CTI STIX Subcommittee

  • 1.  Infrastructure

    Posted 08-30-2017 22:35
    All, I would like to propose the following very simple object for Infrastructure:

    1) The primary goal is to document attacker infrastructure. Specifically where malware was delivered from and where it is beaconing to.
    2) If other types of architecture can be documented, okay, but that is not our focus right now.
    3) Historically we talked about embedding the cyber observables. I would now like to propose that we just use external references to observed_data with a relationship type of "part-of".

    This is what I propose:

    Common Properties
    TODO

    Infrastructure Specific Properties
    name, description, kill_chain_phases, first_seen, last_seen

    Property Name | Type | Description
    type (required) | string | The value of this field MUST be infrastructure
    labels (required) | list of type open-vocab | The type of infrastructure being described. This is an open vocabulary and values SHOULD come from the infrastructure-type-ov vocabulary.
    name (optional) | string | A name for this infrastructure
    description (optional) | string | A description that provides more details and context about the malicious Infrastructure, potentially including its purpose and its key characteristics.
    kill_chain_phases (optional) | list of type kill-chain-phase | The list of Kill Chain phases for which this Infrastructure is used.
    first_seen (optional) | timestamp | The time that this malicious Infrastructure was first seen.
    last_seen (optional) | timestamp | The time that this malicious Infrastructure was last seen.

    Then we would have relationships from here to:

    Embedded Relationships
    created_by_ref: source
    object_markings_refs: marking-definition

    Common Relationships
    duplicate-of, derived-from, related-to

    Source | Name | Target | Description
    infrastructure | targets | identity, vulnerability | This Relationship documents that this malicious Infrastructure is being used to target this Victim Target or Vulnerability. For example, a targets Relationship linking an Infrastructure for a phishing hosting site to a Victim Target representing the retail sector indicates that the phishing hosting site is targeted at the retail sector.
    infrastructure | supports, delivers | malware | The infrastructure is used to host a malware family or particular malware instance.
    infrastructure | supports | infrastructure | The infrastructure is a component of some broader/overarching infrastructure.
    infrastructure | owned-by | threat-actor | The infrastructure is owned-by or belongs to a particular threat actor.

    Reverse Relationships
    indicator | indicates | infrastructure | See forward relationship for definition.
    course-of-action | mitigates | infrastructure | See forward relationship for definition.
    malware | beacons-to, exfiltrate-to | infrastructure | See forward relationship for definition.
    campaign, intrusion-set, malware, threat-actor, tool | uses | infrastructure | See forward relationship for definition. This Relationship documents that this Tool uses the related infrastructure to perform its functions. For example, a uses Relationship linking a remote access Tool to an Infrastructure representing a proxy indicates that Tool is or can be used through that proxy.
    observed-data | part-of | infrastructure | See forward relationship for definition.
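As an added example (not part of the post above, and not code from the STIX specification or any STIX library), the following Python builds an infrastructure object carrying exactly the properties proposed in this thread, links it to a malware object and to an observed-data object with the proposed "beacons-to" and "part-of" relationship types, and checks every relationship that touches infrastructure against the forward and reverse tables of the proposal. The relationship tables are copied from the post; everything else (object names, the domain c2-placeholder.example, the timestamps, the command-and-control label standing in for an infrastructure-type-ov value, and the deliberately reversed "targets" relationship used to exercise the check) is constructed for the demonstration.

```python
import json
import re
import uuid

# Relationship tables from the proposal. Forward: infrastructure is the source.
FORWARD = {
    "targets": {"identity", "vulnerability"},
    "supports": {"malware", "infrastructure"},
    "delivers": {"malware"},
    "owned-by": {"threat-actor"},
}
# Reverse: infrastructure is the target; the value is the set of allowed source types.
REVERSE = {
    "indicates": {"indicator"},
    "mitigates": {"course-of-action"},
    "beacons-to": {"malware"},
    "exfiltrate-to": {"malware"},
    "uses": {"campaign", "intrusion-set", "malware", "threat-actor", "tool"},
    "part-of": {"observed-data"},
}
COMMON = {"duplicate-of", "derived-from", "related-to"}
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def stix_id(obj_type):
    """STIX 2 identifier of the form '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_infrastructure(name, labels, created, description=None,
                        kill_chain_phases=None, first_seen=None, last_seen=None):
    """Assemble an object carrying exactly the properties the proposal lists."""
    obj = {"type": "infrastructure", "id": stix_id("infrastructure"), "created": created,
           "modified": created, "labels": list(labels), "name": name}
    optional = {"description": description, "kill_chain_phases": kill_chain_phases,
                "first_seen": first_seen, "last_seen": last_seen}
    obj.update({k: v for k, v in optional.items() if v})
    return obj


def make_relationship(rel_type, source, target, created):
    return {"type": "relationship", "id": stix_id("relationship"), "created": created,
            "modified": created, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def validate_infrastructure(obj):
    """Return a list of problems; an empty list means the object fits the proposal."""
    errors = []
    if obj.get("type") != "infrastructure":
        errors.append("type MUST be 'infrastructure'")
    labels = obj.get("labels")
    if not (isinstance(labels, list) and labels and all(isinstance(l, str) for l in labels)):
        errors.append("labels is required and must be a non-empty list of strings")
    for key in ("first_seen", "last_seen"):
        if key in obj and not TIMESTAMP_RE.match(str(obj[key])):
            errors.append(f"{key} is not a STIX timestamp")
    # Same-format UTC timestamps order correctly as plain strings.
    if "first_seen" in obj and "last_seen" in obj and obj["first_seen"] > obj["last_seen"]:
        errors.append("first_seen is later than last_seen")
    return errors


def validate_relationship(rel, objects_by_id):
    """Check a relationship that touches infrastructure against the proposal's tables."""
    src = objects_by_id.get(rel["source_ref"])
    tgt = objects_by_id.get(rel["target_ref"])
    if src is None or tgt is None:
        return ["source_ref or target_ref does not resolve within the bundle"]
    rtype = rel["relationship_type"]
    if rtype in COMMON:
        return []
    if src["type"] == "infrastructure" and tgt["type"] not in FORWARD.get(rtype, set()):
        return [f"infrastructure {rtype} {tgt['type']} is not in the proposal"]
    if src["type"] != "infrastructure" and tgt["type"] == "infrastructure" \
            and src["type"] not in REVERSE.get(rtype, set()):
        return [f"{src['type']} {rtype} infrastructure is not in the proposal"]
    return []


def build_sample_bundle():
    """Constructed sample: malware beaconing to a C2 host, plus the observed-data the
    host was seen in, linked with 'part-of' as the proposal suggests."""
    created = "2017-08-30T22:35:00.000Z"  # constructed; mirrors the post date
    infra = make_infrastructure(
        name="constructed C2 host", labels=["command-and-control"],  # placeholder label
        created=created, description="Host the sample beaconed to (constructed).",
        kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "command-and-control"}],
        first_seen="2017-08-01T00:00:00.000Z", last_seen="2017-08-29T00:00:00.000Z")
    malware = {"type": "malware", "id": stix_id("malware"), "created": created,
               "modified": created, "name": "constructed-rat", "labels": ["remote-access-trojan"]}
    observed = {"type": "observed-data", "id": stix_id("observed-data"), "created": created,
                "modified": created, "first_observed": "2017-08-01T00:00:00.000Z",
                "last_observed": "2017-08-29T00:00:00.000Z", "number_observed": 3,
                "objects": {"0": {"type": "domain-name", "value": "c2-placeholder.example"}}}
    victim = {"type": "identity", "id": stix_id("identity"), "created": created,
              "modified": created, "name": "Retail sector (constructed)", "identity_class": "class"}
    rels = [make_relationship("beacons-to", malware, infra, created),
            make_relationship("part-of", observed, infra, created),
            make_relationship("targets", infra, victim, created),
            # Deliberately reversed: the table only lists infrastructure -> targets -> identity.
            make_relationship("targets", victim, infra, created)]
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [infra, malware, observed, victim] + rels}


def check_bundle(bundle):
    """Map every infrastructure object and relationship id to its list of problems."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    report = {}
    for obj in bundle["objects"]:
        if obj["type"] == "infrastructure":
            report[obj["id"]] = validate_infrastructure(obj)
        elif obj["type"] == "relationship":
            report[obj["id"]] = validate_relationship(obj, by_id)
    return report


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))
    for oid, errs in check_bundle(bundle).items():
        print(oid, "ok" if not errs else errs)
```

Running the module prints the bundle and flags only the reversed "targets" relationship; the three relationships that follow the tables, and the infrastructure object itself, pass. Because the proposal keeps observables out of the object and attaches them through observed-data "part-of" links, a consumer can keep validating the infrastructure object on its own while observables are added or retired over time.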


  • 2.  Re: [cti-stix] Infrastructure

    Posted 09-06-2017 15:46
    I have not seen anyone else reply on this yet, but I am in support of this proposal - nice and simple.

    - Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    Without data, all you are is just another person with an opinion - Unknown

    From: Bret Jordan <Bret_Jordan@symantec.com>
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date: 08/30/2017 07:34 PM
    Subject: [cti-stix] Infrastructure
    Sent by: <cti-stix@lists.oasis-open.org>