STIX 2.0 Proposal12 : Clarify semantics of different types of TTPs as expressed in the TTP construct (#360)
There is currently a lack of semantic clarity with regard to Attack Pattern, Malware, Exploit, Infrastructure, Tools, Personas, Victim Targeting and Kill Chains within TTP. The current semantic intent is that each of these is a separate type of TTP, and that a single TTP instance would not include more than one of them. If more than one of them is relevant within a given context, they should be specified separately and then related to each other.
Break out each specific type of TTP (e.g. Infrastructure) into its own class, each of which is a specialization of TTPType.
- Modify AttackPatternType to be a specialization of TTPType.
- Modify MalwareInstanceType to be a specialization of TTPType.
- Modify ExploitType to be a specialization of TTPType.
- Modify InfrastructureType to be a specialization of TTPType.
- Rename ToolInformationType to AttackerToolInformationType and make it a specialization of both TTPType and CYBOX:cyboxCommon:ToolInformationType.
- Modify PersonaType to be a specialization of both TTPType and IdentityType.
- Modify VictimTargetingType to be a specialization of both TTPType and VictimType.
- Modify KillChainType to be a specialization of TTPType.
- Modify KillChainPhaseType to be a specialization of TTPType.
- Remove properties redundant with IDableConstructType from all TTP-related IDable classes.
Example #1: simple malware instance TTP
Example #2: simple TA, simple MalwareInstance TTP, simple Infrastructure (IP address) TTP, simple VictimTargeting TTP with relationships tying TA to each TTP
Example #1:

```json
{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware"
}
```
Example #2:

```json
{
  "id": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
  "type": "threat-actor",
  "timestamp": { "value": "2015-12-21T21:54:19.000000+00:00" },
  "name": "Black Vine"
}
{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "name": "Sakurel Malware",
  "malware_instance_type": {
    "value": "Remote Access Trojan",
    "vocab": "malware-type-vocab-1.0"
  }
}
{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "infrastructure",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Command & Control Server",
  "infrastructure_type": {
    "value": "Hosting",
    "vocab": "attacker-infrastructure-type-vocab-1.0"
  },
  "observable_characterization": "observable pattern characterizing the infrastructure would go here"
}
{
  "id": "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d",
  "type": "victim-targeting",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Targeting of Healthcare Sector",
  "specification": "CIQ content for sector would go here. Still to be determined how to do this in JSON."
}
{
  "id": "example:rel-3b9edb33-5379-4566-8deb-9db1eba074d8",
  "type": "related-ttp",
  "timestamp": { "value": "2015-12-21T19:59:12.000000+00:00" },
  "confidence": {
    "value": {
      "value": "High",
      "vocab": "high-medium-low-vocab-1.0"
    }
  },
  "from": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
  "to": [
    "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
    "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d"
  ],
  "relationship_nature": { "value": "Observed TTP" }
}
```
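The "one specialization per TTP instance, related separately" rule is easy to check mechanically: every id must name exactly one object and every `related-ttp` end must resolve to an object of the right kind. The following is an added example (not part of the proposal) that runs such a check over a constructed copy of Example #2 trimmed to ids, types and relationship ends; as written, Example #2 reuses the malware instance id for the infrastructure object and lists it twice in `to`, and the check reports both. Type names other than the three used in the examples are assumed lower-case forms of the class names.

```python
import json
from collections import Counter

# TTP specializations the proposal breaks out. The first three type names appear in
# the proposal's JSON examples; the remaining names are assumed forms of the class names.
TTP_TYPES = {"malware-instance", "infrastructure", "victim-targeting",
             "attack-pattern", "exploit", "attacker-tool", "persona",
             "kill-chain", "kill-chain-phase"}

# Constructed sample: the objects of Example #2 reduced to id, type and relationship ends.
SAMPLE = json.loads("""[
 {"id": "example:ta-5971dd17-9930-45c9-9346-f33359fda030", "type": "threat-actor"},
 {"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be", "type": "malware-instance"},
 {"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be", "type": "infrastructure"},
 {"id": "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d", "type": "victim-targeting"},
 {"id": "example:rel-3b9edb33-5379-4566-8deb-9db1eba074d8", "type": "related-ttp",
  "from": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
  "to": ["example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
         "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
         "example:ttp-a8e12797-a5a9-d0d6-bd87-28e7d69f409d"]}
]""")


def check_ttp_graph(objects):
    """Return a list of problems: reused ids, duplicated or dangling relationship
    ends, and related-ttp targets that are not one of the TTP specializations."""
    problems = []
    for dup, n in Counter(o["id"] for o in objects).items():
        if n > 1:
            problems.append(f"id {dup} used by {n} objects")
    by_id = {o["id"]: o for o in objects}  # on a reused id the last object wins
    for rel in (o for o in objects if o["type"] == "related-ttp"):
        if rel.get("from") not in by_id:
            problems.append(f"{rel['id']}: 'from' does not resolve")
        targets = rel.get("to", [])
        for t, n in Counter(targets).items():
            if n > 1:
                problems.append(f"{rel['id']}: target {t} listed {n} times")
        for t in set(targets):
            tgt = by_id.get(t)
            if tgt is None:
                problems.append(f"{rel['id']}: 'to' {t} does not resolve")
            elif tgt["type"] not in TTP_TYPES:
                problems.append(f"{rel['id']}: 'to' {t} is a {tgt['type']}, not a TTP")
    return problems


if __name__ == "__main__":
    for problem in check_ttp_graph(SAMPLE):
        print(problem)
```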