def handle_non_indicator_attribute(self, incident, tags, attribute):
attribute_type = attribute.type
attribute_category = attribute.category
if attribute_type == "vulnerability":
self.generate_vulnerability(incident, tags, attribute)
elif attribute_type == "link":
if attribute_category == "Payload delivery":
self.handle_indicator_attribute(incident, tags, attribute)
else:
self.add_reference(incident, attribute.value)
elif attribute_type in ('comment', 'text', 'other'):
if attribute_category == "Payload type":
self.generate_ttp(incident, tags, attribute)
elif attribute_category == "Attribution":
ta = self.generate_threat_actor(attribute)
rta = RelatedThreatActor(ta, relationship="Attribution")
incident.attributed_threat_actors.append(rta)
else:
entry_line = "attribute[{}][{}]: {}".format(attribute_category, attribute_type, attribute.value)
self.add_journal_entry(incident, entry_line)
elif attribute_type == "target-machine":
aa = AffectedAsset()
description = attribute.value
if attribute.comment:
description += " ({})".format(attribute.comment)
aa.description = description
incident.affected_assets.append(aa)
elif attribute_type.startswith('target-'):
self.resolve_identity_attribute(incident, attribute)
elif attribute_type == "attachment":
observable = self.return_attachment_composition(attribute)
related_observable = RelatedObservable(observable, relationship=attribute.category)
incident.related_observables.append(related_observable)
def handleNonIndicatorAttribute(incident, ttps, attribute, eventTags, org):
if attribute["type"] in ("comment", "text", "other"):
if attribute["category"] == "Payload type":
generateTTP(incident, attribute, ttps, eventTags)
elif attribute["category"] == "Attribution":
ta = generateThreatActor(attribute)
rta = RelatedThreatActor(ta, relationship="Attribution")
incident.attributed_threat_actors.append(rta)
else:
entry_line = "attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"]
addJournalEntry(incident, entry_line)
elif attribute["type"] == "target-machine":
aa = AffectedAsset()
if attribute["comment"] != "":
aa.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
aa.description = attribute["value"]
incident.affected_assets.append(aa)
elif attribute["type"] == "vulnerability":
generateTTP(incident, attribute, ttps, eventTags)
elif attribute["type"] == "link":
if attribute["category"] == "Payload delivery":
handleIndicatorAttribute(incident, ttps, attribute, eventTags, org)
else:
addReference(incident, attribute["value"])
elif attribute["type"].startswith('target-'):
resolveIdentityAttribute(incident, attribute, namespace[1])
elif attribute["type"] == "attachment":
observable = returnAttachmentComposition(attribute)
related_observable = RelatedObservable(observable, relationship=attribute["category"])
incident.related_observables.append(related_observable)
return [incident, ttps]
def handleNonIndicatorAttribute(incident, ttps, attribute):
if attribute["type"] in ("comment", "text", "other"):
if attribute["category"] == "Payload type":
generateTTP(incident, attribute, ttps)
elif attribute["category"] == "Attribution":
ta = generateThreatActor(attribute)
rta = RelatedThreatActor(ta, relationship="Attribution")
incident.attributed_threat_actors.append(rta)
else:
entry_line = "attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"]
addJournalEntry(incident, entry_line)
elif attribute["type"] == "target-machine":
aa = AffectedAsset()
if attribute["comment"] != "":
aa.description = attribute["value"] + " (" + attribute["comment"] + ")"
else:
aa.description = attribute["value"]
incident.affected_assets.append(aa)
elif attribute["type"] == "vulnerability":
generateTTP(incident, attribute, ttps)
elif attribute["type"] == "link":
if attribute["category"] == "Payload delivery":
handleIndicatorAttribute(incident, ttps, attribute)
else:
addReference(incident, attribute["value"])
elif attribute["type"].startswith("target-"):
resolveIdentityAttribute(incident, attribute, namespace[1])
elif attribute["type"] == "attachment":
observable = returnAttachmentComposition(attribute)
related_observable = RelatedObservable(observable, relationship=attribute["category"])
incident.related_observables.append(related_observable)
return [incident, ttps]
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
breach._binding_class.xml_type = typeIncident
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset # "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
#impact = ImpactAssessment()
#impact.add_effect("Unintended Access")
#breach.impact_assessment = impact
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
#print("asset type: %s"%(breach.affected_assets[0].type_))
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
#print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))
# Print the XML!
#print(stix_package.to_xml())
return stix_package
def main():
pkg = STIXPackage()
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = "Database"
affected_asset.type_.count_affected = 1
affected_asset.business_function_or_role = "Hosts the database for example.com"
affected_asset.ownership_class = "Internally-Owned"
affected_asset.management_class = "Internally-Managed"
affected_asset.location_class = "Internally-Located"
property_affected = PropertyAffected()
property_affected.property_ = "Confidentiality"
property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how."
