OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  RE: [cti] Threat Actor Sophistication Levels

    Posted 08-07-2016 02:00

    This has the best approach to this IMHO
    http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

    Sent from my Windows 10 phone

    From: Jordan, Bret
    Sent: Saturday, August 6, 2016 9:28 PM
    To: cti@lists.oasis-open.org
    Subject: [cti] Threat Actor Sophistication Levels

    I have been drilling into the Threat Actor vocabularies today and would like to propose some changes to the Sophistication Levels. We currently have the following levels:

    none
    novice
    practitioner
    expert
    innovator

    I am wondering about changing that list to be something more like the following... I have added some details (to be fleshed out) to give you some context of what I am thinking. The initial list of 5 I feel is way too short. I would be very interested in your comments and feedback.

    basic (average joe/jane)
    novice (script kiddie)
    hobbyist (your average IT geek)
    operator
        - Focuses on specific tasks within a campaign
        - Can operate systems for an attack
        - Can run tool kits designed by others
        - Is a contributor to a larger organization
    technician
        - Focuses on specific mission objectives and goals
        - Can troubleshoot and fix systems used in an attack
        - Can execute attack plans and campaigns
    professional
        - Focuses on broad tactical and mission goals
        - Can identify targets and build attack plans
        - Can use and tailor advanced toolkits
    architect
        - Focuses on broad organizational goals
        - Can design the attack infrastructure
    specialist
        - Has very specialized skills but is not planning on running the show
        - Reverse Engineers
        - 1-day Malware Author
        - Botnet infrastructure architect
    expert
        - Focuses on strategic goals
        - Able to plan very elaborate and advanced attacks
        - Is a specialist in more than one area
        - 0-day Malware Author
    innovator
        - Thinks and plans for the future
        - Designs new malware toolkits
        - Innovates and moves the attacker community forward
        - Is an expert in more than one area

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
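The proposal above treats sophistication as an open vocabulary, which raises two practical questions for anyone consuming threat-actor objects: how to flag values that fall outside the agreed list, and how to compare or rank actors once the list has an order. The following Python is an added example (not code from this thread, from OASIS, or from any STIX library) that takes Bret's proposed list as an ordered vocabulary and applies it to a small, constructed bundle of STIX-style threat-actor JSON objects. The placement of "specialist" between "architect" and "expert" in the ranking, the JSON object shape, and all ids and names are assumptions made for the example.

```python
"""Validate and rank threat-actor 'sophistication' values against the
proposed vocabulary from the thread above.  Added example; the ordering
and the sample objects are constructed assumptions, not a specification."""
import json

# Proposed levels in ascending order of capability, as listed in the proposal.
# Where 'specialist' sits relative to 'architect' and 'expert' is an
# assumption made here purely so that every value gets a rank.
PROPOSED_LEVELS = [
    "basic", "novice", "hobbyist", "operator", "technician",
    "professional", "architect", "specialist", "expert", "innovator",
]
RANK = {level: i for i, level in enumerate(PROPOSED_LEVELS)}

# Constructed sample: a STIX-style bundle with four threat-actor objects.
# Ids and names are made up; 'elite' is deliberately outside the vocabulary.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000001",
         "name": "Example Crew A", "sophistication": "novice"},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000002",
         "name": "Example Crew B", "sophistication": "professional"},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000003",
         "name": "Example Crew C", "sophistication": "innovator"},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000004",
         "name": "Example Crew D", "sophistication": "elite"},
    ],
})


def load_threat_actors(bundle_json):
    """Parse a bundle and return only the threat-actor objects."""
    bundle = json.loads(bundle_json)
    return [o for o in bundle.get("objects", []) if o.get("type") == "threat-actor"]


def check_sophistication(actor):
    """Return (ok, detail).  An open vocabulary means an unknown value is not
    an error in the object, but it cannot be ranked, so it is reported."""
    value = actor.get("sophistication")
    if value is None:
        return (False, "missing sophistication")
    if value not in RANK:
        return (False, "non-vocabulary value %r" % value)
    return (True, value)


def rank_of(actor):
    """Numeric rank of the actor's level; unknown or missing values get -1."""
    return RANK.get(actor.get("sophistication"), -1)


def actors_at_or_above(actors, minimum):
    """Actors whose level is at least `minimum`, most capable first.
    Non-vocabulary values never match, so they must be reconciled manually."""
    threshold = RANK[minimum]
    matching = [a for a in actors if rank_of(a) >= threshold]
    return sorted(matching, key=rank_of, reverse=True)


def sophistication_change(old_actor, new_actor):
    """Compare two versions of an actor: 'upgraded', 'downgraded',
    'unchanged', or None when either value is outside the vocabulary."""
    old, new = rank_of(old_actor), rank_of(new_actor)
    if old < 0 or new < 0:
        return None
    if new > old:
        return "upgraded"
    if new < old:
        return "downgraded"
    return "unchanged"


if __name__ == "__main__":
    actors = load_threat_actors(SAMPLE_BUNDLE)
    for a in actors:
        ok, detail = check_sophistication(a)
        print(a["name"], "ok" if ok else "WARN", detail)
    print("at or above professional:",
          [a["name"] for a in actors_at_or_above(actors, "professional")])
```

The point of `rank_of` returning -1 for unknown values is that an out-of-vocabulary producer is never silently promoted or demoted: it drops out of threshold queries and out of version comparisons until an analyst maps it onto the agreed list.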
  • 2.  Re: [cti] Threat Actor Sophistication Levels

    Posted 08-07-2016 03:40

    Mark, What parts? What would you have us extract from this document to use here?

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Aug 6, 2016, at 19:59, Mark Clancy <mclancy@soltra.com> wrote:

    > This has the best approach to this IMHO
    > http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
    >
    > Sent from my Windows 10 phone
    >
    > [Bret Jordan's original message of August 6, quoted in full; see message 1 above]

    Attachment: signature.asc
    Description: Message signed with OpenPGP using GPGMail


  • 3.  Re: [cti] Threat Actor Sophistication Levels

    Posted 08-08-2016 08:40

    Basically +1 for not reinventing the wheel

    On Sunday, 7 August 2016, Mark Clancy <mclancy@soltra.com> wrote:

    > This has the best approach to this IMHO
    > http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
    >
    > Sent from my Windows 10 phone
    >
    > [Bret Jordan's original message of August 6, quoted in full; see message 1 above]