Example #1
def add_external_or_partner_actor_ttem(item, pkg):
    """Add a ThreatActor built from an external or partner actor item to *pkg*.

    'country', 'motive' and 'variety' are treated as required: when one is
    missing or empty, error() is called and the remaining fields are still
    processed. 'notes' is optional.

    Args:
        item: mapping read with .get() for 'country', 'motive', 'variety'
            and 'notes'.
        pkg: object whose add_threat_actor() receives the finished actor.
    """
    actor = ThreatActor()
    actor.identity = CIQIdentity3_0Instance()
    spec = STIXCIQIdentity3_0()

    countries = item.get('country')
    if countries:
        for country_name in countries:
            addr = Address()
            addr.country = Country()
            addr.country.add_name_element(country_name)
            spec.add_address(addr)
        # The specification is attached only when at least one country exists.
        actor.identity.specification = spec
    else:
        error("Required 'country' item is missing in 'actor/external' or 'actor/partner' item")

    motives = item.get('motive')
    if motives:
        for motive in motives:
            statement = Statement()
            statement.value = map_motive_item_to_motivation(motive)
            actor.add_motivation(statement)
    else:
        error("Required 'motive' item is missing in 'actor/external' or 'actor/partner' item")

    varieties = item.get('variety')
    if varieties:
        for variety in varieties:
            statement = Statement()
            statement.value = map_actor_variety_item_to_threat_actor_type(variety)
            actor.add_type(statement)
    else:
        error("Required 'variety' item is missing in 'actor/external' or 'actor/partner' item")

    notes = item.get('notes')
    if notes:
        # Free text from the input record goes through escape() before it is
        # placed in the description.
        actor.description = "Notes: " + escape(notes)

    pkg.add_threat_actor(actor)
Example #2
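    def _get_threat_actor_object(value,
                                 description=None,
                                 crowd_strike_motivations=()):
        """Build a STIX ThreatActor whose CIQ identity names *value*.

        Args:
            value: actor name; used as the organisation name in the CIQ
                identity and as the ThreatActor title.
            description: text stored as both description and
                short_description; may be None.
            crowd_strike_motivations: iterable of mappings, each read through
                its 'value' key to create one motivation Statement.

        Returns:
            The populated ThreatActor.
        """
        # Attacker identity: a party name holding the organisation name.
        organisation_name = OrganisationName(value)
        party_name = PartyName()
        party_name.add_organisation_name(organisation_name)
        identity_specification = STIXCIQIdentity3_0()
        identity_specification.party_name = party_name
        identity = CIQIdentity3_0Instance()

        # ThreatActor
        ta = ThreatActor()
        ta.identity = identity
        ta.identity.specification = identity_specification
        # The title is the extracted threat actor name.
        ta.title = value
        ta.description = description
        ta.short_description = description
        # The original assigned ta.identity a second time here; the repeated
        # assignment was redundant and has been dropped.

        # Motivations: an immutable empty default replaces the shared mutable
        # list the signature used before.
        for crowd_strike_motivation in crowd_strike_motivations:
            ta.add_motivation(Statement(crowd_strike_motivation['value']))
        return ta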
Example #3
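def convert_threat_actor(ta20):
    """Convert a STIX 2.0 threat-actor mapping into a STIX 1.x ThreatActor.

    Properties without a direct 1.x counterpart here (aliases, roles,
    resource_level) are handed to add_missing_list_property_to_description.
    Object markings are re-applied through CONTAINER; granular markings are
    reported through error() and not converted.

    Args:
        ta20: mapping with at least 'id', 'modified', 'name' and 'labels'.

    Returns:
        The ThreatActor, after it has been registered with
        record_id_object_mapping under the 2.0 id.
    """
    ta1x = ThreatActor(id_=convert_id20(ta20["id"]),
                       timestamp=text_type(ta20["modified"]))
    ta1x.title = ta20["name"]
    types = convert_open_vocabs_to_controlled_vocabs(ta20["labels"],
                                                     THREAT_ACTOR_LABEL_MAP)
    for t in types:
        ta1x.add_type(t)
    if "description" in ta20:
        ta1x.add_description(ta20["description"])
    if "aliases" in ta20:
        add_missing_list_property_to_description(ta1x, "aliases",
                                                 ta20["aliases"])
    if "roles" in ta20:
        add_missing_list_property_to_description(ta1x, "roles", ta20["roles"])
    if "goals" in ta20:
        for g in ta20["goals"]:
            ta1x.add_intended_effect(g)
    if "sophistication" in ta20:
        sophistications = convert_open_vocabs_to_controlled_vocabs(
            [ta20["sophistication"]], THREAT_ACTOR_SOPHISTICATION_MAP)
        for s in sophistications:
            ta1x.add_sophistication(s)
    if "resource_level" in ta20:
        add_missing_list_property_to_description(ta1x, "resource_level",
                                                 ta20["resource_level"])
    all_motivations = []
    if "primary_motivation" in ta20:
        all_motivations.append(ta20["primary_motivation"])
    # STIX 2.0 names the list-valued properties in the plural
    # (secondary_motivations, personal_motivations). The singular spellings
    # the original looked up are still read so existing inputs keep working.
    for key in ("secondary_motivations", "secondary_motivation",
                "personal_motivations", "personal_motivation"):
        if key in ta20:
            extra = ta20[key]
            if isinstance(extra, text_type):
                # extend() on a bare string would add one entry per character.
                extra = [extra]
            all_motivations.extend(extra)
    motivations = convert_open_vocabs_to_controlled_vocabs(
        all_motivations, ATTACK_MOTIVATION_MAP)
    for m in motivations:
        ta1x.add_motivation(m)
    if "object_marking_refs" in ta20:
        for m_id in ta20["object_marking_refs"]:
            ms = create_marking_specification(m_id)
            # A falsy result is skipped, so the 1.x object can end up with
            # fewer handling markings than the 2.0 source.
            # NOTE(review): confirm the helper reports that case.
            if ms:
                CONTAINER.add_marking(ta1x, ms, descendants=True)
    if "granular_markings" in ta20:
        # Granular markings are not carried over; the output lacks whatever
        # handling restrictions they expressed.
        error(
            "Granular Markings present in '%s' are not supported by stix2slider",
            604, ta20["id"])
    record_id_object_mapping(ta20["id"], ta1x)
    return ta1x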
Example #4
def to_stix_actor(obj):
    """
    Build a STIX ThreatActor from ``obj``.

    Copies the name and description, then every entry of threat_types,
    motivations, intended_effects and sophistications. Identifiers are not
    copied.

    :returns: ``(ThreatActor, obj.releasability)``. The releasability value
        is returned alongside the actor and is not attached to it here, so
        the caller has to act on it.
    """

    actor = ThreatActor()
    actor.title = obj.name
    actor.description = obj.description

    # (source attribute on obj, adder method on the actor), in original order.
    copy_plan = (
        ("threat_types", "add_type"),
        ("motivations", "add_motivation"),
        ("intended_effects", "add_intended_effect"),
        ("sophistications", "add_sophistication"),
    )
    for source_attr, adder_name in copy_plan:
        for entry in getattr(obj, source_attr):
            getattr(actor, adder_name)(entry)

    return actor, obj.releasability
Example #5
def to_stix_actor(obj):
    """
    Create a STIX ThreatActor populated from ``obj``.

    Title and description come from ``obj.name`` and ``obj.description``;
    types, motivations, intended effects and sophistications are added one
    entry at a time. Identifiers are left out.

    :returns: a 2-tuple of the ThreatActor and ``obj.releasability``. The
        releasability is passed back separately rather than set on the
        actor, so enforcing it is left to the caller.
    """

    threat_actor = ThreatActor()
    threat_actor.title = obj.name
    threat_actor.description = obj.description

    for threat_type in obj.threat_types:
        threat_actor.add_type(threat_type)

    for motivation in obj.motivations:
        threat_actor.add_motivation(motivation)

    for effect in obj.intended_effects:
        threat_actor.add_intended_effect(effect)

    for sophistication in obj.sophistications:
        threat_actor.add_sophistication(sophistication)

    result = (threat_actor, obj.releasability)
    return result
Example #6
    def to_stix_actor(self):
        """
        Build a STIX ThreatActor from this object.

        Copies name and description, then each entry of threat_types,
        motivations, intended_effects and sophistications. Identifiers are
        not copied.

        :returns: ``(ThreatActor, self.releasability)``. Releasability is
            returned next to the actor and is not attached to it here, so
            the caller has to act on it.
        """

        # Imported inside the method, as in the original.
        from stix.threat_actor import ThreatActor
        actor = ThreatActor()
        actor.title = self.name
        actor.description = self.description

        # (attribute on self, adder method on the actor), in original order.
        copy_plan = (
            ("threat_types", "add_type"),
            ("motivations", "add_motivation"),
            ("intended_effects", "add_intended_effect"),
            ("sophistications", "add_sophistication"),
        )
        for source_attr, adder_name in copy_plan:
            for entry in getattr(self, source_attr):
                getattr(actor, adder_name)(entry)

        return actor, self.releasability
Example #7
    def to_stix_actor(self):
        """
        Create a STIX ThreatActor populated from this object.

        Title and description come from ``self.name`` and
        ``self.description``; types, motivations, intended effects and
        sophistications are added one entry at a time. Identifiers are left
        out.

        :returns: a 2-tuple of the ThreatActor and ``self.releasability``.
            The releasability is handed back separately rather than set on
            the actor, so enforcing it is left to the caller.
        """

        # Imported inside the method, as in the original.
        from stix.threat_actor import ThreatActor
        threat_actor = ThreatActor()
        threat_actor.title = self.name
        threat_actor.description = self.description

        for threat_type in self.threat_types:
            threat_actor.add_type(threat_type)

        for motivation in self.motivations:
            threat_actor.add_motivation(motivation)

        for effect in self.intended_effects:
            threat_actor.add_intended_effect(effect)

        for sophistication in self.sophistications:
            threat_actor.add_sophistication(sophistication)

        result = (threat_actor, self.releasability)
        return result
def buildThreatActor(input_dict):
    """Build a STIX ThreatActor from a flat dictionary.

    Every key read below is accessed by subscript, so all of them must be
    present in *input_dict*. 'title' and 'description' are always copied;
    the others are applied only when their value is truthy.

    Args:
        input_dict: mapping with the keys 'title', 'description', 'identity',
            'type', 'motivation', 'sophistication', 'intendedEffect',
            'support', 'confidence' and 'informationSource'.

    Returns:
        The populated ThreatActor.
    """
    actor = ThreatActor()
    actor.title = input_dict["title"]
    actor.description = input_dict["description"]

    identity_value = input_dict["identity"]
    if identity_value:
        actor.identity = Identity(identity_value)

    # (input key, adder method on the actor), kept in the original order.
    adders = (
        ("type", "add_type"),
        ("motivation", "add_motivation"),
        ("sophistication", "add_sophistication"),
        ("intendedEffect", "add_intended_effect"),
        ("support", "add_planning_and_operational_support"),
    )
    for key, adder_name in adders:
        if input_dict[key]:
            getattr(actor, adder_name)(input_dict[key])

    if input_dict["confidence"]:
        actor.confidence = Confidence(input_dict["confidence"])

    if input_dict["informationSource"]:
        actor.information_source = InformationSource(input_dict["informationSource"])

    return actor
Example #9
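def add_internal_actor_item(internal_item, pkg):
    """Add a ThreatActor built from an 'actor/internal' item to *pkg*.

    'motive' and 'variety' are treated as required: when one is missing or
    empty, error() is called and the remaining fields are still processed.
    Every variety is recorded as an insider-threat type, with the variety
    itself kept as the type's description. 'notes' is optional.

    Args:
        internal_item: mapping read with .get() for 'motive', 'variety' and
            'notes'.
        pkg: object whose add_threat_actor() receives the finished actor.
    """
    ta = ThreatActor()
    motive_item = internal_item.get('motive')
    if not motive_item:
        error("Required 'motive' item is missing in 'actor/internal' item")
    else:
        for item in motive_item:
            motivation = Statement()
            motivation.value = map_motive_item_to_motivation(item)
            # Added inside the loop so every motive is kept. The original
            # called add_motivation once after the loop, which kept only the
            # last motive and referenced an unbound name when 'motive' was
            # missing and error() returned.
            ta.add_motivation(motivation)
    # job_change added in 1.3
    variety_item = internal_item.get('variety')
    if not variety_item:
        error("Required 'variety' item is missing in 'actor/internal' item")
    else:
        for v in variety_item:
            ta_type = Statement()
            ta_type.value = ThreatActorType(ThreatActorType.TERM_INSIDER_THREAT)
            ta_type.description = v
            ta.add_type(ta_type)
    notes_item = internal_item.get('notes')
    if notes_item:
        # Free text from the input record goes through escape() before it is
        # placed in the description.
        ta.description = "Notes: " + escape(notes_item)
    pkg.add_threat_actor(ta)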