property_affected.non_public_data_compromised = "Yes"
property_affected.non_public_data_compromised.data_encrypted = False
security_effect_nature = NatureOfSecurityEffect()
security_effect_nature.append(property_affected)
affected_asset.nature_of_security_effect = security_effect_nature
affected_assets = AffectedAssets()
affected_assets.append(affected_asset)
incident = Incident(title="Exfiltration from hr-data1.example.com")
incident.affected_assets = affected_assets
pkg.add_incident(incident)
print(pkg.to_xml(encoding=None))
def build_stix( input_dict ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Incident report for " + input_dict['organization']
stix_header.add_package_intent ("Incident")
# Add handling requirements if needed
if input_dict['sensitive'] == "True":
mark = SimpleMarkingStructure()
mark.statement = "Sensitive"
mark_spec = MarkingSpecification()
mark_spec.marking_structures.append(mark)
stix_header.handling = Marking(mark_spec)
stix_package.stix_header = stix_header
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
#Add the thing that was stolen
jewels = AffectedAsset()
jewels.type_ = input_dict['asset']
incident.add_affected_asset (jewels)
# add the victim
incident.add_victim (input_dict['organization'])
stix_package.add_incident(incident)
return stix_package
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
print("confidence set to %s"%(str(breach.confidence.value)))
breach._binding_class.xml_type = typeIncident
print("incident set to %s"%(str(breach._binding_class.xml_type)))
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Company Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def buildIncident(input_dict):
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
if input_dict['confidence']:
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
if input_dict['responder']:
incident.responders = input_dict['responder']
if input_dict['coordinator']:
incident.coordinators = input_dict['coordinator']
if input_dict['intent']:
incident.intended_effects = input_dict['intent']
if input_dict['discovery']:
incident.discovery_methods = input_dict['discovery']
if input_dict['status']:
incident.status = input_dict['status']
if input_dict['compromise']:
incident.security_compromise = input_dict['compromise']
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
if input_dict['asset']:
asset = AffectedAsset()
asset.type_ = input_dict['asset']
incident.add_affected_asset (asset)
# add the victim
incident.add_victim (input_dict['organization'])
return incident
def add_asset_item(asset_item, attribute_item, incident):
assets_item = asset_item.get("assets")
if not assets_item:
error("VERIS warning: 'assets' item is missing in 'asset' item")
else:
notes_item = asset_item.get('notes')
management_item = asset_item.get('management')
if management_item:
managementClass = map_management_item_to_management_class(management_item)
ownership_item = asset_item.get('ownership')
if ownership_item:
ownershipClass = map_ownership_item_to_ownership_class(ownership_item)
hosting_item = asset_item.get("hosting")
if hosting_item:
locationClass = map_hosting_item_to_location_class(hosting_item)
# cloud
for item in assets_item:
aa = AffectedAsset()
variety_item = item.get('variety')
if not variety_item:
error("Required 'variety' item is missing in 'asset/assets' item")
else:
aa.type_ = map_variety_item_to_asset_type(variety_item)
asset_description = ""
if notes_item:
asset_description += "General Notes: " + notes_item
amount_item = item.get('amount')
if amount_item:
asset_description += "Number of Assets: " + str(amount_item)
aa.description = escape(asset_description)
# same locationClass, managementClass and ownershipClass for each asset
if management_item:
aa.management_class = managementClass
if ownership_item:
aa.ownership_class = ownershipClass
if hosting_item:
aa.location_class = locationClass
if attribute_item:
# consider not recomputing this for each asset
add_attribute_item(attribute_item, aa)
incident.add_affected_asset(aa)
