Threat Modeling and Sharing
Summary
• Proposal to kick off Threat Modeling project
• Multi-phase approach
– Initially: create Cyber Domain PIM and STIX PSM with UML Profile for NIEM
– Expand to other PSMs, create Threat Meta Model
– Expand to non-cyber domains
• Community focused
– Leverage existing work (STIX, OpenIOC, IODef, SI*, etc.)
– Connect to stakeholders within OMG and external
Motivation
• Threat information sharing is a critical enabler for 'wire-speed' defense of complex systems
• Information sharing requires shared concepts for the subject area
– NIEM is used by US federal, state, and local government, as well as internationally
– STIX is being adopted by a large number of users
– Snort rules are common for IDS
• Multiple protocols, languages, and models are used throughout industry today, but:
– Re-use of existing protocols for threat exchange (e.g. IODef)
– Focus on threat indicators/signatures and classification (e.g. STIX, OpenIOC)
– Desire to have traceability from indicators to threat actors and their motivation/intent
– Leverage existing work performed by social modeling and behavior groups, e.g. SI*
– Some integration with other enterprise systems, but no comprehensive approach
Motivation – Clarification
• This is NOT to concentrate threat sharing and modeling at OMG
• No desire to 'take over' from successful approaches such as STIX or OpenIOC
• Collaboration with non-OMG members will be critical for success
• Focus on development of meta-model and semantic interoperability for broadening the view on, and identifying specific areas of improvement
• Leverage strength of MDA to threat sharing
[Figure: threat models today are, at best, ad hoc; point-to-point mapping and coordinated sharing among IODef, STIX, OpenIOC, SI*, Snort Rules, NIEM]
Approach
• Multi-phase approach
– Start with initial mapping of existing concepts (STIX Data Model <-> NIEM UML Profile)
– Develop meta-model for threat modeling and expand scope
– Include non-cyber domains
• Include creation of Platform Independent Model (PIM) and Platform Specific Models (PSM) that represent STIX, OpenIOC
• Include social model of threat actors, campaigns, motivation
– E.g. through leveraging SI* framework concepts
• Integrate with
– NIEM 3.0
– Common Alerting Protocol (CAP)
– Other applicable systems
• Extend beyond cyber threat sharing
– Non-cyber domain integration
– Sharing of countermeasures for specific threats
Phase 1
• Create "Cyber Domain PIM" utilizing UML Profile for NIEM to model STIX information exchange
– NIEM profile exists today
– STIX currently has the richest model and broadest interest base
• Expected output: Specification that includes
– Cyber Domain PIM
– STIX PSM
• Rationale: fairly easy to achieve; concretization of a Cyber Domain PIM that can serve as basis for meta-model or semantic models for other platforms
Phase 2
• Richer social and behavioral modeling, e.g.:
– Leverage of SI* framework concepts of modeling social actors and their behavior
– Integration with CORAS modeling
– Inclusion of XORCISM approaches
• Expansion of Cyber Domain PIM, adding new PSMs, and/or development of Threat Meta-Model
– OpenIOC, IODef, XORCISM, SI*, Snort Rules, etc.
Phase 3 (notional)
• Non-cyber domain modeling
– Integration with existing threat models for law-enforcement, defense, emergency preparedness
– Develop common threat ontology, based on threat meta-model
– Provide cross-domain capabilities, e.g. for describing complex campaigns
– Include domains such as Supply Chain Risk Management (SCRM), Digital Forensics (e.g. SCOX, DFXML), etc.
• Countermeasure modeling
– Develop consistent model for countermeasures
– Allow mapping of countermeasures to threats
– Countermeasure sharing to facilitate automatic mitigation of known threats
Goals
• Enable conceptual interoperability of existing systems
– Validate existing mappings (e.g. STIX/OpenIOC) and allow mapping of new PSMs (NIEM Threat Sharing PSM, SI*, XORCISM, etc.) to each other
• Enable simplified creation of automated threat sharing systems
– Tools-supported code generation
– Semantic interoperability through shared ontology
• Enable automatic threat mitigation
– Include mitigation recommendations in modeling to enable wire-speed defense
• Improve attribution capabilities by including richer characterization of social domain in actor/campaign classification
– Full traceability from observed indicators to social and individual motivation and intent
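As an added illustration (not part of the proposal, and not OMG, STIX or OpenIOC code) of the Motivation slide's contrast between indicator-focused formats and actor traceability, and of the Goals slide's PSM mapping validation: a toy platform-independent model in Python with two simplified platform-specific exports. All class, field and element names are assumptions, and the exports are deliberately not schema-valid STIX 1.x or OpenIOC 1.0.

```python
# Added toy example (not from the OMG proposal); element names are simplified,
# not schema-valid STIX 1.x or OpenIOC 1.0 (assumption).
from dataclasses import dataclass
import xml.etree.ElementTree as ET
@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: str  # social-domain attribute (SI*-style) kept in the PIM
@dataclass(frozen=True)
class Campaign:
    name: str
    actor: ThreatActor
@dataclass(frozen=True)
class Indicator:
    ioc_id: str
    ioc_type: str       # only "md5" in this toy
    value: str
    campaign: Campaign  # the traceability link the Goals slide asks for

# Simplified OpenIOC-style search term per indicator type (assumption).
OPENIOC_TERMS = {"md5": ("FileItem", "FileItem/Md5sum")}

def trace(ind: Indicator) -> list:
    """Walk PIM links: observed indicator -> campaign -> actor -> motivation."""
    actor = ind.campaign.actor
    return [ind.value, ind.campaign.name, actor.name, actor.motivation]

def to_openioc_like(ind: Indicator) -> str:
    """Indicator-only PSM: this format has no slot for campaign or actor."""
    doc, search = OPENIOC_TERMS[ind.ioc_type]
    ioc = ET.Element("ioc", id=ind.ioc_id)
    top = ET.SubElement(ET.SubElement(ioc, "definition"), "Indicator", operator="OR")
    item = ET.SubElement(top, "IndicatorItem", condition="is")
    ET.SubElement(item, "Context", document=doc, search=search)
    ET.SubElement(item, "Content", type=ind.ioc_type).text = ind.value
    return ET.tostring(ioc, encoding="unicode")

def to_stix_like(ind: Indicator) -> dict:
    """Richer PSM: indicator plus related campaign and threat actor."""
    actor = ind.campaign.actor
    return {"Indicator": {"id": ind.ioc_id, "Observable": ind.value},
            "Campaign": ind.campaign.name,
            "Threat_Actor": {"Identity": actor.name, "Motivation": actor.motivation}}

def attribution_preserved(psm) -> bool:
    """Mapping validation (Goals slide): does the PSM still carry the actor link?"""
    if isinstance(psm, str):  # XML PSM
        return ET.fromstring(psm).find(".//Threat_Actor") is not None
    return "Threat_Actor" in psm
# Constructed sample; the hash and names are placeholders, not real indicators.
SAMPLE = Indicator("ioc-0001", "md5", "0123456789abcdef0123456789abcdef",
                   Campaign("campaign-x", ThreatActor("actor-y", "financial gain")))
```

Running attribution_preserved on both exports shows why a shared PIM matters: the indicator-only PSM drops the campaign/actor chain that trace() can still walk on the PIM.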
Notional Timeline