Skip to content

STIX 2.0 Proposal12 : Clarify semantics of different types of TTPs as expressed in the TTP construct (#360)

sbarnum edited this page Dec 23, 2015 · 2 revisions

Issue Summary

There is currently a lack of semantic clarity with regards to Attack Pattern, Malware, Exploit, Infrastructure, Tools, Personas, Victim Targeting and Kill Chains within TPP. It is the current semantic intent that each of these are separate types of TTP and a single TTP instance would not include more than one of them. If more than one of them is relevant within a given context they should be specified separately and then related to each other.

Proposed

Actions

  • Modify AttackPatternType to be a specialization of TTPType.
  • Modify MalwareInstanceType to be a specialization of TTPType.
  • Modify ExploitType to be a specialization of TTPType.
  • Modify InfrastructureType to be a specialization of TTPType.
  • Rename ToolInformationType to AttackerToolInformationType and make it a specialization of both TTPType and CYBOX:cyboxCommon:ToolInformationType.
  • Modify PersonaType to be a specialization of both TTPType and IdentityType.
  • Modify VictimTargetingType to be a specialization of both TTPType and VictimType.
  • Modify KillChainType to be a specialization of TTPType.
  • Modify KillChainPhaseType to be a specialization of TTPType.
  • Remove properties redundant with IDableConstructType from all TTP-related IDable classes

Proposed Model

Examples

Example #1: simple malware instance TTP

Example #2: simple TA, simple MalwareInstance TTP, simple Infrastructure (IP address) TTP, simple VictimTargeting TTP with relationships tying TA to each TTP

JSON Serialization example snippets

Example #1:

{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware"
}

Example #2:

{
  "id": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
  "type": "threat-actor",
  "timestamp": {"value": "2015-12-21T21:54:19.000000+00:00"},
  "name": "Black Vine"
}

{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
  "name": "Sakurel Malware",
  "malware_instance_type": {
    "value": "Remote Access Trojan", 
    "vocab": "malware-type-vocab-1.0"
  }
}

{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "infrastructure",
  "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
  "title": "Sakurel Command & Control Server",
  "infrastructure_type": {
    "value": "Hosting",	
    "vocab": "attacker-infrastructure-type-vocab-1.0"
  },
  "observable_characterization": "observable pattern characterizing the infrastructure would go here"
}

{
  "id": "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d",
  "type": "victim-targeting",
  "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
  "title": "Targeting of Healthcare Sector",
  "specification": "CIQ content for sector would go here. Still to be determined how to do this in JSON."
}

{
  "id": "example:rel-3b9edb33-5379-4566-8deb-9db1eba074d8",
  "type": "related-ttp",
  "timestamp": {"value": "2015-12-21T19:59:12.000000+00:00"},
  "confidence": {
    "value": {
      "value": "High", 
      "vocab": "high-medium-low-vocab-1.0"
    }
  },
  "from": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
  "to": [
    "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d"
  ],
  "relationship_nature": {"value": "Observed TTP"}
}

JSON Schema Serialization snippets

Open Questions

Clone this wiki locally