STIX 2.0 Proposal 8: Remove either embedded or referenced relationships (#201) - STIXProject/specifications GitHub Wiki
Issue Summary
STIX IDable content can currently be specified separately and referenced from within other IDable content, or it can be specified inline, embedded within other IDable content.
However, supporting both forms adds structural complexity and introduces ambiguity and complexity in how consumers parse and interpret the content. This dual capability is the reason behind the id/idref combination, which confuses some users, complicates versioning and data markings, and can lead to very deep nesting of content.
Referenced relationships between content are necessary to support evolution of content, versioning and pivoting. Embedding of content was included for the convenience of producers specifying simple content and for human readability, neither of which justifies significant added complexity for consumers.
Proposed
Remove the ability to specify IDable constructs embedded/nested within other IDable constructs, except for PackageType, which can still embed other IDable constructs within it. Require these sorts of relationships to be explicitly specified using appropriate relationship types.
Proposed Model
Examples
Example #1a: A STIX 1.2 example of an indicator with an embedded TTP
Example #1b: New STIX 2.0 example of the same indicator and TTP, related through an explicit relationship object
JSON Serialization example snippets
Example #1a:

```json
{
  "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "type": "indicator",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Indicator for Sakurel Malware",
  "indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
  "indicator_type": [
    {
      "value": "File Hash Watchlist",
      "vocab": "indicator-type-vocab-1.1"
    }
  ],
  "indicated_ttp": [
    {
      "confidence": {
        "value": {
          "value": "High",
          "vocab": "high-medium-low-vocab-1.0"
        }
      },
      "ttp": {
        "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
        "type": "ttp",
        "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
        "Behavior": {
          "Malware": {
            "Malware_Instance": {
              "title": "Sakurel Malware"
            }
          }
        }
      }
    }
  ]
}
```
Example #1b:

```json
{
  "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "type": "malware-instance",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware"
}

{
  "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "type": "indicator",
  "timestamp": { "value": "2015-12-21T19:59:11.000000+00:00" },
  "title": "Sakurel Malware",
  "indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
  "indicator_type": [
    {
      "value": "File Hash Watchlist",
      "vocab": "indicator-type-vocab-1.1"
    }
  ]
}

{
  "id": "example:rel-fd81e9fb-5c3b-4922-9307-dd226079c00f",
  "type": "related-ttp",
  "timestamp": { "value": "2015-12-21T19:59:12.000000+00:00" },
  "confidence": {
    "value": {
      "value": "High",
      "vocab": "high-medium-low-vocab-1.0"
    }
  },
  "from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "to": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
  "relationship_nature": {
    "value": "Indicated TTP"
  }
}
```
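The transformation the proposal implies, going from the embedded Example #1a shape to the flat Example #1b shape, plus the consumer-side reference check that the flat form makes possible, as an added example that is not part of the proposal or the STIX project's code. The input object is constructed from Example #1a, the `flatten_indicator` and `dangling_refs` function names are ours, and relationship ids are minted locally since the page does not specify how they are assigned.

```python
import json
import uuid

# Constructed sample: the Example #1a indicator, trimmed to the fields the
# transformation touches (a STIX 1.2-style indicator with an embedded TTP).
EMBEDDED_INDICATOR = json.loads("""{
  "id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
  "type": "indicator",
  "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
  "title": "Indicator for Sakurel Malware",
  "indicated_ttp": [{
    "confidence": {"value": {"value": "High", "vocab": "high-medium-low-vocab-1.0"}},
    "ttp": {
      "id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
      "type": "ttp",
      "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
      "Behavior": {"Malware": {"Malware_Instance": {"title": "Sakurel Malware"}}}
    }
  }]
}""")


def flatten_indicator(indicator, new_id=lambda: f"example:rel-{uuid.uuid4()}"):
    """Split an indicator with embedded TTPs into top-level objects plus one
    explicit 'related-ttp' relationship per TTP (the Example #1b shape).
    The input dict is left untouched; 'new_id' mints relationship ids."""
    ind = {k: v for k, v in indicator.items() if k != "indicated_ttp"}
    objects = [ind]
    for entry in indicator.get("indicated_ttp", []):
        ttp = entry["ttp"]
        inst = ttp.get("Behavior", {}).get("Malware", {}).get("Malware_Instance", {})
        objects.append({"id": ttp["id"], "type": "malware-instance",
                        "timestamp": ttp["timestamp"], "title": inst.get("title", "")})
        rel = {"id": new_id(), "type": "related-ttp", "timestamp": ttp["timestamp"],
               "from": ind["id"], "to": ttp["id"],
               "relationship_nature": {"value": "Indicated TTP"}}
        if "confidence" in entry:  # confidence now qualifies the relationship
            rel["confidence"] = entry["confidence"]
        objects.append(rel)
    return objects


def dangling_refs(objects):
    """Consumer-side check: every relationship 'from'/'to' must resolve to
    an id present in the set of objects; returns the ids that do not."""
    ids = {o["id"] for o in objects}
    return sorted({r for o in objects if o.get("type") == "related-ttp"
                   for r in (o["from"], o["to"]) if r not in ids})
```

With embedding gone, a consumer no longer has to decide whether an id or an idref is authoritative; it only has to confirm that every `from`/`to` resolves, which `dangling_refs` does.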