cyberstorm/README.md

85 lines
3.8 KiB
Markdown
Raw Normal View History

2021-03-02 04:17:16 +00:00
# STORM
An angry cloud.
A registry of how to protect a system.
## Tags
Tags are limited to `a-z`, `0-9`, or `-` characters and can be hierarchically separated via `.`.
For example when referring to a MITRE ATT&CK technique we could use `attack.t0001`.
## Domains
| Domain | Model | Description |
| ---------- | ------------- | ----------------------------------------------------------------------------- |
| [Source] | | Sourcing of intelligence for improving observation, reaction and mitigation |
| | Intelligence | Feed or result of a query used to satisfy intelligence requirements |
| | Requirement | Collection of intelligence used by actions, detections and mitigations |
| | Provider | An internal or external supplier of intelligence |
| [Threat] | | Modelling and simulations of threat actor tactics, techniques and software |
| | Tactic | High-level categorization of threat actor behaviour |
| | Technique | Specific description of threat actor behaviour |
| | Software | Code/utilities/tools used in conducting threat actor behaviour |
| | Simulation | Generating threat behaviour for testing observation, reaction and mitigations |
| [Observe] | | Events, definitions and configuration for observing threat actor behaviour |
| | Event | Observable items use to detect and respond to threat actor behaviour |
| | Detection | Rule used to detect threat actor behaviour mapped to threat actor behaviour |
| | Provider | Software or systems that are capable of producing events |
| | Configuration | Configuration applied to a provider enabling it to produce events |
| [React] | | Structured responses to observed threat behaviour |
| | Stage | Phase of a response to observed threat behaviour |
| | Action | An atomic human action assigned to an response stage |
| | Playbook | Composition of response actions for a given context |
| [Mitigate] | | Proactive and reactive strategies to address address threats |
| | Strategy | Composition of platforms and configurations to address a threat |
| | Platform | Platform that is capable of mitigating threats with or without configuration |
| | Configuration | Configuration applied to a platform enabling it to mitigate threats |
### Source
How do you what is happening outside of your system or if something you saw
is elsewhere considered a threat?
A source is an entity that provides an external perspective and knowledge of
threats, techniques, tools, mitigations that can be pulled or queried.
#### Provider
#### Requirement
#### Intelligence
### Threat
### Observe
### React
### Mitigate
source/
provider `SPR#####`
requirement `SRT#####`
intelligence `SIE#####`
threat/
tactic `TTC#####`
software `TSE#####`
technique `TTE#####`
deficiency
simulation `TSN#####`
observe/
event `OET#####`
detection `ODN#####`
provider `OPR#####`
configuration `OCG#####`
react/
stage `RSE#####`
action `RAN#####`
playbook `RPK#####`
mitigate/
strategy `MSY#####`
platform `MPM#####`
configuration `MCG#####`