Home - STIXProject/use-cases GitHub Wiki
High Level Use cases identified for STIX include:

- Analyzing Cyber Threats
  - Incident Analysis
  - TTP Analysis
    1. Attack Pattern Analysis and Characterization
    1. Malware Analysis and Characterization
    1. Exploit Analysis and Characterization
    1. Attack Tool Analysis and Characterization
    1. Attack Infrastructure Analysis and Characterization
    1. Victim Targeting Analysis and Characterization
  - Indicator Analysis
    1. Indicator Extraction
    1. Specifying Indicator Patterns for Cyber Threats
    1. Indicator Contextualization
    1. COA Selection
    1. Sighting Analysis (replaces Indicator Sighting Analysis)
    1. Indicator Comparative Analysis
  - Threat Actor Characterization
  - Campaign Analysis
  - Exploit Target Analysis
  - COA Analysis
  - CTI Report Scoping and Aggregation
  - Identifying Relationships Between Content
  - Asserting Relationships Between Content
  - Cyber Breach Analysis and Categorization
- Managing Cyber Threat Response Activities
  - Cyber Threat Prevention
  - Cyber Threat Detection
  - Incident Response
  - Prioritizing Cyber Threats
  - Managing Situational Awareness
- Management of Content Over Time
  - Create new content
  - Update content
- Share Cyber Threat Information
  - Negotiation/Agreement on Technical Factors for Cyber Threat Information Exchange
  - Management of Content Sharing Over Time
    1. Publish content
    1. Receive content
    1. Content Comparative Analysis
    1. Reshare content
  - Cyber Threat Indicator Sharing
  - Indicator Sighting Reporting
  - Malware Analysis Sharing
  - Holistic Threat Intelligence Report Sharing
  - Shared Content Source Assessment
  - Managing Content Control
- Security Tool Integration
Detailed Use cases identified for STIX include:

