Call for Participation: Threat Actor Context (TAC) TC

A new OASIS technical committee is being formed. The Threat Actor Context (TAC) Technical Committee (TC) has been proposed by the members of OASIS listed in the charter below. The TC name, statement of purpose, scope, list of deliverables, audience, IPR mode and language specified in this proposal will constitute the TC's official charter. Submissions of technology for consideration by the TC, and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

The eligibility requirements for becoming a participant in the TC at the first meeting are:

(a) you must be an employee or designee of an OASIS member organization or an individual member of OASIS, and

(b) you must join the Technical Committee, which members may do by using the Roster "join group: link on the TC's web page at [a].

To be considered a voting member at the first meeting:

(a) you must join the Technical Committee at least 7 days prior to the first meeting (on or before 15 November 2019); and

(b) you must attend the first meeting of the TC, at the time and date fixed below (22 November 2019).

Participants also may join the TC at a later time. OASIS and the TC welcomes all interested parties.

Non-OASIS members who wish to participate may contact us about joining OASIS [b]. In addition, the public may access the information resources maintained for each TC: a mail list archive, document repository and public comments facility, which will be linked from the TC's public home page at [c].

Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage your participation.

----------

[a] https://www.oasis-open.org/apps/org/workgroup/tac/

[b] See http://www.oasis-open.org/join/

[c] http://www.oasis-open.org/committees/tac/

----------

CALL FOR PARTICIPATION

OASIS Threat Actor Context (TAC) Technical Committee Charter

The charter for this TC is as follows.

Section 1: TC Charter

(1)(a) TC Name

Threat Actor Context (TAC) TC

(1)(b) Statement of Purpose

Our purpose is to resolve ambiguity across different sources and solutions to support organizing what is known and to share information about Threat Actors, and the STIX Domain Objects (SDOs) related to them such as Intrusion Sets, Campaigns and Indicators. In this context “Threat Actor” can be, but not necessarily limited to an individual, an organization, a criminal syndicate, a nation state or other type of adversarial entity.

To resolve ambiguity we will establish a common knowledge framework that enables semantic interoperability of threat actor contextual information. We believe this may involve enhancements that run across the strategic, operational, and tactical intelligence levels for use by public and private sector entities defending networks and endpoints. The TC will establish one or more Open Repositories under the OASIS rules and each OASIS Member and non-Member will be eligible only after signing either an Entity Contributor License Agreement (CLA) or an Individual CLA per OASIS rules at https://www.oasis-open.org/resources/open-repositories/faq.

Business Benefits

Organizations that currently share cyber threat intelligence (CTI) are confronted with multiple schemas and share through multiple tools. This limits an organization's ability to strategically correlate and analyze attack data, which could lead to a better understanding of their adversary's goals, capabilities, and trends in targeting and techniques.

This TAC TC would seek to harmonize all of the sharing schema within a single data store using the STIX 2.x data model and a TAXII 2.x transport mechanism thereby allowing for an aggregate data source for the CTI community.

Semantic interoperability is the ability of computer systems to exchange data unambiguously. This enables machine computable logic, inferencing, knowledge discovery, and data federation between information systems.

We are defining terms about Threat Actors to provide semantic interoperability between the variety of systems contributing threat intelligence. This is a significant benefit to existing open sources such as MITRE’s ATT&CK and MISP Galaxy by strengthening their abilities to corroborate and cross-reference with other repositories.

The deliverables of this TC will be a benefit to the users of threat intelligence provided by sources which use different standards or knowledge representations. This enhances the usability of STIX by providing a bridge to other representations. Contributors, including both open source and proprietary, would be able to share the content descriptions and assertions regarding specific Threat Actors, Campaigns and Intrusion Sets or other SDOs. Users would gain access to a high-quality, harmonized data set that enables organizations to conduct a "competitive analysis" of their adversaries in order to react more quickly to and possibly anticipate changes in the adversary activities. This would benefit decision-making for risk management as well as resource allocation.

The TAC Open Repository TC would allow for both OASIS Members and non-Members to contribute subject to the CLA terms and conditions.

(1)(c) Scope

The purpose of this TC is to create a knowledge framework that enables semantic interoperability of threat actor contextual information. In other words, the purpose of the TAC TC is to help the community have coherent conversations in the STIX language.

The scope of this TC’s efforts will include:

1. Hosting one or multiple OASIS Open Repositories of Threat Actor information in STIX 2.x format. The intent is to facilitate schema alignment.
a. Facilitating disparate contributors to submit contributions of Threat Actor information that is aligned with the repository schema is within the scope of this TC.
i. Mechanisms to allow for data marking and other associated metadata to describe the source of the contribution are considered within scope.

2. Validation, confirmation, curation, or quality control of the contributors’ assertions into the repository is not within the scope of this TC.

3. Defining and documenting concepts that provide best practices and guidelines to remove ambiguity from STIX documents produced by different authors (e.g. Intrusion Set naming conventions)

4. Identify appropriate extensions that are need to operationalize STIX 2.x threat information including but not limited to:
a. Strategic Context
b. Operational Context
c. Tactical Context
d. Motivational Context

5. Providing algorithms to align schema is an aspirational activity of this TC.

The base data model for the TAC data store would stem from the STIX 2.x Threat Actor SDO, the Campaign SDO, the Intrusion Set SDO and the Indicator SDO (including patterning) at a minimum. This will provide a uniform interface for integration of schema and content from multiple credible sources.

(1)(d) Deliverables

1. Committee Note on data store Design Specifications for Open Repositories

2. Instructions for Participation in TAC Open Repositories
a. As Contributors
b. As Consumers

(1)(e) IPR Mode

The TC will operate under the Non-Assertion IPR mode as defined in the OASIS Intellectual Property Rights (IPR) Policy.

