Comments (7)
This was my internal list so far - thoughts?
Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **
from specifications.
I do like your list, and agree w/ spelling out Command and Control.
I would remove Host/Process as that is creating an artificial distinction that isn't needed.
Maybe change Quantified Risk to Known Vulnerability? Quantified Risk sounds too abstract.
There is still a slight distinction which I'm not sure we should make, being an activity and a state. The Observables have Action and Event to take this on, so specifying Activity is extra. With this said, what is the difference between Malicious and Compromise(d)?
I don't like Privilege Escalation. I feels too similar to some of the others. Is this an attempt to elevate privilege (Malicious), or is it that a privilege escalation happened (Compromise), or is that it enables privilege escalation (Known Vulnerability)?
Policy Violation should maybe be a subtype, or located else where, because even if it's a policy violation, doesn't override any of the other vocab.
from specifications.
Host/Process Compromise - The emphasis should probably be more on the "compromise" part. I am trying to call out the difference between an indicator communicating an actual compromise, vs. an indicator simply communicating activity. These are quite different events.
"Quantified Risk to Known Vulnerability? " - I am actually not referring to simply a vulnerability, but anything that indicates a risk. For example, a port that has been suspiciously opened in the host-based firewall would be a risk indicating APT activity.
Privilege Escalation is a specific phase of the kill chain - I really think it should be in there...
from specifications.
Compromise - I agree a difference between simple activity vs compromise. We don't have a normal activity vocab, and I think that is fine, since why would you want to alert on that.
For Quantified Risk: in the case of a port opened, why isn't that Anomalous Activity instead? Pretty much anything in an Indicator is a Risk, otherwise we wouldn't be looking for it.
I'd still like to know how Privilege Escalation differs from Compromise or Known Vulnerability in your midset, though we should probably take this part of the discussion to something like slack.
from specifications.
"In the case of a port opened, why isn't that Anomalous Activity instead?" A port being open is not activity in and of itself.. it is simply a state of a host.
"how Privilege Escalation differs from Compromise or Known Vulnerability" - It's a phase of the kill chain that happens after a host compromise. Also, you don't necessarily need a known vulnerability to perform a privilege escalation.
from specifications.
But you were the one that said an open port is a risk indicating APT activity. If it's a risk of APT activity, then it should be Anomalous Activity or another one.
from specifications.
My proposal for the vocab is:
Anomalous Activity - Indicator describes unexpected, or unusual activity that may not necessarily be malicious or indicate compromise.
Anonymization - Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).
Command and Control - Indicator describes suspected command and control activity or static indications.
Compromised - Indicator describes a compromised object, e.g., key, login, password.
Data Exfiltration - Indicator describes suspected exfiltration techniques or behavior.
Malicious Activity - Indicator describes suspected malicious objects and/or activity.
Watchlist - Indicator describes a set of suspected malicious objects.
from specifications.
Related Issues (20)
- Stix Difficulties: Cannot generate a relationship between two third-party objects
- Stix Difficulties: Too many ways to do things
- Stix Difficulties: Indicators/Observable, Composition/Object hierarchy is complicated
- Stix Difficulties: Embedded and Referenced Objects
- Stix Difficulties: Difficult for third parties to show agreement or disagreement
- Stix Difficulties: Obfuscation of Producer Identity is Difficult
- Stix Difficulties: Difficult to ask for a referred object
- Stix Difficulties: Victim Targeting is embedded within a TTP
- Stix Difficulties: No STIX-wide way to handle aliases
- Stix Difficulties: Interoperability is difficult if custom vocabularies are allowed
- Stix Difficulties: Difficult to group 'possibly' related things during an investigation
- Stix Difficulties: Cannot suggest hypotheses to a community through STIX
- Stix Difficulties: Relationships are constrained to limited Objects within STIX
- Stix Difficulties: TTPs are almost mandatory
- Stix Difficulties: Which to use? Indicator Composition, Observable Composition, or referenced Object?
- Stix Difficulties: Are CybOX <Object> IDs used in STIX?
- Stix Difficulties: Some Object names are confusing
- STIX should mandate a single timestamp format HOT 1
- Comments from Dave C. on Vocabularies
- idref successor
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from specifications.