
cti message



Subject: STIX2.1 Extension Example - custom properties


Folks,

 

On today’s TC call, Rich asked folks who are using custom STIX extensions to kick the tires on the new extension proposal.

 

We (FS-ISAC) use custom properties on the STIX2.1 Vulnerability SDO, in order to make some custom vulnerability reporting available via a TAXII2.1 feed.

 

The intent is for the content to be STIX/TAXII-compliant (since it’s being published to our TAXII server), yet still easy for non-STIX/TAXII applications (such as a vulnerability management system that has no idea what STIX and TAXII are) to be able to ingest it as a RESTful API.

I’ve attached 4 JSON files:

  1. stix21-orig.json:  This is an example of what we are currently publishing.  Note that all of the “x-ctix-*” properties are custom top-level properties.
  2. stix21-option1.json:  This is my attempt to convert stix21-orig.json to the “Option 1” proposal (Adding properties to an existing STIX object instance)
  3. stix21-option2.json: This is my attempt to convert stix21-orig.json to the “Option 2” proposal for adding custom properties to an existing STIX object (Adding properties at the top-level to an existing STIX object instance).
  4. stix21-option3.json:  This was just me taking a stab at what it would look like if there was an option to define the extensions in-line, rather than in a separate object.  Obviously it would create additional, duplicative data, but I thought I would toss it out there for consideration, since it would likely be easier for a STIX client to consume.


My take-aways:

  1. Publishing: It appears that we could publish our current custom vulnerability feed using either Option 1 or Option 2 (or Option 3).
  2. Consuming: 
    1. For STIX/TAXII consumers, Option 1 and Option 2 seem equivalent to me.  As long as the STIX client properly understands the spec, either should work.  The one advantage I see to option 1 is that it allows you to overload the same custom property name in the same SDO defined in different extensions (example, it seems that I could have an “FS-ISAC” risk property, and an “IT-ISAC” risk property in the same SDO, both named “risk”.  I’m not sure why you would want that, though).
    2. For NON-STIX/TAXII consumers (example - REST clients which are STIX unaware), Option 2 seems far superior.  The REST client could treat all top-level properties the same, rather than having to understand that some top-level properties are native STIX properties, while others are custom STIX properties that are embedded under the “extensions” property.

 

Also attached is a chicken-scratch python code (process_vulns-json.txt) to illustrate what I’m talking about.   The original JSON and the Option 2 JSON can be processed without any knowledge of STIX or understanding of STIX extensions. However, Option 1 requires an understanding of STIX extensions, and some hand-waving to unpack the custom properties.

 

Hope this makes sense.  Please let me know if I misunderstood anything.

 

Chris Ricard

Sr. Tech Engineer, FS-ISAC

cricard@fsisac.com

work: +1 571-446-3888

cell: +1 703-673-8621


Attachment: stix21-option2.json
Description: stix21-option2.json

Attachment: stix21-option3.json
Description: stix21-option3.json

Attachment: stix21-option1.json
Description: stix21-option1.json

Attachment: stix21-orig.json
Description: stix21-orig.json

import sys
import json
from pprint import pprint

#Demonstrate a non-STIX aware client parsing STIX objects with custom properties.
#Prints a native property value ("name"), and a custom property value ("cvss_base_score") for each.

#Example of how we're doing custom properties today
original_json=json.loads('''
[{
    "type": "vulnerability",
    "spec_version": "2.1",
    "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
    "created": "2020-10-15T21:40:52.746Z",
    "modified": "2020-10-15T21:40:52.746Z",
    "name": "Juniper SBR Carrier Multiple Vulnerabilities",
    "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5  Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
    "labels": [
        "vulnerability:CVE-2019-1563",
        "vulnerability:CVE-2020-1967",
        "vendor:Juniper Networks",
        "vulnerability:CVE-2018-0732",
        "vulnerability:CVE-2018-20843",
        "vulnerability:CVE-2019-15903"
    ],
    "lang": "en",
    "external_references": [
        {
            "source_name": "sa83669",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
        },
        {
            "source_name": "sa89677",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
        },
        {
            "source_name": "sa90843",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
        },
        {
            "source_name": "sa91027",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
        },
        {
            "source_name": "sa94476",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
        },
        {
            "source_name": "juniper (1517427)",
            "description": "External Reference objects from Flexera",
            "url": "https://kb.juniper.net/InfoCenter/JSA11074"
        },
        {
            "source_name": "cve",
            "description": "External Reference objects from Flexera",
            "external_id": "CVE-2019-1563"
        }
    ],
    "object_marking_refs": [
        "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
    ],
    "x_ctix_advisory_id": "SA98310",
    "x_ctix_credibility": "5 - Verified",
    "x_ctix_criticality": "3 - Moderately critical",
    "x_ctix_cves": [
        "CVE-2019-1563",
        "CVE-2018-0732",
        "CVE-2018-20843",
        "CVE-2020-1967",
        "CVE-2019-15903"
    ],
    "x_ctix_cvss_info": {
        "cvss_base_score": 7.5,
        "cvss_overall_score": 6.5,
        "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
    },
    "x_ctix_impacts": [
        "DoS",
        "Exposure of sensitive information"
    ],
    "x_ctix_products": [
        "Juniper SBR Carrier"
    ],
    "x_ctix_response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
    "x_ctix_revisions": [
        {
            "description": "Initial release",
            "released_date": "2020-10-15T21:10:10Z"
        }
    ],
    "x_ctix_risk": "6",
    "x_ctix_severity": "3 - Moderate Impact",
    "x_ctix_source": "Secunia Research from Flexera",
    "x_ctix_urgency": "3 - Action Highly Recommended"
}]
''')

#Example STIX object with custom properties using Option 1
option1_json=json.loads('''
[{
    "type": "stix-extension",
    "spec_version": "2.1",
    "id": "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08",
    "created": "2020-10-15T21:40:52.746Z",
    "modified": "2020-10-15T21:40:52.746Z",
	"name": "FS-ISAC CTIX Vulnerability Extension",
	"created_by_ref": "identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
	"schema": "https://www.fsisac.com/stixtaxii/schemas/ctix-vuln/v1/",
	"version": "1.0",
	"extension_types": [ "property-extension" ],
	"extension_properties": ["advisory_id","credibility","criticality","cves","cvss_info","impacts","products","response_action","revisions","risk","severity","source","urgency"]
},
{
    "type": "vulnerability",
    "spec_version": "2.1",
    "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
    "created": "2020-10-15T21:40:52.746Z",
    "modified": "2020-10-15T21:40:52.746Z",
    "name": "Juniper SBR Carrier Multiple Vulnerabilities",
    "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5  Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
    "labels": [
        "vulnerability:CVE-2019-1563",
        "vulnerability:CVE-2020-1967",
        "vendor:Juniper Networks",
        "vulnerability:CVE-2018-0732",
        "vulnerability:CVE-2018-20843",
        "vulnerability:CVE-2019-15903"
    ],
    "lang": "en",
    "external_references": [
        {
            "source_name": "sa83669",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
        },
        {
            "source_name": "sa89677",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
        },
        {
            "source_name": "sa90843",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
        },
        {
            "source_name": "sa91027",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
        },
        {
            "source_name": "sa94476",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
        },
        {
            "source_name": "juniper (1517427)",
            "description": "External Reference objects from Flexera",
            "url": "https://kb.juniper.net/InfoCenter/JSA11074"
        },
        {
            "source_name": "cve",
            "description": "External Reference objects from Flexera",
            "external_id": "CVE-2019-1563"
        }
    ],
    "object_marking_refs": [
        "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
    ],
	"extensions": {
		"stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08" : {	
			"advisory_id": "SA98310",
			"credibility": "5 - Verified",
			"criticality": "3 - Moderately critical",
			"cves": [
				"CVE-2019-1563",
				"CVE-2018-0732",
				"CVE-2018-20843",
				"CVE-2020-1967",
				"CVE-2019-15903"
			],
			"cvss_info": {
				"cvss_base_score": 7.5,
				"cvss_overall_score": 6.5,
				"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
			},
			"impacts": [
				"DoS",
				"Exposure of sensitive information"
			],
			"products": [
				"Juniper SBR Carrier"
			],
			"response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
			"revisions": [
				{
					"description": "Initial release",
					"released_date": "2020-10-15T21:10:10Z"
				}
			],
			"risk": "6",
			"severity": "3 - Moderate Impact",
			"source": "Secunia Research from Flexera",
			"urgency": "3 - Action Highly Recommended"
		}
	}
},
{
	"id":"identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
	"identity_class":"organization",
	"lang":"en",
	"name":"FS-ISAC",
	"type":"identity",
	"spec_version":"2.1",
	"created":"2020-10-15T23:40:56.152Z",
	"modified":"2020-10-15T23:40:56.152Z"
}]
''')

#Example STIX object with custom properties using Option 2
option2_json=json.loads('''
[{
    "type": "stix-extension",
    "spec_version": "2.1",
    "id": "stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08",
    "created": "2020-10-15T21:40:52.746Z",
    "modified": "2020-10-15T21:40:52.746Z",
	"name": "FS-ISAC CTIX Vulnerability Extension",
	"created_by_ref": "identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
	"schema": "https://www.fsisac.com/stixtaxii/schemas/ctix-vuln/v1/",
	"version": "1.0",
	"extension_types": [ "toplevel-property-extension" ],
	"extension_properties": ["advisory_id","credibility","criticality","cves","cvss_info","impacts","products","response_action","revisions","risk","severity","source","urgency"]
},
{
    "type": "vulnerability",
    "spec_version": "2.1",
    "id": "vulnerability--55574b84-2f9e-48de-97f7-9b5cc6711f09",
    "created": "2020-10-15T21:40:52.746Z",
    "modified": "2020-10-15T21:40:52.746Z",
    "name": "Juniper SBR Carrier Multiple Vulnerabilities",
    "description": "Multiple vulnerabilities have been reported in Juniper SBR Carrier, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).<br><br>For more information:<br>SA83669 (#1)<br>SA89677 (#1)<br>SA90843 (#1)<br>SA91027 (#1)<br>SA94476 (#1)<br><br>The vulnerabilities are reported in versions prior to 8.5.0-R17 and prior to 8.6.0-R12.<br><br><b>Secunia CVSS Scores: </b>Base: 7.5  Overall: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)<div><br><b>Advisory ID: </b>SA98310</div>",
    "labels": [
        "vulnerability:CVE-2019-1563",
        "vulnerability:CVE-2020-1967",
        "vendor:Juniper Networks",
        "vulnerability:CVE-2018-0732",
        "vulnerability:CVE-2018-20843",
        "vulnerability:CVE-2019-15903"
    ],
    "lang": "en",
    "external_references": [
        {
            "source_name": "sa83669",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA83669"
        },
        {
            "source_name": "sa89677",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA89677"
        },
        {
            "source_name": "sa90843",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA90843"
        },
        {
            "source_name": "sa91027",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA91027"
        },
        {
            "source_name": "sa94476",
            "description": "External Reference objects from Flexera",
            "url": "https://app.flexerasoftware.com/#/vt/advisory-database/advisories/?advisory_id=SA94476"
        },
        {
            "source_name": "juniper (1517427)",
            "description": "External Reference objects from Flexera",
            "url": "https://kb.juniper.net/InfoCenter/JSA11074"
        },
        {
            "source_name": "cve",
            "description": "External Reference objects from Flexera",
            "external_id": "CVE-2019-1563"
        }
    ],
    "object_marking_refs": [
        "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
    ],
    "advisory_id": "SA98310",
    "credibility": "5 - Verified",
    "criticality": "3 - Moderately critical",
    "cves": [
        "CVE-2019-1563",
        "CVE-2018-0732",
        "CVE-2018-20843",
        "CVE-2020-1967",
        "CVE-2019-15903"
    ],
    "cvss_info": {
        "cvss_base_score": 7.5,
        "cvss_overall_score": 6.5,
        "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"
    },
    "impacts": [
        "DoS",
        "Exposure of sensitive information"
    ],
    "products": [
        "Juniper SBR Carrier"
    ],
    "response_action": "Update to version 8.5.0-R17 or 8.6.0-R12.",
    "revisions": [
        {
            "description": "Initial release",
            "released_date": "2020-10-15T21:10:10Z"
        }
    ],
    "risk": "6",
    "severity": "3 - Moderate Impact",
    "source": "Secunia Research from Flexera",
    "urgency": "3 - Action Highly Recommended",
	"extensions": {
		"stix-extension--55574b84-2f9e-48de-97f7-9b5cc6711f08" : {
			"extends_stix_object_definition": true 
		}
    }	
},
{
	"id":"identity--eafca5be-e6f2-4ef4-ba3e-7f0eb1b55d28",
	"identity_class":"organization",
	"lang":"en",
	"name":"FS-ISAC",
	"type":"identity",
	"spec_version":"2.1",
	"created":"2020-10-15T23:40:56.152Z",
	"modified":"2020-10-15T23:40:56.152Z"
}]
''')



#Prints the title and CVSS score
def printVulnTitleAndCvssScore(title,score):
    print('%s:%s' % (title,score))
    return True

##################################


# Original - native and custom properties are all top-level, custom properties are namespaced.
for obj in original_json:
    if obj['type']=='vulnerability':
        result=printVulnTitleAndCvssScore(obj['name'],obj['x_ctix_cvss_info']['cvss_base_score'])



# Option 2 - native and custom properties are all top-level
for obj in option2_json:
    if obj['type']=='vulnerability':
        result=printVulnTitleAndCvssScore(obj['name'],obj['cvss_info']['cvss_base_score'])


                          
#Option 1:  native properties are top-level, custom properties are nested under the "extensions" property.  So the custom properties must be wrangled out of the extensions property.

for obj in option1_json:
    if obj['type']=='vulnerability':

        #wrangle the custom properties out of the "extensions" property
        #(every extension's nested body is flattened into one dict)
        cust_properties={}
        for custs in obj['extensions'].values():
            for (k,v) in custs.items():
                cust_properties[k]=v

        result=printVulnTitleAndCvssScore(obj['name'],cust_properties['cvss_info']['cvss_base_score'])
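
The attached script needs to know in advance which of the three shapes a feed uses. The following added example (mine, not FS-ISAC's attachment) is a single consumer that reads the custom properties from all three shapes by looking at the feed's own stix-extension definition, and adds two checks the message does not cover: it refuses an SDO that references an extension definition absent from the feed, and refuses an Option 2 definition whose top-level properties would shadow a native STIX property. The NATIVE set, the legacy_prefix parameter and all sample objects are assumptions constructed for this example.

```python
# Native STIX 2.1 property names a top-level extension must never redefine
# (partial set assumed for this example; extend it from the spec tables for real use).
NATIVE = {"type", "spec_version", "id", "created", "modified", "name", "description",
          "labels", "lang", "external_references", "object_marking_refs",
          "created_by_ref", "extensions"}

def custom_properties(obj, ext_defs, legacy_prefix="x_ctix_"):
    """Custom properties of one SDO as {prop: value}, whatever shape the feed uses:
    legacy x_ctix_* top-level, Option 1 (nested under "extensions") or
    Option 2 ("toplevel-property-extension": top-level values, marker only nested)."""
    # legacy style: strip the namespace prefix so x_ctix_cvss_info -> cvss_info
    out = {k[len(legacy_prefix):]: v for k, v in obj.items() if k.startswith(legacy_prefix)}
    for ext_id, body in obj.get("extensions", {}).items():
        defn = ext_defs.get(ext_id)
        if defn is None:
            raise ValueError("%s references undeclared extension %s" % (obj["id"], ext_id))
        declared = set(defn["extension_properties"])
        if "toplevel-property-extension" in defn.get("extension_types", []):
            clash = declared & NATIVE
            if clash:  # a definition must not override id, name, created, ...
                raise ValueError("%s redefines native %s" % (ext_id, sorted(clash)))
            out.update((p, obj[p]) for p in declared if p in obj)
        else:
            # Option 1: values live in the nested body; drop anything not declared
            out.update((p, v) for p, v in body.items() if p in declared)
    return out

def base_scores(objects):
    """{vulnerability name: cvss_base_score} for a list of STIX objects."""
    ext_defs = {o["id"]: o for o in objects if o.get("type") == "stix-extension"}
    return {o["name"]: custom_properties(o, ext_defs)["cvss_info"]["cvss_base_score"]
            for o in objects if o.get("type") == "vulnerability"}

def rejects(objects):
    """True if base_scores refuses the feed (undeclared or native-shadowing extension)."""
    try:
        base_scores(objects)
        return False
    except ValueError:
        return True

# Constructed minimal samples; the ids are placeholders, not FS-ISAC feed data.
EXT_ID = "stix-extension--00000000-0000-4000-8000-000000000001"
EXT1 = {"type": "stix-extension", "id": EXT_ID, "extension_types": ["property-extension"],
        "extension_properties": ["cvss_info", "risk"]}
EXT2 = dict(EXT1, extension_types=["toplevel-property-extension"])
VULN = {"type": "vulnerability", "name": "Example advisory",
        "id": "vulnerability--00000000-0000-4000-8000-000000000002"}
CVSS = {"cvss_base_score": 7.5, "cvss_overall_score": 6.5}
LEGACY = [dict(VULN, x_ctix_cvss_info=CVSS, x_ctix_risk="6")]
OPTION1 = [EXT1, dict(VULN, extensions={EXT_ID: {"cvss_info": CVSS, "risk": "6"}})]
OPTION2 = [EXT2, dict(VULN, cvss_info=CVSS, risk="6",
                      extensions={EXT_ID: {"extends_stix_object_definition": True}})]
SHADOWING = [dict(EXT2, extension_properties=["name"]), OPTION2[1]]
UNDECLARED = [OPTION1[1]]  # vulnerability shipped without its stix-extension definition
```

Calling base_scores on LEGACY, OPTION1 and OPTION2 yields the same 7.5 for "Example advisory", while SHADOWING and UNDECLARED are refused.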