Subject: Re: [cti-stix] Infrastructure


I have not seen anyone else reply on this yet, but I am in support of this proposal - nice and simple.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        Bret Jordan <Bret_Jordan@symantec.com>
To:        "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date:        08/30/2017 07:34 PM
Subject:        [cti-stix] Infrastructure
Sent by:        <cti-stix@lists.oasis-open.org>




All,

I would like to propose the following very simple object for Infrastructure:

1) The primary goal is to document attacker infrastructure. Specifically where malware was delivered from and where it is beaconing to.
2) If other types of architecture can be documented, okay, but that is not our focus right now.
3) Historically we talked about embedding the cyber observables; I would now like to propose that we just use external references to observed_data with a relationship type of "part-of".

This is what I propose:

Common Properties
TODO

Infrastructure Specific Properties
name, description, kill_chain_phases, first_seen, last_seen

Property Name | Type | Description
type (required) | string | The value of this field MUST be infrastructure
labels (required) | list of type open-vocab | The type of infrastructure being described. This is an open vocabulary and values SHOULD come from the infrastructure-type-ov vocabulary.
name (optional) | string | A name for this infrastructure
description (optional) | string | A description that provides more details and context about the malicious Infrastructure, potentially including its purpose and its key characteristics.
kill_chain_phases (optional) | list of type kill-chain-phase | The list of Kill Chain phases for which this Infrastructure is used.
first_seen (optional) | timestamp | The time that this malicious Infrastructure was first seen.
last_seen (optional) | timestamp | The time that this malicious Infrastructure was last seen.

Then we would have relationships from here to:


Embedded Relationships
created_by_ref | source
object_markings_refs | marking-definition

Common Relationships
duplicate-of, derived-from, related-to

Source | Name | Target | Description
infrastructure | targets | identity, vulnerability | This Relationship documents that this malicious Infrastructure is being used to target this Victim Target or Vulnerability. For example, a targets Relationship linking an Infrastructure for a phishing hosting site to a Victim Target representing the retail sector indicates that the phishing hosting site is targeted at the retail sector.
infrastructure | supports, delivers | malware | The infrastructure is used to host a malware family or particular malware instance.
infrastructure | supports | infrastructure | The infrastructure is a component of some broader/overarching infrastructure.
infrastructure | owned-by | threat-actor | The infrastructure is owned-by or belongs to a particular threat actor.

Reverse Relationships
indicator | indicates | infrastructure | See forward relationship for definition.
course-of-action | mitigates | infrastructure | See forward relationship for definition.
malware | beacons-to, exfiltrate-to | infrastructure | See forward relationship for definition.
campaign, intrusion-set, malware, threat-actor, tool | uses | infrastructure | See forward relationship for definition. This Relationship documents that this Tool uses the related infrastructure to perform its functions. For example, a uses Relationship linking a remote access Tool to an Infrastructure representing a proxy indicates that Tool is or can be used through that proxy.
observed-data | part-of | infrastructure | See forward relationship for definition.
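Added example, not from the thread or the STIX specification: a small Python checker for the proposal above. It verifies an infrastructure object's required type and labels, parses first_seen/last_seen and flags a first_seen later than last_seen, and accepts a relationship only if its source/type/target combination is one of the rows in the tables (or a common relationship). The object ids, the label value and the sample relationships are constructed; the infrastructure-type-ov values are not in the message, so the label is a placeholder.

```python
from datetime import datetime
ALLOWED = {  # (source type, relationship type, target type), taken from the proposal's tables
    ("infrastructure", "targets", "identity"), ("infrastructure", "targets", "vulnerability"),
    ("infrastructure", "supports", "malware"), ("infrastructure", "delivers", "malware"),
    ("infrastructure", "supports", "infrastructure"), ("infrastructure", "owned-by", "threat-actor"),
    ("indicator", "indicates", "infrastructure"), ("course-of-action", "mitigates", "infrastructure"),
    ("malware", "beacons-to", "infrastructure"), ("malware", "exfiltrate-to", "infrastructure"),
    ("observed-data", "part-of", "infrastructure"),
} | {(s, "uses", "infrastructure") for s in ("campaign", "intrusion-set", "malware", "threat-actor", "tool")}
COMMON = {"duplicate-of", "derived-from", "related-to"}  # allowed between any two objects

def parse_ts(value):
    """Parse a STIX-style UTC timestamp ('Z' suffix, fractional seconds optional); None if invalid."""
    try:
        return datetime.fromisoformat(value[:-1]) if value.endswith("Z") else None
    except (AttributeError, ValueError):
        return None

def validate_infrastructure(obj):
    """Return the problems found with one infrastructure object (empty list = conforms)."""
    errs = []
    if obj.get("type") != "infrastructure":
        errs.append("type MUST be infrastructure")
    labels = obj.get("labels")
    if not isinstance(labels, list) or not labels or not all(isinstance(x, str) for x in labels):
        errs.append("labels is required: a non-empty list of strings")
    seen = {k: parse_ts(obj[k]) for k in ("first_seen", "last_seen") if k in obj}
    errs += [f"{k} must be a timestamp" for k, v in seen.items() if v is None]
    if len(seen) == 2 and None not in seen.values() and seen["first_seen"] > seen["last_seen"]:
        errs.append("first_seen is later than last_seen")
    return errs

def validate_relationship(rel, objects):
    """Check one relationship against the proposal's tables; objects maps id -> SDO dict."""
    src, tgt = objects[rel["source_ref"]]["type"], objects[rel["target_ref"]]["type"]
    ok = rel["relationship_type"] in COMMON or (src, rel["relationship_type"], tgt) in ALLOWED
    return [] if ok else [f'{src} {rel["relationship_type"]} {tgt} is not listed in the proposal']
OBJECTS = {  # constructed sample: placeholder ids and label (infrastructure-type-ov values are not on the page)
    "infrastructure--1": {"type": "infrastructure", "labels": ["example-type"],
                          "first_seen": "2017-08-01T00:00:00Z", "last_seen": "2017-08-30T19:34:00.000Z"},
    "malware--1": {"type": "malware"}, "observed-data--1": {"type": "observed-data"},
}
RELATIONSHIPS = [  # the last one is deliberately wrong: "uses" points only towards infrastructure
    {"source_ref": "malware--1", "relationship_type": "beacons-to", "target_ref": "infrastructure--1"},
    {"source_ref": "observed-data--1", "relationship_type": "part-of", "target_ref": "infrastructure--1"},
    {"source_ref": "infrastructure--1", "relationship_type": "uses", "target_ref": "malware--1"},
]
def check_all(objects=OBJECTS, relationships=RELATIONSHIPS):  # all problems in the sample
    errs = [e for o in objects.values() if o["type"] == "infrastructure" for e in validate_infrastructure(o)]
    return errs + [e for r in relationships for e in validate_relationship(r, objects)]
```

Running check_all() on the sample reports only the reversed "uses" relationship; the beacon and the observed-data part-of link pass.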