Target = Victim (or "Intermediary" who is both Victim and Attacker in a "MITM"/Supply Chain Attack TTP). Plenty of legacy verbiage on why some of us argue that "Target" is a critical missing element/TLO in CTI (most recently when discussing CTI Charter).
We can currently describe who's holding the spear, the attributes of the spear, and the "point" where the "pointy part" is headed/entered...but not the "pointee".
From: <cti-stix@lists.oasis-open.org> on behalf of "Chernin, Aharon"
Date: Monday, September 21, 2015 at 1:56 PM
To: "Wunder, John A.", "cti-stix@lists.oasis-open.org"
Subject: Re: [cti-stix] Targeting in STIX 2.0
For example, a cyber intelligence feed that provides attack target URLs: TTP -> Victim Targeting -> Observable -> URL
Which of my URLs are being attacked?
Aharon
From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
Date: Monday, September 21, 2015 at 1:14 PM
To: "cti-stix@lists.oasis-open.org"
Subject: Re: [cti-stix] Targeting in STIX 2.0
What do you mean by targeting? Can you give a couple examples of how that would make the content smaller/better?
Sorry, just having trouble picturing this.
John
On Sep 21, 2015, at 12:57 PM, Aharon Chernin <achernin@soltra.com> wrote:
Hate to change the subject. Also, I hate thinking about new high level objects. Not every type of data should be high level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.
I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document while preserving the context that the document contained. That’s when it hit me. If targeting wasn’t included within the TTP object, the documents would have been dramatically smaller and easier to digest.
Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud for example).
Questions:
Do you agree that we should have open discussion regarding the removal of targeting from TTP in 2.x? If so, where would it go? A new top level object * sigh* ? Or maybe in another existing object?
--
Aharon Chernin
CTO
SOLTRA
An FS-ISAC & DTCC Company
18301 Bermuda Green Dr
Tampa, FL 33647
813.470.2173
achernin@soltra.com www.soltra.com
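The path Aharon gives above (TTP -> Victim Targeting -> Observable -> URL) and the question it is meant to answer ("Which of my URLs are being attacked?") can be made concrete with a short STIX 1.x consumer. The code below is an added example for this thread, not code from the list, from Soltra, or from the STIX project. The embedded STIX package is constructed by hand for illustration (the `example:` identifiers and the URLs in it are invented), and the namespace URIs are the published STIX 1.x / CybOX 2.x ones. It walks every TTP's `ttp:Victim_Targeting/ttp:Targeted_Technical_Details` subtree, pulls out `URIObj:Value` entries typed as URLs, and matches them against a list of URLs the reader owns after a light normalisation (host case, default port, trailing slash).

```python
"""Answer "which of my URLs are being attacked?" from a STIX 1.x package.

Added example for the cti-stix thread on targeting; not list or project code.
The SAMPLE_STIX document below is constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Published STIX 1.x / CybOX 2.x namespaces used by the Victim_Targeting path.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}

# Constructed sample: two TTPs, each carrying its own Victim_Targeting block.
# The "example:" ids and URLs are invented for this example.
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com/"
    id="example:package-1" version="1.2">
  <stix:TTPs>
    <stix:TTP xsi:type="ttp:TTPType" id="example:ttp-1">
      <ttp:Title>Credential phishing against SSO portal</ttp:Title>
      <ttp:Victim_Targeting>
        <ttp:Targeted_Technical_Details>
          <cybox:Observable id="example:observable-1">
            <cybox:Object id="example:object-1">
              <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value>https://login.example.com/sso</URIObj:Value>
              </cybox:Properties>
            </cybox:Object>
          </cybox:Observable>
        </ttp:Targeted_Technical_Details>
      </ttp:Victim_Targeting>
    </stix:TTP>
    <stix:TTP xsi:type="ttp:TTPType" id="example:ttp-2">
      <ttp:Title>Token replay against API and SSO endpoints</ttp:Title>
      <ttp:Victim_Targeting>
        <ttp:Targeted_Technical_Details>
          <cybox:Observable id="example:observable-2">
            <cybox:Object id="example:object-2">
              <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value>https://Login.Example.com/sso/</URIObj:Value>
              </cybox:Properties>
            </cybox:Object>
          </cybox:Observable>
          <cybox:Observable id="example:observable-3">
            <cybox:Object id="example:object-3">
              <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value>https://api.example.net/v1/token</URIObj:Value>
              </cybox:Properties>
            </cybox:Object>
          </cybox:Observable>
        </ttp:Targeted_Technical_Details>
      </ttp:Victim_Targeting>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>
"""

# Constructed list of URLs "we" own, as the defender would supply it.
MY_URLS = ["https://login.example.com/sso", "https://intranet.example.com/"]

VT_PATH = ("ttp:Victim_Targeting/ttp:Targeted_Technical_Details/"
           "cybox:Observable/cybox:Object/cybox:Properties")


def targeted_urls_by_ttp(stix_xml: str) -> dict:
    """Map each TTP id to the URL values found under its Victim_Targeting.

    Only URIObject properties explicitly typed as "URL" are returned.
    For feeds you do not control, parse with defusedxml instead of the
    stdlib parser to avoid entity-expansion attacks.
    """
    root = ET.fromstring(stix_xml)
    result = {}
    for ttp in root.findall("stix:TTPs/stix:TTP", NS):
        ttp_id = ttp.get("id", "<no-id>")
        urls = []
        for props in ttp.findall(VT_PATH, NS):
            if props.get("type") != "URL":
                continue  # skip URNs / domain names in this example
            value = props.find("URIObj:Value", NS)
            if value is not None and value.text:
                urls.append(value.text.strip())
        result[ttp_id] = urls
    return result


def normalize_url(url: str) -> str:
    """Canonicalise scheme/host/path so trivially different spellings match."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    if port and not default:
        host = f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return f"{scheme}://{host}{path}"


def my_urls_under_attack(stix_xml: str, my_urls: list) -> dict:
    """Return {my_url: [ttp ids whose targeting names it]} for matched URLs."""
    mine = {normalize_url(u): u for u in my_urls}
    hits = {}
    for ttp_id, urls in targeted_urls_by_ttp(stix_xml).items():
        for u in urls:
            key = normalize_url(u)
            if key in mine:
                hits.setdefault(mine[key], []).append(ttp_id)
    return hits


if __name__ == "__main__":
    for url, ttps in my_urls_under_attack(SAMPLE_STIX, MY_URLS).items():
        print(f"{url} is targeted by {', '.join(ttps)}")
```

Note that the targeting data has to be walked once per TTP because it lives inside each TTP; a feed with thousands of TTPs that all target the same handful of URLs repeats the same Observable subtree every time, which is the document bloat the thread is describing.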