release.

To Ryan’s original question, the Victim structure in Incident is intended to capture characterization of specific victims (“who”) targeted/affected within the context of a specific Incident. The Victim_Targeting structure within TTP is intended to capture more abstract characterization of victims (“who” and/or “what”) being targeted but not limited in scope to just a single incident. The content of TTP/Victim_Targeting instances is typically derived from Victim characterizations in Incidents. They provide value in enabling characterization of victim targeting outside the bounds of a single Incident (e.g. Victim targeting by a given threat actor, or in a given campaign, or by a particular TTP/Behavior). It should be noted that the Incident/Victim structure is focused purely on Identity, while the more abstract TTP/Victim_Targeting can also characterize targeting behaviors against particular types of systems, types of information, or specific technical contexts in addition to Identity. These dimensions are typically derived from a range of non-identity-centric technical details/constructs within an Incident, not just the “who” that was targeted.
So, there is an intentional difference between the two constructs, and they are currently located in different places based on that difference in intended context. That being said, the reality is that the actual type structures for each may not need to be separate. As Byron proposes and has been discussed for a while, there may be an opportunity to define a single structure for Victim and just have the differing contexts for specific characterization (in Incidents) and abstract characterization (currently in TTP) simply have elements referencing the common type.

Does the above explanation help or confuse things further? :-)

sean

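The two pathways Sean distinguishes above, as an added example that is not part of the thread and not the STIX project's own code: the `Identity`, `TTP` and `Incident` classes, the sample organisations and ids, and the sector roll-up rule are constructed assumptions standing in for the STIX 1.x types, with both paths referencing one shared Identity by id so that "target" and "victim" can never be the same organisation entered twice.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """Shared entity referenced by id from BOTH pathways (never duplicated)."""
    id: str
    name: str
    sector: str  # coarse "what" attribute used for target generalisation


@dataclass
class TTP:
    """Abstract Victim_Targeting: who/what this TTP targets, across incidents."""
    id: str
    targeted_identities: set = field(default_factory=set)  # Identity idrefs
    targeted_sectors: set = field(default_factory=set)


@dataclass
class Incident:
    """Specific victims ("who") hit in this one incident."""
    id: str
    victims: set = field(default_factory=set)         # Identity idrefs
    leveraged_ttps: set = field(default_factory=set)  # TTP idrefs


def actual_victims(incident, identities):
    """Path 1: Incident > Victim > Identity."""
    return {identities[i] for i in incident.victims}


def targeted_via_ttps(incident, ttps, identities):
    """Path 2: Incident > Leveraged_TTPs > Victim_Targeting > Identity."""
    out = set()
    for ttp_id in incident.leveraged_ttps:
        out |= {identities[i] for i in ttps[ttp_id].targeted_identities}
    return out


def compare_paths(incident, ttps, identities):
    """Path 2 is the TTP's abstract profile; path 1 is what happened here."""
    actual = actual_victims(incident, identities)
    targeted = targeted_via_ttps(incident, ttps, identities)
    return {
        "victim_and_targeted": {i.id for i in actual & targeted},
        "victim_only": {i.id for i in actual - targeted},    # profile is stale
        "targeted_only": {i.id for i in targeted - actual},  # intended, not hit
    }


def derive_victim_targeting(ttp, incidents, identities, min_incidents=2):
    """Roll Incident/Victim up into TTP/Victim_Targeting: copy identities and
    generalise a sector into the profile once it recurs in min_incidents."""
    sectors = Counter()
    for inc in incidents:
        if ttp.id not in inc.leveraged_ttps:
            continue
        ttp.targeted_identities |= set(inc.victims)
        for sector in {identities[v].sector for v in inc.victims}:
            sectors[sector] += 1
    ttp.targeted_sectors |= {s for s, n in sectors.items() if n >= min_incidents}
    return ttp


def build_sample():
    """Constructed sample data; organisations and ids are invented."""
    identities = {i.id: i for i in (
        Identity("id-acme", "Acme Bank", "finance"),
        Identity("id-beta", "Beta Capital", "finance"),
        Identity("id-gamma", "Gamma Power", "energy"),
    )}
    ttps = {"ttp-1": TTP("ttp-1", {"id-acme"})}
    incidents = {
        "inc-1": Incident("inc-1", {"id-acme", "id-gamma"}, {"ttp-1"}),
        "inc-2": Incident("inc-2", {"id-beta"}, {"ttp-1"}),
    }
    return identities, ttps, incidents
```

Running `compare_paths` on `inc-1` before the roll-up shows the asymmetry Ryan asked about: Acme is both an actual victim and a TTP target, while Gamma is a victim only, because the TTP's abstract profile has not yet been derived from the incident.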