STIX 2.0 Proposal9 : Abstract relationships as top level constructs rather than embedded within other constructs (#291) - STIXProject/specifications GitHub Wiki

Issue Summary

In STIX 1.2.1 relationships between IDable content are conveyed either implicitly through embedding of content or explicitly through a reference to the related content specified within the content at the origination/root of the relationship.

This brings with it several limitations:

  • If you want to assert a relationship you must actually change the content at the root of the relationship. This is likely to lead to very high rates of versioning churn that could be avoided with a different approach. It also leads to situations where Party B wishes to assert a relationship on content from Party A but must modify Party A's content (and thus reissue it as sourced from Party B) just to do so.
  • You cannot currently 'agree' with a relationship that someone has asserted between objects they have published. In some cases it is extremely valuable for someone to say they also think that object A and object B are related. Currently you would need to produce your own object and assert the relationship from your own object to that object.
  • It is currently difficult to assert agreement with an object that someone else sent.

Proposed

Create new relationship types derived from AssertionType, which is in turn derived from IDableConstructType, and then remove all relationship-based properties from inside IDable constructs.

  • Create a new AssertionType class within stixCommon that is a specialization of the IDableConstructType class and currently has a single property "Confidence" of ConfidenceType [0..1].
  • Create a new "relationship" package/namespace within the STIX model.
  • Create a new abstract RelationshipBaseType class within the "relationship" package that is a specialization of AssertionType and has the following properties:
    • Is_Bidirectional : Boolean [1]
      • this property specifies whether or not the assertion relationship should be interpreted in both directions
    • Relationship_Nature : ControlledVocabularyStringType [0..1]
      • this property allows characterization of the nature of the relationship being asserted (e.g., "AKA/Alias" between two Threat Actors)
    • To : IDableConstructType [1]
      • this property asserts the identifier of the target construct instance for the asserted relationship
    • From : IDableConstructType [1]
      • this property asserts the identifier of the source construct instance for the asserted relationship
  • Create new classes for each specific type of CTI relationship (e.g., "RelatedTTPType") within the "relationship" package as a specialization of RelationshipBaseType. For now, start with a general "Related" type for each IDableConstruct class (RelatedTTPType, RelatedObservationType, RelatedIndicatorType, etc.) where the new "Related" relationship type constrains the To end of the relationship to be an IDable construct of the type appropriate for that relationship.

Proposed Model

Examples

Example #1: simple TTP, simple Indicator, and simple Related_TTP relationship from the Indicator to the TTP

Example #2: simple indicator, simple Source, and simple Related_Source relationship from Indicator to Source

Example #3: simple Threat Actor, simple TTP, simple Related_TTP relationship from TA to TTP

Example #4: simple Report with Source and containing a TTP, an Indicator and a Campaign

JSON Serialization example snippets

Example #1:

{
	"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
	"type": "malware-instance",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"title": "Sakurel Malware"
}

{
	"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"type": "indicator",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"title": "Sakurel Malware",
	"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
	"indicator_type": [
		{
			"value": "File Hash Watchlist",
			"vocab": "indicator-type-vocab-1.1"			
		}
	]
}

{
	"id": "example:rel-fd81e9fb-5c3b-4922-9307-dd226079c00f",
	"type": "related-ttp",
	"timestamp": { "value" : "2015-12-21T19:59:12.000000+00:00" },
	"confidence": {
		"value": {
			"value": "High",
			"vocab": "high-medium-low-vocab-1.0"
		}
	},
	"from" : "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"to": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
	"relationship_nature": {
		"value": "Indicated TTP"
	}
}

Example #2:

{
	"id": "example:src-83dc6b53-ac3d-40e0-82ef-eab173c7ee1e",
	"type": "source",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"name": "US-CERT"
}

{
	"id": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"type": "indicator",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"title": "Sakurel Malware",
	"indicator_expression": "this would be an observable pattern for a particular file hash using the new CybOX patterning language under consideration",
	"indicator_type": [
		{
			"value": "File Hash Watchlist",
			"vocab": "indicator-type-vocab-1.1"			
		}
	]
}

{
	"id": "example:rel-9d0c539e-a874-42c7-a055-3e900b98724f",
	"type": "related-source",
	"timestamp": { "value" : "2015-12-21T19:59:12.000000+00:00" },
	"from": "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432",
	"to": "example:src-83dc6b53-ac3d-40e0-82ef-eab173c7ee1e",
	"relationship_nature": {
		"value": "Has Source"
	}
}

Example #3:

{
	"id": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
	"type": "threat-actor",
	"timestamp": {"value" : "2015-12-21T21:54:19.000000+00:00"},
	"name": "Black Vine"
}

{
	"id": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
	"type": "malware-instance",
	"timestamp": { "value" : "2015-12-21T19:59:11.000000+00:00" },
	"title": "Sakurel Malware"
}

{
	"id": "example:rel-9d0c539e-a874-42c7-a055-3e900b98724f",
	"type": "related-ttp",
	"timestamp": { "value" : "2015-12-21T19:59:12.000000+00:00" },
	"confidence": {
		"value": {
			"value": "High",
			"vocab": "high-medium-low-vocab-1.0"
		}
	},
	"from": "example:ta-5971dd17-9930-45c9-9346-f33359fda030",
	"to": "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be",
	"relationship_nature": {
		"value": "Observed TTP"
	}
}

Example #4:

{
    "id": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
    "type": "report",
    "timestamp": {
            "value": "2015-07-28T00:00:00.000000+00:00", 
            "timestamp_precision": "day"
        },
    "title": "The Black Vine Cyberespionage Group",
    "description": "...",
    "intent": [
        {
            "value": "Threat Report", 
            "vocab": "report-intent-vocab-1.0"
        }
    ],
    "confidence": {
        "value": {
            "value": "High", 
            "vocab": "high-medium-low-vocab-1.0"
        }
    }
}

{
    "id": "example:src-a463ffb3-1bd9-4d94-b02d-74e4f1658283",
    "type": "source",
    "timestamp": {"value": "2015-12-21T19:59:11.000000+00:00"},
    "name": "Symantec",
    "role": {
        "value": "Initial Author", 
        "vocab": "information-source-role-vocab-1.0"
    },
    "references": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf"]
}

{
    "id": "example:rel-a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9",
    "type": "contributing-source",
    "timestamp": {"value": "2015-12-21T19:59:14.000000+00:00"},
    "from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
    "to": "example:src-a463ffb3-1bd9-4d94-b02d-74e4f1658283",
    "relationship_nature": {"value": "Contributing Source"}
}

{
    "id": "example:rel-f82356ae-fe6c-437c-9c24-6b64314ae68a",
    "type": "related-ttp",
    "timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
    "from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
    "to": [
        "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be"
    ],
    "relationship_nature": "Report Contains"
}

{
    "id": "example:rel-f82356ae-fe6c-437c-9c24-6b64314ae68a",
    "type": "related-indicator",
    "timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
    "from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
    "to": [
        "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432"
    ],
    "relationship_nature": "Report Contains"
}

{
    "id": "example:rel-72f666b6-f1db-4b2c-82e3-71ab49a84be1",
    "type": "related-campaign",
    "timestamp": {"value": "2015-12-21T19:59:17.000000+00:00"},
    "from": "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
    "to": [
        "example:cam-83422c77-904c-4dc1-aff5-5c38f3a2c55c"
    ],
    "relationship_nature": "Report Contains"
}
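
What top-level relationships mean for a consumer, as an added example that is not part of the original proposal: a Python resolver that turns relationship objects into graph edges, accepts both shapes of "to" and "relationship_nature" used in the snippets above, and flags relationships whose endpoints are missing from the bundle. The id "partyb:rel-1", the function names, and treating an absent is_bidirectional as false are assumptions made for this example.

```python
TTP = "example:ttp-6796e1db-a84d-4017-87d5-cdebfe4303be"
IND = "example:ind-b8e37090-5d62-45a1-ac2e-a88601b08432"
REP = "example:rep-84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd"
CAM = "example:cam-83422c77-904c-4dc1-aff5-5c38f3a2c55c"

# Constructed bundle reusing ids from the page's examples. "partyb:rel-1" is a
# made-up id for a second party agreeing with the first relationship.
BUNDLE = [
    {"id": TTP, "type": "malware-instance", "title": "Sakurel Malware"},
    {"id": IND, "type": "indicator", "title": "Sakurel Malware"},
    {"id": "example:rel-fd81e9fb-5c3b-4922-9307-dd226079c00f", "type": "related-ttp",
     "from": IND, "to": TTP, "relationship_nature": {"value": "Indicated TTP"}},
    {"id": "partyb:rel-1", "type": "related-ttp",
     "from": IND, "to": TTP, "relationship_nature": {"value": "Indicated TTP"}},
    # The report and campaign objects are absent, so this one must be flagged.
    {"id": "example:rel-72f666b6-f1db-4b2c-82e3-71ab49a84be1", "type": "related-campaign",
     "from": REP, "to": [CAM], "relationship_nature": "Report Contains"},
]

def nature_of(rel):
    n = rel.get("relationship_nature")  # object form or bare string, both occur
    return n.get("value") if isinstance(n, dict) else n

def resolve(bundle):
    """Return (edges, dangling); an edge is (from, to, nature, relationship id)."""
    known = {o["id"] for o in bundle}
    edges, dangling = [], []
    for rel in (o for o in bundle if "from" in o and "to" in o):
        targets = rel["to"] if isinstance(rel["to"], list) else [rel["to"]]
        for dst in targets:
            missing = [i for i in (rel["from"], dst) if i not in known]
            if missing:  # never build an edge to content we cannot inspect
                dangling.append((rel["id"], missing))
                continue
            edges.append((rel["from"], dst, nature_of(rel), rel["id"]))
            if rel.get("is_bidirectional", False):  # assumed default: one-way
                edges.append((dst, rel["from"], nature_of(rel), rel["id"]))
    return edges, dangling

def asserted_by(edges, src, dst):
    # Every relationship object asserting src -> dst, e.g. to count agreement.
    return sorted(rid for s, d, _, rid in edges if (s, d) == (src, dst))

if __name__ == "__main__":
    edges, dangling = resolve(BUNDLE)
    print(asserted_by(edges, IND, TTP))
    print(dangling)
```

The indicator and TTP objects are never modified: the second party's agreement exists only as its own relationship object, which is the versioning benefit the proposal argues for.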

JSON Schema Serialization snippets

Open Questions