STIX 2.0 Proposal 13: Refactor Kill Chain Types (#117, #191, #241, #190, #47) - STIXProject/specifications GitHub Wiki
Issue Summary
The current implementation in STIX 1.2.1 for specifying kill chains and referencing relevant kill chain phases is kind of a mess.
- Kill chains can currently be specified either within the top-level TTPs container or within an individual TTP.
- The current structure makes it difficult for a given kill chain phase to be specified as part of multiple kill chains (something common in the real world).
- The KillChainPhaseReferenceType should not extend KillChainPhaseType and should not allow information from the kill chain definitions to be duplicated. It should simply reference a kill chain phase by ID (and, potentially, a kill chain by ID if kill chain phases can be included in multiple kill chains). See #41 for an explanation as to why.
- The @phase_id attribute would be better named @id, and the reference attributes @phase_idref and @kill_chain_idref (if phases may be present in multiple kill chains) or simply @idref (if they cannot, because the only valid reference would then be to a phase). The current attribute names are technically correct but are not consistent with the rest of STIX.
- The fact that the @phase_id and @kill_chain_id attributes in KillChainPhaseReferenceType are optional is confusing. If these attributes are omitted, the reference is invalid. What does this mean? These attributes should be required or the expectation when they are omitted should be defined.
- KillChainType contains an attribute called @number_of_phases. The number of phases can be calculated automatically, however, so the attribute is probably not necessary.
Proposed
Completely refactor how kill chains and kill chain phases are defined and used by making KillChainType and KillChainPhaseType IDable constructs and defining independent specialized relationship types for specifying kill chains or referencing kill chain phases.
Actions
- Make KillChainType a specialization of TTPType
- Remove all properties from KillChainType except "definer" and "reference"
- Make KillChainPhaseType a specialization of TTPType
- Remove all native properties from KillChainPhaseType
- Create a new RelatedKillChainPhaseType relationship type with the To property constrained to KillChainPhaseType
- Create a new ContainedKillChainPhaseType relationship type that:
  - is a specialization of RelatedKillChainPhaseType
  - has a single required property "ordinality" : NonNegativeInteger [1]
  - has its From property constrained to KillChainType
With this proposed solution:
- kill chains can be specified simply and unambiguously: one instance of KillChainType, a separate instance of KillChainPhaseType for each kill chain phase, and one instance of ContainedKillChainPhaseType per phase giving that phase's ordinality within the kill chain being specified.
- related kill chain phases can easily and unambiguously be specified for any Indicators or TTPs using instances of RelatedKillChainPhaseType
- there are no longer unnecessary or overlapping properties
- kill chain phases can now easily be leveraged across multiple kill chains without conflict.
Proposed Model
Examples
Example #1: specifying the LM kill chain
Example #2: simple indicator with simple RelatedKillChainPhase relationship to phase in LM kill chain
Example #3: simple TTP with simple RelatedKillChainPhase relationship to phase in LM kill chain
JSON Serialization example snippets
Example #1:
{
"id": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"type": "killchain",
"timestamp": {"value": "2014-12-21T18:49:08.000134+00:00"},
"title": "Lockheed Martin Kill Chain",
"definer": "LMCO"
}
{
"id": "example:ttp-af1016d6-a744-4ed7-ac91-00fe2272185a",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000167+00:00"},
"title": "Reconnaissance"
}
{
"id": "example:ttp-445b4827-3cca-42bd-8421-f2e947133c16",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000245+00:00"},
"title": "Weaponization"
}
{
"id": "example:ttp-79a0e041-9d5f-49bb-ada4-8322622b162d",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000355+00:00"},
"title": "Delivery"
}
{
"id": "example:ttp-f706e4e7-53d8-44ef-967f-81535c9db7d0",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000578+00:00"},
"title": "Exploitation"
}
{
"id": "example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000601+00:00"},
"title": "Installation"
}
{
"id": "example:ttp-d6dc32b9-2538-4951-8733-3cb9ef1daae2",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000734+00:00"},
"title": "Command and Control"
}
{
"id": "example:ttp-786ca8f9-2d9a-4213-b38e-399af4a2e5d6",
"type": "killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000811+00:00"},
"title": "Actions on Objectives"
}
{
"id": "example:rel-b067ec9d-2bc4-4fd7-9c47-6acdcd6ba68b",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-af1016d6-a744-4ed7-ac91-00fe2272185a"],
"ordinality": "1"
}
{
"id": "example:rel-1addd4e5-f160-48e0-8fad-e5ade00764f9",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-445b4827-3cca-42bd-8421-f2e947133c16"],
"ordinality": "2"
}
{
"id": "example:rel-2f01e339-cccb-4874-a4c4-cc6e708f74b3",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-79a0e041-9d5f-49bb-ada4-8322622b162d"],
"ordinality": "3"
}
{
"id": "example:rel-0cebb76b-29d7-41c8-8e7b-5135bd894ba4",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-f706e4e7-53d8-44ef-967f-81535c9db7d0"],
"ordinality": "4"
}
{
"id": "example:rel-6dfc376a-b07b-4ee6-b4a6-e7cb492fa4d3",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"],
"ordinality": "5"
}
{
"id": "example:rel-4472d7d7-10d1-4ce0-a157-83e30e109bab",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-d6dc32b9-2538-4951-8733-3cb9ef1daae2"],
"ordinality": "6"
}
{
"id": "example:rel-7fc79435-b4e0-4b55-ac3b-9fc6f2eb982c",
"type": "contained-killchain-phase",
"timestamp": {"value": "2014-12-21T18:49:08.000949+00:00"},
"relationship_nature": {"value": "Contained Killchain Phase"},
"from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
"to": ["example:ttp-786ca8f9-2d9a-4213-b38e-399af4a2e5d6"],
"ordinality": "7"
}
Example #2:
{
"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
"type": "indicator",
"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
"title": "Sakurel Malware",
"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
"indicator_type": [
{
"value": "File Hash Watchlist",
"vocab": "indicator-type-vocab-1.1"
}
]
}
{
"id": "example:rel-65a02cec-cf23-4dfe-a29b-986a392206c6",
"type": "related-killchain-phase",
"timestamp": {"value": "2015-12-21T19:59:50.000259+00:00"},
"from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
"to": "example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f",
"relationship_nature": {"value": "Related Killchain Phase"}
}
Example #3:
{
"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
"type": "malware-instance",
"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
"title": "Sakurel Malware"
}
{
"id": "example:rel-65a02cec-cf23-4dfe-a29b-986a392206c6",
"type": "related-killchain-phase",
"timestamp": {"value": "2015-12-21T19:59:50.000259+00:00"},
"from": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
"to": "example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f",
"relationship_nature": {"value": "Related Killchain Phase"}
}
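The following Python program is an added example, not part of this wiki page or of any STIX project code. It consumes objects in the JSON shape of Examples #1 to #3 above and demonstrates the two points the proposal makes: the constraints on the two new relationship types (From of ContainedKillChainPhaseType must be a kill chain, To of both types must be a kill chain phase, ordinality is required and a non-negative integer, and every reference must resolve) and the many-to-many case, where one KillChainPhaseType instance is contained in two kill chains. The LM kill chain, phase and relationship ids are taken from the examples above (with timestamps and three of the seven phases kept, for brevity); "example:ttp-chain-two" and "example:rel-chain-two-1" are constructed placeholders, and the rule that an ordinality is unique within one kill chain is this example's assumption, not something the proposal states.

```python
import json

# Constructed sample data in the JSON shape of the proposal's examples.
# LM chain, phase and relationship ids come from Examples #1 and #2;
# "example:ttp-chain-two" and its containment edge are constructed placeholders
# that put the "Installation" phase into a second kill chain.
SAMPLE = """[
 {"id": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff", "type": "killchain",
  "title": "Lockheed Martin Kill Chain", "definer": "LMCO"},
 {"id": "example:ttp-chain-two", "type": "killchain",
  "title": "Constructed two-step chain", "definer": "example"},
 {"id": "example:ttp-af1016d6-a744-4ed7-ac91-00fe2272185a", "type": "killchain-phase",
  "title": "Reconnaissance"},
 {"id": "example:ttp-445b4827-3cca-42bd-8421-f2e947133c16", "type": "killchain-phase",
  "title": "Weaponization"},
 {"id": "example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f", "type": "killchain-phase",
  "title": "Installation"},
 {"id": "example:rel-b067ec9d-2bc4-4fd7-9c47-6acdcd6ba68b", "type": "contained-killchain-phase",
  "from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
  "to": ["example:ttp-af1016d6-a744-4ed7-ac91-00fe2272185a"], "ordinality": "1"},
 {"id": "example:rel-1addd4e5-f160-48e0-8fad-e5ade00764f9", "type": "contained-killchain-phase",
  "from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
  "to": ["example:ttp-445b4827-3cca-42bd-8421-f2e947133c16"], "ordinality": "2"},
 {"id": "example:rel-6dfc376a-b07b-4ee6-b4a6-e7cb492fa4d3", "type": "contained-killchain-phase",
  "from": "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff",
  "to": ["example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"], "ordinality": "5"},
 {"id": "example:rel-chain-two-1", "type": "contained-killchain-phase",
  "from": "example:ttp-chain-two",
  "to": ["example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"], "ordinality": "1"},
 {"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432", "type": "indicator",
  "title": "Sakurel Malware"},
 {"id": "example:rel-65a02cec-cf23-4dfe-a29b-986a392206c6", "type": "related-killchain-phase",
  "from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "to": "example:ttp-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f"}
]"""


def load_objects(text):
    """Parse a JSON array of STIX objects into an id -> object map.
    Duplicate ids are rejected, because a reference must resolve to one object."""
    objects = {}
    for obj in json.loads(text):
        if obj["id"] in objects:
            raise ValueError("duplicate id " + obj["id"])
        objects[obj["id"]] = obj
    return objects


def targets(rel):
    """The proposal's examples serialize "to" either as a string or as a list."""
    to = rel["to"]
    return to if isinstance(to, list) else [to]


def validate(objects):
    """Check the constraints the proposal places on the two relationship types.
    Returns a list of problems; an empty list means the graph is consistent."""
    problems = []
    used = set()  # (chain id, ordinality) pairs; uniqueness is this example's assumption
    for rel in objects.values():
        if rel["type"] not in ("contained-killchain-phase", "related-killchain-phase"):
            continue
        # Both types constrain To to KillChainPhaseType; a dangling reference is an
        # error, not an "empty" reference as the optional 1.2.1 attributes allowed.
        for target in targets(rel):
            if objects.get(target, {}).get("type") != "killchain-phase":
                problems.append(f"{rel['id']}: 'to' {target} is not a killchain-phase")
        if rel["type"] == "related-killchain-phase":
            if rel["from"] not in objects:  # From is unconstrained but must resolve
                problems.append(f"{rel['id']}: 'from' {rel['from']} does not resolve")
            continue
        # ContainedKillChainPhaseType: From is a kill chain, ordinality is required
        # and a non-negative integer (the JSON examples carry it as a string).
        if objects.get(rel["from"], {}).get("type") != "killchain":
            problems.append(f"{rel['id']}: 'from' {rel['from']} is not a killchain")
        ordinality = str(rel.get("ordinality", ""))
        if not ordinality.isdigit():
            problems.append(f"{rel['id']}: ordinality {ordinality!r} is not a non-negative integer")
        elif (rel["from"], int(ordinality)) in used:
            problems.append(f"{rel['id']}: ordinality {ordinality} already used in {rel['from']}")
        else:
            used.add((rel["from"], int(ordinality)))
    return problems


def containments(objects):
    """Yield (chain id, ordinality, phase id) for every containment edge (validate first)."""
    for rel in objects.values():
        if rel["type"] == "contained-killchain-phase":
            for phase in targets(rel):
                yield rel["from"], int(rel["ordinality"]), phase


def chain_phases(objects, chain_id):
    """Phase titles of one kill chain in ordinality order; gaps in the numbering are fine."""
    steps = sorted((o, p) for c, o, p in containments(objects) if c == chain_id)
    return [objects[p]["title"] for _, p in steps]


def chains_containing(objects, phase_id):
    """Every kill chain a phase belongs to: the many-to-many case 1.2.1 could not express."""
    return sorted({objects[c]["title"] for c, _, p in containments(objects) if p == phase_id})


def related_phases(objects, source_id):
    """Resolve an indicator's or TTP's RelatedKillChainPhase edges to
    (chain title, ordinality, phase title) triples, one per chain the phase is in."""
    out = []
    for rel in objects.values():
        if rel["type"] == "related-killchain-phase" and rel["from"] == source_id:
            for phase in targets(rel):
                out.extend((objects[c]["title"], o, objects[p]["title"])
                           for c, o, p in containments(objects) if p == phase)
    return sorted(out)


if __name__ == "__main__":
    objs = load_objects(SAMPLE)
    print("problems:", validate(objs))
    print(chain_phases(objs, "example:ttp-af3e707f-2fb9-49e5-8c37-14026ca0a5ff"))
    print(related_phases(objs, "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432"))
```

Because the indicator's RelatedKillChainPhase edge points at the phase object rather than at a (chain, phase) pair, resolving it yields one row per kill chain that contains the phase; a consumer that wants the phase's position in a specific chain joins through the ContainedKillChainPhaseType edges, as related_phases does.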