Exemple #1
0
def setDates(incident, date, published):
    timestamp = getDateFromTimestamp(published)
    incident.timestamp = timestamp
    incident_time = Time()
    incident_time.incident_discovery = convertToStixDate(date)
    incident_time.incident_reported = timestamp
    incident.time = incident_time
Exemple #2
0
def setDates(incident, date, published):
    timestamp=getDateFromTimestamp(published)
    incident.timestamp=timestamp
    incident_time = Time()
    incident_time.incident_discovery = convertToStixDate(date)
    incident_time.incident_reported = timestamp
    incident.time = incident_time
Exemple #3
0
 def set_dates(self, incident, date, published):
     timestamp = published
     incident.timestamp = timestamp
     incident_time = Time()
     incident_time.incident_discovery = self.convert_to_stix_date(date)
     incident_time.incident_reported = timestamp
     incident.time = incident_time
Exemple #4
0
def main():

    data = json.load(open("data.json"))

    stix_package = STIXPackage(stix_header=STIXHeader(
        title=data['title'], package_intents='Incident'))

    ttps = {}

    for info in data['ips']:
        if info['bot'] not in ttps:
            ttps[info['bot']] = TTP(title=info['bot'])
            stix_package.add_ttp(ttps[info['bot']])

        incident = Incident(title=info['ip'])
        incident.time = Time()
        incident.time.first_malicious_action = info['first_seen']

        addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
        observable = Observable(item=addr)
        stix_package.add_observable(observable)

        related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
                                 relationship="Used Malware")
        incident.leveraged_ttps.append(related_ttp)

        related_observable = RelatedObservable(
            Observable(idref=observable.id_))
        incident.related_observables.append(related_observable)

        stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
Exemple #5
0
def add_timeline_item(timeline_item, incident):
    incident_time_item = timeline_item.get('incident')
    if not incident_time_item:
        error("Required 'incident' item is missing in 'timeline' item, skipping item")
        return None 
    incident_date_time = convert_time_item_to_datetime(incident_time_item)
    if not incident_date_time:
        return None
    complete = 0
    time = Time() 
    time.initial_compromise = incident_date_time   
    complete += 1
    compromise_item = timeline_item.get('compromise')
    if compromise_item:
        dt = convert_value_unit_to_datetime(compromise_item, incident_date_time, 'compromise')
        if dt:
            complete += 1
        time.first_malicious_action = dt
    discovery_item = timeline_item.get('discovery')
    containment_item = timeline_item.get('containment')
    if discovery_item:
        dt = convert_value_unit_to_datetime(discovery_item, incident_date_time, 'discovery')
        if dt:
            complete += 1
        time.incident_discovery =  dt
    exfiltration_item = timeline_item.get('exfiltration')
    if exfiltration_item:
        dt = convert_value_unit_to_datetime(exfiltration_item, incident_date_time, 'exfiltration')
        if dt:
            complete += 1
        time.first_data_exfiltration = dt
    # according to Kevin Thompson (Verizon), containment starts at discovery.  Use others if it isn't available 
    if containment_item:
        if time.incident_discovery:
            timePoint = time.incident_discovery
        elif time.first_data_exfiltration:
            timePoint = time.first_data_exfiltration
            warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' item is missing or not usable. Using the exfiltration datetime")
        else:
            timePoint = incident_date_time
            warn("the 'containment' item is specified in the 'timeline' item, but the 'discovery' and 'exfitration' items are missing or not usable. Using the incident datetime")
        dt = convert_value_unit_to_datetime(containment_item, timePoint, 'containment')
        if dt:
            complete += 1
        time.containment_achieved = dt
    incident.time = time
    if complete > 3:
        error("Found a possible good timeline")
campaign.names = names
activity = Activity()
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')

# Related TTP (basic; by id)
ttp = TTP(title="Malware Variant XYZ")
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
campaign.related_ttps.append(related_ttp)

# Related Incident (basic; by id)
incident = Incident(title='We got hacked')
t = Time()
t.incident_opened = '2018-09-11'
incident.time = t
related_incident = RelatedIncident(Incident(idref=incident.id_))
campaign.related_incidents.append(related_incident)

# Related Indicator (by id)
fake = Faker()
indicator = Indicator()
addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
indicator.add_observable(addr2)
related_indicator = RelatedIndicator(Indicator(idref=indicator.id_))
campaign.related_indicators.append(related_indicator)

# Related Threat Actor (by id)
ta = ThreatActor(title='Albino Rhino')
Exemple #7
0
from stix.threat_actor import ThreatActor
from stix.ttp import TTP, Behavior
from stix.ttp.behavior import AttackPattern
from stix.coa import CourseOfAction

fake = Faker()

# Basics
incident = Incident(title='We got hacked')
incident.description = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.'

# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t

# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'