Threat Modeling and Sharing Summary Proposal to kick off - PowerPoint PPT Presentation

Slide 1

Threat Modeling and Sharing

Slide 2

Summary

Proposal to kick off Threat Modeling project
• Multi-phase approach
• Initially: create Cyber Domain PIM and STIX PSM with UML Profile for NIEM
• Expand to other PSMs, create Threat Meta Model
• Expand to non-cyber domains

Community focused
• Leverage existing work (STIX, OpenIOC, IODef, SI*, etc.)
• Connect to stakeholders within OMG and external

Slide 3

Motivation

Threat information sharing is a critical enabler for ‘wire-speed’ defense of complex systems

Information sharing requires shared concepts for the subject area
• NIEM is used by US federal, state, and local government, as well as internationally
• STIX is being adopted by a large number of users
• Snort rules are common for IDS

Multiple protocols, languages, and models are used throughout industry today, but:
• Re-use of existing protocols for threat exchange (e.g. IODef)
• Focus on threat indicators/signature and classification (e.g. STIX, OpenIOC)
• Desire to have traceability from indicators to threat actors and their motivation/intent
• Leverage existing work performed by social modeling and behavior groups, e.g. SI*
• Some integration with other enterprise systems, but no comprehensive approach

Slide 4

Motivation – Clarification

This is NOT to concentrate threat sharing and modeling at OMG
• No desire to ‘take over’ from successful approaches such as STIX or OpenIOC
• Collaboration with non-OMG members will be critical for success

Focus on development of meta-model and semantic interoperability for broadening the view on, and identifying specific areas of, improvement

Leverage strength of MDA to threat sharing

Threat Models Today are – at best – ad hoc coordinated

[Figure: STIX, OpenIOC, IODef, SI*, NIEM, Snort Rules connected by point-to-point mapping]

Slide 5

Approach

Multi-Phase Approach
• Start with initial mapping of existing concepts (STIX Data Model <-> NIEM UML Profile)
• Develop meta-model for threat modeling and expand scope
• Include non-cyber domains

Include creation of Platform Independent Model (PIM) and Platform Specific Models (PSM) that represent STIX, OpenIOC

Include social model of threat actors, campaigns, motivation
• E.g. through leveraging SI* framework concepts

Integrate with
• NIEM 3.0
• Common Alerting Protocol (CAP)
• Other applicable systems

Extend beyond cyber threat sharing
• Non-cyber domain integration
• Sharing of countermeasures for specific threats

Slide 6

Phase 1

Create “Cyber Domain PIM” utilizing UML Profile for NIEM to model STIX information exchange
• NIEM profile exists today
• STIX currently has the richest model and broadest interest base

• Expected output: Specification that includes
  – Cyber Domain PIM
  – STIX PSM

• Rationale: fairly easy to achieve, concretization of a Cyber Domain PIM that can serve as basis for meta-model or semantic models for other platforms

Slide 7

Phase 2

Richer social and behavioral modeling, e.g.:
• Leverage of SI* framework concepts of modeling social actors and their behavior
• Integration with CORAS modeling
• Inclusion of XORCISM approaches

• Expansion of Cyber Domain PIM, adding new PSMs, and/or development of Threat Meta-Model
  – OpenIOC, IODef, XORCISM, SI*, Snort Rules, etc.

Slide 8

Phase 3 (notional)

Non-cyber domain modeling
• Integration with existing threat models for law-enforcement, defense, emergency preparedness
• Develop common threat ontology, based on threat meta-model
• Provide cross-domain capabilities, e.g. for describing complex campaigns
• Include domains such as Supply Chain Risk Management (SCRM), Digital Forensics (e.g. SCOX, DFXML), etc.

Countermeasure modeling
• Develop consistent model for countermeasures
• Allow mapping of countermeasures to threats
• Countermeasure sharing to facilitate automatic mitigation of known threats

Slide 9

Goals

Enable conceptual interoperability of existing systems
• Validate existing mappings (e.g. STIX/OpenIOC) and allow mapping of new PSMs (NIEM Threat Sharing PSM, SI*, XORCISM, etc.) to each other

Enable simplified creation of automated threat sharing systems
• Tools-supported code generation
• Semantic interoperability through shared ontology

Enable automatic threat mitigation
• Include mitigation recommendations in modeling to enable wire-speed defense

Improve attribution capabilities by including richer characterization of social domain in actor/campaign classification
• Full traceability from observed indicators to social and individual motivation and intent
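As an added illustration (not from the proposal or from OMG) of the PIM/PSM idea behind the Approach and Goals slides: one platform-independent threat model whose exporters produce per-platform views, so traceability from an observed indicator to actor motivation lives in the PIM and each new format needs a single mapping to it rather than point-to-point mappings to every peer. The STIX-1.x and OpenIOC shapes, the class names and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Platform Independent Model (PIM): an indicator is linked through its campaign to an
# actor, so the social context (motivation/intent) stays reachable from the observable.
@dataclass(frozen=True)
class ThreatActor:
    name: str
    motivation: str

@dataclass(frozen=True)
class Campaign:
    name: str
    actor: ThreatActor

@dataclass(frozen=True)
class Indicator:
    observable_type: str  # e.g. "domain", "file-md5"
    value: str
    campaign: Campaign

def to_stix_like(ind: Indicator) -> Dict:
    """PSM 1: simplified STIX-1.x-style shape (an assumption, not the real schema)."""
    return {"Indicator": {"Observable": {ind.observable_type: ind.value},
                          "Related_Campaign": ind.campaign.name,
                          "Threat_Actor": ind.campaign.actor.name}}

def to_openioc_like(ind: Indicator) -> Dict:
    """PSM 2: simplified OpenIOC-style IndicatorItem (assumed shape). OpenIOC carries
    no actor/campaign context, so that part of the PIM is intentionally dropped."""
    return {"IndicatorItem": {"Context": ind.observable_type, "Content": ind.value}}

# Hub of PSM exporters: a new platform needs one mapping to the PIM, not one per peer.
PSM_EXPORTERS: Dict[str, Callable[[Indicator], Dict]] = {
    "stix": to_stix_like,
    "openioc": to_openioc_like,
}

def export(ind: Indicator, platform: str) -> Dict:
    return PSM_EXPORTERS[platform](ind)

def trace_to_motivation(ind: Indicator) -> List[str]:
    """Traceability chain: observed indicator -> campaign -> actor -> motivation."""
    return [ind.value, ind.campaign.name, ind.campaign.actor.name,
            ind.campaign.actor.motivation]

# Constructed sample (not from any real report), using a reserved .invalid domain.
SAMPLE = Indicator("domain", "c2.example.invalid",
                   Campaign("Campaign-A", ThreatActor("Actor-X", "financial gain")))
```

Exporting the same PIM object to both formats shows where a format loses the actor context that the Goals slide wants to keep traceable.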

Slide 10

Notional Timeline