# STORM

An angry cloud.

A registry of how to protect a system.

## Tags

Tags are limited to the characters `a-z`, `0-9` and `-`, and can be separated hierarchically with `.`.

For example, when referring to a MITRE ATT&CK technique we could use `attack.t0001`. ATT&CK identifiers themselves are upper case (for example `T1059`), so they are lowercased (`attack.t1059`) to fit the tag character set.

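The following Python is an added example, not code from the STORM project. It validates tags against the character set above, builds `attack.*` tags from real ATT&CK technique identifiers, and answers hierarchical queries on whole segments rather than string prefixes. Rules the page does not state are marked as assumptions in the comments: a segment may not be empty and may not start or end with `-`, and an ATT&CK sub-technique suffix (`T1059.001`) becomes a child segment. The sample registry at the bottom is constructed for the demonstration.

```python
from __future__ import annotations

import re

# Tag grammar from the README: segments of a-z, 0-9 or '-', joined by '.'.
# Assumptions not stated on the page: a segment may not be empty and may not
# start or end with '-', so 'attack.' and 'a..b' are rejected.
_SEGMENT = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def is_valid_tag(tag: str) -> bool:
    """Return True if every '.'-separated segment matches the tag grammar."""
    if not tag:
        return False
    return all(_SEGMENT.fullmatch(seg) for seg in tag.split("."))


def attack_tag(technique_id: str) -> str:
    """Map an ATT&CK technique ID such as 'T1059' or 'T1059.001' to a tag.

    ATT&CK IDs are upper case, which the tag grammar does not allow, so the
    ID is lowercased. Treating a sub-technique suffix as a child segment
    ('attack.t1059.001') is an assumption; the README only shows 'attack.t0001'.
    """
    m = re.fullmatch(r"\s*[Tt](\d{4})(?:\.(\d{3}))?\s*", technique_id)
    if m is None:
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    tag = f"attack.t{m.group(1)}"
    if m.group(2):
        tag += f".{m.group(2)}"
    assert is_valid_tag(tag)
    return tag


def ancestors(tag: str) -> list[str]:
    """Return the tag and every hierarchical parent, most specific last.

    'attack.t1059.001' -> ['attack', 'attack.t1059', 'attack.t1059.001']
    """
    parts = tag.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]


def in_hierarchy(tag: str, parent: str) -> bool:
    """True if `tag` equals `parent` or sits below it in the hierarchy.

    The comparison is on whole segments, so the parent 'attack.t10' does
    NOT match 'attack.t1059', even though it is a string prefix of it.
    """
    return tag == parent or tag.startswith(parent + ".")


def select(records: dict[str, list[str]], parent: str) -> list[str]:
    """Return the record IDs whose tags fall under `parent`.

    `records` maps a record ID to its tag list. An invalid tag raises rather
    than being skipped silently, so a bad record cannot hide from a query.
    """
    hits = []
    for rid, tags in records.items():
        for t in tags:
            if not is_valid_tag(t):
                raise ValueError(f"{rid}: invalid tag {t!r}")
        if any(in_hierarchy(t, parent) for t in tags):
            hits.append(rid)
    return hits


# Constructed sample registry (not from the page). The record IDs follow the
# README's prefix/five-digit scheme but are made up here; T1059 and T1003 are
# real ATT&CK technique IDs, the 'platform.*' and 'control.*' tags are invented.
SAMPLE_RECORDS = {
    "ODN00001": ["attack.t1059", "platform.windows"],
    "ODN00002": ["attack.t1059.001", "platform.windows"],
    "ODN00003": ["attack.t1003", "platform.linux"],
    "MSY00001": ["attack.t1059", "control.application-allowlist"],
}

if __name__ == "__main__":
    print(attack_tag("T1059.001"))
    print(select(SAMPLE_RECORDS, "attack.t1059"))
    print(select(SAMPLE_RECORDS, "attack.t10"))
```

`select` is the query a detection-coverage report would run: everything under `attack.t1059` should include the sub-technique record `ODN00002`, while the truncated parent `attack.t10` must match nothing, which is why `in_hierarchy` appends the separator before comparing.
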
## Domains

| Domain                 | Model         | Description                                                                   |
| ---------------------- | ------------- | ----------------------------------------------------------------------------- |
| [Source](#source)      |               | Sourcing of intelligence for improving observation, reaction and mitigation   |
|                        | Intelligence  | Feed or result of a query used to satisfy intelligence requirements           |
|                        | Requirement   | Collection of intelligence used by actions, detections and mitigations        |
|                        | Provider      | An internal or external supplier of intelligence                              |
| [Threat](#threat)      |               | Modelling and simulation of threat actor tactics, techniques and software     |
|                        | Tactic        | High-level categorization of threat actor behaviour                           |
|                        | Technique     | Specific description of threat actor behaviour                                |
|                        | Software      | Code, utilities and tools used in conducting threat actor behaviour           |
|                        | Simulation    | Generating threat behaviour for testing observation, reaction and mitigation  |
| [Observe](#observe)    |               | Events, definitions and configuration for observing threat actor behaviour    |
|                        | Event         | Observable items used to detect and respond to threat actor behaviour         |
|                        | Detection     | Rule used to detect threat actor behaviour, mapped to the behaviour it covers |
|                        | Provider      | Software or systems that are capable of producing events                      |
|                        | Configuration | Configuration applied to a provider enabling it to produce events             |
| [React](#react)        |               | Structured responses to observed threat behaviour                             |
|                        | Stage         | Phase of a response to observed threat behaviour                              |
|                        | Action        | An atomic human action assigned to a response stage                           |
|                        | Playbook      | Composition of response actions for a given context                           |
| [Mitigate](#mitigate)  |               | Proactive and reactive strategies to address threats                          |
|                        | Strategy      | Composition of platforms and configurations to address a threat               |
|                        | Platform      | Platform that is capable of mitigating threats with or without configuration  |
|                        | Configuration | Configuration applied to a platform enabling it to mitigate threats           |

### Source

How do you know what is happening outside of your system, or whether something
you saw is elsewhere considered a threat?

A source is an entity that provides an external perspective and knowledge of
threats, techniques, tools and mitigations, and that can be pulled or queried.

#### Provider

#### Requirement

#### Intelligence

### Threat

### Observe

### React

### Mitigate

## Identifiers

Records are identified by a three-letter prefix, the domain initial followed by the first and last letters of the model name, and a five-digit number (`#####`):

- `source/`
  - provider `SPR#####`
  - requirement `SRT#####`
  - intelligence `SIE#####`
- `threat/`
  - tactic `TTC#####`
  - software `TSE#####`
  - technique `TTE#####`
  - deficiency
  - simulation `TSN#####`
- `observe/`
  - event `OET#####`
  - detection `ODN#####`
  - provider `OPR#####`
  - configuration `OCG#####`
- `react/`
  - stage `RSE#####`
  - action `RAN#####`
  - playbook `RPK#####`
- `mitigate/`
  - strategy `MSY#####`
  - platform `MPM#####`
  - configuration `MCG#####`
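As an added example that is not part of the STORM project, the following Python parses and validates identifiers in this scheme, allocates the next free number for a domain/model, and checks that a record's directory agrees with its prefix. Two things are assumptions rather than statements on the page: `#####` is read as exactly five decimal digits, and a record is taken to live at `domain/model/IDENT` in the tree above. `deficiency` has no prefix on the page, so it is left out of the table and allocation for it fails with a `KeyError`. The sample registry is constructed.

```python
from __future__ import annotations

import re
from collections.abc import Iterable

# Prefix table copied from the identifier listing above. 'deficiency' under
# threat/ has no prefix on the page, so it is deliberately absent here.
PREFIXES: dict[str, tuple[str, str]] = {
    "SPR": ("source", "provider"),
    "SRT": ("source", "requirement"),
    "SIE": ("source", "intelligence"),
    "TTC": ("threat", "tactic"),
    "TSE": ("threat", "software"),
    "TTE": ("threat", "technique"),
    "TSN": ("threat", "simulation"),
    "OET": ("observe", "event"),
    "ODN": ("observe", "detection"),
    "OPR": ("observe", "provider"),
    "OCG": ("observe", "configuration"),
    "RSE": ("react", "stage"),
    "RAN": ("react", "action"),
    "RPK": ("react", "playbook"),
    "MSY": ("mitigate", "strategy"),
    "MPM": ("mitigate", "platform"),
    "MCG": ("mitigate", "configuration"),
}
PREFIX_FOR = {dm: p for p, dm in PREFIXES.items()}  # (domain, model) -> prefix

# '#####' is read as exactly five decimal digits (assumption).
_IDENT = re.compile(r"([A-Z]{3})(\d{5})")
MAX_NUMBER = 99_999


def parse_identifier(ident: str) -> tuple[str, str, int]:
    """Split 'ODN00042' into ('observe', 'detection', 42).

    Anything that is not a known prefix followed by exactly five digits is
    rejected, so 'odn00042', 'ODN0042' and 'XYZ00001' all raise ValueError.
    """
    m = _IDENT.fullmatch(ident)
    if m is None:
        raise ValueError(f"malformed identifier: {ident!r}")
    prefix, number = m.group(1), int(m.group(2))
    if prefix not in PREFIXES:
        raise ValueError(f"unknown prefix {prefix!r} in {ident!r}")
    domain, model = PREFIXES[prefix]
    return domain, model, number


def record_path(ident: str) -> str:
    """Path of a record under the domain/model tree, e.g. 'source/provider/SPR00001'.

    That records are stored at this path is an assumption; the page shows only
    the tree and the prefixes.
    """
    domain, model, _ = parse_identifier(ident)
    return f"{domain}/{model}/{ident}"


def next_identifier(domain: str, model: str, existing: Iterable[str]) -> str:
    """Allocate the number after the highest one in use for this domain/model.

    Identifiers with other prefixes are ignored but still validated. Numbers
    freed by deleted records are never reused, so an identifier keeps one
    meaning for the life of the registry.
    """
    prefix = PREFIX_FOR[(domain, model)]  # KeyError if the model has no prefix
    highest = 0
    for ident in existing:
        d, m, n = parse_identifier(ident)  # rejects malformed IDs in the registry
        if (d, m) == (domain, model):
            highest = max(highest, n)
    if highest >= MAX_NUMBER:
        raise OverflowError(f"{prefix} identifier space exhausted")
    return f"{prefix}{highest + 1:05d}"


def misfiled(paths: Iterable[str]) -> list[str]:
    """Return paths whose directory disagrees with the identifier's prefix,
    e.g. a detection (ODN) stored under observe/event/."""
    return [p for p in paths if record_path(p.rsplit("/", 1)[-1]) != p]


# Constructed sample (not from the page); the last entry is deliberately misfiled.
SAMPLE_REGISTRY = [
    "source/provider/SPR00001",
    "observe/detection/ODN00001",
    "observe/detection/ODN00007",
    "observe/event/ODN00002",
]

if __name__ == "__main__":
    print(parse_identifier("ODN00042"))
    print(next_identifier("observe", "detection",
                          (p.rsplit("/", 1)[-1] for p in SAMPLE_REGISTRY)))
    print(misfiled(SAMPLE_REGISTRY))
```

Running `misfiled` over the registry tree is the cheap consistency check to put in CI: a detection filed under `observe/event/` still parses as a valid `ODN` identifier, so only the path comparison catches it.
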