STIX 2.0 Proposal18: Abstract Victim to top level construct rather than embedded only within Incident and TTP (#149) - STIXProject/specifications GitHub Wiki

Issue Summary

Victim information is currently represented in two places:

  • In an Incident, you can describe the actual victims that were impacted by the incident.
  • In a TTP, you can describe abstract victim targeting information, such as across several incidents or within a campaign or threat actor.

These are very similar constructs and it seems redundant and confusing to define them separately.

Proposed

Create a new Victim class as a specialization of the IdentityType class, so that it can describe either the identity of a specific victim or the targeting of particular victims.

Create a new VictimTargeting class as a specialization of both VictimType and TTPType with the following native properties from the current VictimTargeting structure:

  • Targeted_Systems
  • Targeted_Information
  • Technical_Targeting_Details

Use a new Related_Victim relationship type to associate Incidents with particular Victims, and enable VictimTargetingType to be used independently as a type of TTP.

Proposed Model

Examples

Example #1: simple incident with associated victim and associated victim targeting

JSON Serialization example snippets

    {
        "id": "example:inc-6ea30b3a-dce5-44a9-9257-9f245168f0ed",
        "type": "incident",
        "timestamp": {"value": "2015-08-04T21:28:00.000000-07:00"},
        "title": "Capstone Turbine Corporation Watering Hole Attack",
        "status": {
            "value": "Incident Reported",
            "vocab": "incident-status-vocab-1.0"
        }
    }

    {
        "id": "example:victim-b438717c-eb0c-451c-8948-b83fffcd9f21",
        "type": "victim",
        "timestamp": {"value": "2015-08-04T21:28:00.000103-07:00"},
        "name": "Capstone Turbine Corporation"
    }

    {
        "id": "example:ttp-22251550-f5f9-4359-8b02-bcc3179b52dd",
        "type": "victim-targeting",
        "timestamp": {"value": "2015-08-04T21:28:00.000103-07:00"},
        "targeted_systems": {"value": "Web application"} 
    }

    {
        "id": "example:rel-0ec67774-3dc1-4886-85ee-e3f8288f9d85",
        "type": "related-victim",
        "timestamp": {"value": "2015-08-04T21:28:00.000348-07:00"},
        "relationship_nature": {"value": "Involved Victim"},
        "from": "example:inc-6ea30b3a-dce5-44a9-9257-9f245168f0ed",
        "to": "example:victim-b438717c-eb0c-451c-8948-b83fffcd9f21"
    }

    {
        "id": "example:rel-71418e00-08a1-46fe-82e1-ad95f81f769e",
        "type": "related-ttp",
        "timestamp": {"value": "2015-08-04T21:29:00.000103-07:00"},
        "relationship_nature": {"value": "Victim Targeting"},
        "from": "example:inc-6ea30b3a-dce5-44a9-9257-9f245168f0ed",
        "to": "example:ttp-22251550-f5f9-4359-8b02-bcc3179b52dd"
    }
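
With Victim and VictimTargeting as top-level objects, a consumer has to follow the relationship objects to rebuild what used to be embedded in the Incident. The following is an added example, not part of the proposal: the function name `resolve_incident`, the trimmed sample objects and the rule that a `related-victim` must point at a `victim` are assumptions made for illustration.

```python
# Constructed sample: the objects of Example #1, trimmed to the fields read below.
INC = "example:inc-6ea30b3a-dce5-44a9-9257-9f245168f0ed"
VIC = "example:victim-b438717c-eb0c-451c-8948-b83fffcd9f21"
TTP = "example:ttp-22251550-f5f9-4359-8b02-bcc3179b52dd"
SAMPLE = [
    {"id": INC, "type": "incident",
     "title": "Capstone Turbine Corporation Watering Hole Attack"},
    {"id": VIC, "type": "victim", "name": "Capstone Turbine Corporation"},
    {"id": TTP, "type": "victim-targeting",
     "targeted_systems": {"value": "Web application"}},
    {"id": "example:rel-0ec67774-3dc1-4886-85ee-e3f8288f9d85",
     "type": "related-victim", "from": INC, "to": VIC},
    {"id": "example:rel-71418e00-08a1-46fe-82e1-ad95f81f769e",
     "type": "related-ttp", "from": INC, "to": TTP},
]


def resolve_incident(objects, incident_id):
    """Follow relationship objects out of one incident and report broken links."""
    by_id = {o["id"]: o for o in objects}
    result = {"victims": [], "victim_targeting": [], "errors": []}
    if by_id.get(incident_id, {}).get("type") != "incident":
        result["errors"].append(f"{incident_id}: not an incident in this document")
        return result
    for rel in objects:
        if rel["type"] not in ("related-victim", "related-ttp"):
            continue  # not a relationship object
        if rel.get("from") != incident_id:
            continue  # relationship belongs to another object
        target = by_id.get(rel.get("to"))
        if target is None:
            result["errors"].append(f"{rel['id']}: dangling reference {rel.get('to')}")
        elif rel["type"] == "related-victim":
            if target["type"] == "victim":
                result["victims"].append(target["name"])
            else:  # assumed constraint: related-victim targets must be victims
                result["errors"].append(
                    f"{rel['id']}: target is a {target['type']}, not a victim")
        elif target["type"] == "victim-targeting":
            # Other TTP kinds are valid related-ttp targets; only this kind is collected.
            result["victim_targeting"].append(target["targeted_systems"]["value"])
    return result


if __name__ == "__main__":
    print(resolve_incident(SAMPLE, INC))
```

Dangling or mistyped references are the failure mode that embedding avoided, so the resolver reports them instead of silently dropping the link.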

JSON Schema Serialization snippets

Open Questions