- Analyzing Cyber Threats
  - Threat Actor Characterization
    1. Threat Actor Identity Analysis
    1. Threat Actor Motivation Analysis
    1. Threat Actor Capability Analysis
    1. Threat Actor Modus Operandi Analysis
  - TTP Analysis
    1. Attack Pattern Analysis and Characterization
       - Attack Pattern Comparative Analysis
    1. Malware Analysis and Characterization
       - Malware structural analysis
       - Malware behavioral analysis
       - Malware Reverse Engineering
       - Malware Comparative Analysis
       - Malware Family/Lineage Analysis
       - Collaborative Malware Analysis
    1. Exploit Analysis and Characterization
       - Exploit Reverse Engineering
    1. Attack Tool Analysis and Characterization
       - Attack Tool Characterization
       - Attack Tool Attribution Analysis
       - Attack Tool Comparative Analysis
       - Attack Tool Family/Lineage Analysis
    1. Attack Infrastructure Analysis and Characterization
       - Attack Infrastructure Characterization
       - Attack Infrastructure Attribution Analysis
       - Attack Infrastructure Comparative Analysis
       - Attack Infrastructure Family/Lineage Analysis
    1. Attacker Persona Analysis and Characterization
    1. Victim Targeting Analysis and Characterization
       - Victim Targeting by Identity Characterization
       - Victim Targeting by System Type Characterization
       - Victim Targeting by Information Type Characterization
       - Victim Targeting by Technical Context Characterization
    1. TTP Exploit Targeting Analysis and Characterization
       - TTP Targeted Vulnerability Identification
       - TTP Targeted Weakness Identification
       - TTP Targeted Configuration Identification
    1. Kill Chain Analysis
       - Kill Chain Characterization
       - Kill Chain Temporal Analysis
       - TTP-to-KillChain Mapping Analysis
  - Indicator Analysis
    1. Indicator Extraction from Digital Forensics Analysis
    1. Indicator Extraction from Malware Analysis
    1. Indicator Extraction from Sensor or Log Data
    1. Indicator Extraction from CTI
    1. Indicator Composition Analysis
    1. Indicator-to-KillChain Mapping Analysis
    1. Indicator Comparative Analysis
  - Campaign Analysis
    1. Campaign TTP Mapping Analysis
    1. Campaign Incident Mapping Analysis
    1. Campaign Attribution Analysis
    1. Campaign Motivation Analysis
    1. Campaign Victim Targeting Analysis
  - Incident Analysis
    1. Incident Timeline Analysis
    1. Incident Categorization Analysis
    1. Asset Risk Analysis
       - Asset Risk Characterization
    1. Incident Impact Assessment
    1. Incident Victim Targeting Analysis
    1. Incident Indicator Analysis
       - Indicator Extraction
       - Indicator Efficacy Analysis
    1. Incident TTP Analysis
    1. Incident Attribution Analysis
    1. Intended Effect Analysis
    1. Incident Comparative Analysis
    1. COA Selection
  - Exploit Target Analysis
    1. Vulnerability Characterization
    1. Weakness Characterization
    1. Configuration Characterization
    1. Exploit Target Susceptibility Analysis
    1. COA Selection
  - COA Analysis
    1. COA Characterization
  - CTI Report Scoping and Aggregation
  - Identifying Relationships Between Content
    1. Identifying Duplicate Content
  - Asserting Relationships Between Content
    1. Qualifying Asserted Relationship Confidence
  - Cyber Breach Analysis and Categorization
  - Specifying Indicator Patterns for Cyber Threats
    - Specifying Network Indicator Patterns for Cyber Threats
    - Specifying Host/Endpoint Indicator Patterns for Cyber Threats
    - Specifying Composite/Complex Indicator Patterns for Cyber Threats
      1. Specifying Relational Composite/Complex Indicator Patterns for Cyber Threats
      1. Specifying Logical Composite/Complex Indicator Patterns for Cyber Threats
  - CES-21 MMATRS project
- Managing Cyber Threat Response Activities
  - Cyber Threat Prevention
    1. Deploying Indicator Patterns for Cyber Threats
  - Cyber Threat Detection
    1. Deploying Indicator Patterns for Cyber Threats
  - Incident Response
    1. Incident Analysis
    1. Digital Forensics Investigation
       - Digital Forensic Information Containment
       - Forensic examination
         - Network forensic examination
         - System forensic examination
           1. File forensic examination
           1. Memory forensic examination
         - Media forensic examination
       - Digital Trace Analysis and Capture
       - Digital Forensic Information Provenance and Context Capture and Management
       - Digital Forensic Tool Interoperability, Integration and Verification
       - Forensic analysis and interpretation
       - Digital Forensics Correlation and Differential Analysis
       - Human Behavior Characterization via Digital Traces
       - Digital Forensic Information Exchange
       - Digital Forensics Archival
    1. Malware Analysis and Characterization
    1. Attack Pattern Extraction
    1. Cyber Incident Reporting
       - Cyber Incident Breach Reporting
    1. Incident Management
       - Incident Response Timeline Management
       - Incident Response Contributor Tracking
  - Prioritizing Cyber Threats
    1. Prioritizing Cyber Threats based on Motivation
    1. Prioritizing Cyber Threats based on Intended Effect
    1. Prioritizing Cyber Threats based on Victim Targeting
    1. Prioritizing Cyber Threats based on Technical Capability for Detection
    1. Prioritizing Cyber Threats based on Tempo of Activity
  - Managing Situational Awareness
    - CTI SA Visualization
    - Mapping CTI to Asset Posture and General SA Information
- Management of Content Over Time
  - Create new content
    1. Assert confidence in content based on context
  - Update content
    1. Refine/enhance content
- Share Cyber Threat Information
  - Negotiation/Agreement on Technical Factors for Cyber Threat Information Exchange
    1. Negotiation/Agreement on Information Semantics and Structure
    1. Negotiation/Agreement on Information Serialization Format
    1. Negotiation/Agreement on Protocols for Exchange
    1. Negotiation/Agreement on Commitments regarding Managing Content Control
  - Management of Content Sharing Over Time
    1. Publish content
       - Publish new content
       - Publish updated content (from originator)
       - Publish refined/enhanced content (from originator)
         1. Publish refined/enhanced content with additional content (from originator)
         1. Publish refined/enhanced content with additional context (from originator)
       - Publish corrected content (from originator)
       - Publish updated content (from non-originator)
       - Assert Low Confidence in Content (from non-originator)
       - Revoke previously published content
    1. Receive content
       - Receive new content (from originator)
       - Receive new content (from non-originator)
       - Receive updated content (from originator)
       - Receive updated content (from non-originator)
    1. Content Comparative Analysis
       - Content Duplication Identification
       - Content Deduplication
    1. Reshare content
  - Cyber Threat Indicator Sharing
  - Indicator Sighting Reporting
    1. Simple Indicator Sighting Reporting (+1)
    1. Anonymized Indicator Sighting Reporting
    1. Indicator Sighting Reporting with Count
    1. Indicator Sighting Reporting with Specific Observation
  - Malware Analysis Sharing
  - Holistic Threat Intelligence Report Sharing
  - Shared Content Source Assessment
    1. Assessing/Managing Trust for CTI Sources
    1. Assessing/Asserting Confidence in Shared Content
  - Managing Content Control
    1. Asserting Data Markings on Content
To propose a new use case please:

- create a new wiki page
- title the page "Use Case:" followed by your use case title
- copy and paste the following outline into the new page
- fill in the appropriate content
- edit this page and add your new use case to the list as a link to your new use case page

Use case title (replace with your title)
Pre-1.2.1 Use Case (True/False): False (replace with your value)
Relevant to which SCs (STIX/TAXII/CybOX): STIX (replace with your values)
Abstraction Level (High, Medium or Low): High (replace with your value)
Related Use Cases: Related use case (replace with your content)
Description: Use case objective and flow description (replace with your content)
Stakeholders/Goals:
- Stakeholder: Stakeholder description (replace with your content)
- Goal: Goal description (replace with your content)
Preconditions:
- Precondition description (replace with your content)
Dependencies:
- Dependency description (replace with your content)
Main Success Scenario:
- Scenario description (replace with your content)