OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  On TTPs and specifications

    Posted 05-04-2016 15:43
    Let's talk TTPs: Tactics, Techniques, and Procedures. Relevant background reading and other links are at the end, including to the playground space that Bret Jordan set up.

    What is a TTP anyway? Basically, how an actor carries out their intent. It's not a tool. It's a set of methods, effectively, specified to varying levels of detail. In general, when an actor deploys a capability against a target to accomplish some goal, the way the actor does so can be represented as a set of TTPs. For a non-cyber example, and because it's May 4th when I write this:

    Goal: Destroy the Death Star
    TTP: X-wing fighter-bombers provide close space support to Y-wing bombers against TIE fighters until equatorial trench is reached, at which point all craft proceed linearly until ordnance is successfully delivered to the reactor.
    Tools: Proton Torpedoes

    This can further be broken down between the specific tactics, techniques, and procedures, but for illustrative purposes this suffices. Additionally, given the lack of consensus among practitioners, it might not be useful to go to a level of detail where we differentiate between the three. Whether STIX should support those distinctions is an open question.

    STIX Representations

    I envision four different ways that STIX could represent TTPs, listed here in order of desirability (according to my personal estimation, of course):

    1) Use the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework from MITRE. This is not desirable right now because the framework currently limits itself to Windows post-exploitation activity.
    2) Maintain the existing TTP definition from STIX v1.2. This might provide a good starting point, but lacks clarity because it includes other information and suffers from the general over-engineering common in v1.2.
    3) Simply adopt the VERIS framework, in particular the Actions section. While useful, this does not contain enough information.
    4) Allow users to specify TTPs in their own way, possibly including a field to note which existing standard they choose to use.

    As an example, we could include the following fields within TTP:
    - Goal (string)
    - Action sequence (list of strings)
    - Reference framework ("ATT&CK", "CAPEC", "VERIS", or other user-supplied)

    We should strip out mentions of targeting as listed in v1.2 because those should be listed as separate objects and a relationship created. There are other metadata fields that will be important, of course, like IDs and whatnot, but here I have been focusing on the TTP-specific things.

    Next steps

    In my mind, we need to first figure out a general approach: do we marry ourselves to a particular framework? Do we try to maintain some level of connection to the previous format?

    Relevant Links
    - Google Doc Playground ( https://docs.google.com/document/d/1ei7poJMigVasVkoKeEhe0sBa-BS59WU0xJwtBDwpmv0/edit )
    - On TTPs - Blog post by Ryan Stillions ( http://ryanstillions.blogspot.com/2014/04/on-ttps.html )
    - VERIS Actions ( http://veriscommunity.net/actions.html )
    - STIX 1.2 ( http://stixproject.github.io/data-model/1.2/ttp/TTPType/ )
    - ATT&CK ( https://attack.mitre.org/wiki/Main_Page )
    - CAPEC ( https://capec.mitre.org/ )

    -- Kyle Maxwell [kmaxwell@verisign.com] iDefense Senior Analyst
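The field list in the post above, turned into a small runnable sketch. This is an added example in Python, not Kyle's code and not a STIX data model: only Goal, Action sequence and Reference framework (with the three named frameworks) come from the post. The object and field names, the "<kind>--<uuid4>" identifier form, and the Relationship object used to attach a separate Target to the TTP (so that targeting stays out of the TTP, as the post proposes) are assumptions made here.

```python
"""Sketch of the TTP shape proposed above (added example; not STIX, not Kyle's code).

Assumptions made here: object/field names, the "<kind>--<uuid4>" identifier form and the
Relationship object that attaches a separate Target to the TTP.
"""
import json
import uuid
from dataclasses import asdict, dataclass, field
from typing import List, Optional

KNOWN_FRAMEWORKS = ("ATT&CK", "CAPEC", "VERIS")  # the three named in the post


def new_id(kind: str) -> str:
    return f"{kind}--{uuid.uuid4()}"  # assumed identifier scheme


@dataclass
class TTP:
    goal: str
    action_sequence: List[str]
    reference_framework: Optional[str] = None  # "ATT&CK", "CAPEC", "VERIS" or user-supplied
    id: str = field(default_factory=lambda: new_id("ttp"))


@dataclass
class Target:
    """Targeting is a separate object; the TTP never embeds it."""
    name: str
    id: str = field(default_factory=lambda: new_id("target"))


@dataclass
class Relationship:
    """Links a TTP to what it targets, so targeting stays out of the TTP itself."""
    source_ref: str
    target_ref: str
    relationship_type: str = "targets"
    id: str = field(default_factory=lambda: new_id("relationship"))


def validate_ttp(ttp: TTP) -> List[str]:
    """Return a list of problems; an empty list means the object is acceptable."""
    problems = []
    if not ttp.goal.strip():
        problems.append("goal must not be empty")
    if not ttp.action_sequence:
        problems.append("action_sequence must contain at least one step")
    elif any(not step.strip() for step in ttp.action_sequence):
        problems.append("action_sequence must not contain blank steps")
    if not ttp.id.startswith("ttp--"):
        problems.append("id must be of kind ttp")
    return problems


def framework_kind(ttp: TTP) -> str:
    """'none' (no framework given), 'known' (one of the three named) or 'custom' (user-supplied)."""
    if ttp.reference_framework is None:
        return "none"
    return "known" if ttp.reference_framework in KNOWN_FRAMEWORKS else "custom"


def bundle(objects) -> str:
    """Serialise objects as one JSON document; the object type is recovered from the id prefix."""
    out = []
    for obj in objects:
        d = asdict(obj)
        d["type"] = obj.id.split("--", 1)[0]
        out.append(d)
    return json.dumps({"objects": out}, indent=2)


def load_bundle(text: str):
    """Parse a bundle back into objects and reject dangling relationship references."""
    classes = {"ttp": TTP, "target": Target, "relationship": Relationship}
    by_id = {}
    for d in json.loads(text)["objects"]:
        by_id[d["id"]] = classes[d.pop("type")](**d)
    for obj in by_id.values():
        if isinstance(obj, Relationship):
            for ref in (obj.source_ref, obj.target_ref):
                if ref not in by_id:
                    raise ValueError(f"dangling reference {ref}")
    return by_id


def death_star_example():
    """The post's own illustration in the proposed shape (constructed sample data)."""
    ttp = TTP(
        goal="Destroy the Death Star",
        action_sequence=[
            "X-wing fighter-bombers provide close space support to Y-wing bombers against TIE fighters",
            "All craft proceed linearly along the equatorial trench",
            "Deliver ordnance to the reactor",
        ],
        reference_framework="Rebel Alliance doctrine",  # user-supplied, so framework_kind() says 'custom'
    )
    target = Target(name="Death Star")
    return ttp, target, Relationship(source_ref=ttp.id, target_ref=target.id)


if __name__ == "__main__":
    t, tg, r = death_star_example()
    print(validate_ttp(t) or "ok", framework_kind(t))
    print(bundle([t, tg, r]))
```

The point of `load_bundle` rejecting a dangling reference is the one the post makes about targeting: once the target is its own object joined by a relationship, a consumer has to check that both ends of the relationship actually arrived, which is a check a TTP with embedded targeting never needed.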


  • 2.  RE: On TTPs and specifications

    Posted 05-04-2016 19:31
    For the sake of learning from past experience, let's consider this topic in the broader context of criminal investigation. The terminology is different (MO and signature) but the concepts are the same. These definitions are taken in part from "Criminal Profiling: An Introduction to Behavioral Evidence Analysis" by Brent Turvey. Examples are from my joint work with Brent Turvey.

    1) Modus operandi (MO) is Latin for "a method of operating." It refers to the behaviors that are committed by an offender for the purpose of successfully completing an offense. An offender's modus operandi reflects how an offender committed their crimes. It is separate from the offender's motives, or signature aspects. MO most often serves one or more of three purposes:
       a) protects the offender's identity
       b) ensures the successful completion of the crime
       c) facilitates the offender's escape

    Examples of MO behaviors related to computer and Internet crimes include, but are most certainly not limited to:
    - Amount of planning before a crime, evidenced by behavior and materials (i.e. notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).
    - Materials used by the offender in the commission of the specific offense (i.e. system type, connection type, software involved, etc.).
    - Presurveillance of a crime scene or victim (i.e. monitoring a potential victim's posting habits on a discussion list, learning about a potential victim's lifestyle or occupation on their personal website, contacting a potential victim directly using a friendly alias or a pretense, etc.).
    - Offense location selection (i.e. a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).
    - Use of a weapon during a crime (i.e. a harmful virus sent to a victim's PC as an e-mail attachment, etc.).
    - Offender precautionary acts (i.e. the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).

    2) Offender Signature (comprised of two parts):
       a) Signature Behaviors: Signature behaviors are those acts committed by an offender that are not necessary to complete the offense. Their convergence can be used to suggest an offender's psychological or emotional needs (signature aspect). They are best understood as a reflection of the underlying personality, lifestyle, and developmental experiences of an offender.
       b) Signature Aspects: The emotional or psychological themes or needs that an offender satisfies when they commit offense behaviors.

    Let's not limit TTP to a small subset of this valuable information. The details of an offender's MO and signature can be useful for case linkage - the general process of demonstrating discrete connections between two or more previously unrelated cases. A connection between one or more cases can be sufficiently distinctive as to support the inference that the same person is responsible.

    Eoghan Casey


  • 3.  Re: [cti] RE: On TTPs and specifications

    Posted 05-04-2016 19:44
    Some of this has been discussed on the slack subgroup, but since not everyone is on slack I will duplicate here.

    There are always trade-offs between flexibility and rigidness. If TTPs are too flexible, we will end up in a STIX 1.X scenario, where we can allow people to specify anything under the sun, but no one can actually use it in practice for anything useful (it's essentially just a bunch of text blobs inside JSON). Conversely, if we make them too rigid, then we can have awesomely powerful software that is amazingly reactive to TTPs, but we won't be able to properly represent any data in it because nothing will ever perfectly align. We need the middle ground. Somewhere between a bunch of free-form text and a series of fixed enumerations.

    - Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com
    Without data, all you are is just another person with an opinion - Unknown

    From: "Casey, Eoghan CIV DC3/DCCI" <Eoghan.Casey@dc3.mil>
    To: "'Maxwell, Kyle'" <kmaxwell@verisign.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Date: 05/04/2016 04:30 PM
    Subject: [cti] RE: On TTPs and specifications


  • 4.  Re: [cti] RE: On TTPs and specifications

    Posted 05-04-2016 22:57
    Eoghan & All: I'm taking some of these suggestions and incorporating them into a Mind Map. I'm embedding the URL links Kyle sent us right into the Mind Map objects. To your point, there are other models, as well. At this point I'm just trying to be as inclusive as possible, so we can begin to harmonize across the models.

    https://mm.tt/695976249?t=VfINUnftUs

    I've embedded your suggestions, given below, on the Modus Operandi Object in the Mind Map. Not sure if that is the right place, but now there is a placeholder for these thoughts moving forward.

    TTP playground document on Google: https://docs.google.com/document/d/1ei7poJMigVasVkoKeEhe0sBa-BS59WU0xJwtBDwpmv0/edit

    We will use the process described by John Wunder (for STIX) and confirmed by Trey and Ivan (for CybOX) for working these through to resolution among the entire TC. For those that are not yet on Slack, there is a very active conversation going in the #ttps channel; the analysts are beginning to weigh in on what they need and really want to see for STIX 2.x & CybOX 3.x. All CTI-TC Members are welcome.

    Jane Ginn
    CTIN

    On 5/4/2016 12:30 PM, Casey, Eoghan CIV DC3/DCCI wrote:
    [Eoghan Casey's message of 05-04-2016 19:31, quoted in full above in this thread]

    -- Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us


  • 5.  RE: [cti] RE: On TTPs and specifications

    Posted 05-05-2016 12:38
    Hi! Just out of interest (based on the conversations going on with TTPs), is anyone looking at structuring COAs as well, especially with an end-game of looking to potentially automate activities based on the contents of a STIX package? I know this is something that we are pushing with vendors at the moment. Of course the trick is coming up with a unified set of tasks/actions that vendors will want to support in their products. Regards, Dean


  • 6.  RE: [cti] RE: On TTPs and specifications

    Posted 05-05-2016 12:54
    The OpenC2 project ( http://openc2.org/ ) recently came to my attention and their roadmap lists STIX COAs.


  • 7.  Re: [cti] RE: On TTPs and specifications

    Posted 05-05-2016 13:00
    We're a member of OpenC2 and I've reached out to colleagues that are members to get some input. Regards, Paul Patrick

    On 5/5/16, 8:53 AM, "cti@lists.oasis-open.org on behalf of Crawford, David" <cti@lists.oasis-open.org on behalf of David.Crawford@aetna.com> wrote:
    > The OpenC2 project ( http://openc2.org/ ) recently came to my attention and their roadmap lists STIX COAs.


  • 8.  Re: [cti] RE: On TTPs and specifications

    Posted 05-05-2016 14:01
    Dean: There is a #coa channel that has been set up on Slack. John-Mark Gurney would like to work on that issue too. Can you join the Slack channel? If so, send Bret an email. He can onboard you. Jane

    On 5/5/2016 6:00 AM, Paul Patrick wrote:
    > We're a member of OpenC2 and I've reached out to colleagues that are members to get some input. Regards, Paul Patrick
    > On 5/5/16, 8:53 AM, "cti@lists.oasis-open.org on behalf of Crawford, David" <cti@lists.oasis-open.org on behalf of David.Crawford@aetna.com> wrote:
    > > The OpenC2 project ( http://openc2.org/ ) recently came to my attention and their roadmap lists STIX COAs.


  • 9.  Re: [cti] On TTPs and specifications

    Posted 05-05-2016 04:12
    Just adding this link to the thread HTTPS://github.com/patcain/ecrisp   Ref from NIST SP 800-150

    On Wednesday, 4 May 2016, Casey, Eoghan CIV DC3/DCCI < Eoghan.Casey@dc3.mil > wrote:
    [Eoghan Casey's message of 05-04-2016 19:31, quoted in full above in this thread]


  • 10.  RE: [Non-DoD Source] Re: [cti] On TTPs and specifications

    Posted 05-05-2016 19:41
    There are two lessons I have learned over the years when it come to TTP / MO: 1) Attackers/offender change their TTP/MO over time 2) Let the evidence speak for itself With this in mind, I recommend an approach that uses different aspects of TTP/MO to categorize items in STIX/CybOX. These TTP/MO categories can be named, defined, and organized using your Action Lifecycle of choice. Using this approach, you enrich the evidence with TTP/MO context rather than trying to cram evidence into a single, rigid TTP/MO model. Some evidence/activities will fall into multiple categories, and using the Action Lifecycle approach is flexible to allow for this. To avoid getting into a religious war or trademark issues, the Action Lifecycle approach is flexible to use any TPP/MO construct, depending on the use case. For instance, here is a general example of an Action Lifecycle: - Planning - Materials (tools and infrastructure) - Presurveillance - Attack location selection - Weapon used during crime - Precautionary acts - Escape In the criminal realm, the action lifecycle of a sexual predator: - Victim selection - Materials (tools and infrastructure) - Establish trust - Desensitization to sexual activity/abuse - Maintain secrecy (persuasion/threats) - Arrange meeting - Restraints used during crime - Conceal evidence Signature could be treated as another categorization for distinctive characteristics in the data that may be attributable to an attacker. Eoghan