It seems to me that we could rename the Source object to a more generic Identity object, and we would gain the ability to track identities, and use relationships to associate these identities with different parts of STIX.
- you could link threat actor with identity with a 'persona_of' relationship to represent a fake identity the threat actor uses
- you could link threat actor with identity with a 'identity_of' relationship to represent the real identity of the threat actor
- you could link object creator directly with identity to represent the source of the object.
- you could link tool creator with identity with a 'created_by' relationship to represent the real identity of the tool creator (malware would link to threat actor)
- you could link victimtarget with identity with a 'identity_of' relationship to represent the real identity of the victimtarget (if we are talking specific victims)
An Identity object seems more flexible to me than a Source object, which appears to be an identity object restricted to just representing who created something.
Cheers
Terry MacDonald
Cosive