STIX 2.0 Proposal8 : Remove either embedded or referenced relationships (#201)
STIX IDable content can currently be specified separately and referenced from within other IDable content, or it can be specified inline, embedded within other IDable content.
However, this capability brings with it complexity in structure and ambiguity and complexity in how consumers parse and interpret the content. It is the reason behind the id/idref combination, which confuses some users, adds confusion and complexity to versioning and data markings, and has the potential to lead to very deep nesting of content.
Referenced relationships between content are necessary to support evolution of content, versioning and pivoting. Embedding of content was included for the producer's convenience when specifying simple content and for human readability, neither of which justifies significant added complexity for consumers.
Proposal: remove the ability to specify IDable constructs embedded/nested within other IDable constructs, except for PackageType, which can still embed other IDable constructs within it. Require these sorts of relationships to be explicitly specified using appropriate relationship types.
Example #1a: A STIX 1.2 example of an indicator with an embedded TTP
Example #1b: New STIX 2.0 example of the same indicator with the TTP referenced through an explicit relationship
Example #1a:

```json
{
  "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "type": "indicator",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Indicator for Sakurel Malware",
  "indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
  "indicator_type": [
    {
      "value": "File Hash Watchlist",
      "vocab": "indicator-type-vocab-1.1"
    }
  ],
  "indicated_ttp": [
    {
      "confidence": {
        "value": {
          "value": "High",
          "vocab": "high-medium-low-vocab-1.0"
        }
      },
      "ttp": {
        "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
        "type": "ttp",
        "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
        "Behavior": {
          "Malware": {
            "Malware_Instance": {
              "title": "Sakurel Malware"
            }
          }
        }
      }
    }
  ]
}
```
Example #1b (three separate top-level objects):

```json
{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware"
}

{
  "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "type": "indicator",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware",
  "indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
  "indicator_type": [
    {
      "value": "File Hash Watchlist",
      "vocab": "indicator-type-vocab-1.1"
    }
  ]
}

{
  "id": "example:rel-fd81e9fb-5c3b-4922-9307-dd226079c00f",
  "type": "related-ttp",
  "timestamp": { "value": "2015-12-21T19:59:12.000000+00:00" },
  "confidence": {
    "value": {
      "value": "High",
      "vocab": "high-medium-low-vocab-1.0"
    }
  },
  "from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "to": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "relationship_nature": {
    "value": "Indicated TTP"
  }
}
```
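As an added illustration of the proposal (example code written for this issue, not part of STIX or any STIX library), the following shows what a consumer-side check for embedded IDable content looks like, and how an Example #1a indicator is rewritten into the three referenced objects of Example #1b. The input is a constructed copy of Example #1a, and the `example:rel-<uuid>` id scheme and the `flatten`/`embedded_ids` names are assumptions.

```python
import copy
import uuid

# Constructed input modelled on Example #1a (an indicator embedding its TTP).
EMBEDDED_INDICATOR = {
    "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
    "type": "indicator",
    "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
    "title": "Indicator for Sakurel Malware",
    "indicated_ttp": [{
        "confidence": {"value": {"value": "High", "vocab": "high-medium-low-vocab-1.0"}},
        "ttp": {
            "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
            "type": "ttp",
            "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
            "Behavior": {"Malware": {"Malware_Instance": {"title": "Sakurel Malware"}}},
        },
    }],
}

def embedded_ids(obj, depth=0):
    """Yield the id of every IDable object nested inside another IDable object.
    A consumer enforcing the proposal would reject any hit outside a package."""
    if isinstance(obj, dict):
        if "id" in obj and depth > 0:
            yield obj["id"]
        inner = depth + 1 if "id" in obj else depth  # entering an IDable object
        for value in obj.values():
            yield from embedded_ids(value, inner)
    elif isinstance(obj, list):
        for value in obj:
            yield from embedded_ids(value, depth)

def flatten(indicator, rel_id=None):
    """Rewrite into [malware-instance..., indicator, related-ttp...] as in Example #1b."""
    indicator = copy.deepcopy(indicator)  # leave the caller's object intact
    instances, relationships = [], []
    for entry in indicator.pop("indicated_ttp", []):
        ttp = entry["ttp"]
        # STIX 1.2 nests the name under Behavior/Malware/Malware_Instance; the
        # proposal promotes it to a top-level malware-instance object.
        title = ttp["Behavior"]["Malware"]["Malware_Instance"]["title"]
        instances.append({"id": ttp["id"], "type": "malware-instance",
                          "timestamp": ttp["timestamp"], "title": title})
        relationships.append({
            "id": rel_id or "example:rel-%s" % uuid.uuid4(),  # hypothetical id scheme
            "type": "related-ttp", "timestamp": ttp["timestamp"],
            "confidence": entry["confidence"], "from": indicator["id"], "to": ttp["id"],
            "relationship_nature": {"value": "Indicated TTP"}})
    return instances + [indicator] + relationships
```

Running `embedded_ids` over each object that `flatten` returns yields nothing, which is exactly the property the proposal asks consumers to be able to rely on.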