(1)(f) Audience

The OASIS Members of the TAC TC will be:
* Existing OASIS Members that seek to shape the dialogue on the schemas to be used for the content to be contributed to the Open Repository or Repositories;
* New OASIS Members that seek to shape the dialogue on Threat Actor context.

The Contributors and Consumers of the TAC Open Repository will be:
* Government agencies protecting their information assets
* Not-for-Profit and Non-Governmental Organizations (NGOs) protecting their information assets
* Companies protecting their information assets
* Academic institutions and think tanks conducting research on threat actors, campaigns and intrusion sets
* Students conducting research on patterns of behavior of threat actors

(1)(g) Language

The primary language of the TAC TC will be English.

References:

STIX 2.1 CSPRD01 (WD05) @ https://www.oasis-open.org/committees/document.php?document_id=65771&wg_...
And subsequent revisions.

TAXII 2.1 CSPRD02 (WD05) @
https://www.oasis-open.org/committees/document.php?document_id=64353&wg_... And subsequent revisions.

STIXPreferred References:

* Website: https://oasis-stixpreferred.org/
* Part 1: http://docs.oasis-open.org/cti/stix-taxii-2-interop-p1/v1.1/stix-taxii-2...
* Part 2: http://docs.oasis-open.org/cti/stix-taxii-2-interop-p2/v1.0/stix-taxii-2...
* Terms of Use: https://oasis-stixpreferred.org/certify-instructions/terms-of-use/

Section 2: Additional Information

(2)(a) Identification of Similar Work

The TAC TC builds upon the groundwork laid by the OASIS Cyber Threat Intelligence Technical Committee, the OpenC2 TC, and Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee.

(2)(b) First TC Meeting

The meeting time for the first meeting will be held in accordance with OASIS rules subject to our Call for Participation. We are planning for a virtual meeting date of Friday, November 22, 2019 at 1:00 pm (ET).

(2)(c) Ongoing Meeting Schedule

Meetings will be held monthly at a date and time which will work for the greatest number of members. It will be hosted by the primary convener or his designee. These monthly meetings will be subject to Voting Rights designation. Additional working sessions NOT subject to Voting Rights designation will be considered based on participant interest.

(2)(d) TC Proposers

Ryan Hohimer, Darklight
Jane Ginn, Cyber Threat Intelligence Network (CTIN)
Joerg Eschweiler, Individual
Javier Garcia Robles, LookingGlass
Bret Jordan, Symantec
Anuj Goel, Cyware
Avkash Kathiriya, Cyware
Shawn Riley, Darklight
Robert Keith, Symantec
Alexander Applegate, LookingGlass
Ben Ottoman, CTIN
David Powell, CTIN
Rob Arnold, CTIN
Andreas Sfakianakis, CTIN
Caitlin Huey, EclecticIQ
Chris O'Brien, EclecticIQ
Sergey Polzunov, EclecticIQ

(2)(e) Primary Representatives' Support

Ryan Hohimer, Darklight, ryan.hohimer@darklight.ai
“I, Ryan Hohimer, ryan.hohimer@darklight.ai as OASIS primary representative for DarkLight, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

Jane Ginn, Cyber Threat Intelligence Network, Inc., jg@ctin.us
“I, Jane Ginn, jg@ctin.us as OASIS primary representative for Cyber Threat Intelligence Network, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

Allan Thomson, LookingGlass, athomson@lookingglasscyber.com
“I, Allan Thomson, athomson@lookinggglasscyber.com, as OASIS primary representative for LookingGlass Cyber Solutions Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

Bret Jordan, Symantec, bret_jordan@symantec.com
“I, Bret Jordan, bret_jordan@symantec.com, as OASIS primary representative for Symantec Corp., confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

Anuj Goel, Cyware Labs, anuj@cyware.com
“I, Anuj Goel, anuj@cyware.com as OASIS primary representative for Cyware Labs, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

Raymon van der Velde, EclecticIQ, raymon@eclecticiq.com
“I, Raymon van der Velde, raymon@eclecticiq.com, as OASIS primary representative for EclecticIQ, confirm our support for the proposed TAC TC charter and endorse our participants listed above.”

(2)(f) TC Convener

Ryan Hohimer, Darklight, ryan@darklight.ai

(2)(g) OASIS Member Section

None

(2)(h) Anticipated Contributions

Casey, Timothy & Koeberl, Patrick & Vishik, Claire. (2011). Defining Threat Agents: Towards a More Complete Threat Analysis. 10.1007/978-3-8348-9788-6_21.

Casey, Timothy & Koeberl, Patrick & Vishik, Claire. (2010). Threat agents: A necessary component of threat analysis. ACM International Conference Proceeding Series. 10.1145/1852666.1852728.

(2)(i) FAQ Document

In our FAQ we will answer questions regarding the scope differentiators between this effort and other CTI community resources as well as details on the operations of the TAC TC. Our FAQ will also include details as given in the Open Repository FAQ as per: https://www.oasis-open.org/resources/open-repositories/faq

(2)(j) Work Product Titles and Acronyms

1. TAC Open Repositories as per: https://www.oasis-open.org/resources/open-repositories/

2. TAC TC Member Participation Guidelines

3. TAC Non-Member Participation Guidelines

In addition, there are three potential subcommittees for the TAC TC including: Strategic (S-TAC), Operational (O-TAC), and Tactical (T-TAC). There may be Work Products generated by these subcommittees.

Associated TC: 
Threat Actor Context (TAC)