
Consider a "Threat Actor Type" decision point #710

Open
ahouseholder opened this issue Feb 21, 2025 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@ahouseholder
Contributor

Is your feature request related to a problem? Please describe.

Some organizations considering the use of SSVC have mentioned that they factor threat actor types into their vulnerability response decision process. SSVC currently has no mechanism to express this.

Describe the solution you'd like

A simple delineation we've seen differentiates between state and non-state actors. However, we might look into whether other taxonomies are in widespread use. The goal would be to create at least one decision point out of this, but I could also imagine having a few different ones so that folks could choose the one that maps onto the taxonomy they are already familiar with/using.

In keeping with the general coarse-grained categories approach that we prefer for SSVC decision points, we would probably want to limit the number of values in the (each) decision point to something like no more than 5 or 6 options, with smaller sets being preferable.

Describe alternatives you've considered

MITRE ATT&CK has a list of specific threat actor groups. That list is obviously too fine-grained to be a decision point.

Additional context

Different granularity decision points from this could be another example of the Acuity Ramp concept in action.

@ahouseholder ahouseholder added the enhancement New feature or request label Feb 21, 2025
@sei-bkoo sei-bkoo self-assigned this Feb 24, 2025
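As an added illustration (not SSVC's own code or data model, and not written by either participant in this issue), the sketch below models a coarse-grained "Threat Actor Type" decision point with the suggested cap on the number of values, plus a finer taxonomy that collapses onto it in the Acuity Ramp sense. The class names, the hard cap of 6, the fine-grained category names and the mapping are all assumptions made for the example; only the state / non-state split comes from the issue text.

```python
"""Hypothetical model of a capped decision point with an acuity ramp.

Not SSVC's own data model; names, cap and taxonomies are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# The issue suggests no more than 5 or 6 options per decision point;
# a hard cap of 6 is assumed here.
MAX_VALUES = 6


@dataclass(frozen=True)
class DecisionPoint:
    """A decision point: a name plus a short tuple of distinct value names."""
    name: str
    values: Tuple[str, ...]

    def __post_init__(self) -> None:
        n = len(self.values)
        if not 2 <= n <= MAX_VALUES:
            raise ValueError(f"{self.name}: expected 2..{MAX_VALUES} values, got {n}")
        if len(set(self.values)) != n:
            raise ValueError(f"{self.name}: duplicate value names")


# Coarse taxonomy named in the issue: state vs. non-state actors.
COARSE = DecisionPoint("Threat Actor Type (coarse)", ("state", "non-state"))

# A finer taxonomy, constructed for this example (not taken from the issue).
FINE = DecisionPoint(
    "Threat Actor Type (fine)",
    ("nation-state", "state-sponsored", "organized-crime", "hacktivist"),
)

# Acuity ramp: every fine value collapses onto exactly one coarse value
# (constructed mapping for illustration).
RAMP: Dict[str, str] = {
    "nation-state": "state",
    "state-sponsored": "state",
    "organized-crime": "non-state",
    "hacktivist": "non-state",
}


def validate_ramp(fine: DecisionPoint, coarse: DecisionPoint, ramp: Dict[str, str]) -> bool:
    """A ramp is consistent when it is defined for every fine value and every
    coarse value is reached by at least one fine value, so neither decision
    point carries a dead option."""
    total = set(ramp) == set(fine.values)
    onto = set(ramp.values()) == set(coarse.values)
    return total and onto


def to_coarse(value: str, fine: DecisionPoint = FINE, coarse: DecisionPoint = COARSE,
              ramp: Dict[str, str] = RAMP) -> str:
    """Accept an analyst's answer at either granularity and return the coarse
    value, so a decision tree written against the coarse point works whichever
    taxonomy the analyst is used to."""
    if value in coarse.values:
        return value
    if value in fine.values:
        return ramp[value]
    raise KeyError(f"{value!r} is not a value of {fine.name} or {coarse.name}")


if __name__ == "__main__":
    assert validate_ramp(FINE, COARSE, RAMP)
    for v in FINE.values + COARSE.values:
        print(f"{v:16} -> {to_coarse(v)}")
```

Keeping the ramp total and onto is what lets several decision points of different granularity coexist without the tree logic having to know which one was answered; the value cap in `__post_init__` is where the "no more than 5 or 6 options" preference would be enforced mechanically.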
@j---
Collaborator

j--- commented Mar 5, 2025

I specifically would argue against this as falling into a mental trap of valorizing the attacker.

While it is true that it is important to understand if some actor has all three of capability, access, and intent to compromise a network when assessing risk, "type" does a bad job of proxying for that. Currently, State of Exploitation is designed to proxy for that (because it demonstrates an actor has all three on at least some systems).

If people want to downgrade some Active vulns because they are not being attacked, then probably a better way to do that would be by sector. Active attacks against other organizations in the same sector as "you" are a stronger proxy for capability, access, and intent than knowing who the threat actor group has been attributed as.
