OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Re: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 10:14
    Gary,

    A couple questions/comments:

    The campaign definition is dependent on the term incident. Is it necessary for an incident (which would not need to be represented in STIX or shared) to have occurred in order for there to be a campaign? I had always thought of Campaigns as “related activity performed by one or more threat actors/groups”, but I’m not a threat analyst (and never have been). Does my definition align/overlap with yours, or are there key differences?

    I’m still fuzzy on Intrusion Set. Is intrusion set effectively an “unknown” Threat Actor? Intrusion Set and Campaign share a lot of the same concepts (e.g., both relate a set of incidents, indicators, tools, infrastructure or TTPs). And I think a lot of the Intrusion Set sentences make sense if you swap in “Campaign” for “Intrusion Set”. For instance:

    Threat actors could move from supporting one Campaign, to supporting another, or they may support multiple Campaigns. A Campaign is usually tracked over a long period of time. While sometimes a Campaign goes silent, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying levels of fidelity on attributing a Campaign back to Threat Actors.

    My apologies if I missed a key point in all of this – I’m trying to better my understanding.

    Thank you.
    -Mark

    P.S. Pats will beat the Jets 4 Christmas :)

     
     
    On 5/23/16, 1:26 PM, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil> (via cti@lists.oasis-open.org) wrote:

    >During some of the previous discussions, individuals had asked for definitions on Campaigns, Intrusion Sets and Threat Actors.  The below definitions were put together to help with the discussions.  I put together these definitions/examples and ran them by Paul Patrick to get some concurrence, but if individuals do not agree, I would be interested in understanding where there is disagreement.
    >
    >Hope it helps the discussion,
    >    -Gary
    >
    >Campaign: A campaign is a set of incidents that occur over a specific time period that relate to each other by shared indicators, tools, infrastructure or TTPs which indicate that they were performed by the same Intrusion Set/Threat Actor and/or have a shared objective.  Some SOCs will associate incidents to a campaign if a new incident shares observables that are relatively unique and difficult to change, from 2 or more phases of the kill chain, with observables from incidents already associated with that campaign.
    >
    >An Intrusion Set relates a set of incidents, indicators, tools, infrastructure or TTPs, that are grouped together to show a believed attribution back to an entity.  For example, a set of Incidents may share a set of TTPs.  The Threat Actors behind the attack may not be known but the activity can be grouped together and new activity can be attributed to that Intrusion Set.  Threat actors could move from supporting one Intrusion Set, to supporting another, or they may support multiple Intrusion Sets.  An Intrusion Set is usually tracked over a long period of time.  While sometimes an Intrusion Set goes silent, or changes focus, it is usually difficult to know if it has truly disappeared or ended.  Analysts may have varying levels of fidelity on attributing an Intrusion Set back to Threat Actors.  The analysts may be able to only attribute it back to a nation-state, perhaps back to an organization within that nation-state, or perhaps back to the individuals within that organization.
    >
    >Threat Actor: Threat Actors are the individuals or organizations related to a set of incidents, indicators, tools, infrastructure or TTPs.  There can be multiple Threat Actors associated to the same thing.  For example, Threat Actor 1, a malware author, may provide malware to an attack which is used by Threat Actor 2 to perform the attack.  Both Threat Actors work for the same organization, which would also be represented using the Threat Actor object.  An analyst may wish to map out the organization and the individual members, how they interact and any overlaps they have supporting multiple organizations.  The analyst may want to capture the infrastructure used by those threat actors, their tools, or motivations, etc.
    >  
    >Examples:
    > // Campaign Example
    > {
    >     "type": "campaign",
    >     "title": "Jets4Christmas",
    >     "description": "shared TTP of malicious Christmas messages",
    >     "motive": "Political",
    >     "objective": "Access documents pertaining to jet engine designs",
    >     "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    >     "created_time": "2015-12-06T20:07:09Z",
    >     "created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff"
    > }
    >
    > // Intrusion Set Example
    > {
    >     "type": "intrusion-set",
    >     "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    >     "title": "Bobcat Breakin",
    >     "description": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first.  Still determining where the threat actors are getting the bobcats.",
    >     "sophistication": "Unique"
    > }
    >
    > // Threat Actor Example
    > {
    >     "type": "threat-actor",
    >     "id": "threat-actor--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    >     "title": "Norway Nasjonal Sikkerhetsmyndighet",
    >     "description": "Norway National Security Authority",
    >     "motivation": "Usually focused on capturing intelligence about meatball recipes devised by their neighboring country",
    >     "sophistication": "High, perfect meatballs are of utmost importance"
    > }
    >  
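    The SOC association rule in the quoted Campaign definition (a new incident joins a campaign when it shares relatively unique observables from 2 or more kill-chain phases with incidents already in the campaign) is simple enough to express as a check. The following is an added example, not code from this thread or from any STIX library; the incident records, the kill-chain phase names and the list of "generic" observables that do not count as unique are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample incidents already associated with a campaign. Each maps a
# kill-chain phase to the set of observables seen in that phase. The values are
# placeholders, not real indicators.
CAMPAIGN_INCIDENTS = [
    {"id": "incident-1", "observables": {
        "delivery": {"mailer@sender.invalid"},
        "installation": {"sha256:PLACEHOLDER-DROPPER-A"},
        "command-and-control": {"c2.relay.invalid", "443/tcp"}}},
    {"id": "incident-2", "observables": {
        "delivery": {"mailer@sender.invalid"},
        "exploitation": {"exploit-doc:PLACEHOLDER-B"},
        "command-and-control": {"c2.relay.invalid", "443/tcp"}}},
]

# Observables too common to count as "relatively unique and difficult to
# change" (constructed list; a real SOC would tune this).
GENERIC_OBSERVABLES = {"443/tcp", "80/tcp", "http", "powershell.exe"}


def campaign_observables(incidents):
    """Union of non-generic observables per phase across the campaign's incidents."""
    by_phase = defaultdict(set)
    for incident in incidents:
        for phase, values in incident["observables"].items():
            by_phase[phase] |= set(values) - GENERIC_OBSERVABLES
    return by_phase


def shared_phases(new_incident, incidents):
    """Kill-chain phases in which the new incident shares at least one
    non-generic observable with the campaign's existing incidents."""
    known = campaign_observables(incidents)
    return {
        phase
        for phase, values in new_incident["observables"].items()
        if set(values) & known.get(phase, set())
    }


def should_associate(new_incident, incidents, min_phases=2):
    """Apply the rule: overlap in at least `min_phases` distinct phases."""
    return len(shared_phases(new_incident, incidents)) >= min_phases


# Constructed candidates: one overlaps in delivery and C2, one only in C2,
# and one only through a generic observable (which must not count).
CANDIDATES = {
    "two-phase-overlap": {"id": "incident-3", "observables": {
        "delivery": {"mailer@sender.invalid"},
        "command-and-control": {"c2.relay.invalid"}}},
    "one-phase-overlap": {"id": "incident-4", "observables": {
        "delivery": {"someone-else@other.invalid"},
        "command-and-control": {"c2.relay.invalid"}}},
    "generic-only": {"id": "incident-5", "observables": {
        "delivery": {"someone-else@other.invalid"},
        "command-and-control": {"443/tcp"}}},
}

if __name__ == "__main__":
    for name, incident in CANDIDATES.items():
        print(name, sorted(shared_phases(incident, CAMPAIGN_INCIDENTS)),
              should_associate(incident, CAMPAIGN_INCIDENTS))
```

    Only the first candidate is associated; the third shows why the "relatively unique" qualifier matters, since a shared port alone would otherwise inflate campaigns with unrelated activity.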






  • 2.  RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 14:12
    I'm still trying to wrap my head around how these concepts relate, based on my limited experience in operational government environments. I (believe I) understand the difference, particularly in (U.S.) government circles, between one or more "campaigns" and the encompassing intrusion set(s).

    From a data modeling perspective, though, I wonder if it makes sense to consider intrusion sets to just be a "meta-campaign", and allow a STIX Campaign to be made up of "subcampaigns". From my perspective, both campaigns and intrusion sets can be loosely defined as "collections of activity determined by an analyst to be related based on shared TTPs (tools, infrastructure, targets, themes, etc.)". The exact method of that determination can vary wildly based on the source (and we can and probably should support the representation of those assertions in STIX), but I'm hesitant to encode the distinction between the more general term "campaign" and the more specific term "intrusion set" directly into the STIX data model. As a concrete example, if one STIX producer considers a set of activity to be a "campaign" and another (likely US gov't) producer considers it to be an "intrusion set", it's simpler and easier to reconcile in STIX if you can assert a relationship between the two campaigns than saying "campaign X is the same as intrusion set Y".

    On top of that is the idea that some organizations consider "Threat Actors" to be individuals who can move between groups/campaigns/intrusion sets, while others consider the group itself to be the Threat Actor. It's likely that STIX will need to support both models. In some ways, it's similar to Intrusion Set/Campaign in that you can have "meta threat actors" (groups) which are made up of "sub threat actors" (individuals).

    Gary, do you think it would be possible for government users to use the existing "Campaign" construct (perhaps with modifications) to handle intrusion sets (where an Intrusion Set is just a special type of Campaign)? I realize the terminology itself may cause confusion, but if you get past that, are the data types at least compatible?

    Just my 2 cents.

    Greg


  • 3.  RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 14:52
    Greg,

    It's an interesting point and I had originally considered it. The information captured within a Campaign object and what is captured within an Intrusion Set object are very similar. The issue is that the constructs mean two different things. At the end of the day, what we are representing in a STIX format needs to be displayed to analysts in a user interface. I apologize for the large amount of text below, but at the end of it I do have a compromise.

    Anyone who has worked with intel analysts (and I realize most of you have) knows that they are extremely literal. Their job is to make sure that they fully understand the facts and what something means. If they write something in a document, they do their best to make sure that what they have written has the correct caveats and will be interpreted by all readers correctly. I remind everyone of this, because I have made the mistake in the past of asking analysts to respond to requests where any other person would understand what I meant, but an analyst analyzes the request and comes back with questions or caveats to consider.

    The issue arises that while we might be able to represent Campaigns and Intrusion Sets in a single object, we would not be able to easily digest STIX from an external source and distinguish to the analyst what is a Campaign and what is an Intrusion Set. To the analyst, they are not the same thing. If they need to look through a list of Intrusion Sets and apply attribution to an Incident, they don't want to see Campaign names coming up. That is a separate distinction.

    Campaigns are identified fairly quickly. Hey, I just had 5 spear phishing emails sent to me by partner organizations that all look very similar. There's a campaign going on. Identifying a new Intrusion Set is much more meticulous. There is a process. They need to prove to the community that it really is a new Intrusion Set and that the activity is not really attributed to something already known. The analyst typically needs to identify at least 3 of the 4 points in the diamond model. Most organizations track how many new Intrusion Sets they have identified to the community and named as a source of pride. There are naming boards to come to a consensus on the names.

    All of this is to say that the analyst community views these as different things with different controls attached to the creation and usage of these objects. Which makes me believe combining them would result in a negative reaction from the analysts.

    With that being said, I could see us having one object definition in the documentation that under the 'type' field has the option of 'campaign' or 'intrusion-set' and in the description of the object we provide definitions for both and when to use which object. Thoughts?


  • 4.  RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 15:20
    What if we had an object with a different name - let's call it fooferah for now. Then that object had a "fooferah-type" that pointed at a closed vocab - which had entries "campaign", "intrusion set", other "fooferah" objects, and possibly others in the future. This object is allowed to have all of the required relationship types to TTPs, indicators, threat actors, etc. And can have optional life-cycle type of attributes.

    This makes it not ambiguous at all to an analyst - it's one or the other. But, it eliminates a superfluous TLO from the model. We would just need to name this TLO.

    - Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com
    Without data, all you are is just another person with an opinion - Unknown

    From: "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil>
    To: "'Back, Greg'" <gback@mitre.org>, "'cti@lists.oasis-open.org'" <cti@lists.oasis-open.org>
    Cc: Mark Davidson <mdavidson@soltra.com>
    Date: 05/24/2016 11:51 AM
    Subject: RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors
    Sent by: <cti@lists.oasis-open.org>

    > Greg, It's an interesting point and I had originally considered it.
    > [...]
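    Gary's compromise (one object definition whose 'type' is either 'campaign' or 'intrusion-set') and Jason's closed-vocabulary "fooferah-type" both reduce, at the consumer's end, to the same two checks: the type must come from a fixed list, and the object's identifier must agree with it, so a UI can keep intrusion sets and campaigns in separate lists. The following is an added example, not code from this thread or from any STIX implementation. The required fields, the `<type>--<uuid>` identifier form, the `validate_activity` and `split_by_type` names, and the sample objects are assumptions made for illustration; two samples are corrected copies of Gary's examples, and one reproduces the Intrusion Set example as originally posted (key typed as "type:", single dash in the id) to show what the checks report.

```python
import json
import re

# Closed vocabulary for the shared object's type field. Constructed for this
# example; not a vocabulary from any STIX specification.
ACTIVITY_TYPES = {"campaign", "intrusion-set"}
REQUIRED_FIELDS = ("type", "id", "title")
# Assumed identifier form: "<type>--<lowercase uuid>", as in the campaign example.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def validate_activity(obj):
    """Return a list of problems; an empty list means the object is acceptable."""
    errors = []
    for field in REQUIRED_FIELDS:
        if field not in obj:
            errors.append(f"missing required field {field!r}")
    kind = obj.get("type")
    if kind not in ACTIVITY_TYPES:
        errors.append(f"type {kind!r} not in vocabulary {sorted(ACTIVITY_TYPES)}")
    prefix, sep, suffix = str(obj.get("id", "")).partition("--")
    if not sep:
        errors.append("id must have the form '<type>--<uuid>'")
    else:
        if prefix != kind:
            errors.append(f"id prefix {prefix!r} does not match type {kind!r}")
        if not UUID_RE.match(suffix):
            errors.append(f"id suffix {suffix!r} is not a UUID")
    return errors


def split_by_type(objects):
    """Partition valid objects by type so a UI can list intrusion sets without
    campaign names mixed in; invalid objects are left out of both lists."""
    buckets = {kind: [] for kind in ACTIVITY_TYPES}
    for obj in objects:
        if not validate_activity(obj):
            buckets[obj["type"]].append(obj["title"])
    return buckets


# Constructed inputs (ids and titles taken from the thread's examples).
GOOD_CAMPAIGN = json.loads('''{
    "type": "campaign",
    "id": "campaign--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "title": "Jets4Christmas"
}''')
GOOD_INTRUSION_SET = json.loads('''{
    "type": "intrusion-set",
    "id": "intrusion-set--4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Bobcat Breakin"
}''')
# The intrusion-set example as originally posted: mistyped key, single-dash id.
AS_POSTED = json.loads('''{
    "type:": "intrusion-set",
    "id": "intrusion-set-4e78f46f-a023-4e5f-bc24-71b3ca22ec29",
    "title": "Bobcat Breakin"
}''')

if __name__ == "__main__":
    for obj in (GOOD_CAMPAIGN, GOOD_INTRUSION_SET, AS_POSTED):
        print(obj.get("title"), validate_activity(obj))
    print(split_by_type([GOOD_CAMPAIGN, GOOD_INTRUSION_SET, AS_POSTED]))
```

    The as-posted object fails three ways (no "type" key, type therefore outside the vocabulary, id without the "--" separator), which is the kind of reconciliation problem Gary describes when ingesting STIX from an external source: a consumer cannot tell an analyst which list an object belongs in unless the type is explicit and consistent with the identifier.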


  • 5.  RE: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 15:27
    Thanks, Gary. I completely agree. In some contexts (particularly U.S. Gov) it's important to be able to distinguish between "campaigns" (which as you say are very quickly identified) and "intrusion sets" (which there is much more formality and process around). I also believe, though can't say for sure, that there are contexts where this distinction is not important.

    In terms of implementation, I can see overriding the existing 'type', or adding a new field, as Jason suggested. One possible name, if we don't want to use Campaign, is ActivitySet.

    Greg


  • 6.  Re: [cti] Definitions for Campaigns, Intrusion Sets and Threat Actors

    Posted 05-24-2016 16:40
    Let's first figure out what fields are needed on each object, to make sure there is a 100% overlap. Please add comments or suggestions in the document for things that need to be added, removed, or changed.

    Campaign
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.bcqwxvu8zvzb

    Intrusion Set
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.bjbu0dy8lyl6

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On May 24, 2016, at 08:51, Katz, Gary CTR DC3/DCCI <Gary.Katz.ctr@dc3.mil> wrote:

    > Greg, It's an interesting point and I had originally considered it.
    > [...]