OASIS Threat Actor Context (TAC) TC

Agenda for tomorrow's working call

    Posted 04-01-2020 12:04



    TAC TC,


    Over the past week Ryan and I spent some time on prioritizing which properties in the TAC object model we should start focusing on.


    For tomorrow's working call we want to discuss two topics.




    1. First is the continuation of what we have discussed in the previous calls: creating a standard process for classifying concrete cases of Threat Actors to specific TA types, and the power of axioms for inferencing information. Since our first call we have discussed how classifying Threat Actors using a standardized process and having a set of defined properties would be beneficial for achieving consistency among TA type classification. We described how this can be achieved by using ontologies and defining a set of axioms. A big part of that is the consistency of the TA vocabulary/classes among security professionals, threat intelligence platform data models, threat information sharing standards, etc. For that reason our first step was to create a table that maps Intel's Threat Agent Library (TAL) and STIX TA labels, which are partially influenced by TAL. It is our belief that the models can be integrated, since STIX can be used for defining parent classes and TAL can be used for defining child classes (subclasses). More details will follow in the working call on April 2, 2020.


    2. Second, is the creation of a Goals taxonomy characterizing and standardizing the goals of a threat actor (what are they trying to do when carrying out an attack). This can be many levels deep. For example, a threat actor that intrudes for tech_advantage. One level down in goals we can have that this TA targets intellectual_property, and one level lower can describe industry such as automobile, one level lower that the TA is interested in having IP for power_supply, and finally that is specific to battery. This is just an initial idea and we will start creating a taxonomy after our working call.


    We have created a new document that we used to report the research that we have done, and it includes some requirements and some literature. For tomorrow's working call only the pages 1, 2 and 5 are relevant. Please take a look before the meeting and of course you are more than welcome to read the whole document and comment.


    The link to access the doc is https://docs.google.com/document/d/10KQRR45jm3k67EDl4IFB4l2f5BNz0jc2HWFan4_E3iQ/edit?usp=sharing


    After tomorrow's meeting we will integrate this information into the official requirements document and hopefully we can start writing text soon.


    Stay safe.




    Best,


    Vasileios