WIP: add :targeted_{countries,industries} to Actor #447

Draft: wants to merge 1 commit into base: master
4 changes: 3 additions & 1 deletion doc/json/actor.json
@@ -1,6 +1,7 @@
{
"confidence" : "string",
"tlp" : "string",
"targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -38,5 +39,6 @@
} ],
"motivation" : "string",
"description" : "string",
"external_ids" : [ "string" ]
"external_ids" : [ "string" ],
"targeted_countries" : [ "string" ]
}
4 changes: 3 additions & 1 deletion doc/json/bundle.json
@@ -802,6 +802,7 @@
"actors" : [ {
"confidence" : "string",
"tlp" : "string",
"targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -839,7 +840,8 @@
} ],
"motivation" : "string",
"description" : "string",
"external_ids" : [ "string" ]
"external_ids" : [ "string" ],
"targeted_countries" : [ "string" ]
} ],
"indicator_refs" : [ "string" ],
"schema_version" : "string",
4 changes: 3 additions & 1 deletion doc/json/casebook.json
@@ -816,6 +816,7 @@
"actors" : [ {
"confidence" : "string",
"tlp" : "string",
"targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -853,7 +854,8 @@
} ],
"motivation" : "string",
"description" : "string",
"external_ids" : [ "string" ]
"external_ids" : [ "string" ],
"targeted_countries" : [ "string" ]
} ],
"indicator_refs" : [ "string" ],
"schema_version" : "string",
24 changes: 24 additions & 0 deletions doc/structures/actor.md
@@ -26,6 +26,8 @@
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||

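Review bot: the type column of both new rows reads "ShortStringString List" (and the anchor ids end in `-shortstringstringlist`), which looks like the doc generator gluing the `ShortString` alias onto its underlying `String` type rather than a real type name; the same text is repeated in bundle.md and casebook.md, so check how the generator renders a `[c/ShortString]` sequence before merging the regenerated docs. The row description also promises "ISO 3166-1 numeric codes" while the inline review asks for alpha-2 codes; whichever form is chosen should be stated identically here and in the schema description.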
@@ -304,6 +306,28 @@ URI of the source of the intelligence that led to the creation of the entity.

* A URI

<a id="propertytargeted_countries-shortstringstringlist"></a>
## Property targeted_countries ∷ ShortStringString List

A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytargeted_industries-shortstringstringlist"></a>
## Property targeted_industries ∷ ShortStringString List

A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytimestamp-instdate"></a>
## Property timestamp ∷ Inst (Date)

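Review bot: the two new property sections only say "String with at most 1024 characters", which tells a producer nothing about what a valid value looks like. For targeted_countries, spell out the exact form (a 3-digit ISO 3166-1 numeric code such as "840", or a 2-letter alpha-2 code if the inline review is followed); for targeted_industries, name the vocabulary (STIX industry-sector values such as `financial-services`), so consumers have something concrete to validate against. The doubled blank line before the `* *ShortString*` bullet appears in every generated section and is a generator quirk, not something to hand-edit here.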
32 changes: 32 additions & 0 deletions doc/structures/bundle.md
@@ -810,6 +810,8 @@ A URL reference to an external resource.
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||

@@ -1088,6 +1090,28 @@ URI of the source of the intelligence that led to the creation of the entity.

* A URI

<a id="propertytargeted_countries-shortstringstringlist"></a>
## Property targeted_countries ∷ ShortStringString List

A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytargeted_industries-shortstringstringlist"></a>
## Property targeted_industries ∷ ShortStringString List

A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytimestamp-instdate"></a>
## Property timestamp ∷ Inst (Date)

@@ -9849,6 +9873,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
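Review bot: this `process_uid` insertion, and the identical ones further down in bundle.md and casebook.md plus the reorder in judgement.md, have nothing to do with the targeted_{countries,industries} change named in the PR title; they look like regenerated docs catching up with an earlier observable-type addition. Consider landing the regeneration as its own commit, or calling it out in the PR description, so reviewers can separate intended changes from generator drift.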
@@ -9930,6 +9955,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -10026,6 +10052,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -10234,6 +10261,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -10399,6 +10427,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -10990,6 +11019,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -11487,6 +11517,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -12091,6 +12122,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
32 changes: 32 additions & 0 deletions doc/structures/casebook.md
@@ -8267,6 +8267,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -8348,6 +8349,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -8444,6 +8446,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -8652,6 +8655,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -8817,6 +8821,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -10320,6 +10325,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -12794,6 +12800,7 @@ Observable types that can be acted upon.
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -14466,6 +14473,7 @@ For each asset, we allow for the assertion of time bound properties.This gives u
* process_hash
* process_name
* process_path
* process_uid
* process_username
* processor_id
* registry_key
@@ -14917,6 +14925,8 @@ A URL reference to an external resource.
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||

@@ -15195,6 +15205,28 @@ URI of the source of the intelligence that led to the creation of the entity.

* A URI

<a id="propertytargeted_countries-shortstringstringlist"></a>
## Property targeted_countries ∷ ShortStringString List

A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytargeted_industries-shortstringstringlist"></a>
## Property targeted_industries ∷ ShortStringString List

A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.

* This entry is optional
* This entry's type is sequential (allows zero or more values)


* *ShortString* String with at most 1024 characters.

<a id="propertytimestamp-instdate"></a>
## Property timestamp ∷ Inst (Date)

2 changes: 1 addition & 1 deletion doc/structures/judgement.md
@@ -391,8 +391,8 @@ A URL reference to an external resource.
* process_hash
* process_name
* process_path
* process_username
* process_uid
* process_username
* processor_id
* registry_key
* registry_name
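Review bot: this list already contained `process_uid`; the hunk only moves it above `process_username` to restore alphabetical order, matching where the other regenerated files insert it. Harmless, but unrelated to the targeted_{countries,industries} change in the PR title, so it belongs with the docs-regeneration commit rather than this one.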
4 changes: 3 additions & 1 deletion src/ctim/examples/actors.cljc
@@ -39,7 +39,9 @@
:valid_time {:start_time #inst "2016-02-11T00:40:48.212-00:00"
:end_time #inst "2016-07-11T00:40:48.212-00:00"}
:tlp "green"
:aliases ["alias 1" "alias 2"]})
:aliases ["alias 1" "alias 2"]
:targeted_countries ["840"]
@michaels-den (Contributor) commented on Jun 17, 2024:

Let's use 3166-1 A2 codes, i.e. 2-letter country codes, see the following example:

```clojure
  "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored
threat group that specializes in financial cyber operations; it has been attributed to
the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)
Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted
banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system
endpoints, and ATMs in at least 38 countries worldwide. Significant operations include
the 2016 Bank of Bangladesh heist, during which
[APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks
against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been
destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38
Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus
Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have
significant overlap, and some security researchers report all North Korean
state-sponsored cyber activity under the name [Lazarus
Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or
subgroups.",
  :aliases
  ["APT38"
   "NICKEL GLADSTONE"
   "BeagleBoyz"
   "Bluenoroff"
   "Stardust Chollima"],
  :external_references
  {:external_id "G0082",
   :source_name "mitre-attack",
   :url "https://attack.mitre.org/groups/G0082"},
  :mitre_group_id "G0082",
  :targeted_industries ["financial-services", "government"]
  :targeted_countries ["BD", "MX", "CL"]}
```

:targeted_industries ["Goverment", "Defense", "Mining", "Technology"]})

(def actor-minimal
{:id "http://ex.tld/ctia/actor/actor-5023697b-3857-4652-9b53-ccda297f9c3e"
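Review bot: the added example values do not match the descriptions this PR introduces. `:targeted_industries ["Goverment", "Defense", "Mining", "Technology"]` carries a typo ("Goverment") and uses capitalised display names, whereas the schema description says STIX Industry Sectors, whose values are lowercase hyphenated identifiers (`government`, `defense`, `mining`, `technology`; compare `["financial-services", "government"]` in the inline review). `:targeted_countries ["840"]` is a numeric code, which fits the current "ISO 3166-1 numeric codes" description but not the alpha-2 form the inline review asks for; the example should follow whichever form the schema ends up documenting. Minor style point: the new industries line uses comma-separated vector elements while `:aliases ["alias 1" "alias 2"]` directly above does not; commas are whitespace in EDN, but keep one style in the file.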
9 changes: 8 additions & 1 deletion src/ctim/schemas/actor.cljc
@@ -81,7 +81,14 @@
"evidence."))
(f/entry :aliases [c/ShortString]
:description (str "A list of other names that this Threat Actor is "
"believed to use.")))
"believed to use."))
(f/entry :targeted_countries [c/ShortString]
:description (str "A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is "
"believed to target."))
(f/entry :targeted_industries [c/ShortString]
:description (str "A list of STIX Industry Sectors that represent the industries this Threat Actor is "
"believed to target."))
)
;; Not provided: handling
;; Not provided: related_packages (deprecated)
)
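Review bot: both new entries are typed `[c/ShortString]`, so validation accepts any string up to 1024 characters and nothing enforces the "ISO 3166-1 numeric codes" or "STIX Industry Sectors" promised in the descriptions; a misspelled value such as "Goverment" (present in the updated actors.cljc example) passes unchallenged. Suggest a constrained type for each field (a fixed-length digit or letter pattern for country codes, an enum or open vocabulary for industry sectors) so the description and the validator agree, and settle numeric versus alpha-2 country codes before merging, since the inline review asks for alpha-2 while the description here says numeric. Style: the two description strings run well past the line width of the surrounding entries (compare the wrapped `:aliases` description), and the closing `)` parked alone on its own line breaks the paren style used by the rest of the form.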