All,
I would like to propose the following very simple object for Infrastructure:
1) The primary goal is to document attacker infrastructure, specifically where malware was delivered from and where it is beaconing to.
2) If other types of architecture can be documented, okay, but that is not our focus right now.
3) Historically we talked about embedding the cyber observables. I would now like to propose that we just use external references to observed_data with a relationship type of "part-of".
This is what I propose:
Common Properties: TODO
Infrastructure Specific Properties: name, description, kill_chain_phases, first_seen, last_seen

| Property Name | Type | Description |
| type (required) | string | The value of this field MUST be infrastructure |
| labels (required) | list of type open-vocab | The type of infrastructure being described. This is an open vocabulary and values SHOULD come from the infrastructure-type-ov vocabulary. |
| name (optional) | string | A name for this infrastructure |
| description (optional) | string | A description that provides more details and context about the malicious Infrastructure, potentially including its purpose and its key characteristics. |
| kill_chain_phases (optional) | list of type kill-chain-phase | The list of Kill Chain phases for which this Infrastructure is used. |
| first_seen (optional) | timestamp | The time that this malicious Infrastructure was first seen. |
| last_seen (optional) | timestamp | The time that this malicious Infrastructure was last seen. |
Then we would have relationships from here to:
Embedded Relationships: created_by_ref (source), object_markings_refs (marking-definition)
Common Relationships: duplicate-of, derived-from, related-to

| Source | Name | Target | Description |
| infrastructure | targets | identity, vulnerability | This Relationship documents that this malicious Infrastructure is being used to target this Victim Target or Vulnerability. For example, a targets Relationship linking an Infrastructure for a phishing hosting site to a Victim Target representing the retail sector indicates that the phishing hosting site is targeted at the retail sector. |
| infrastructure | supports, delivers | malware | The infrastructure is used to host a malware family or particular malware instance. |
| infrastructure | supports | infrastructure | The infrastructure is a component of some broader/overarching infrastructure. |
| infrastructure | owned-by | threat-actor | The infrastructure is owned-by or belongs to a particular threat actor. |

Reverse Relationships

| Source | Name | Target | Description |
| indicator | indicates | infrastructure | See forward relationship for definition. |
| course-of-action | mitigates | infrastructure | See forward relationship for definition. |
| malware | beacons-to, exfiltrate-to | infrastructure | See forward relationship for definition. |
| campaign, intrusion-set, malware, threat-actor, tool | uses | infrastructure | See forward relationship for definition. This Relationship documents that this Tool uses the related infrastructure to perform its functions. For example, a uses Relationship linking a remote access Tool to an Infrastructure representing a proxy indicates that Tool is or can be used through that proxy. |
| observed-data | part-of | infrastructure | See forward relationship for definition. |
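As an added illustration of the proposal above (not part of the original message or of any STIX library), the following Python encodes the proposed property table and relationship rows as validation rules and checks a constructed infrastructure object plus an observed-data "part-of" relationship against them. It assumes the usual STIX 2 relationship fields (relationship_type, source_ref, target_ref), a UTC "YYYY-MM-DDTHH:MM:SSZ" timestamp shape, and a label value from the not-yet-defined infrastructure-type-ov vocabulary.

```python
import re
# Property table from the proposal: property -> (type, required)
INFRA_PROPS = {"type": ("string", True), "labels": ("list", True), "name": ("string", False),
               "description": ("string", False), "kill_chain_phases": ("list", False),
               "first_seen": ("timestamp", False), "last_seen": ("timestamp", False)}
# Relationship rows from the proposal's tables: (source type, name, target type)
ALLOWED_RELS = {("infrastructure", "targets", "identity"), ("infrastructure", "targets", "vulnerability"),
                ("infrastructure", "supports", "malware"), ("infrastructure", "delivers", "malware"),
                ("infrastructure", "supports", "infrastructure"), ("infrastructure", "owned-by", "threat-actor"),
                ("indicator", "indicates", "infrastructure"), ("course-of-action", "mitigates", "infrastructure"),
                ("malware", "beacons-to", "infrastructure"), ("malware", "exfiltrate-to", "infrastructure"),
                ("observed-data", "part-of", "infrastructure")}
ALLOWED_RELS |= {(s, "uses", "infrastructure") for s in ("campaign", "intrusion-set", "malware", "threat-actor", "tool")}
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")  # UTC timestamp shape assumed

def validate_infrastructure(obj):
    """Return the list of problems; an empty list means the object fits the proposed property table."""
    errors = []
    for prop, (ptype, required) in INFRA_PROPS.items():
        if prop not in obj:
            if required:
                errors.append(f"missing required property '{prop}'")
            continue
        val = obj[prop]
        ok = {"string": isinstance(val, str),
              "list": isinstance(val, list) and len(val) > 0,
              "timestamp": isinstance(val, str) and bool(TS_RE.match(val))}[ptype]
        if not ok:
            errors.append(f"'{prop}' must be a non-empty {ptype}")
    if obj.get("type") != "infrastructure":
        errors.append("'type' MUST be 'infrastructure'")
    # Compared to whole-second precision: that prefix is fixed-width, so string order is time order.
    if not errors and "first_seen" in obj and "last_seen" in obj and obj["last_seen"][:19] < obj["first_seen"][:19]:
        errors.append("'last_seen' precedes 'first_seen'")
    return errors

def validate_relationship(rel, objects_by_id):
    """Check one relationship against the proposal's rows (assumes STIX 2 fields relationship_type/source_ref/target_ref)."""
    try:
        row = (objects_by_id[rel["source_ref"]]["type"], rel["relationship_type"], objects_by_id[rel["target_ref"]]["type"])
    except KeyError as e:
        return [f"unresolved reference or missing field: {e}"]
    return [] if row in ALLOWED_RELS else [f"relationship {row} is not in the proposal"]

# Constructed sample (placeholder ids, not real indicators): a delivery server and the observed-data that is part of it.
C2 = {"type": "infrastructure", "id": "infrastructure--0001", "labels": ["command-and-control"],  # label value assumed
      "name": "example delivery server", "first_seen": "2016-05-01T00:00:00Z", "last_seen": "2016-05-09T12:00:00Z"}
OBS = {"type": "observed-data", "id": "observed-data--0002"}
REL = {"type": "relationship", "relationship_type": "part-of", "source_ref": OBS["id"], "target_ref": C2["id"]}
```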