IndicatorTypeVocab needs to be improved about specifications HOT 7 OPEN

This was my internal list so far - thoughts?

Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **

from specifications.

I do like your list, and agree w/ spelling out Command and Control.

I would remove Host/Process as that is creating an artificial distinction that isn't needed.

Maybe change Quantified Risk to Known Vulnerability? Quantified Risk sounds too abstract.

There is still a slight distinction which I'm not sure we should make, being an activity and a state. The Observables have Action and Event to take this on, so specifying Activity is extra. With this said, what is the difference between Malicious and Compromise(d)?

I don't like Privilege Escalation. I feels too similar to some of the others. Is this an attempt to elevate privilege (Malicious), or is it that a privilege escalation happened (Compromise), or is that it enables privilege escalation (Known Vulnerability)?

Policy Violation should maybe be a subtype, or located else where, because even if it's a policy violation, doesn't override any of the other vocab.

from specifications.

Host/Process Compromise - The emphasis should probably be more on the "compromise" part. I am trying to call out the difference between an indicator communicating an actual compromise, vs. an indicator simply communicating activity. These are quite different events.

"Quantified Risk to Known Vulnerability? " - I am actually not referring to simply a vulnerability, but anything that indicates a risk. For example, a port that has been suspiciously opened in the host-based firewall would be a risk indicating APT activity.

Privilege Escalation is a specific phase of the kill chain - I really think it should be in there...

from specifications.

Compromise - I agree a difference between simple activity vs compromise. We don't have a normal activity vocab, and I think that is fine, since why would you want to alert on that.

For Quantified Risk: in the case of a port opened, why isn't that Anomalous Activity instead? Pretty much anything in an Indicator is a Risk, otherwise we wouldn't be looking for it.

I'd still like to know how Privilege Escalation differs from Compromise or Known Vulnerability in your midset, though we should probably take this part of the discussion to something like slack.

from specifications.

"In the case of a port opened, why isn't that Anomalous Activity instead?" A port being open is not activity in and of itself.. it is simply a state of a host.

"how Privilege Escalation differs from Compromise or Known Vulnerability" - It's a phase of the kill chain that happens after a host compromise. Also, you don't necessarily need a known vulnerability to perform a privilege escalation.

from specifications.

But you were the one that said an open port is a risk indicating APT activity. If it's a risk of APT activity, then it should be Anomalous Activity or another one.

from specifications.

My proposal for the vocab is:
Anomalous Activity - Indicator describes unexpected, or unusual activity that may not necessarily be malicious or indicate compromise.
Anonymization - Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).
Command and Control - Indicator describes suspected command and control activity or static indications.
Compromised - Indicator describes a compromised object, e.g., key, login, password.
Data Exfiltration - Indicator describes suspected exfiltration techniques or behavior.
Malicious Activity - Indicator describes suspected malicious objects and/or activity.
Watchlist - Indicator describes a set of suspected malicious objects.

from specifications.