
Add Intermediaries as a top level class #19

Open
packet-rat opened this issue Oct 8, 2021 · 2 comments

Comments

@packet-rat

Placeholder:

Attackers, Intermediaries, and Targets should all be Top Level Classes.

@rhohimer

As you know, I agree that "Intermediary" and "Target" should be captured in our ontology.


  • Actor
    • Adversary
      • IntrusionSet
      • ThreatActor
    • AuthorizedActor
      • Defender
      • Intermediary

@packet-rat Thoughts?

@AtesComp

From the TAC Charter: "The TAC focuses on the expansion of the representations of the adversaries." Maybe that's a bit too narrow.

Examining other ontologies such as VCard, only the most generic thing is "top level", i.e., vcard:Kind, vcard:VCard. Also, what domain to start with: Cyber Threat Intel (cti:) or just Threat Intel (ti) with CTI subdomain? I'll leave the prefix off as TAC has a few already specified. Then, my offering:

  1. Kind / Thing
    1. Actor (neutral, indeterminate, unknown)
      1. Organization (neutral, indeterminate, unknown)
      2. Group (neutral, indeterminate, unknown)
      3. Individual (neutral, indeterminate, unknown)
      4. Ally
      5. ThreatActor
      6. Victim and / or Target
    2. Ascription
      1. Motivation (using personalMotivation, primaryMotivation, secondaryMotivation)
      2. Goal
      3. ResourceLevel
      4. Role
      5. Sophistication
      6. IntrusionSet (combinations of the above)
      7. ThreatActorProfile (combinations of the above + others?)

...and with more detail if you like...

  1. Kind / Thing
    1. Actor (neutral, indeterminate, unknown)
      1. Organization (neutral, indeterminate, unknown)
        1. AllyOrganization
        2. ThreatOrganization
        3. VictimOrganization
      2. Group (neutral, indeterminate, unknown)
        1. AllyGroup
        2. ThreatGroup
        3. VictimGroup
      3. Individual (neutral, indeterminate, unknown)
        1. AllyIndividual
        2. ThreatIndividual
        3. VictimIndividual
      4. Ally
        1. AllyOrganization
        2. AllyGroup
        3. AllyIndividual
      5. ThreatActor
        1. ThreatOrganization
        2. ThreatGroup
        3. ThreatIndividual
          ...

NOTE: The TAC ontology definitions seem to indicate that adversary is a convenient namespace for an information domain. Should this be "threat" or "threat_info" instead? Then, extend with "ally_info"? Or reorg as suggested above with the Actor stuff separated from the Ascription (or Attribution) stuff?

NOTE: OWL Imports in the current files don't "work" as expected--<owl:imports rdf:resource="http://docs.oasis-open.org/ns/cti/stix/core" /> are just 404s. Is there a discussion to have the CTI TC host the namespace and ontology files for the STIX ontology? If not or in the meantime, shouldn't the imports use actual working URLs? Separate issue?

We tend to think of STIX as all (most) things as adversarial, but unsurprisingly, many are not necessarily so: Course of Action, Grouping, Identity, Infrastructure, Location, Notes, Observed Data, Opinion, Report, Tool could be characterized as Neutral or Ally. Even Vulnerability--not a Threat but a Threat Vector or, more formally, a Risk in a system that is Allied, Neutral, or Adversarial.
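An added example (not code from the TAC project or anyone in this thread) for the owl:imports problem noted above: it extracts the owl:imports targets from an ontology's RDF/XML header and reports any import that is neither mapped to a local file by a catalog nor, optionally, dereferenceable over HTTP. The sample ontology header and the catalog mapping are constructed here; the STIX core IRI is the one quoted in the comment.

```python
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen
from urllib.error import URLError

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
OWL = "http://www.w3.org/2002/07/owl#"

# Constructed sample ontology header; the STIX core IRI is the one quoted in the thread.
SAMPLE_ONTOLOGY = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:owl="http://www.w3.org/2002/07/owl#">
  <owl:Ontology rdf:about="http://example.org/tac/actor">
    <owl:imports rdf:resource="http://docs.oasis-open.org/ns/cti/stix/core"/>
    <owl:imports rdf:resource="http://www.w3.org/2006/vcard/ns"/>
  </owl:Ontology>
</rdf:RDF>
"""

# Constructed catalog mapping import IRIs to files shipped alongside the ontology.
LOCAL_CATALOG = {"http://www.w3.org/2006/vcard/ns": "imports/vcard.ttl"}

def list_imports(rdf_xml: str) -> list[str]:
    """Return every owl:imports target IRI declared in an RDF/XML ontology."""
    root = ET.fromstring(rdf_xml)
    return [el.get(f"{{{RDF}}}resource") for el in root.iter(f"{{{OWL}}}imports")
            if el.get(f"{{{RDF}}}resource")]

def iri_resolves(iri: str, timeout: float = 5.0) -> bool:
    """HEAD the IRI; a 404 (raised as HTTPError) or any network failure counts as unresolved."""
    try:
        with urlopen(Request(iri, method="HEAD"), timeout=timeout) as resp:
            return resp.status < 400
    except (URLError, ValueError, OSError):
        return False

def unresolved_imports(rdf_xml: str, catalog: dict, check_network: bool = False) -> list[str]:
    """Imports with no catalog entry and, if check_network, no dereferenceable IRI.
    Offline mode (the default) reports everything missing from the catalog, which is
    the strict behaviour a CI step that loads the ontology should enforce."""
    missing = [iri for iri in list_imports(rdf_xml) if iri not in catalog]
    if check_network:
        missing = [iri for iri in missing if not iri_resolves(iri)]
    return missing

if __name__ == "__main__":
    for iri in unresolved_imports(SAMPLE_ONTOLOGY, LOCAL_CATALOG):
        print("unresolved owl:imports:", iri)
```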
