
Use Case: Analyzing Cyber Threats in Real Time Machine to Human

J. Ginn edited this page Nov 1, 2015 · 1 revision

Abstraction Level (High, Medium or Low): Low

Related Use Cases: Analyzing Cyber Threats (at High Level of Abstraction)

Description: A Human Cybersecurity Threat Analyst (HCTA) in Enterprise A's Security Operations Center (SOC) identifies indicators of compromise (IoCs) that may indicate a real-time attack on a network or on an endpoint in the monitored system. The Enterprise A HCTA executes pre-established ISAC and/or ISAO notification procedures and receives immediate approval to communicate information and data about the IoCs externally to the trust network through the pre-approved and subscribed channel (i.e., TAXII). Pre-approved channels have a previously established data-markings framework (e.g., TLP, FOUO, LES, etc.) and a mechanism for anonymizing inputs from trust-partner members. Data or information is posted anonymously.

Communicated data and/or information are displayed on the ISAC's or ISAO's Threat Intelligence Platform in the form of IoCs (e.g., address objects, email header information, malware hashes, etc.). Other HCTAs operating within their own SOCs (Enterprise B, Enterprise C, ..., Enterprise n) are alerted to the new IoCs in accordance with their own alerting policies. The HCTA in Enterprise C recognizes the IoC data and uploads enriched data and/or defensive code snippets (e.g., a Snort signature or a YARA signature) to supplement the original SIGHTING from the anonymized Enterprise A HCTA. The source of data uploaded to the Threat Intelligence Platform by the Enterprise C HCTA is also anonymized.

The Enterprise A HCTA receives the enriched data and/or information and takes remedial action on his/her network and/or endpoint to mitigate the attack (or potential attack).

Stakeholders/Goals:

_Stakeholder_: Members of an ISAC or ISAO that recognize the force-multiplier effect of threat intelligence sharing among peer organizations.
   _Goal_: To enable threat intelligence sharing that will allow all members of the trust group to move left on the kill chain sequence in a machine-to-human context where judgement and interpretation are necessary.

Preconditions:

Organizational and institutional arrangements have been established on the sharing conditions for the trust circle, including signed NDAs among all HCTAs and participants on the Threat Intelligence Platform. This includes, but is not limited to: data markings, default confidence ratings for communications within the trust circle (e.g., based on the Reliability and Credibility ratings of the Admiralty Code), anonymous pseudonyms for all approved participants, common terminology for the IoCs used, etc.

Dependencies:

Machine-to-human communications are possible if STIX semantics and syntax for objects (e.g., STIX Indicators and/or CybOX Objects) are agreed upon by all members of the sharing trust community.
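The flow in the Description above (Enterprise A posts an anonymized, TLP-marked IoC over the pre-approved channel; Enterprise C answers with an anonymized enrichment Sighting carrying a defensive snippet), as an added example that is not part of this use case page or of any OASIS deliverable. It assumes STIX 2.1-shaped JSON objects as the agreed semantics named under Dependencies (the page itself predates STIX 2); the trust-circle configuration, pseudonyms and sample IoC are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed trust-circle configuration (hypothetical, not from the page): the
# pre-approved channel carries only these markings, and every approved member
# has a pre-agreed pseudonym that replaces its real name in anything posted.
TLP_MARKINGS = {  # well-known STIX 2.1 TLP marking-definition ids
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-dbdf-4f8c-bd6b-6e0e8b9ab8b0",
    "TLP:RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
CHANNEL_ALLOWED = {"TLP:GREEN", "TLP:AMBER"}
PSEUDONYMS = {"Enterprise A": "member-07", "Enterprise C": "member-22"}

def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def _stix_id(obj_type: str, seed: str) -> str:
    # Deterministic UUIDv5 so re-posting the same IoC yields the same id
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, seed)}"

def post_indicator(source: str, pattern: str, marking: str) -> dict:
    """Enterprise A's step: gate on the channel's marking policy, swap the real source for its pseudonym, emit an Indicator."""
    if marking not in CHANNEL_ALLOWED:
        raise ValueError(f"{marking} is not carried on this channel")
    who, ts = PSEUDONYMS[source], _now()  # KeyError if not an approved member
    return {"type": "indicator", "spec_version": "2.1",
            "id": _stix_id("indicator", who + pattern),
            "created": ts, "modified": ts, "valid_from": ts,
            "created_by_ref": _stix_id("identity", who),  # pseudonym, never the enterprise
            "pattern": pattern, "pattern_type": "stix",
            "object_marking_refs": [TLP_MARKINGS[marking]]}

def post_enrichment(source: str, indicator: dict, snippet: str) -> dict:
    """Enterprise C's step: a Sighting that references the anonymized indicator, inherits its marking and carries the Snort/YARA text."""
    who, ts = PSEUDONYMS[source], _now()
    return {"type": "sighting", "spec_version": "2.1",
            "id": _stix_id("sighting", who + indicator["id"]),
            "created": ts, "modified": ts,
            "created_by_ref": _stix_id("identity", who),
            "sighting_of_ref": indicator["id"], "description": snippet,
            "object_marking_refs": list(indicator["object_marking_refs"])}

def leaks_identity(obj: dict) -> bool:
    """Pre-publication check: no real member name may survive anonymization."""
    blob = json.dumps(obj)
    return any(name in blob for name in PSEUDONYMS)
```

Run `leaks_identity` on every object before it reaches the platform; the marking gate and the pseudonym map are the two controls the Preconditions paragraph describes as agreed in advance.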

Main Success Scenario:

Success can be achieved if there is active participation in real time by trained human cybersecurity specialists who can interpret IoCs and communicate the potential implications of an attack on enterprise assets up the organizational hierarchy. Subsequent response actions are executed within the pre-defined risk and governance framework of the enterprise.