Analysis of STIX 2.0 examples

What is STIX?

STIX [1] (Structured Threat Information Expression) is a language and serialization format for exchanging cyber threat intelligence (CTI). STIX is open source and free to use.

Why should you care about STIX?

Contributing and ingesting cyber threat intelligence becomes much easier. With STIX, all aspects of suspicion, compromise and attribution can be represented clearly with objects and descriptive relationships. STIX information can be presented visually to an analyst or stored as JSON so that it is quickly machine-readable. STIX's openness allows it to be integrated into existing tools and products, or adapted to your specific analyst or network needs.

STIX objects

STIX objects categorize each piece of information with specific properties to be populated. Chaining multiple objects together through relationships allows for simple or complex representations of CTI. The following is a list of what can be expressed with STIX.

STIX 2 defines twelve STIX Domain Objects (SDOs):

Attack Pattern: a type of TTP (tactic, technique or procedure) that describes the way threat actors attempt to compromise targets.

Campaign: a grouping of adversarial behaviors that describes a set of malicious activities or attacks occurring over a period of time against a specific set of targets.

Course of Action: an action taken to either prevent an attack or respond to an attack.

Identity: individuals, organizations or groups, as well as classes of individuals, organizations or groups.

Indicator: contains a pattern that can be used to detect suspicious or malicious cyber activity.

Intrusion Set: a grouped set of adversarial behaviors and resources with common properties, believed to be orchestrated by a single threat actor.

Malware: a type of TTP, also known as malicious code or malicious software, used to compromise the confidentiality, integrity or availability of a victim's data or system.

Observed Data: conveys information observed on a system or network (e.g., an IP address).

Report: a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware or attack technique, including contextual details.

Threat Actor: individuals, groups or organizations believed to be operating with malicious intent.

Tool: legitimate software that can be used by threat actors to perform attacks.

Vulnerability: a mistake in software that can be directly used by a hacker to gain access to a system or network.

STIX defines two STIX Relationship Objects (SROs):

Relationship: links two SDOs together and describes how they are related to each other.

Sighting: denotes the belief that an element of CTI (e.g., an indicator or malware) was seen.

Structure of STIX 2.0

STIX 2 objects are represented in JSON. Every SDO and SRO carries the common properties type, id, created and modified; the id has the form type--UUIDv4, and the timestamps are UTC RFC 3339 strings ending in Z. The following is a JSON-based example of a STIX 2.0 Campaign object, which adds the Campaign-specific name and description properties:

{
  "type": "campaign",
  "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2016-04-06T20:03:00.000Z",
  "modified": "2016-04-06T20:03:00.000Z",
  "name": "Green Group Attacks Against Finance",
  "description": "Campaign by Green Group against targets in the financial services sector."
}
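As an added example that is not part of the page's source or the OASIS example code (it uses only the Python standard library, not the stix2 library), the following builds a Campaign object like the one above and checks the common properties every STIX 2.0 object must carry: an id of the form type--UUIDv4 whose prefix matches type, and created/modified timestamps in UTC RFC 3339 with a Z suffix and modified no earlier than created. It also checks the bundle-level requirements (type "bundle", a bundle id and spec_version "2.0"). GREEN_GROUP is a copy of the object above; the function names are this example's own.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 identifier: "<type>--<UUIDv4>". Type names use lowercase letters,
# digits and hyphens (3 to 250 characters); the UUID must be version 4.
ID_RE = re.compile(r"^([a-z0-9][a-z0-9-]{2,249})--"
                   r"([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})$")
# STIX 2.0 timestamp: RFC 3339 in UTC with a 'Z' suffix and optional fractional seconds.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")
REQUIRED = ("type", "id", "created", "modified")  # common properties of every SDO/SRO


def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def stix_timestamp(dt=None):
    """Serialise an aware datetime the way the page's examples do (UTC, millisecond precision)."""
    dt = (dt or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_timestamp(value):
    """Return an aware datetime, or None if the string is not a STIX timestamp.
    Fractional digits beyond microseconds are truncated; they only matter for ordering."""
    m = TS_RE.match(value or "")
    if not m:
        return None
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def validate_common(obj):
    """Check the required common properties of one SDO/SRO; returns a list of problems."""
    problems = [f"missing required property {p}" for p in REQUIRED if p not in obj]
    if problems:
        return problems
    m = ID_RE.match(obj["id"])
    if not m:
        problems.append(f"id {obj['id']!r} is not of the form <type>--<UUIDv4>")
    elif m.group(1) != obj["type"]:
        problems.append(f"id prefix {m.group(1)!r} does not match type {obj['type']!r}")
    created, modified = parse_timestamp(obj["created"]), parse_timestamp(obj["modified"])
    if created is None or modified is None:
        problems.append("created/modified must be UTC RFC 3339 timestamps ending in Z")
    elif modified < created:
        problems.append("modified is earlier than created")
    return problems


def validate_bundle(bundle):
    """A 2.0 bundle needs type, id and spec_version "2.0"; it carries no created/modified itself."""
    problems = []
    if bundle.get("type") != "bundle" or not ID_RE.match(bundle.get("id", "")):
        problems.append("bundle needs type 'bundle' and a bundle--<UUIDv4> id")
    if bundle.get("spec_version") != "2.0":
        problems.append(f"spec_version must be '2.0', got {bundle.get('spec_version')!r}")
    for i, obj in enumerate(bundle.get("objects", [])):
        problems += [f"objects[{i}]: {p}" for p in validate_common(obj)]
    return problems


def make_campaign(name, description):
    """Build a minimal Campaign SDO like the one above, with a fresh id and timestamps."""
    ts = stix_timestamp()
    return {"type": "campaign", "id": new_id("campaign"), "created": ts, "modified": ts,
            "name": name, "description": description}


# Copy of the Campaign object shown above, used here as a known-good input.
GREEN_GROUP = {
    "type": "campaign",
    "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2016-04-06T20:03:00.000Z",
    "modified": "2016-04-06T20:03:00.000Z",
    "name": "Green Group Attacks Against Finance",
    "description": "Campaign by Green Group against targets in the financial services sector.",
}

if __name__ == "__main__":
    print("campaign problems:", validate_common(GREEN_GROUP))
    bundle = {"type": "bundle", "id": new_id("bundle"), "spec_version": "2.0",
              "objects": [GREEN_GROUP, make_campaign("Constructed campaign", "constructed for the demo")]}
    print("bundle problems:", validate_bundle(bundle))
    print("mismatched prefix:", validate_common(dict(GREEN_GROUP, id=new_id("threat-actor"))))
```

The checks are deliberately limited to what the specification makes mandatory for every object; per-type required properties (for example name and labels on a Threat Actor) would be layered on top of validate_common.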

STIX relationship example

STIX 2.0 examples overview

The following examples demonstrate how STIX 2.0 concepts are used for common use cases [2]. They are useful for linking multiple concepts together and provide more detail about STIX objects and properties.

Identifying a threat actor profile

Commercial threat intelligence providers and well-resourced government agencies usually attribute malicious activity to specific threat actors or threat actor groups [3].

Scenario

In this scenario, a threat actor group named "Disco Team" is modeled using the STIX Threat Actor and Identity objects. Disco Team operates primarily in Spanish. They are known for stealing credit card information for financial gain. They use the email alias disco-team@stealthemail.com and the alias "Equipo del Discoteca".

Data model

As you would expect, the threat actor profile is represented with the Threat Actor SDO. Information relevant to the threat actor, such as its goals and motivations, is captured in this object. Other basic information that is not specific to threat actors, such as contact information, is best represented with the Identity SDO. Identity objects are also used for things other than threat actors in STIX: they can model organizations, government agencies and sources of information, among other things.

It is worth noting that in this scenario Disco Team is a threat actor rather than an intrusion set. They may support an intrusion set, but that information is not known. An intrusion set is better suited to describing an entire attack package comprising multiple campaigns. In this case, Disco Team is a threat actor with a purpose.

Besides the common properties (type, id, created, modified), name and labels are the only required properties of the Threat Actor SDO. The labels field is essential for describing what kind of threat actor Disco Team is. Because Disco Team is considered a large, organized, profit-driven criminal gang that steals financial information, it is best labelled crime-syndicate, a value from the threat-actor-label-ov open vocabulary.

The SDO can also model optional properties to build a more complete threat actor profile. For example, the aliases field contains a list of other names for this threat actor. Threat actors can also have one or more roles that describe their work in more detail: a threat actor may sponsor or direct attacks, write malware or run malicious infrastructure. In Disco Team's case they act as agents, carrying out the attacks and stealing the financial information.

Like most threat actors, Disco Team has specific aims in their attacks, so the goals list describes what the threat actor wants to accomplish. Here Disco Team's only goal is to steal credit card credentials. Threat actors also vary in expertise, so the sophistication level (if known) describes the attacker's skills and knowledge. Because of their advanced attack methods and skilled use of tools or malicious code, Disco Team is marked expert. The resource_level field, organization, shows that they are larger and better funded than an individual or small team. Finally, a threat actor usually has a motivation behind one or more attacks; the primary_motivation field captures the main reason. Some threat actors seek notoriety or dominance, others revenge or personal satisfaction. For Disco Team, stealing financial information is classified as personal-gain.

The threat actor's basic identity information is modeled with the Identity SDO. Disco Team is a type of organization, which is captured in the identity_class field, because the threat actor is more formal and organized than an individual hacker or an informal hacker group. Another property, contact_information, holds any known email address or phone number; for Disco Team, an email address is provided.

Since Disco Team's information is split across the Threat Actor and Identity SDOs, the two objects are connected with a Relationship SRO. In this case, source_ref is the threat actor's id, relationship_type is attributed-to, and target_ref is the identity's id.

The following diagram illustrates the Threat Actor and Identity SDOs and the SRO connecting them:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--c9567f73-3803-415c-b06e-2b0622830e5d",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "threat-actor",
      "id": "threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
      "created": "2014-11-19T23:39:03.893348Z",
      "modified": "2014-11-19T23:39:03.893348Z",
      "name": "Disco Team Threat Actor Group",
      "description": "This organized threat actor group operates to create profit from all types of crime.",
      "labels": [
        "crime-syndicate"
      ],
      "aliases": [
        "Equipo del Discoteca"
      ],
      "roles": [
        "agent"
      ],
      "goals": [
        "Steal Credit Card information"
      ],
      "sophistication": "expert",
      "resource_level": "organization",
      "primary_motivation": "personal-gain"
    },
    {
      "type": "identity",
      "id": "identity--733c5838-34d9-4fbf-949c-62aba761184c",
      "created": "2016-08-23T18:05:49.307000Z",
      "modified": "2016-08-23T18:05:49.307000Z",
      "name": "Disco Team",
      "description": "Disco Team is the name of an organized threat actor crime-syndicate.",
      "identity_class": "organization",
      "contact_information": "disco-team@stealthemail.com"
    },
    {
      "type": "relationship",
      "id": "relationship--966c5838-34d9-4fbf-949c-62aba7611837",
      "created": "2016-08-23T18:05:49.307000Z",
      "modified": "2016-08-23T18:05:49.307000Z",
      "relationship_type": "attributed-to",
      "source_ref": "threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
      "target_ref": "identity--733c5838-34d9-4fbf-949c-62aba761184c"
    }
  ]
}

Python producer

# STIX 2.0 classes live in stix2.v20; the top-level stix2 names default to
# STIX 2.1 in current versions of the library.
from stix2.v20 import Bundle, Identity, Relationship, ThreatActor

threat_actor = ThreatActor(
    id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
    created="2014-11-19T23:39:03.893Z",
    modified="2014-11-19T23:39:03.893Z",
    name="Disco Team Threat Actor Group",
    description="This organized threat actor group operates to create profit from all types of crime.",
    labels=["crime-syndicate"],  # required in STIX 2.0; value from threat-actor-label-ov
    aliases=["Equipo del Discoteca"],
    roles=["agent"],
    goals=["Steal Credit Card Information"],
    sophistication="expert",
    resource_level="organization",
    primary_motivation="personal-gain",
)

identity = Identity(
    id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
    created="2016-08-23T18:05:49.307Z",
    modified="2016-08-23T18:05:49.307Z",
    name="Disco Team",
    description="Disco Team is the name of an organized threat actor crime-syndicate.",
    identity_class="organization",  # identity-class-ov value, matching the JSON above
    contact_information="disco-team@stealthemail.com",
)

# Relationship(source_ref, relationship_type, target_ref): the actor is attributed to the identity
relationship = Relationship(threat_actor, "attributed-to", identity)

bundle = Bundle(objects=[threat_actor, identity, relationship])
print(bundle.serialize(pretty=True))

Python consumer

import stix2

# `bundle` is the Bundle built by the producer above. A consumer that receives
# the JSON text instead would parse it with stix2.parse(text, version="2.0").
# Dispatching on the STIX type, rather than comparing against the producer's
# Python objects, makes the same loop work in either case.
for obj in bundle.objects:
    if obj.type == "threat-actor":
        print("------------------")
        print("== THREAT ACTOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + obj.labels[0])
        print("Aliases: " + obj.aliases[0])
        print("Goals: " + obj.goals[0])
        print("Sophistication: " + obj.sophistication)
        print("Resource Level: " + obj.resource_level)
        print("Primary Motivation: " + obj.primary_motivation)
    elif obj.type == "identity":
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Identity Class: " + obj.identity_class)
        print("Contact Information: " + obj.contact_information)
    elif obj.type == "relationship":
        print("------------------")
        print("== RELATIONSHIP ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)

Defining campaigns vs. threat actors vs. intrusion sets

Cyber attacks are often leveraged by threat actors as part of a coordinated campaign against a specific target. These campaigns usually have an objective. Sometimes campaigns are orchestrated by threat actors from a nation state, a crime syndicate or some other nefarious organization and share properties, behaviors and attributes in order to achieve multiple objectives over a significant period of time. This entire attack package is known as an intrusion set [4].

Scenario

This scenario represents a suspected advanced persistent threat (APT) funded by the nation-state "Franistan", targeting the Branistan Peoples Party (BPP), one of Branistan's ruling political parties. The intrusion set consists of a series of sophisticated campaigns and attack patterns against the BPP's website. One campaign inserts false information into the BPP's web pages; the other is a DDoS attack against the BPP's web servers.

Data model

First, Identity SDOs are used to model the information about Franistan and the BPP. As in the other STIX examples (for instance, Identifying a threat actor profile), this object is used specifically to represent general identifying information about Franistan and the BPP. In this scenario the Identity objects are mainly useful for establishing relationships to other objects with SROs: the threat actor is attributed to Franistan, while the BPP is the target of the intrusion set and of multiple campaigns.

Next, the details of the advanced persistent threat in this example are captured in the Intrusion Set SDO. The intrusion set object, named APT BPP, holds the motivations and goals the intrusion set seeks to achieve. Among APT BPP's goals in the goals list are influencing the Branistan election and disrupting the BPP, and its motivations follow from them: the primary_motivation is ideology and the secondary_motivations list contains dominance. In addition, because it is strongly suspected of being funded with Franistan's money and resources, its resource_level is government. The motivation and resource level values come from the attack-motivation-ov and attack-resource-level-ov open vocabularies.

As with many intrusion sets, there may be multiple threat actors (see the Threat Actor SDO) and campaigns involved. In this scenario there is one threat actor, called Fake BPP, whose goal is to influence the election in Branistan. Its motivations and resource level are the same as the intrusion set's, which makes sense since the threat actor has been associated with this APT. Fake BPP is suspected of being funded by Franistan, so the threat actor's labels are nation-state. Other relevant information is captured in the roles and sophistication properties. In this case Fake BPP leads the attacks against Branistan, so its roles field is director. Because it is regarded as an advanced, well-funded nation-state actor capable of APT-level operations, Fake BPP's sophistication level is strategic. The values for roles and sophistication come from the threat-actor-role-ov and threat-actor-sophistication-ov open vocabularies in the STIX 2.0 specification.

As part of the intrusion set, several distinct attacks are associated with the threat actor. These details are captured in two Campaign SDOs. The first campaign, called Operation Bran Flakes, was orchestrated by Fake BPP to hack into the BPP website, www.bpp.bn, and inject false information into it. The second reported campaign, Operation Raisin Bran, occurred after the first and attempted to flood the BPP website in order to deny legitimate users access to it.

Besides modeling the attack details in Campaign objects, Attack Pattern SDOs are used to categorize the specific attacks with CAPEC. In this type of object, a reference to the CAPEC ID is found under the external_references property. For example, the first attack, which attempts to insert false information, falls under external_id CAPEC-148, "Content Spoofing". The second Attack Pattern SDO, associated with the denial-of-service campaign, references external_id CAPEC-488, "HTTP Flood".

Now that all of the SDOs in this example have been covered, we can examine the Relationship SROs between them. In this scenario the threat actor, the intrusion set and the campaigns all use the attack patterns, so multiple SROs are created to represent these relationships. In all of them, source_ref is the id of the threat actor, intrusion set or campaign, target_ref is the id of one of the attack patterns mentioned above, and relationship_type is simply uses.

The next common relationship involves the BPP's Identity SDO. Here the campaigns, the intrusion set and the threat actor all point to this identity, so target_ref is the BPP identity's id and relationship_type is targets. Besides these, the threat actor Fake BPP also has relationships with other Identity objects. Because Fake BPP is associated with the nation-state Franistan, the Threat Actor SDO is linked to the Franistan Identity SDO with a relationship_type of attributed-to. Also, in one of the attacks mentioned above, Fake BPP attempts to take over the real BPP's website and post content while pretending to be the real BPP, so another relationship is needed to represent that Fake BPP impersonates the real BPP.

Finally, more relationships link the campaigns, the intrusion set and the threat actor. Each of the two campaigns is related to both the Intrusion Set and the Threat Actor SDO through separate attributed-to relationships. In addition, since the intrusion set represents the whole attack package the threat actor orchestrates, the Intrusion Set SDO is also linked to the threat actor through an attributed-to relationship.

The following diagrams help visualize the relationships between the SDOs in this scenario. The first diagram shows the associations among the intrusion set, threat actor and campaign objects.

The second diagram shows the relationships among the Identity objects and the intrusion set, threat actor and campaign SDOs.

Finally, the third diagram captures the relationships between the Attack Pattern SDOs and the intrusion set, threat actor and campaign objects.

Implementation

JSON

{
  "spec_version": "2.0",
  "type": "bundle",
  "id": "bundle--81810123-b298-40f6-a4e7-186efcd07670",
  "objects": [
    {
      "type": "identity",
      "id": "identity--8c6af861-7b20-41ef-9b59-6344fd872a8f",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "name": "Franistan Intelligence",
      "identity_class": "organization"
    },
    {
      "type": "identity",
      "id": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "external_references": [
        {
          "source_name": "website",
          "url": "http://www.bpp.bn"
        }
      ],
      "name": "Branistan Peoples Party",
      "identity_class": "organization"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "labels": [
        "nation-state"
      ],
      "roles": [
        "director"
      ],
      "goals": [
        "Influence the election in Branistan"
      ],
      "resource_level": "government",
      "primary_motivation": "ideology",
      "secondary_motivations": [
        "dominance"
      ],
      "name": "Fake BPP (Branistan Peoples Party)",
      "sophistication": "strategic"
    },
    {
      "type": "campaign",
      "id": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "name": "Operation Bran Flakes",
      "description": "A concerted effort to insert false information into the BPP's web pages",
      "aliases": [
        "OBF"
      ],
      "first_seen": "2016-01-08T12:50:40.123Z",
      "objective": "Hack www.bpp.bn"
    },
    {
      "type": "campaign",
      "id": "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "name": "Operation Raisin Bran",
      "description": "A DDOS campaign to flood BPP web servers",
      "aliases": [
        "ORB"
      ],
      "first_seen": "2016-02-07T19:45:32.126Z",
      "objective": "Flood www.bpp.bn"
    },
    {
      "type": "intrusion-set",
      "id": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "name": "APT BPP",
      "description": "An advanced persistent threat that seeks to disrupt Branistan's election with multiple attacks",
      "first_seen": "2016-01-08T12:50:40.123Z",
      "resource_level": "government",
      "primary_motivation": "ideology",
      "goals": [
        "Influence the Branistan election",
        "Disrupt the BPP"
      ],
      "secondary_motivations": [
        "dominance"
      ],
      "aliases": [
        "Bran-teaser"
      ]
    },
    {
      "type": "attack-pattern",
      "id": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2017-01-30T21:15:04.127Z",
      "external_references": [
        {
          "external_id": "CAPEC-148",
          "source_name": "capec"
        }
      ],
      "name": "Content Spoofing"
    },
    {
      "type": "attack-pattern",
      "id": "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2017-01-30T21:15:04.127Z",
      "external_references": [
        {
          "external_id": "CAPEC-488",
          "source_name": "capec"
        }
      ],
      "name": "HTTP Flood"
    },
    {
      "type": "relationship",
      "id": "relationship--3dcf59c3-30e3-4aa5-9c05-2cbffcee5922",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
      "target_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500"
    },
    {
      "type": "relationship",
      "id": "relationship--45cd8846-fec5-4e64-8271-3d807dc4ea3b",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
      "target_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500"
    },
    {
      "type": "relationship",
      "id": "relationship--9b35d9a0-87ae-4800-88fc-f1fc63246c18",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
      "target_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713"
    },
    {
      "type": "relationship",
      "id": "relationship--50896dfd-d12f-4376-8b47-26ca4155ed52",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
      "target_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713"
    },
    {
      "type": "relationship",
      "id": "relationship--8bd69586-33a6-4dab-99b1-e5728cc3dcd8",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
      "target_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500"
    },
    {
      "type": "relationship",
      "id": "relationship--11290b55-63e2-40f7-be78-7c32a8c08e68",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "targets",
      "source_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
      "target_ref": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b"
    },
    {
      "type": "relationship",
      "id": "relationship--af2a647c-c215-4dc1-af29-19b4aab94f96",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
      "target_ref": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a"
    },
    {
      "type": "relationship",
      "id": "relationship--98f8012d-a797-43f8-bd59-ed11c078fae0",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
      "target_ref": "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c"
    },
    {
      "type": "relationship",
      "id": "relationship--6b6b524f-f115-4eeb-b488-045d62ddfb66",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "targets",
      "source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
      "target_ref": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b"
    },
    {
      "type": "relationship",
      "id": "relationship--032fb0f6-c1ab-4caf-95aa-25cdd7fb0563",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "targets",
      "source_ref": "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
      "target_ref": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b"
    },
    {
      "type": "relationship",
      "id": "relationship--1f820ee7-bb30-4d0c-96c8-08e07e08b0ed",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
      "target_ref": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a"
    },
    {
      "type": "relationship",
      "id": "relationship--addad2d4-f7f1-4d8d-95fb-a94fe084a433",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
      "target_ref": "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c"
    },
    {
      "type": "relationship",
      "id": "relationship--5b271699-d2ad-468c-903d-304ad7a17d71",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "attributed-to",
      "source_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "target_ref": "identity--8c6af861-7b20-41ef-9b59-6344fd872a8f"
    },
    {
      "type": "relationship",
      "id": "relationship--f9d2f337-bf47-40d2-8afd-908d4e366572",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "impersonates",
      "source_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "target_ref": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b"
    },
    {
      "type": "relationship",
      "id": "relationship--51c9484f-e415-4156-a910-613e9f06ba98",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "targets",
      "source_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "target_ref": "identity--ddfe7140-2ba4-48e4-b19a-df069432103b"
    },
    {
      "type": "relationship",
      "id": "relationship--f9d2f337-bf47-40d2-8afd-908d4e366572",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "target_ref": "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a"
    },
    {
      "type": "relationship",
      "id": "relationship--f9d2f337-bf47-40d2-8afd-908d4e366572",
      "created": "2016-08-08T15:50:10.983Z",
      "modified": "2016-08-08T15:50:10.983Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
      "target_ref": "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c"
    }
  ]
}

Python producer

from stix2.v20 import (AttackPattern, Bundle, Campaign, ExternalReference, Identity,
                       IntrusionSet, Relationship, ThreatActor)

threat_actor = ThreatActor(
    id="threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="Fake BPP (Branistan Peoples Party)",
    labels=["nation-state"],
    roles=["director"],
    goals=["Influence the election in Branistan"],
    resource_level="government",
    primary_motivation="ideology",
    secondary_motivations=["dominance"],
    sophistication="strategic",
)

identity1 = Identity(
    id="identity--8c6af861-7b20-41ef-9b59-6344fd872a8f",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="Franistan Intelligence",
    identity_class="organization",
)

ref_bpp = ExternalReference(source_name="website", url="http://www.bpp.bn")

identity2 = Identity(
    id="identity--ddfe7140-2ba4-48e4-b19a-df069432103b",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="Branistan Peoples Party",
    identity_class="organization",
    external_references=[ref_bpp],
)

# CAPEC references for the two attack patterns
ref_capec1 = ExternalReference(source_name="capec", url="https://capec.mitre.org/data/definitions/148.html", external_id="CAPEC-148")
ref_capec2 = ExternalReference(source_name="capec", url="https://capec.mitre.org/data/definitions/488.html", external_id="CAPEC-488")

attack_pattern1 = AttackPattern(
    id="attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a",
    created="2016-08-08T15:50:10.983Z",
    modified="2017-01-30T21:15:04.127Z",
    name="Content Spoofing",
    external_references=[ref_capec1],
)

attack_pattern2 = AttackPattern(
    id="attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c",
    created="2016-08-08T15:50:10.983Z",
    modified="2017-01-30T21:15:04.127Z",
    name="HTTP Flood",
    external_references=[ref_capec2],
)

campaign1 = Campaign(
    id="campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="Operation Bran Flakes",
    description="A concerted effort to insert false information into the BPP's web pages.",
    aliases=["OBF"],
    first_seen="2016-01-08T12:50:40.123Z",
    objective="Hack www.bpp.bn",
)

campaign2 = Campaign(
    id="campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="Operation Raisin Bran",
    description="A DDOS campaign to flood BPP web servers.",
    aliases=["ORB"],
    first_seen="2016-02-07T19:45:32.126Z",
    objective="Flood www.bpp.bn",
)

intrusionset = IntrusionSet(
    id="intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713",
    created="2016-08-08T15:50:10.983Z",
    modified="2016-08-08T15:50:10.983Z",
    name="APT BPP",
    description="An advanced persistent threat that seeks to disrupt Branistan's election with multiple attacks.",
    first_seen="2016-01-08T12:50:40.123Z",
    resource_level="government",
    primary_motivation="ideology",
    goals=["Influence the Branistan election", "Disrupt the BPP"],
    secondary_motivations=["dominance"],
    aliases=["Bran-teaser"],
)

# The seventeen relationships of the JSON above, in the same order
# (Relationship(source_ref, relationship_type, target_ref)).
relationships = [
    Relationship(campaign1, "attributed-to", threat_actor),
    Relationship(campaign2, "attributed-to", threat_actor),
    Relationship(campaign1, "attributed-to", intrusionset),
    Relationship(campaign2, "attributed-to", intrusionset),
    Relationship(intrusionset, "attributed-to", threat_actor),
    Relationship(intrusionset, "targets", identity2),
    Relationship(intrusionset, "uses", attack_pattern1),
    Relationship(intrusionset, "uses", attack_pattern2),
    Relationship(campaign1, "targets", identity2),
    Relationship(campaign2, "targets", identity2),
    Relationship(campaign1, "uses", attack_pattern1),
    Relationship(campaign2, "uses", attack_pattern2),
    Relationship(threat_actor, "attributed-to", identity1),
    Relationship(threat_actor, "impersonates", identity2),
    Relationship(threat_actor, "targets", identity2),
    Relationship(threat_actor, "uses", attack_pattern1),
    Relationship(threat_actor, "uses", attack_pattern2),
]

bundle = Bundle(objects=[threat_actor, identity1, identity2, attack_pattern1, attack_pattern2,
                         campaign1, campaign2, intrusionset, *relationships])
print(bundle.serialize(pretty=True))

Python consumer

import stix2

# Assumes the objects and the bundle built by the producer above are in scope.

def header(title):
    print("------------------")
    print("== " + title + " ==")
    print("------------------")

def common(obj):
    print("ID: " + obj.id)
    print("Created: " + str(obj.created))
    print("Modified: " + str(obj.modified))

for obj in bundle.objects:
    if obj == threat_actor:
        header("THREAT ACTOR")
        common(obj)
        print("Name: " + obj.name)
        print("Labels: " + str(obj.labels))
        print("Roles: " + str(obj.roles))
        print("Goals: " + str(obj.goals))
        print("Resource Level: " + obj.resource_level)
        print("Primary Motivation: " + obj.primary_motivation)
        print("Secondary Motivations: " + str(obj.secondary_motivations))
        print("Sophistication: " + obj.sophistication)
    elif obj == identity1:
        header("IDENTITY")
        common(obj)
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)
    elif obj == identity2:
        header("IDENTITY")
        common(obj)
        print("Name: " + obj.name)
        print("External References: " + str(obj.external_references))
    elif obj == attack_pattern1 or obj == attack_pattern2:
        header("ATTACK PATTERN")
        common(obj)
        print("Name: " + obj.name)
        print("External References: " + str(obj.external_references))
    elif obj == campaign1 or obj == campaign2:
        header("CAMPAIGN")
        common(obj)
        print("Name: " + obj.name)
        print("Aliases: " + str(obj.aliases))
        print("First Seen: " + str(obj.first_seen))
        print("Objective: " + obj.objective)
    elif obj == intrusionset:
        header("INTRUSION SET")
        common(obj)
        print("Name: " + obj.name)
        print("Description: " + obj.description)  # the original printed obj.name here
        print("Resource Level: " + obj.resource_level)
        print("First Seen: " + str(obj.first_seen))
        print("Primary Motivation: " + obj.primary_motivation)
        print("Secondary Motivations: " + str(obj.secondary_motivations))
        print("Aliases: " + str(obj.aliases))
        print("Goals: " + str(obj.goals))
    elif obj.type == "relationship":
        # The original matched str(obj) against a regex; the type property is the reliable check.
        header("RELATIONSHIP")
        common(obj)
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)

Indicator for a Malicious URL

A common way to deliver malware is to host it at a specific URL and steer the target to that URL through a phishing message or a link from another website; the malware is delivered when the URL is visited. Sharing lists of malicious URLs is a cheap and effective way to limit exposure to such malware [5].

Scenario

This scenario consists of an indicator for the known malicious URL http://x4z9arb.cn/4712/ and a piece of backdoor malware associated with that URL. The site has been confirmed to host this backdoor, which is known to download remote files.

Data model

The malicious URL is just one of the many kinds of indicator that can be represented with the Indicator SDO. The value goes into the indicator's pattern property, written in the STIX patterning language; a URL is expressed as a single comparison expression: [url:value = 'http://x4z9arb.cn/4712/']

The Indicator object must also carry a labels property that gives more context about the URL. The URL in this scenario is known to be malicious, so the indicator is labelled malicious-activity. The value is taken from the indicator-label open vocabulary, which contains other useful labels for classifying indicators.

Another required property of the Indicator object, valid_from, states the time from which this URL should be treated as actionable intelligence. In this case the indicator is valid from the moment the object was created. The optional valid_until property would bound the window at the other end; a consumer that ignores these two timestamps will keep acting on stale indicators.

The malware associated with the URL is a backdoor, modelled with the STIX Malware SDO. Like the Indicator object, the Malware object is classified through its labels property, whose values come from the malware-label open vocabulary; a sample can be labelled as a keylogger, spyware, worm, virus and so on. Here the malware behind the URL is labelled both backdoor and remote-access-trojan.

The Malware SDO can also record where a malware instance sits in a kill chain. This malware is understood to establish a backdoor foothold and then download remote files, so the Malware object carries a kill_chain_phases list whose entries name both the kill chain used (kill_chain_name) and the phase within it (phase_name). Here the kill chain is the Mandiant attack lifecycle model and the phase is establish-foothold. Other kill chains, such as the Lockheed Martin Cyber Kill Chain or an organization's own, can be referenced in the same way.

Finally, a Relationship SRO connects the Indicator and Malware objects: the URL indicator indicates the backdoor Malware object. In this relationship the indicator's id is the source_ref and the malware's id is the target_ref.

The following diagram shows the Indicator and Malware SDOs and the Relationship SRO between them:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--d81f86b9-975b-bc0b-775e-810c5ad45a4f",
      "created": "2014-06-29T13:49:37.079000Z",
      "modified": "2014-06-29T13:49:37.079000Z",
      "labels": [
        "malicious-activity"
      ],
      "name": "Malicious site hosting downloader",
      "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
      "valid_from": "2014-06-29T13:49:37.079000Z"
    },
    {
      "type": "malware",
      "id": "malware--162d917e-766f-4611-b5d6-652791454fca",
      "created": "2014-06-30T09:15:17.182Z",
      "modified": "2014-06-30T09:15:17.182Z",
      "name": "x4z9arb backdoor",
      "labels": [
        "backdoor",
        "remote-access-trojan"
      ],
      "description": "This malware attempts to download remote files after establishing a foothold as a backdoor.",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mandiant-attack-lifecycle-model",
          "phase_name": "establish-foothold"
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--6ce78886-1027-4800-9301-40c274fd472f",
      "created": "2014-06-30T09:15:17.182Z",
      "modified": "2014-06-30T09:15:17.182Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--d81f86b9-975b-bc0b-775e-810c5ad45a4f",
      "target_ref": "malware--162d917e-766f-4611-b5d6-652791454fca"
    }
  ]
}

Python producer

import stix2

# No description is set, matching the JSON above (the source's producer carried a
# description copied from the threat-actor example, which does not belong here).
indicator = stix2.Indicator(
    id="indicator--d81f86b9-975b-bc0b-775e-810c5ad45a4f",
    created="2014-06-29T13:49:37.079Z",
    modified="2014-06-29T13:49:37.079Z",
    name="Malicious site hosting downloader",
    labels=["malicious-activity"],
    pattern="[url:value = 'http://x4z9arb.cn/4712/']",
    valid_from="2014-06-29T13:49:37.079000Z"
)
foothold = stix2.KillChainPhase(
    kill_chain_name="mandiant-attack-lifecycle-model",
    phase_name="establish-foothold"
)
malware = stix2.Malware(
    id="malware--162d917e-766f-4611-b5d6-652791454fca",
    created="2014-06-30T09:15:17.182Z",
    modified="2014-06-30T09:15:17.182Z",
    name="x4z9arb backdoor",
    labels=["backdoor", "remote-access-trojan"],
    description="This malware attempts to download remote files after establishing a foothold as a backdoor.",
    kill_chain_phases=[foothold]
)
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])

Python consumer

import stix2

# Assumes indicator, malware, relationship and bundle from the producer above are in scope.
for obj in bundle.objects:
    if obj == malware:
        print("------------------")
        print("== MALWARE ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + ", ".join(obj.labels))
        print("Kill Chain: " + str(obj.kill_chain_phases))
    elif obj == indicator:
        print("------------------")
        print("== INDICATOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        # description is optional on an Indicator, so do not assume it is present
        print("Description: " + obj.get("description", "(none)"))
        print("Labels: " + ", ".join(obj.labels))
        print("Pattern: " + obj.pattern)
        print("Valid From: " + str(obj.valid_from))
    elif obj == relationship:
        print("------------------")
        print("== RELATIONSHIP ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)

Malware Indicator for a File Hash

A common form of threat intelligence sharing is the host-based indicator, typically a file name or a file hash. This example describes a file-hash indicator together with the name and type of the malware it indicates [6].

Scenario

This scenario consists of a simple indicator that represents a pattern for a given file hash, plus the context around it: if a file with this hash is found, a sample of Poison Ivy may be present.

Data model

The Indicator SDO is used to model the pattern, in this case the hash of a Poison Ivy file. The hash is expressed in the indicator's pattern property using the STIX patterning language; the comparison expression for a SHA-256 hash is: [file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']. Other file properties, such as the name or path, can be added to the pattern when they are known. Although this example only deals with a file hash, many other cyber observable objects and their properties can be modelled in indicator patterns: email messages, domain names, IP addresses, processes and so on.

The Indicator object also requires a labels property, which defines what kind of indicator is being represented. In this scenario the hash is associated with Poison Ivy, a known malicious sample, so the indicator is labelled malicious-activity. The value is taken from the indicator-label open vocabulary, which provides other useful labels for classifying indicators.

Next, the details of the Poison Ivy malware are captured with a STIX Malware object. The Malware object also has a required labels property that gives the type of malware; here Poison Ivy is a remote-access-trojan. The term is selected from the malware-label open vocabulary, which covers common malware categories such as virus, backdoor and spyware.

These SDOs are joined by a Relationship SRO, which links the indicator (source_ref) to the malware (target_ref) with the relationship_type indicates.
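The two indicator scenarios above (the malicious URL and this file hash) are what a consumer has to pick apart in practice. The following is an added example, not code from the page or from the OASIS examples, and it uses only the Python standard library rather than the stix2 package: it loads a constructed STIX 2.0 bundle, rejects objects that lack the properties the 2.0 spec requires or carry a malformed type--UUIDv4 identifier, resolves indicates relationships, extracts the atomic value from single-comparison patterns, and honours the valid_from/valid_until window. The bundle, its identifiers and the valid_until value are constructed for the example; the URL and SHA-256 hash are the ones used on this page. Compound patterns (AND/OR/FOLLOWEDBY, START/STOP qualifiers) are deliberately left to a real pattern parser such as the stix2-patterns package.

```python
"""Stdlib-only STIX 2.0 consumer: validate a bundle, resolve 'indicates'
relationships and extract atomic IOC values from simple indicator patterns.
Added example; identifiers and the valid_until window are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle with the same shape as the page's JSON.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3c2e7c0e-5f7d-4b2a-9c3b-7a1d9f2e6b11",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--5b1a5d3c-0e8c-4f2f-8b6a-2e3c7f1d9a01",
         "created": "2014-06-29T13:49:37.079Z", "modified": "2014-06-29T13:49:37.079Z",
         "labels": ["malicious-activity"], "name": "Malicious site hosting downloader",
         "pattern": "[url:value = 'http://x4z9arb.cn/4712/']",
         "valid_from": "2014-06-29T13:49:37.079Z"},
        {"type": "indicator", "id": "indicator--9f0c2b7e-6a1d-4c8e-b2f3-0d4e5a6b7c02",
         "created": "2014-02-20T09:16:08.989Z", "modified": "2014-02-20T09:16:08.989Z",
         "labels": ["malicious-activity"], "name": "File hash for Poison Ivy variant",
         "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
         "valid_from": "2014-02-20T09:00:00Z", "valid_until": "2014-03-20T09:00:00Z"},
        # Deliberately incomplete: no labels and no valid_from, so it must be rejected.
        {"type": "indicator", "id": "indicator--1c2d3e4f-5a6b-4c7d-8e9f-0a1b2c3d4e03",
         "created": "2014-02-20T09:16:08.989Z", "modified": "2014-02-20T09:16:08.989Z",
         "name": "Incomplete indicator", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "malware", "id": "malware--7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c04",
         "created": "2014-02-20T09:16:08.989Z", "modified": "2014-02-20T09:16:08.989Z",
         "name": "Poison Ivy", "labels": ["remote-access-trojan"]},
        {"type": "relationship", "id": "relationship--0d1e2f3a-4b5c-4d6e-8f7a-8b9c0d1e2f05",
         "created": "2014-02-20T09:16:08.989Z", "modified": "2014-02-20T09:16:08.989Z",
         "relationship_type": "indicates",
         "source_ref": "indicator--9f0c2b7e-6a1d-4c8e-b2f3-0d4e5a6b7c02",
         "target_ref": "malware--7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c04"},
    ],
})

COMMON = ("type", "id", "created", "modified")
# Type-specific required properties from the STIX 2.0 spec (only the types used here).
REQUIRED = {
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
# STIX 2.0 identifiers are "<type>--<UUIDv4>".
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
# A single comparison expression: [object-type:property = 'value'].
COMPARISON_RE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def parse_timestamp(ts):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z; fractional seconds are optional."""
    if not ts.endswith("Z"):
        raise ValueError("STIX timestamp must be UTC with a trailing Z: " + ts)
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts[:-1], fmt).replace(tzinfo=timezone.utc)


def load_bundle(text):
    """Return ({id: object} for well-formed objects, [(id, problem), ...] for rejected ones)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    objects, problems = {}, []
    for obj in bundle.get("objects", []):
        missing = [p for p in COMMON + REQUIRED.get(obj.get("type"), ()) if p not in obj]
        if missing:
            problems.append((obj.get("id", "<no id>"), "missing " + ", ".join(missing)))
            continue
        m = ID_RE.match(obj["id"])
        if m is None or m.group(1) != obj["type"]:
            problems.append((obj["id"], "malformed identifier"))
            continue
        objects[obj["id"]] = obj
    return objects, problems


def extract_ioc(pattern):
    """(object_type, property_path, value) for a single comparison expression, else None.
    Compound patterns (AND/OR/FOLLOWEDBY, qualifiers) need a real pattern parser."""
    m = COMPARISON_RE.match(pattern.strip())
    if m is None:
        return None
    return m.group(1), m.group(2).replace("'", ""), m.group(3)


def active_iocs(objects, now):
    """Atomic IOCs from indicators whose validity window contains `now`,
    each with the names of the objects it 'indicates'."""
    indicated = {}
    for obj in objects.values():
        if obj["type"] == "relationship" and obj["relationship_type"] == "indicates":
            target = objects.get(obj["target_ref"])
            if target is not None:  # skip dangling references
                indicated.setdefault(obj["source_ref"], []).append(target["name"])
    results = []
    for obj in objects.values():
        if obj["type"] != "indicator" or now < parse_timestamp(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_timestamp(obj["valid_until"]):
            continue
        ioc = extract_ioc(obj["pattern"])
        if ioc is not None:
            results.append({"indicator": obj["id"], "labels": obj["labels"],
                            "ioc": ioc, "indicates": indicated.get(obj["id"], [])})
    return results


if __name__ == "__main__":
    objs, bad = load_bundle(SAMPLE_BUNDLE)
    for obj_id, why in bad:
        print("rejected", obj_id, why)
    for hit in active_iocs(objs, parse_timestamp("2014-03-01T00:00:00Z")):
        print(hit["ioc"], "->", hit["indicates"])
```

Run on 2014-03-01 only the file-hash indicator is active (the URL indicator's valid_from is in June); run on 2015-01-01 only the URL remains, because the constructed valid_until has expired the hash. The incomplete indicator is reported rather than silently consumed, which is the behaviour you want from anything that feeds blocklists.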

The following diagram shows the Indicator and Malware SDOs and the Relationship SRO:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
      "created": "2014-02-20T09:16:08.989000Z",
      "modified": "2014-02-20T09:16:08.989000Z",
      "name": "File hash for Poison Ivy variant",
      "description": "This file hash indicates that a sample of Poison Ivy is present.",
      "labels": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
      "valid_from": "2014-02-20T09:00:00.000000Z"
    },
    {
      "type": "malware",
      "id": "malware--fdd60b30-b67c-11e3-b0b9-f01faf20d111",
      "created": "2014-02-20T09:16:08.989000Z",
      "modified": "2014-02-20T09:16:08.989000Z",
      "name": "Poison Ivy",
      "labels": [
        "remote-access-trojan"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--f191e70e-1736-47c3-b0f9-fdfe01387eb1",
      "created": "2014-02-20T09:16:08.989000Z",
      "modified": "2014-02-20T09:16:08.989000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
      "target_ref": "malware--fdd60b30-b67c-11e3-b0b9-f01faf20d111"
    }
  ]
}

Python producer

import stix2

indicator = stix2.Indicator(
    id="indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    name="File hash for Poison Ivy variant",
    description="This file hash indicates that a sample of Poison Ivy is present.",
    labels=["malicious-activity"],
    pattern="[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']",
    valid_from="2014-02-20T09:00:00.000000Z"
)
malware = stix2.Malware(
    id="malware--fdd60b30-b67c-11e3-b0b9-f01faf20d111",
    created="2014-02-20T09:16:08.989Z",
    modified="2014-02-20T09:16:08.989Z",
    name="Poison Ivy",
    labels=["remote-access-trojan"]
)
relationship = stix2.Relationship(indicator, 'indicates', malware)
bundle = stix2.Bundle(objects=[indicator, malware, relationship])

Python consumer

import stix2

# Assumes indicator, malware, relationship and bundle from the producer above are in scope.
for obj in bundle.objects:
    if obj == malware:
        print("------------------")
        print("== MALWARE ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Labels: " + obj.labels[0])
    elif obj == indicator:
        print("------------------")
        print("== INDICATOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + obj.labels[0])
        print("Pattern: " + obj.pattern)
        print("Valid From: " + str(obj.valid_from))
    elif obj == relationship:
        print("------------------")
        print("== RELATIONSHIP ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)

Sighting of an Indicator

One of the main benefits of sharing and collaborating on cyber threat intelligence is that other companies and institutions can be warned before an indicator shows up on their own systems or networks, which gives a more proactive way to deal with cyber threats. In many cases an indicator will appear on several networks, and reporting that it has been seen is valuable to every other organization consuming that intelligence [7].

Scenario

The scenario involves Alpha and Beta, two cyber security companies that share threat intelligence. A malicious URL is seen on Alpha's network and an indicator is created to capture it. Alpha shares the indicator with Beta. Beta later finds the indicator on its own systems, and creates and shares a sighting of the indicator to report that it has been observed.

Data model

Two Identity SDOs represent the two companies, Alpha and Beta. The Identity objects record information about the organizations, such as which sector they are in, what they do and how to contact them. Both organizations produce and consume STIX intelligence, so their ids are referenced from other objects through the created_by_ref property to mark them as the creators of those objects. Identity SDOs can also represent individuals, targets, government agencies, groups and so on.

The Identity object requires at least two properties: name and identity_class. identity_class classifies the kind of identity Alpha and Beta represent; here it is organization. The term comes from the identity-class open vocabulary, which contains the recommended values for labelling identities.

The other properties of the Identity SDO are optional and help build a fuller profile. For example, the roles an individual or group plays can be captured in the labels property; since both companies in this scenario deal with cyber threats, it makes sense to label them Cyber Security. The sectors list and any contact_information can be supplied when known. Knowing that the creator of a STIX object is in the financial sector, say, gives more context on why they see certain indicators or are targeted by particular threat actors. Both companies in the example are in the technology sector, a term taken from the industry-sector open vocabulary.

Next, Alpha uses the Indicator SDO to capture the malicious URL found on its network. Using the STIX patterning language, Alpha represents the URL as a comparison expression in the pattern property: [url:value = 'http://paypa1.banking.com']. Because Alpha knows the URL is malicious, it labels the indicator malicious-activity, a term from the indicator-label open vocabulary.

Beta receives the indicator from Alpha and deploys it on its own network, where it finds the URL. Beta then produces a Sighting, a special kind of relationship object that differs from the ordinary Relationship SRO. A Sighting carries properties of its own such as count, first_seen and last_seen, which record how many times and over what period the referenced SDO was seen. An ordinary Relationship SRO only connects two SDOs and says nothing about the intelligence having been observed.

Here Beta's Sighting captures the fact that Alpha's indicator was found on Beta's network. Because Beta is both the creator of the object and the party that saw the indicator, Beta's identity id appears in both created_by_ref and where_sighted_refs. where_sighted_refs is a list, so it can name several Identity SDOs where the object was seen. The other reference, sighting_of_ref, holds the id of the SDO that was sighted, in this case the Indicator object. It is a required property: without an object to sight there is no sighting.

In some cases an indicator such as a URL is seen many times over a period on a network. Here Beta finds the URL only once, so count is the integer 1 and, because there was a single observation, first_seen and last_seen hold the same timestamp.

The following diagram shows the two Identity SDOs, the Indicator SDO and the Sighting SRO:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--c6a895f2-849c-4d1b-aba4-4b45c2800374",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "identity",
      "id": "identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
      "created": "2017-02-24T15:50:10.564Z",
      "modified": "2017-08-24T15:50:10.564Z",
      "name": "Alpha Threat Analysis Org.",
      "identity_class": "organization",
      "labels": [
        "Cyber Security"
      ],
      "sectors": [
        "technology"
      ],
      "contact_information": "info@alpha.org"
    },
    {
      "type": "identity",
      "id": "identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
      "created": "2017-02-26T17:55:10.442Z",
      "modified": "2017-02-26T17:55:10.442Z",
      "name": "Beta Cyber Intelligence Company",
      "identity_class": "organization",
      "labels": [
        "Cyber Security"
      ],
      "sectors": [
        "technology"
      ],
      "contact_information": "info@beta.com"
    },
    {
      "type": "indicator",
      "id": "indicator--9299f726-ce06-492e-8472-2b52ccb53191",
      "created_by_ref": "identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
      "created": "2017-02-27T13:57:10.515Z",
      "modified": "2017-02-27T13:57:10.515Z",
      "name": "Malicious URL",
      "description": "This URL is potentially associated with malicious activity and is listed on several blacklist sites.",
      "pattern": "[url:value = 'http://paypa1.banking.com']",
      "valid_from": "2015-06-29T09:10:15.915Z",
      "labels": [
        "malicious-activity"
      ]
    },
    {
      "type": "sighting",
      "id": "sighting--8356e820-8080-4692-aa91-ecbe94006833",
      "created_by_ref": "identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
      "created": "2017-02-28T19:37:11.213Z",
      "modified": "2017-02-28T19:37:11.213Z",
      "first_seen": "2017-02-27T21:37:11.213Z",
      "last_seen": "2017-02-27T21:37:11.213Z",
      "count": 1,
      "sighting_of_ref": "indicator--9299f726-ce06-492e-8472-2b52ccb53191",
      "where_sighted_refs": [
        "identity--5206ba14-478f-4b0b-9a48-395f690c20a2"
      ]
    }
  ]
}

Python producer

import stix2

# identity_class uses the identity-class open vocabulary value "organization", as in the JSON above
# (the source had the spelling "organisation", which is not the vocabulary term).
identityAlpha = stix2.Identity(
    id="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
    created="2017-02-24T15:50:10.564Z",
    modified="2017-02-24T15:50:10.564Z",
    name="Alpha Threat Analysis Org.",
    identity_class="organization",
    contact_information="info@alpha.org",
    labels=["Cyber Security"],
    sectors=["technology"]
)
identityBeta = stix2.Identity(
    id="identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
    created="2017-02-26T17:55:10.442Z",
    modified="2017-02-26T17:55:10.442Z",
    name="Beta Cyber Intelligence Company",
    identity_class="organization",
    contact_information="info@beta.com",
    labels=["Cyber Security"],
    sectors=["technology"]
)
indicator = stix2.Indicator(
    id="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
    created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
    created="2017-02-27T13:57:10.515Z",
    modified="2017-02-27T13:57:10.515Z",
    name="Malicious URL",
    description="This URL is potentially associated with malicious activity and is listed on several blacklist sites.",
    labels=["malicious-activity"],
    pattern="[url:value = 'http://paypa1.banking.com']",
    valid_from="2015-06-29T09:10:15.915Z"
)
sighting = stix2.Sighting(
    id="sighting--8356e820-8080-4692-aa91-ecbe94006833",
    created_by_ref="identity--5206ba14-478f-4b0b-9a48-395f690c20a2",
    created="2017-02-28T19:37:11.213Z",
    modified="2017-02-28T19:37:11.213Z",
    first_seen="2017-02-27T21:37:11.213Z",
    last_seen="2017-02-27T21:37:11.213Z",
    count=1,
    sighting_of_ref="indicator--9299f726-ce06-492e-8472-2b52ccb53191",
    where_sighted_refs=["identity--5206ba14-478f-4b0b-9a48-395f690c20a2"]
)
bundle = stix2.Bundle(objects=[indicator, identityAlpha, identityBeta, sighting])

Python consumer

import stix2

# Assumes identityAlpha, identityBeta, indicator, sighting and bundle from the producer above are in scope.
for obj in bundle.objects:
    if obj == identityAlpha or obj == identityBeta:
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)
        print("Contact Information: " + obj.contact_information)
        print("Labels: " + obj.labels[0])
        print("Sectors: " + obj.sectors[0])
    elif obj == indicator:
        print("------------------")
        print("== INDICATOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + obj.labels[0])
        print("Pattern: " + obj.pattern)
        print("Valid From: " + str(obj.valid_from))
    elif obj == sighting:
        print("------------------")
        print("== SIGHTING ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("First Seen: " + str(obj.first_seen))
        print("Last Seen: " + str(obj.last_seen))
        print("Count: " + str(obj.count))
        print("Sighting of Ref: " + obj.sighting_of_ref)
        print("Where Sighted Refs: " + obj.where_sighted_refs[0])

Sighting of Observed Data

Whereas an indicator expresses the intelligence behind an attack, raw observed data helps build the evidence on which that intelligence rests, and sharing it is often useful to an organization. As with indicators, a sighting can reference Observed Data objects: data observed on another organization's network can back up the claim that a particular piece of malware was seen, which allows deeper analysis based on the raw data behind the sighting [8].

Scenario

The scenario involves two cyber threat companies, Pym and Oscorp, that share threat intelligence with each other. Pym first shares a Malware SDO with Oscorp. Oscorp later believes it has found that malware on its own network, based on observed data it captured: a file whose hashes match the malware and the registry key the malware creates. To represent this, Oscorp publishes a Sighting SRO that references this observed data, which serves as the evidence for the sighting of the specific malware.

Data model

Two Identity SDOs represent the two companies, Pym and Oscorp. The Identity objects record information about the organizations, such as their sector and contact information. Both organizations produce and consume STIX intelligence, so their ids are referenced from the objects they generate through the created_by_ref property to mark them as the creators. Identity SDOs can also represent individuals, targets, government agencies, groups and so on.

The Identity object requires at least two properties: name and identity_class. identity_class classifies the kind of identity Pym and Oscorp represent; here it is organization. The value comes from the identity-class open vocabulary, which contains the recommended values for identities.

Pym first creates a Malware SDO to represent the malware in the scenario. It is labelled remote-access-trojan and is described as being disguised as a PDF file and creating registry keys. Pym shares this object with Oscorp.

Oscorp, now holding the Malware object, believes the malware has been found on its network and creates a Sighting object to say so. The Sighting SRO is a special kind of STIX relationship that carries properties about the object seen, such as the id of the Malware SDO in sighting_of_ref. It also carries observed_data_refs, a list of Observed Data objects that supports the sighting of the malware.

The Observed Data SDO carries cyber observable information captured on systems and networks, such as IP addresses, files and URLs. In this scenario Oscorp observes a file and a registry key, modelled as two separate Observed Data objects. An Observed Data object may contain several cyber observable objects, but here the file and the registry key are not directly related, so they go into separate objects. The concepts and object definitions for STIX cyber observables are covered in Parts 3 and 4 of the STIX 2.0 specification respectively.

Beyond the common properties shared by all objects, Observed Data has required properties of its own. For each object Oscorp must provide first_observed, last_observed and number_observed, together with the actual cyber observable objects in the objects dictionary. The first Observed Data object (Observed Data 1 in the diagram below) carries the file that was seen, represented with a dictionary of hashes, the file name and its size. In the second, Oscorp models the Windows registry key that the suspected malware created.

Finally, note that no object in this scenario uses the ordinary Relationship SRO that associates one object with another. The Sighting SRO expresses the sighting of the Malware object, and every other relationship in the diagram is embedded in the objects themselves: the Sighting, for instance, carries embedded references to what was observed (observed_data_refs), who created it (created_by_ref) and where it was seen (where_sighted_refs).
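Both sighting scenarios (Beta sighting Alpha's indicator, and Oscorp sighting Pym's malware with observed data attached) are produced by the receiving side, which is where the spec's constraints bite: sighting_of_ref must name an SDO, where_sighted_refs must be identity ids, observed_data_refs must be observed-data ids, last_seen cannot precede first_seen, and every reference must resolve for whoever receives the bundle. The following is an added example, not code from the page or from the OASIS examples, written with the standard library only: it builds Observed Data SDOs and a Sighting SRO as plain dictionaries with generated type--UUIDv4 ids and millisecond UTC timestamps, and then lists any references that would dangle on the receiving side. The identity, malware and indicator ids and the registry key value are constructed for the example; the resume.pdf hashes and size are the ones in this page's JSON.

```python
"""Consumer side of a sighting, stdlib only: build observed-data SDOs for what was
seen, a sighting SRO that points at the shared object, and check the references.
Added example; identifiers and the registry key value are constructed."""
import json
import uuid
from datetime import datetime, timezone

# Constructed identifiers standing in for the page's Pym/Oscorp (or Alpha/Beta) objects.
PRODUCER_ID = "identity--1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b"   # shared the malware / indicator
CONSUMER_ID = "identity--6a7b8c9d-0e1f-4a2b-9c3d-4e5f6a7b8c9d"   # saw it; creates the sighting
MALWARE_ID = "malware--2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e"
INDICATOR_ID = "indicator--3c4d5e6f-7a8b-4c9d-8e0f-2a3b4c5d6e7f"
DEMO_TIME = datetime(2017, 2, 28, 19, 7, 24, 856000, tzinfo=timezone.utc)


def stix_timestamp(dt):
    """STIX 2.0 timestamp: UTC, RFC 3339, millisecond precision, trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def new_id(obj_type):
    """'<type>--<UUIDv4>', as the 2.0 spec requires for every object."""
    return "%s--%s" % (obj_type, uuid.uuid4())


def _header(obj_type, created_by_ref, when):
    ts = stix_timestamp(when)
    return {"type": obj_type, "id": new_id(obj_type), "created_by_ref": created_by_ref,
            "created": ts, "modified": ts}


def observed_data(created_by_ref, observables, first, last, number_observed):
    """One observed-data SDO; `observables` are cyber-observable dicts, keyed "0", "1", ..."""
    if number_observed < 1 or last < first:
        raise ValueError("number_observed >= 1 and last_observed >= first_observed required")
    obj = _header("observed-data", created_by_ref, last)
    obj.update({"first_observed": stix_timestamp(first), "last_observed": stix_timestamp(last),
                "number_observed": number_observed,
                "objects": {str(i): o for i, o in enumerate(observables)}})
    return obj


def sighting(created_by_ref, sighting_of_ref, where_sighted_refs, first_seen, last_seen,
             count, observed_data_refs=()):
    """Sighting SRO. sighting_of_ref must be an SDO; the *_refs lists are type-checked."""
    if sighting_of_ref.split("--")[0] in ("relationship", "sighting", "bundle"):
        raise ValueError("sighting_of_ref must point at an SDO")
    if any(not r.startswith("identity--") for r in where_sighted_refs):
        raise ValueError("where_sighted_refs must be identity ids")
    if any(not r.startswith("observed-data--") for r in observed_data_refs):
        raise ValueError("observed_data_refs must be observed-data ids")
    if count < 0 or last_seen < first_seen:
        raise ValueError("count >= 0 and last_seen >= first_seen required")
    obj = _header("sighting", created_by_ref, last_seen)
    obj.update({"first_seen": stix_timestamp(first_seen), "last_seen": stix_timestamp(last_seen),
                "count": count, "sighting_of_ref": sighting_of_ref,
                "where_sighted_refs": list(where_sighted_refs)})
    if observed_data_refs:
        obj["observed_data_refs"] = list(observed_data_refs)
    return obj


def bundle(objects):
    return {"type": "bundle", "id": new_id("bundle"), "spec_version": "2.0", "objects": list(objects)}


def dangling_refs(bundle_obj, known_ids=()):
    """Ids named by any *_ref / *_refs property that are neither in the bundle nor in known_ids
    (objects the recipient already holds, such as the shared malware and the identities)."""
    present = set(known_ids) | {o["id"] for o in bundle_obj["objects"]}
    missing = set()
    for o in bundle_obj["objects"]:
        for key, val in o.items():
            refs = [val] if key.endswith("_ref") else val if key.endswith("_refs") else []
            missing.update(r for r in refs if r not in present)
    return sorted(missing)


def indicator_sighting(now=DEMO_TIME):
    """Beta-style: the URL from the shared indicator was seen once; no observed data attached."""
    return sighting(CONSUMER_ID, INDICATOR_ID, [CONSUMER_ID], now, now, 1)


def malware_sighting_bundle(now=DEMO_TIME):
    """Oscorp-style: a file and a registry key were seen, modelled as two separate
    observed-data objects, and one sighting of the shared malware references both."""
    file_obs = observed_data(CONSUMER_ID, [{
        "type": "file", "name": "resume.pdf", "size": 83968,
        "hashes": {"MD5": "1717b7fff97d37a1e1a0029d83492de1",
                   "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"}}], now, now, 1)
    key_obs = observed_data(CONSUMER_ID, [{  # constructed registry key value
        "type": "windows-registry-key",
        "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Resume"}], now, now, 1)
    seen = sighting(CONSUMER_ID, MALWARE_ID, [CONSUMER_ID], now, now, 1,
                    [file_obs["id"], key_obs["id"]])
    return bundle([file_obs, key_obs, seen])


if __name__ == "__main__":
    b = malware_sighting_bundle()
    print(json.dumps(b, indent=2))
    # Before publishing, everything referenced must already exist on the receiving side.
    print("unresolved:", dangling_refs(b, known_ids=[PRODUCER_ID, CONSUMER_ID, MALWARE_ID]))
```

dangling_refs is the check worth keeping: a bundle that carries only the sighting and its observed data is fine to send to Pym, who already holds the malware and the identities, but the same bundle handed to a third party would reference objects that party has never seen.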

The following diagram describes this scenario:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--a836f05a-f235-4b4b-b523-bd87e40478a1",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "identity",
      "id": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "name": "Oscorp Industries",
      "identity_class": "organization",
      "contact_information": "norman@oscorp.com",
      "sectors": [
        "technology"
      ]
    },
    {
      "type": "identity",
      "id": "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "name": "Pym Technologies",
      "identity_class": "organization",
      "contact_information": "hank@pymtech.com",
      "sectors": [
        "technology"
      ]
    },
    {
      "type": "malware",
      "id": "malware--ae560258-a5cb-4be8-8f05-013d6712295f",
      "created_by_ref": "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
      "created": "2014-02-20T09:16:08.989000Z",
      "modified": "2014-02-20T09:16:08.989000Z",
      "name": "Online Job Site Trojan",
      "description": "Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
      "labels": [
        "remote-access-trojan"
      ]
    },
    {
      "type": "sighting",
      "id": "sighting--779c4ae8-e134-4180-baa4-03141095d971",
      "created_by_ref": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
      "created": "2017-02-28T19:37:11.213Z",
      "modified": "2017-02-28T19:37:11.213Z",
      "first_seen": "2017-02-28T19:07:24.856Z",
      "last_seen": "2017-02-28T19:07:24.856Z",
      "count": 1,
      "sighting_of_ref": "malware--ae560258-a5cb-4be8-8f05-013d6712295f",
      "where_sighted_refs": [
        "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c"
      ],
      "observed_data_refs": [
        "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
        "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4"
      ]
    },
    {
      "type": "observed-data",
      "id": "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
      "created_by_ref": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
      "created": "2017-02-28T19:37:11.213Z",
      "modified": "2017-02-28T19:37:11.213Z",
      "first_observed": "2017-02-27T21:37:11.213Z",
      "last_observed": "2017-02-27T21:37:11.213Z",
      "number_observed": 1,
      "objects": {
        "0": {
          "type": "file",
          "hashes": {
            "MD5": "1717b7fff97d37a1e1a0029d83492de1",
            "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"
          },
          "name": "resume.pdf",
          "size": 83968
        }
      }
    },
    {
      "type": "observed-data",
      "id": "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4",
      "created_by_ref": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
      "created": "2017-02-28T19:37:11.213Z",
      "modified": "2017-02-28T19:37:11.213Z",
      "first_observed": "2017-02-27T21:37:11.213Z",
      "last_observed": "2017-02-27T21:37:11.213Z",
      "number_observed": 1,
      "objects": {
        "0": {
          "type": "windows-registry-key",
          "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"
        }
      }
    }
  ]
}

Python producer

# Use the STIX 2.0 object classes explicitly: recent stix2 releases default to STIX 2.1,
# whose Malware and Bundle objects have different required properties.
from stix2 import v20 as stix2

identityOscorp = stix2.Identity(
    id="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
    created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z",
    name="Oscorp Industries",
    identity_class="organization",  # identity-class-ov term, as in the JSON above
    contact_information="norman@oscorp.com", sectors=["technology"],
)
identityPym = stix2.Identity(
    id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
    created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z",
    name="Pym Technologies",
    identity_class="organization",
    contact_information="hank@pymtech.com", sectors=["technology"],
)
malware = stix2.Malware(
    id="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
    created="2014-02-20T09:16:08.989Z", modified="2014-02-20T09:16:08.989Z",
    created_by_ref="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",  # produced by Pym
    name="Online Job Site Trojan",
    description="Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
    labels=["remote-access-trojan"],
)
# Both Observed Data objects were reported by Oscorp, so created_by_ref points at Oscorp's
# identity, as in the JSON above.
observedDataFile = stix2.ObservedData(
    id="observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
    created="2017-02-28T19:37:11.213Z", modified="2017-02-28T19:37:11.213Z",
    created_by_ref="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
    first_observed="2017-02-27T21:37:11.213Z", last_observed="2017-02-27T21:37:11.213Z",
    number_observed=1,
    objects={
        "0": {
            "type": "file",
            "hashes": {
                "MD5": "1717b7fff97d37a1e1a0029d83492de1",
                "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea",
            },
            "name": "resume.pdf",
            "size": 83968,
        }
    },
)
observedDataRegKey = stix2.ObservedData(
    id="observed-data--a0d34360-66ad-4977-b255-d9e1080421c4",
    created="2017-02-28T19:37:11.213Z", modified="2017-02-28T19:37:11.213Z",
    created_by_ref="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
    first_observed="2017-02-27T21:37:11.213Z", last_observed="2017-02-27T21:37:11.213Z",
    number_observed=1,
    objects={
        "0": {
            "type": "windows-registry-key",
            "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2",
        }
    },
)
# The Sighting links the malware to the observed data and to the organization that saw it
# through embedded references only; no Relationship SRO is needed.
sighting = stix2.Sighting(
    id="sighting--779c4ae8-e134-4180-baa4-03141095d971",
    created_by_ref="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
    created="2017-02-28T19:37:11.213Z", modified="2017-02-28T19:37:11.213Z",
    first_seen="2017-02-28T19:07:24.856Z", last_seen="2017-02-28T19:07:24.856Z",
    count=1,
    sighting_of_ref="malware--ae560258-a5cb-4be8-8f05-013d6712295f",
    where_sighted_refs=["identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c"],
    observed_data_refs=[
        "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
        "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4",
    ],
)
bundle = stix2.Bundle(objects=[identityPym, identityOscorp, malware, observedDataFile, observedDataRegKey, sighting])

Python consumer

# Reads the objects built by the producer above (bundle, identityPym, identityOscorp, ...).
import stix2

for obj in bundle.objects:
    if obj in (identityPym, identityOscorp):
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)
        print("Contact Information: " + obj.contact_information)
        print("Sectors: " + obj.sectors[0])
    elif obj == malware:
        print("------------------")
        print("== MALWARE ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + obj.labels[0])
    elif obj in (observedDataFile, observedDataRegKey):
        print("------------------")
        print("== OBSERVED DATA ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("First Observed: " + str(obj.first_observed))
        print("Last Observed: " + str(obj.last_observed))
        print("Number Observed: " + str(obj.number_observed))
        print("Objects: " + str(obj.objects))
    elif obj == sighting:
        print("------------------")
        print("== SIGHTING ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("First Seen: " + str(obj.first_seen))
        print("Last Seen: " + str(obj.last_seen))
        print("Count: " + str(obj.count))
        print("Sighting of Ref: " + obj.sighting_of_ref)
        print("Where Sighted Refs: " + obj.where_sighted_refs[0])
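The consumer above only prints each object in isolation. What a receiving team actually needs from a Sighting is the chain of embedded references resolved: which malware was sighted, who reported it, where, and which observables back the claim. The following is an added example, not part of the original page or of the OASIS example set, and it uses only the Python standard library rather than the stix2 library. The bundle embedded in it is a constructed, trimmed copy of the Oscorp JSON above (same ids and values, fewer properties); the function names and the report layout are this example's own choices.

```python
import json

# Constructed sample: a trimmed copy of the Oscorp bundle shown above, keeping the
# ids and values from the page's JSON but only the properties this example reads.
SAMPLE_BUNDLE = json.loads(r'''
{
  "type": "bundle", "id": "bundle--a836f05a-f235-4b4b-b523-bd87e40478a1", "spec_version": "2.0",
  "objects": [
    {"type": "identity", "id": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
     "name": "Oscorp Industries", "identity_class": "organization"},
    {"type": "identity", "id": "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
     "name": "Pym Technologies", "identity_class": "organization"},
    {"type": "malware", "id": "malware--ae560258-a5cb-4be8-8f05-013d6712295f",
     "created_by_ref": "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33",
     "name": "Online Job Site Trojan", "labels": ["remote-access-trojan"]},
    {"type": "sighting", "id": "sighting--779c4ae8-e134-4180-baa4-03141095d971",
     "created_by_ref": "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c",
     "first_seen": "2017-02-28T19:07:24.856Z", "last_seen": "2017-02-28T19:07:24.856Z", "count": 1,
     "sighting_of_ref": "malware--ae560258-a5cb-4be8-8f05-013d6712295f",
     "where_sighted_refs": ["identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c"],
     "observed_data_refs": ["observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
                            "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4"]},
    {"type": "observed-data", "id": "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1",
     "number_observed": 1,
     "objects": {"0": {"type": "file", "name": "resume.pdf", "size": 83968,
                       "hashes": {"MD5": "1717b7fff97d37a1e1a0029d83492de1",
                                  "SHA-1": "c79a326f8411e9488bdc3779753e1e3489aaedea"}}}},
    {"type": "observed-data", "id": "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4",
     "number_observed": 1,
     "objects": {"0": {"type": "windows-registry-key",
                       "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"}}}
  ]
}
''')


def index_by_id(bundle):
    """Map object id -> object. Every embedded relationship is resolved through this index."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def dangling_refs(bundle):
    """Return (object id, property, ref) for every *_ref / *_refs value that does not resolve
    inside the bundle. A sighting whose observed_data_refs point outside the bundle carries no
    usable evidence, so check this before trusting its count or observables."""
    ids = index_by_id(bundle)
    problems = []
    for obj in bundle["objects"]:
        for prop, value in obj.items():
            refs = value if prop.endswith("_refs") else [value] if prop.endswith("_ref") else []
            problems.extend((obj["id"], prop, ref) for ref in refs if ref not in ids)
    return problems


def artifact(observable):
    """Reduce one cyber observable object to the fields a detection engineer would pivot on."""
    if observable["type"] == "file":
        return {"type": "file", "name": observable.get("name"),
                "md5": observable["hashes"].get("MD5"), "sha1": observable["hashes"].get("SHA-1")}
    if observable["type"] == "windows-registry-key":
        return {"type": "windows-registry-key", "key": observable["key"]}
    return {"type": observable["type"]}


def resolve_sighting(bundle, sighting_id):
    """Follow the Sighting SRO's embedded references (sighting_of_ref, created_by_ref,
    where_sighted_refs, observed_data_refs) and flatten them into one report."""
    unresolved = dangling_refs(bundle)
    if unresolved:
        raise ValueError("bundle has unresolved references: %r" % unresolved)
    objs = index_by_id(bundle)
    s = objs[sighting_id]
    if s["type"] != "sighting":
        raise ValueError("%s is not a sighting" % sighting_id)
    report = {
        "sighted": objs[s["sighting_of_ref"]]["name"],
        "reported_by": objs[s["created_by_ref"]]["name"],
        "sighted_at": [objs[r]["name"] for r in s.get("where_sighted_refs", [])],
        "count": s["count"],
        "artifacts": [],
    }
    for ref in s.get("observed_data_refs", []):
        # the Observed Data "objects" property is a dict keyed by index strings ("0", "1", ...)
        for key in sorted(objs[ref]["objects"], key=int):
            report["artifacts"].append(artifact(objs[ref]["objects"][key]))
    return report


if __name__ == "__main__":
    print(json.dumps(resolve_sighting(SAMPLE_BUNDLE, "sighting--779c4ae8-e134-4180-baa4-03141095d971"), indent=2))
```

The referential check runs first because an embedded reference, unlike a Relationship SRO, has no object of its own that a consumer could notice is missing: a sighting with a dangling observed_data_refs entry simply looks like a sighting with less evidence.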

Threat actor using attack patterns and malware

A large part of the reason for tracking and relating threat actors is to better understand adversary behavior, in order to determine countermeasures and defend against their attacks. In many cases an adversary's behavior can be characterized by the kind of attack pattern they use; spear phishing as a delivery mechanism for malware, for example, is an attack pattern. In other cases the behavior can be described by the malware the adversary commonly uses [9].

Scenario

This scenario represents a threat actor known as "Adversary Bravo", which is known to use phishing attacks to deliver remote access malware to its targets. They typically use a variant of the Poison Ivy malware.

Data model

Any known characteristics and attributes of Adversary Bravo can be modeled with the Threat Actor SDO. This object captures specifics about the threat actor, such as aliases, motivations and the roles they may play in an attack. Sometimes this information is not well known, as is the case with Adversary Bravo, so only the required properties of the Threat Actor object are specified: name and the labels list. The labels field classifies the kind of threat actor according to the threat-actor-label-ov open vocabulary. In this case it can be inferred that Adversary Bravo, by using Poison Ivy malware to establish a remote backdoor, may be carrying out criminal or espionage activity, which gives the labels spy and criminal.

Other basic identifying information about Adversary Bravo is captured with an Identity SDO. In this scenario the object is used for the identity of a threat actor, but it can equally represent organizations, governments and other entities. It is useful for capturing the sector an identity may belong to and related contact information. In the case of Adversary Bravo little is known about this identity, so the required identity_class property, drawn from the identity-class-ov open vocabulary, may be unknown. The Identity SDO is connected to the Threat Actor SDO with a Relationship object. The relationship between the two (given by the relationship_type field) has the value attributed-to, meaning that the threat actor is attributed to this identity.

The malware in this scenario is a Poison Ivy variant, d1c6, represented by a Malware SDO. Every Malware object must carry a list of labels describing the malware; since this is a remote access trojan, the labels property contains the value remote-access-trojan from the malware-label-ov open vocabulary. A Malware object can be labeled with multiple values, because some malware has multiple capabilities: certain malware may be both a keylogger and spyware, for example. Another relationship links the Malware SDO to the Threat Actor SDO; here the relationship_type between the two objects is uses, meaning the threat actor uses the malware.

Adversary Bravo uses phishing as the delivery mechanism for the Poison Ivy malware, which is represented by an Attack Pattern SDO. Besides giving more context about what the attacker is trying to do, Attack Pattern objects are useful for capturing classifications such as CAPEC in the external_references field. CAPEC is a dictionary of known attack patterns, so in this case the producer looks up phishing in the dictionary, finds that "CAPEC-98" is its identifier, and records it as the external_id. A Relationship SRO with relationship_type uses again connects the threat actor to this Attack Pattern object.

Another useful concept visible in the Malware and Attack Pattern objects is the ability to capture kill chain information. Some attack patterns, malware and tools, for example, may be used to establish a foothold or to move laterally once a system has been compromised. In this case, since the attacker is trying to establish an initial backdoor with the Poison Ivy variant, both the Poison Ivy malware and the phishing attack pattern are related to the initial-compromise phase of the kill chain. This phase comes from the Mandiant attack lifecycle model, but you are not limited to any particular kind of kill chain.

The following figure shows the objects used in this scenario:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "attack-pattern",
      "id": "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
      "created": "2015-05-07T14:22:14.760144Z",
      "modified": "2015-05-07T14:22:14.760144Z",
      "name": "Phishing",
      "description": "Spear phishing used as a delivery mechanism for malware.",
      "external_references": [
        {
          "source_name": "capec",
          "description": "phishing",
          "url": "https://capec.mitre.org/data/definitions/98.html",
          "external_id": "CAPEC-98"
        }
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "mandiant-attack-lifecycle-model",
          "phase_name": "initial-compromise"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--1621d4d4-b67d-11e3-9670-f01faf20d111",
      "created": "2015-05-10T16:27:17.760123Z",
      "modified": "2015-05-10T16:27:17.760123Z",
      "name": "Adversary Bravo",
      "description": "Adversary Bravo is a threat actor that utilizes phishing attacks",
      "identity_class": "unknown"
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
      "created": "2015-05-07T14:22:14.760144Z",
      "modified": "2015-05-07T14:22:14.760144Z",
      "name": "Adversary Bravo",
      "description": "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.",
      "labels": [
        "spy",
        "criminal"
      ]
    },
    {
      "type": "malware",
      "id": "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
      "created": "2015-04-23T11:12:34.760122Z",
      "modified": "2015-04-23T11:12:34.760122Z",
      "name": "Poison Ivy Variant d1c6",
      "labels": [
        "remote-access-trojan"
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "mandiant-attack-lifecycle-model",
          "phase_name": "initial-compromise"
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--ad4bccee-1ed3-44f5-9a56-8085584d3360",
      "created": "2015-05-07T14:22:14.760144Z",
      "modified": "2015-05-07T14:22:14.760144Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
      "target_ref": "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4"
    },
    {
      "type": "relationship",
      "id": "relationship--e05a50c3-a557-4d5f-ac19-e3f0859171cc",
      "created": "2015-05-07T14:22:14.760144Z",
      "modified": "2015-05-07T14:22:14.760144Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
      "target_ref": "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5"
    },
    {
      "type": "relationship",
      "id": "relationship--bdcef81d-9dfa-4f5d-a7e5-7ab13b695495",
      "created": "2015-05-07T14:22:14.760144Z",
      "modified": "2015-05-07T14:22:14.760144Z",
      "relationship_type": "attributed-to",
      "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
      "target_ref": "identity--1621d4d4-b67d-11e3-9670-f01faf20d111"
    }
  ]
}

Python producer

from stix2 import v20 as stix2  # STIX 2.0 classes; newer stix2 releases default to STIX 2.1

threat_actor = stix2.ThreatActor(
    id="threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
    created="2015-05-07T14:22:14.760Z", modified="2015-05-07T14:22:14.760Z",
    name="Adversary Bravo",
    description="Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.",
    labels=["spy", "criminal"],  # threat-actor-label-ov terms
)
identity = stix2.Identity(
    id="identity--1621d4d4-b67d-11e3-9670-f01faf20d111",
    created="2015-05-10T16:27:17.760Z", modified="2015-05-10T16:27:17.760Z",
    name="Adversary Bravo",
    description="Adversary Bravo is a threat actor that utilizes phishing attacks.",
    identity_class="unknown",
)
# One KillChainPhase instance is shared by the malware and the attack pattern below.
init_comp = stix2.KillChainPhase(kill_chain_name="mandiant-attack-lifecycle-model", phase_name="initial-compromise")
malware = stix2.Malware(
    id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
    created="2015-04-23T11:12:34.760Z", modified="2015-04-23T11:12:34.760Z",
    name="Poison Ivy Variant d1c6",
    labels=["remote-access-trojan"],  # malware-label-ov term
    kill_chain_phases=[init_comp],
)
ref = stix2.ExternalReference(
    source_name="capec", description="phishing",
    url="https://capec.mitre.org/data/definitions/98.html", external_id="CAPEC-98",
)
attack_pattern = stix2.AttackPattern(
    id="attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
    created="2015-05-07T14:22:14.760Z", modified="2015-05-07T14:22:14.760Z",
    name="Phishing",
    description="Spear phishing used as a delivery mechanism for malware.",
    kill_chain_phases=[init_comp],
    external_references=[ref],
)
# Relationship(source, relationship_type, target); the library generates ids and timestamps.
relationship1 = stix2.Relationship(threat_actor, "uses", malware)
relationship2 = stix2.Relationship(threat_actor, "uses", attack_pattern)
relationship3 = stix2.Relationship(threat_actor, "attributed-to", identity)
bundle = stix2.Bundle(objects=[threat_actor, malware, attack_pattern, identity, relationship1, relationship2, relationship3])

Python consumer

# Reads the objects built by the producer above (bundle, threat_actor, identity, ...).
import stix2

for obj in bundle.objects:
    if obj == threat_actor:
        print("------------------")
        print("== THREAT ACTOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + obj.labels[0] + ", " + obj.labels[1])
    elif obj == identity:
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Identity Class: " + obj.identity_class)
    elif obj == malware:
        print("------------------")
        print("== MALWARE ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Labels: " + obj.labels[0])
        print("Kill Chain: " + str(obj.kill_chain_phases))
    elif obj == attack_pattern:
        print("------------------")
        print("== ATTACK PATTERN ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Kill Chain: " + str(obj.kill_chain_phases))
        print("External References: " + str(obj.external_references))
    elif obj in (relationship1, relationship2, relationship3):
        print("------------------")
        print("== RELATIONSHIP ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)
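In this scenario the relationships are explicit Relationship SROs rather than embedded references, so a consumer has to walk the graph to answer questions such as "what does this actor use?" or "what sits in the initial-compromise phase?". The following is an added example, not part of the original page or of the OASIS examples, using only the Python standard library. The bundle embedded in it is a constructed, trimmed copy of the Adversary Bravo JSON above (same ids and values); the set of expected relationship types is taken from the STIX 2.0 specification's Threat Actor relationship table, and the function names are this example's own.

```python
import json

# Constructed sample: a trimmed copy of the Adversary Bravo bundle shown above, keeping the
# page's ids and values but only the properties this example reads.
SAMPLE_BUNDLE = json.loads('''
{
  "type": "bundle", "id": "bundle--44af6c39-c09b-49c5-9de2-394224b04982", "spec_version": "2.0",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5",
     "name": "Phishing",
     "external_references": [{"source_name": "capec", "external_id": "CAPEC-98",
                              "url": "https://capec.mitre.org/data/definitions/98.html"}],
     "kill_chain_phases": [{"kill_chain_name": "mandiant-attack-lifecycle-model",
                            "phase_name": "initial-compromise"}]},
    {"type": "identity", "id": "identity--1621d4d4-b67d-11e3-9670-f01faf20d111",
     "name": "Adversary Bravo", "identity_class": "unknown"},
    {"type": "threat-actor", "id": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
     "name": "Adversary Bravo", "labels": ["spy", "criminal"]},
    {"type": "malware", "id": "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4",
     "name": "Poison Ivy Variant d1c6", "labels": ["remote-access-trojan"],
     "kill_chain_phases": [{"kill_chain_name": "mandiant-attack-lifecycle-model",
                            "phase_name": "initial-compromise"}]},
    {"type": "relationship", "id": "relationship--ad4bccee-1ed3-44f5-9a56-8085584d3360",
     "relationship_type": "uses",
     "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
     "target_ref": "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4"},
    {"type": "relationship", "id": "relationship--e05a50c3-a557-4d5f-ac19-e3f0859171cc",
     "relationship_type": "uses",
     "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
     "target_ref": "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5"},
    {"type": "relationship", "id": "relationship--bdcef81d-9dfa-4f5d-a7e5-7ab13b695495",
     "relationship_type": "attributed-to",
     "source_ref": "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f",
     "target_ref": "identity--1621d4d4-b67d-11e3-9670-f01faf20d111"}
  ]
}
''')

# (relationship_type, target type) pairs the STIX 2.0 spec defines for a Threat Actor source.
# Anything else is a custom relationship or a modelling error and is reported separately.
THREAT_ACTOR_RELATIONSHIPS = {
    ("uses", "attack-pattern"), ("uses", "malware"), ("uses", "tool"),
    ("targets", "identity"), ("targets", "vulnerability"),
    ("attributed-to", "identity"), ("impersonates", "identity"),
}


def index_by_id(bundle):
    return {obj["id"]: obj for obj in bundle["objects"]}


def relationships_from(bundle, source_id):
    """Yield (relationship_type, target object) for each Relationship SRO whose source is source_id."""
    objs = index_by_id(bundle)
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["source_ref"] == source_id:
            yield rel["relationship_type"], objs[rel["target_ref"]]


def actor_profile(bundle, actor_id):
    """Walk the explicit SROs out of a Threat Actor and summarise its TTPs and attribution."""
    actor = index_by_id(bundle)[actor_id]
    profile = {"name": actor["name"], "labels": list(actor.get("labels", [])),
               "uses": [], "attributed_to": [], "capec": [], "unexpected": []}
    for rel_type, target in relationships_from(bundle, actor_id):
        if (rel_type, target["type"]) not in THREAT_ACTOR_RELATIONSHIPS:
            profile["unexpected"].append((rel_type, target["id"]))
            continue
        if rel_type == "uses":
            profile["uses"].append((target["type"], target["name"]))
            # CAPEC ids live in external_references on the Attack Pattern, not on the relationship
            profile["capec"].extend(ext["external_id"] for ext in target.get("external_references", [])
                                    if ext.get("source_name") == "capec")
        elif rel_type == "attributed-to":
            profile["attributed_to"].append(target["name"])
    return profile


def objects_in_phase(bundle, kill_chain_name, phase_name):
    """Names of every object (malware, attack pattern, tool) tagged with one kill chain phase."""
    return sorted(obj["name"] for obj in bundle["objects"]
                  if any(p["kill_chain_name"] == kill_chain_name and p["phase_name"] == phase_name
                         for p in obj.get("kill_chain_phases", [])))


if __name__ == "__main__":
    print(actor_profile(SAMPLE_BUNDLE, "threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f"))
    print(objects_in_phase(SAMPLE_BUNDLE, "mandiant-attack-lifecycle-model", "initial-compromise"))
```

Checking each SRO against the relationship table the specification defines for its source type is cheap and catches the most common modelling slip, a `uses` pointing at an Identity or an `attributed-to` pointing at malware, before it pollutes a graph database.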

Using marking definitions

The ability to control data handling through the use of data markings is critical for organizations that share cyber threat intelligence (CTI). This approach allows STIX producers to restrict access to objects and to communicate terms of use and copyright information [10].

Scenario

This scenario focuses on the STIX producer "Stark Industries", which applies object markings to an Indicator object. Before sharing the indicator, Stark creates a Statement marking definition and selects a Traffic Light Protocol (TLP) marking definition. These markings carry copyright information, and the use of the indicator can be limited according to its TLP marking type.

Data model

First, the STIX content producer in this scenario, Stark Industries, can be represented by an Identity SDO. As with all STIX objects, the id property uniquely identifies Stark Industries and can be referenced from every object they produce through the created_by_ref property. Although created_by_ref is optional, it attributes the produced markings directly to Stark. The Identity object can also list other relevant details about Stark, such as contact_information and the kind of identity in the identity_class field.

Next, Stark uses two STIX Marking Definition objects to restrict the handling of the Indicator object and to carry copyright information. First, Stark selects the TLP marking object type to convey the appropriate restrictions on the indicator. For this Marking Definition object the definition_type must be tlp and the definition field must contain one of the four TLP levels. In this case the TLP level is amber, which limits disclosure to recipients who need to know. For an explanation of this and the other TLP levels, see US-CERT's TLP definitions and usage.

The second marking type, called Statement, is created by Stark Industries to represent their copyright information and applies to every object they produce. Its format is similar to the TLP Marking Definition object, except that the definition_type must be statement and there is a created_by_ref field (TLP markings are predefined in the STIX 2.0 specification, so they carry none). The definition field contains whatever copyright information you want to convey; for this organization it simply asserts Copyright © Stark Industries 2017. The same property can also convey terms of use, and since Statement allows multiple markings, you can use both.

It is worth noting that Marking Definition objects cannot be versioned like other STIX objects. If Stark Industries wants to update their Statement or add terms of use to the marking definition, they have to produce a new Marking Definition object and update the Indicator SDO to point to the new definition. They cannot add to or change the current Statement marking and simply update the modified property, as they would for any other object, because Marking Definition objects have no modified property. To learn more about versioning, see the tutorial video on how to use versioning in STIX 2.

Finally, Stark applies these marking definitions to the Indicator SDO that captures a malicious IP address they found on their network. The object markings are embedded in the indicator's object_marking_refs property, which references the ids of the Statement and TLP Marking Definition objects; once referenced, these markings apply to the Indicator object. Note that this property and the created_by_ref described earlier are only two of several embedded relationships in STIX 2.0. In most cases, relationships between objects in STIX, for example between an Indicator and a Threat Actor SDO, are created with a Relationship SRO.

Beyond the object marking references, the rest of the Indicator object contains properties with more information about the IP address. For example, the pattern property, based on the STIX patterning language, represents the IPv4 address as a comparison expression: [ipv4-addr:value = '10.0.0.0']. Stark also knows that this is a malicious IP and captures this with the labels property, indicating that the IP is associated with malicious-activity. Because this is a known bad IP on their network, it is advantageous for Stark to mark the indicator with the appropriate TLP marking.

The following figure shows the Identity and Indicator SDOs and the Marking Definition objects:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--b56c1e2e-a40c-44ca-83dd-09e25936d273",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "identity",
      "id": "identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "name": "Stark Industries",
      "identity_class": "organization",
      "contact_information": "info@stark.com",
      "sectors": [
        "defence"
      ]
    },
    {
      "type": "marking-definition",
      "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "definition": {
        "tlp": "amber"
      }
    },
    {
      "type": "marking-definition",
      "id": "marking-definition--d771aceb-3148-4315-b4b4-130b888533d0",
      "created": "2017-04-14T13:07:49.812Z",
      "created_by_ref": "identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright © Stark Industries 2017."
      }
    },
    {
      "type": "indicator",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "created": "2017-04-14T13:07:49.812Z",
      "modified": "2017-04-14T13:07:49.812Z",
      "created_by_ref": "identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
      "name": "Known malicious IP Address",
      "labels": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '10.0.0.0']",
      "valid_from": "2017-04-14T13:07:49.812Z",
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
        "marking-definition--d771aceb-3148-4315-b4b4-130b888533d0"
      ]
    }
  ]
}

Python producer

from stix2 import v20 as stix2  # STIX 2.0 classes; newer stix2 releases default to STIX 2.1

identity = stix2.Identity(
    id="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
    created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z",
    name="Stark Industries", contact_information="info@stark.com",
    identity_class="organization",  # identity-class-ov term, as in the JSON above
    sectors=["defence"],
)
# TLP markings are predefined by the spec: the id and created timestamp must be exactly these
# values, and the library rejects a TLP marking that does not match them.
marking_def_amber = stix2.MarkingDefinition(
    id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    created="2017-01-20T00:00:00.000Z",
    definition_type="tlp",
    definition={"tlp": "amber"},
)
# The Statement marking uses the same id as the JSON above and is attributed to Stark via created_by_ref.
marking_def_statement = stix2.MarkingDefinition(
    id="marking-definition--d771aceb-3148-4315-b4b4-130b888533d0",
    created="2017-04-14T13:07:49.812Z",
    created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
    definition_type="statement",
    definition=stix2.StatementMarking("Copyright (c) Stark Industries 2017."),
)
indicator = stix2.Indicator(
    id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
    created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z",
    created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc",
    name="Known malicious IP Address",
    labels=["malicious-activity"],
    pattern="[ipv4-addr:value = '10.0.0.0']",
    valid_from="2017-04-14T13:07:49.812Z",
    object_marking_refs=[marking_def_amber, marking_def_statement],  # the library stores the objects' ids
)
bundle = stix2.Bundle(objects=[identity, indicator, marking_def_amber, marking_def_statement])

Python consumer

# Reads the objects built by the producer above (bundle, identity, indicator, ...).
import stix2

for obj in bundle.objects:
    if obj == identity:
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)
        print("Contact Information: " + obj.contact_information)
        print("Sectors: " + str(obj.sectors))
    elif obj == indicator:
        print("------------------")
        print("== INDICATOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("Name: " + obj.name)
        print("Labels: " + obj.labels[0])
        print("Pattern: " + obj.pattern)
        print("Valid From: " + str(obj.valid_from))
        print("Object Marking Refs: " + str(obj.object_marking_refs))
    elif obj in (marking_def_amber, marking_def_statement):
        print("------------------")
        print("== MARKING DEFINITION ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Definition Type: " + obj.definition_type)
        print("Definition: " + str(obj.definition))

Using granularity markers

It is beneficial for organizations that are not willing to share some specific information to make more detailed and detailed restrictions on which network threat intelligence to share. This control element allows STIX producers to restrict the accessibility of specific data in their intelligence sharing organizations [11].

scene

This scenario focuses on STIX producer "Gotham National Bank", which applies granularity markers in the attack target. Before sharing this indicator, Gotham selects some TLP tag definitions that apply to the attack indicator. These tag definitions based on TLP tag types help to limit the use of certain attributes of attack metrics.

data model

The STIX object producer Gotham National Bank in this scenario can be represented by identity SDO. Like all STIX objects, the id attribute uniquely identifies Gotham national and can be used in all objects they generate using the created by ref attribute. Although created by ref is optional, it helps to directly attribute the attack metric SDO to Gotham and allows any consumer to see who applies the TLP tag to the attack metric. Identity objects can also be used to list other relevant information about Gotham, such as contact_information and their identity types with the identity_class field.

In order to enforce restrictions on the specific attributes of the attack metric object, Gotham decided to define the object using TLP tags. This special tag definition type can be seen in the STIX 2.0 specification under the TLP tag object type, which helps to specify the type of restriction they want to impose. For example, in this case, they need to use three defined TLP tag definitions, each with a different restriction type. For all these objects, definition "U type is required and must be TLP. In addition, the definition attribute is also required and must contain one of four types of TLPs. Gotham needs three of the four types defined by TLP: green, amber, and red. To learn about each of the four TLP types, and the constraints they specify, see US-CERT's TLP definition and usage. Understanding these types is useful for the level of restriction you want to provide for objects and object properties.

It is worth noting that the TLP tag object type defined in the STIX 2.0 specification must be used to represent the TLP tag. Gotham or any other producer cannot create its own TLP tag, but can create a Statement tag object type for organization specific. Neither TLP nor Statement can be versioned like other STIX objects, which is why these types do not have the modified attribute. To learn more about versioning objects, see this video tutorial on how to use versioning in STIX 2.

Now Gotham has chosen the appropriate TLP tag object types that can be applied to other STIX objects or to the properties of objects. In the first part of this scenario, they are attached to the attributes of the attack metric SDO generated by Gotham. The attack metric was created to represent a fake email address that asked bank members for their credentials. Because the attack index contains some sensitive information, they apply different TLP tags to all parts of the object using the granular_marksattribute. This attribute is a list that contains a reference to the tag definition object ID with the marking ref field and a selector attribute that specifies the tag content that should be defined with this tag. For example, Gotham believes that strict TLP: Red tags need to be applied in the description field, because this will provide some sensitive information about the threat subject in this scenario. For further explanation, the marking ref attribute will contain the TLP tag definition ID in the nominal marks field of the attack indicator: the Red and selectors list will contain the value description.

For the other attack indicator attributes, Gotham uses less restrictive TLP tags. A required attack indicator attribute is the labels list, which provides more context about the type of indicator. In this list, Gotham marks this attack indicator as malicious-activity and attribution. Both labels come from the indicator label open vocabulary in the STIX 2.0 specification. Gotham decided to apply the less restrictive TLP: Green tag to malicious-activity, and considered attribution more sensitive, so it needs the TLP: Amber tag. To communicate two different tags within the labels attribute, the first label in the list is selected as labels.[0] and the second as labels.[1]. To illustrate this, the following JSON example shows how these tags would be marked if only the labels field were marked (Note: the tag definition ID beginning with "f88..." is TLP: Amber and the one beginning with "340..." is TLP: Green):

{
  "granular_markings": [
    {
      "marking_ref": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "selectors": [
        "labels.[1]"
      ]
    },
    {
      "marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
      "selectors": [
        "labels.[0]"
      ]
    }
  ]
}

In addition to these attack indicator labels, Gotham chooses to mark the attributes name and pattern as TLP: Green. They can mark any attribute they want, but they cannot mark invalid attributes, such as labels.[3] or kill_chain_phases.[0], because these do not currently exist in this attack indicator SDO.

Gotham also created a threat subject SDO to capture information about the threat subject indicated by this attack indicator. In this case, the threat subject named The Joker is associated with the fake email attack indicator. In addition to the name, the object holds other information about the Joker, such as aliases, roles, and primary_motivation. Since all of this information is considered sensitive by Gotham National, they use object markings instead of granular markings to mark the entire object as TLP: Red. This is done through the object_marking_refs attribute, which is common to all SDOs and SROs. This attribute lists all tag definition IDs that apply to the object. Unlike the granular_markings attribute, which applies to individual fields, object_marking_refs applies to the whole threat subject SDO.
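The selector syntax (labels.[1]), the rule that a selector must name a property the object actually has, and the difference between object_marking_refs and granular_markings can all be exercised on the plain JSON of this scenario. The following Python is an added example, not code from this post or from the OASIS documentation: it works on a trimmed copy of the bundle shown later in this example, assumes the usual white < green < amber < red TLP ordering (and that the most restrictive applicable marking wins), and shows how a consumer might validate selectors, look up the effective TLP of one property, and redact an object before handing it to an audience cleared only up to a given TLP level.

```python
import copy
import json
import re

# Assumption: the standard white < green < amber < red TLP ordering.
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Constructed sample data, trimmed from the JSON bundle in this example.
MARKING_DEFS = {
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": "green",
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": "amber",
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": "red",
}
INDICATOR = {
    "type": "indicator",
    "id": "indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    "name": "Fake email address",
    "description": "Known to be used by The Joker.",
    "labels": ["malicious-activity", "attribution"],
    "pattern": "[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']",
    "granular_markings": [
        {"marking_ref": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
         "selectors": ["description"]},
        {"marking_ref": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
         "selectors": ["labels.[1]"]},
        {"marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
         "selectors": ["labels.[0]", "name", "pattern"]},
    ],
}
THREAT_ACTOR = {
    "type": "threat-actor",
    "id": "threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
    "name": "The Joker",
    "object_marking_refs": ["marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"],
}

# A selector is property names and [index] list positions joined by dots.
SELECTOR_TOKEN = re.compile(r"\[(\d+)\]|([A-Za-z0-9_]+)")


def selector_path(selector):
    """'kill_chain_phases.[0].phase_name' -> ['kill_chain_phases', 0, 'phase_name']"""
    return [int(idx) if idx else key for idx, key in SELECTOR_TOKEN.findall(selector)]


def selector_exists(obj, selector):
    """True if the selector points at a property that is present on obj."""
    node = obj
    for step in selector_path(selector):
        if isinstance(step, int):
            if not isinstance(node, list) or step >= len(node):
                return False
        elif not isinstance(node, dict) or step not in node:
            return False
        node = node[step]
    return True


def invalid_selectors(obj):
    """Selectors in obj's granular_markings that name properties obj does not have."""
    return [s for gm in obj.get("granular_markings", [])
            for s in gm["selectors"] if not selector_exists(obj, s)]


def effective_tlp(obj, selector, defs):
    """Most restrictive TLP on a property: object markings plus every granular
    marking whose selector is the property itself or one of its ancestors."""
    levels = [defs[ref] for ref in obj.get("object_marking_refs", [])]
    target = selector_path(selector)
    for gm in obj.get("granular_markings", []):
        if any(target[:len(selector_path(s))] == selector_path(s) for s in gm["selectors"]):
            levels.append(defs[gm["marking_ref"]])
    return max(levels, key=TLP_RANK.get, default=None)


def redact(obj, defs, audience_tlp):
    """Copy of obj for an audience cleared up to audience_tlp: properties marked above
    that level are removed; None if the whole object is marked above it.
    Handles the selector shapes used in this example: 'prop' and 'prop.[i]'."""
    def too_high(ref):
        return TLP_RANK[defs[ref]] > TLP_RANK[audience_tlp]
    if any(too_high(ref) for ref in obj.get("object_marking_refs", [])):
        return None
    out = copy.deepcopy(obj)
    markings = obj.get("granular_markings", [])
    keep = [gm for gm in markings if not too_high(gm["marking_ref"])]
    drop = [s for gm in markings if too_high(gm["marking_ref"]) for s in gm["selectors"]]
    for sel in sorted(drop, reverse=True):  # highest list index first, so lower ones stay valid
        path = selector_path(sel)
        if len(path) == 1:
            out.pop(path[0], None)
        elif len(path) == 2 and isinstance(path[1], int) and selector_exists(out, sel):
            del out[path[0]][path[1]]
    if "granular_markings" in obj:  # surviving markings keep only selectors that still resolve
        out["granular_markings"] = [
            {"marking_ref": gm["marking_ref"],
             "selectors": [s for s in gm["selectors"] if selector_exists(out, s)]}
            for gm in keep]
    return out


if __name__ == "__main__":
    print(json.dumps(redact(INDICATOR, MARKING_DEFS, "green"), indent=2))
    print(redact(THREAT_ACTOR, MARKING_DEFS, "green"))  # None: the whole object is TLP:Red
```

For a TLP: Green audience the indicator survives without its description and without the attribution label, while the threat subject is withheld entirely because its object marking is TLP: Red. Removing a list element shifts later indexes, which is why the surviving granular markings are re-checked against the redacted object instead of being copied as-is.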

The last piece of intelligence in this case is a relationship SRO, which links the attack indicator with the threat subject SDO. In this relationship, the relationship_type attribute specifies that this attack indicator indicates the threat subject. Since this relationship object is connected to a TLP: Red marked object, Gotham also marks it as TLP: Red using the object_marking_refs field within the relationship.

The complete JSON representation can be seen at the end of this example. The following shows the schematic diagram of this scenario:

Implementation

JSON

{
  "type": "bundle",
  "id": "bundle--963410f2-fd7d-4d80-937c-8ad3aed5f432",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "identity",
      "id": "identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
      "created": "2017-04-27T16:18:24.318Z",
      "modified": "2017-04-27T16:18:24.318Z",
      "name": "Gotham National Bank",
      "identity_class": "organization",
      "contact_information": "contact@gothamnational.com",
      "sectors": [
        "financial-services"
      ]
    },
    {
      "type": "threat-actor",
      "id": "threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
      "created": "2017-04-27T16:18:24.318Z",
      "modified": "2017-04-27T16:18:24.318Z",
      "created_by_ref": "identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
      "name": "The Joker",
      "labels": [
        "criminal",
        "terrorist"
      ],
      "aliases": [
        "Joe Kerr",
        "The Clown Prince of Crime"
      ],
      "roles": [
        "director"
      ],
      "resource_level": "team",
      "primary_motivation": "personal-satisfaction",
      "object_marking_refs": [
        "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
      ]
    },
    {
      "type": "marking-definition",
      "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "definition": {
        "tlp": "green"
      }
    },
    {
      "type": "marking-definition",
      "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "definition": {
        "tlp": "amber"
      }
    },
    {
      "type": "marking-definition",
      "id": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "definition": {
        "tlp": "red"
      }
    },
    {
      "type": "indicator",
      "id": "indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
      "created": "2017-04-27T16:18:24.318Z",
      "modified": "2017-04-27T16:18:24.318Z",
      "created_by_ref": "identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
      "name": "Fake email address",
      "description": "Known to be used by The Joker.",
      "labels": [
        "malicious-activity",
        "attribution"
      ],
      "pattern": "[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']",
      "valid_from": "2017-04-27T16:18:24.318Z",
      "granular_markings": [
        {
          "marking_ref": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
          "selectors": [
            "description"
          ]
        },
        {
          "marking_ref": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
          "selectors": [
            "labels.[1]"
          ]
        },
        {
          "marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
          "selectors": [
            "labels.[0]",
            "name",
            "pattern"
          ]
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--3d1dd3cc-eb47-4704-9c77-ceff2971b95c",
      "created": "2017-04-27T16:18:24.318Z",
      "modified": "2017-04-27T16:18:24.318Z",
      "relationship_type": "indicates",
      "object_marking_refs": [
        "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
      ],
      "source_ref": "indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
      "target_ref": "threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c"
    }
  ]
}

Python producer

# stix2 2.x builds STIX 2.1 objects from the top-level namespace by default;
# the stix2.v20 module provides the STIX 2.0 classes used in this example.
from stix2.v20 import (
    TLP_AMBER, TLP_GREEN, TLP_RED, Bundle, GranularMarking, Identity,
    Indicator, Relationship, ThreatActor,
)

# One granular marking per TLP level, each listing the selectors it covers
granular_red = GranularMarking(marking_ref=TLP_RED.id, selectors=["description"])
granular_amber = GranularMarking(marking_ref=TLP_AMBER.id, selectors=["labels.[1]"])
granular_green = GranularMarking(
    marking_ref=TLP_GREEN.id, selectors=["labels.[0]", "name", "pattern"]
)

identity = Identity(
    id="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    name="Gotham National Bank",
    contact_information="contact@gothamnational.com",
    identity_class="organization",  # vocabulary value, as in the JSON above
    sectors=["financial-services"],
)

# The whole threat actor is TLP:Red, so it gets an object marking, not granular ones
threat_actor = ThreatActor(
    id="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    created_by_ref=identity.id,
    name="The Joker",
    labels=["criminal", "terrorist"],
    aliases=["Joe Kerr", "The Clown Prince of Crime"],
    roles=["director"],
    resource_level="team",
    primary_motivation="personal-satisfaction",
    object_marking_refs=[TLP_RED.id],
)

indicator = Indicator(
    id="indicator--1ed8caa7-a708-4706-b651-f1186ede6ca1",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    created_by_ref=identity.id,
    name="Fake email address",
    description="Known to be used by The Joker.",
    labels=["malicious-activity", "attribution"],
    pattern="[email-message:from_ref.value MATCHES '.+\\\\banking@g0thamnatl\\\\.com$']",
    valid_from="2017-04-27T16:18:24.318Z",
    granular_markings=[granular_red, granular_amber, granular_green],
)

# The relationship points at a TLP:Red object, so it is marked TLP:Red as well
rel = Relationship(
    id="relationship--3d1dd3cc-eb47-4704-9c77-ceff2971b95c",
    created="2017-04-27T16:18:24.318Z",
    modified="2017-04-27T16:18:24.318Z",
    relationship_type="indicates",
    source_ref=indicator.id,
    target_ref=threat_actor.id,
    object_marking_refs=[TLP_RED.id],
)

# Ship the marking definitions in the bundle, as the JSON above does, so that
# consumers can resolve the marking_ref and object_marking_refs values
bundle = Bundle(objects=[identity, threat_actor, TLP_GREEN, TLP_AMBER, TLP_RED, indicator, rel])

Python consumer

# Consumer: walks the bundle built by the producer above in the same Python
# session, so the bundle, threat_actor, identity, indicator and rel names are reused.
for obj in bundle.objects:
    if obj == threat_actor:
        print("------------------")
        print("== THREAT ACTOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("Name: " + obj.name)
        print("Labels: " + ", ".join(obj.labels))
        print("Aliases: " + ", ".join(obj.aliases))
        print("Roles: " + str(obj.roles))
        print("Resource Level: " + obj.resource_level)
        print("Primary Motivation: " + obj.primary_motivation)
        print("Object Marking Refs: " + str(obj.object_marking_refs))
    elif obj == identity:
        print("------------------")
        print("== IDENTITY ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Name: " + obj.name)
        print("Identity Class: " + obj.identity_class)
        print("Contact Information: " + obj.contact_information)
        print("Sectors: " + str(obj.sectors))
    elif obj == indicator:
        print("------------------")
        print("== INDICATOR ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Created by Ref: " + obj.created_by_ref)
        print("Name: " + obj.name)
        print("Description: " + obj.description)
        print("Labels: " + ", ".join(obj.labels))
        print("Pattern: " + obj.pattern)
        print("Valid From: " + str(obj.valid_from))
        print("Granular Markings: " + str(obj.granular_markings))
    elif obj == rel:
        print("------------------")
        print("== RELATIONSHIP ==")
        print("------------------")
        print("ID: " + obj.id)
        print("Created: " + str(obj.created))
        print("Modified: " + str(obj.modified))
        print("Relationship Type: " + obj.relationship_type)
        print("Source Ref: " + obj.source_ref)
        print("Target Ref: " + obj.target_ref)
        print("Object Marking Refs: " + str(obj.object_marking_refs))

Visual STIX field object relationship

This example takes all SDOs and visually represents the possible relationships between each SDO and the other SDOs. A picture is worth a thousand words. All the pictures are created with Graphviz [12].

Overview of all relationships

The following figure shows how each SDO fits into the possible relationships of the entire SDO ecosystem.

Note: the report has nothing to do with observable data

SDO relationship

(Figures, one per SDO, not reproduced here: Attack mode, Attack activities, Countermeasures, Identity, Attack index, Intrusion set, Malware, Threat subject, Tool, Vulnerability.)

Key terms (STIX term: wording used in this article)

  • CTI: Cyber Threat Intelligence

  • Campaign: attack activity

  • Indicator: attack indicator (also rendered above as attack metric or attack index)

  • Sighting: sighting

  • Observed Data: observable data

  • Course of Action: countermeasure

  • Identity: identity

  • Intrusion Set: intrusion set

  • Malware: malicious software

  • Report: report

  • Threat Actor: threat subject / threat source

  • Tool: tool

  • Vulnerability: vulnerability

  • SDOs: STIX Domain Objects

  • SROs: STIX Relationship Objects

  • TTP: Tactics, Techniques, and Procedures

  • APT: Advanced Persistent Threat

  • CAPEC: Common Attack Pattern Enumeration and Classification

Reference resources

[1] Introduction to STIX, https://oasis-open.github.io/cti-documentation/stix/intro

[2] STIX 2.0 Examples, https://oasis-open.github.io/cti-documentation/stix/examples

[3] Identifying a Threat Actor Profile, https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile

[4] Defining Campaigns vs. Threat Actors vs. Intrusion Sets, https://oasis-open.github.io/cti-documentation/examples/defining-campaign-ta-is

[5] Indicator for Malicious URL, https://oasis-open.github.io/cti-documentation/examples/indicator-for-malicious-url

[6] Malware Indicator for File Hash, https://oasis-open.github.io/cti-documentation/examples/malware-indicator-for-file-hash

[7] Sighting of an Indicator, https://oasis-open.github.io/cti-documentation/examples/sighting-of-an-indicator

[8] Sighting of Observed-data, https://oasis-open.github.io/cti-documentation/examples/sighting-of-observed-data

[9] Threat Actor Leveraging Attack Patterns and Malware, https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware

[10] Using Marking Definitions, https://oasis-open.github.io/cti-documentation/examples/using-marking-definitions

[11] Using Granular Markings, https://oasis-open.github.io/cti-documentation/examples/using-granular-markings

[12] Visualized SDO Relationships, https://oasis-open.github.io/cti-documentation/examples/visualized-sdo-relationships


Posted on Tue, 04 Feb 2020 02:30:06 -0500 by setic