[cti-users] Conceptual threat/risk models and CTI/STIX

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[cti-users] Conceptual threat/risk models and CTI/STIX

Cory Casanave

Oasis/CTI/STIX Stakeholders,

As many of you know, we are concurrently working on a specification within the Object Management Group (OMG) for an operational threats and risks model. This effort is related to CTI but has some different goals. The submission team has just released the second draft revision of this specification which we are releasing publicly for comment and community building as it works its way through the OMG process. We expect one more major revision prior to adoption.


The focus of this effort is different from CTI in three ways:

·         It is an “all threats/all risks” model inclusive of cyber and physical. STIX has been and will continue to be a major input into this effort for both general and cyber specific concerns. The intent of this broad scope is the federation of information from and between multiple domains such as Cyber, Critical Infrastructure, Law Enforcement, Emergency Management, Safety Engineering, Terrorist Prevention and others. As such the information for a particular domain is less detailed but more general as it focuses on what would be of interest across these domains and communities as we deal with sophisticated multi-dimensional attacks.

·         The foundation is a semantic conceptual model in UML, not a data model. Threat/risk defines no new exchange formats but provides the “semantic glue” between the many formats we have in different communities, both standards based and proprietary. This allows for federating and analyzing information from multiple sources as well as translating information between formats.

·         It brings together the more tactical “situational awareness” perspectives with enterprise and system risk management.


Within the threat/risk specification an initial mapping to STIX (1.2 at this time) is included such that STIX information can be comprehended and federated in this way. We hope to utilize the final CTI specifications in the next revision. The other mappings included are NIEM (From the Justice/Public Safety Community) and NIST 800-53. We expect to add others over time, including Oasis EDXL.


Many of the concepts and issues we deal with in threat/risk are “front and center” in CTI – we hope to collaborate on working out these ideas.


This is a draft specification and input and engagement from the STIX community is welcome. Artifacts are available here:

·         Specification Document (PDF): http://www.threatrisk.org/spec/RevisedSubmission/Revised%20Operational%20Threat%20Risk%20Submission.pdf

·         Specification Document (.DOC): http://www.threatrisk.org/spec/RevisedSubmission/Revised%20Operational%20Threat%20Risk%20Submission.doc

·         Specification .ZIP with all models: http://www.threatrisk.org/spec/RevisedSubmission/Revised%20threat-risk%20Submission%20machine%20readable%20files.zip

·         Community portal: http://threatrisk.org/drupal/


We look forward to working together!

The threat/risk submission team.