Introducing STIX-TTP Taxonomy

The STIX-TTP taxonomy follows the STIX model to handle the classification of event TTPs.
This version covers both Victim Targeting by Sector and Victim Targeting by Information Type.
pull/54/head
Georges Bossert 2017-01-04 15:21:22 +01:00
parent 40d96b6f2d
commit 5ca99f3505
2 changed files with 120 additions and 0 deletions


@ -33,6 +33,7 @@ The following taxonomies are described:
- [NATO Classification Marking](./nato) - [NATO Classification Marking](./nato)
- [Open Threat Taxonomy v1.1 (SANS)](./open_threat) - [Open Threat Taxonomy v1.1 (SANS)](./open_threat)
- [OSINT Open Source Intelligence - Classification](./osint) - [OSINT Open Source Intelligence - Classification](./osint)
- [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX
- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware) - [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP) - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
- [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index) - [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index)
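Review bot: The description on the new `- [STIX-TTP](./stix-ttp)` line promises the whole "behavior or modus operandi of cyber adversaries" model, but the stix-ttp/machinetag.json added in this same commit only carries a single `victim-targeting` predicate (sectors and information types, as the commit message says). State that scope here, e.g. "Victim targeting (by sector and by information type) as normalized in STIX TTPs", and keep the wording identical to the `description` field of the JSON so the README index and the taxonomy file do not drift apart.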
@ -124,6 +125,10 @@ Marking of Classified and Unclassified materials as described by the North Atlan
Open Threat Taxonomy v1.1 base on James Tarala of SANS [ref](http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf). Open Threat Taxonomy v1.1 base on James Tarala of SANS [ref](http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf).
### [STIX-TTP](./stix-ttp)
STIX-TTP exposes a set classification tools that represents the behavior or modus operandi of cyber adversaries as normalized in STIX. TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.
### [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index) ### [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index)
The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [More info about TTI](https://citizenlab.org/2013/10/targeted-threat-index/). The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [More info about TTI](https://citizenlab.org/2013/10/targeted-threat-index/).
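Review bot: "STIX-TTP exposes a set classification tools" is missing "of", and "tools" is an odd word for a tag taxonomy ("a set of classification tags" reads better). More importantly, the paragraph enumerates attack patterns, malware, exploits, tools, infrastructure, personas, ExploitTargets, intended effects, kill chain phases, handling guidance and source of the TTP information, none of which exists in the machinetag.json this commit adds; the file only defines the `victim-targeting` predicate. Either scope the paragraph to what ships ("This version covers Victim Targeting by Sector and by Information Type", as the commit message already puts it) or say plainly that the remaining STIX TTP components are not yet represented, so users do not go looking for tags that do not exist.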

stix-ttp/machinetag.json Normal file

@ -0,0 +1,115 @@
{
"namespace": "stix-ttp",
"expanded": "STIX TTP",
"version": 1,
"description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.",
"refs": [
"http://stixproject.github.io/documentation/idioms/industry-sector/"
],
"predicates": [
{
"value": "victim-targeting",
"expanded": "Victim Targeting"
}
],
"values": [
{
"predicate": "victim-targeting",
"entry": [
{
"value": "business-professional-sector",
"expanded": "Business & Professional Services Sector"
},
{
"value": "retail-sector",
"expanded": "Retail Sector"
},
{
"value": "financial-sector",
"expanded": "Financial Services Sector"
},
{
"value": "media-entertainment-sector",
"expanded": "Media & Entertainment Sector"
},
{
"value": "construction-engineering-sector",
"expanded": "Construction & Engineering Sector"
},
{
"value": "government-international-organizations-sector",
"expanded": "Goverment & International Organizations"
},
{
"value": "legal-sector",
"expanded": "Legal Services"
},
{
"value": "hightech-it-sector",
"expanded": "High-Tech & IT Sector"
},
{
"value": "healthcare-sector",
"expanded": "Healthcare Sector"
},
{
"value": "transportation-sector",
"expanded": "Transportation Sector"
},
{
"value": "aerospace-defence-sector",
"expanded": "Aerospace & Defense Sector"
},
{
"value": "energy-sector",
"expanded": "Energy Sector"
},
{
"value": "food-sector",
"expanded": "Food Sector"
},
{
"value": "natural-resources-sector",
"expanded": "Natural Resources Sector"
},
{
"value": "other-sector",
"expanded": "Other Sector"
},
{
"value": "corporate-employee-information",
"expanded": "Corporate Employee Information"
},
{
"value": "customer-pii",
"expanded": "Customer PII"
},
{
"value": "email-lists-archives",
"expanded": "Email Lists/Archives"
},
{
"value": "financial-data",
"expanded": "Financial Data"
},
{
"value": "intellectual-property",
"expanded": "Intellectual Property"
},
{
"value": "mobile-phone-contacts",
"expanded": "Mobile Phone Contacts"
},
{
"value": "user-credentials",
"expanded": "User Credentials"
},
{
"value": "authentification-cookies",
"expanded": "Authentication Cookies"
}
]
}
]
}
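Review bot: The entry `"value": "authentification-cookies"` (paired with `"expanded": "Authentication Cookies"`) is misspelled, and because `value` becomes the literal machine tag (`stix-ttp:victim-targeting="authentification-cookies"`), correcting it after merge means renaming a tag that may already be attached to events; change it to `authentication-cookies` before this lands. In the same spirit, "Goverment" in the expanded text of `government-international-organizations-sector` should be "Government", and `aerospace-defence-sector` uses British spelling while its expanded form says "Aerospace & Defense Sector"; pick one. Structurally, the commit message describes two classifications (Victim Targeting by Sector and by Information Type), yet both lists sit under the single `victim-targeting` predicate, so nothing in the tag distinguishes a sector such as `financial-sector` from an information type such as `financial-data`. Consider splitting them into two predicates (for instance `victim-targeting-sector` and `victim-targeting-information-type`, names only suggested here) and adding a `refs` entry for the information-type vocabulary, since the only reference listed is the industry-sector idiom, which does not cover the information-type values.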