def rel_mem_store():
    """Yield a MemoryStore pre-loaded with four SDOs and the three SROs linking them.

    The objects are a Campaign, Identity, Indicator and Malware built from the
    module-level ``*_ID`` / ``*_KWARGS`` constants, plus the relationships
    indicator ``indicates`` malware, malware ``targets`` identity and campaign
    ``uses`` malware, whose ids are taken from ``RELATIONSHIP_IDS`` in order.
    """
    campaign = Campaign(id=CAMPAIGN_ID, **CAMPAIGN_KWARGS)
    identity = Identity(id=IDENTITY_ID, **IDENTITY_KWARGS)
    indicator = Indicator(id=INDICATOR_ID, **INDICATOR_KWARGS)
    malware = Malware(id=MALWARE_ID, **MALWARE_KWARGS)
    relationships = [
        Relationship(indicator, 'indicates', malware, id=RELATIONSHIP_IDS[0]),
        Relationship(malware, 'targets', identity, id=RELATIONSHIP_IDS[1]),
        Relationship(campaign, 'uses', malware, id=RELATIONSHIP_IDS[2]),
    ]
    # Same insertion order as before: the four SDOs first, then the SROs.
    yield MemoryStore([campaign, identity, indicator, malware, *relationships])
def test_memory_store_object_creator_of_present(mem_store):
    """creator_of() resolves created_by_ref to the stored Identity.

    A custom property (``x_empire``, allowed via ``allow_custom``) must also
    survive the round trip through the store.
    """
    campaign = Campaign(
        name="Scipio Africanus",
        objective="Defeat the Carthaginians",
        created_by_ref=IDENTITY_ID,
        x_empire="Roman",
        allow_custom=True,
    )
    creator = Identity(
        id=IDENTITY_ID,
        name="Foo Corp.",
        identity_class="corporation",
    )
    for obj in (campaign, creator):
        mem_store.add(obj)

    stored = mem_store.get(campaign.id)
    assert stored.id == campaign.id
    assert stored.x_empire == campaign.x_empire
    assert mem_store.creator_of(stored) == creator
id="threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500", created="2016-08-08T15:50:10.983Z", modified="2016-08-08T15:50:10.983Z", name="Fake BPP (Branistan Peoples Party)", threat_actor_types=["nation-state"], roles=["director"], goals=["Influence the election in Branistan"], resource_level="government", primary_motivation="ideology", secondary_motivations=["dominance"], sophistication="strategic") identity1 = Identity(type="identity", spec_version="2.1", id="identity--8c6af861-7b20-41ef-9b59-6344fd872a8f", created="2016-08-08T15:50:10.983Z", modified="2016-08-08T15:50:10.983Z", name="Franistan Intelligence", identity_class="organization") ref_bpp = ExternalReference(source_name="website", url="http://www.bpp.bn") identity2 = Identity(type="identity", spec_version="2.1", id="identity--ddfe7140-2ba4-48e4-b19a-df069432103b", created="2016-08-08T15:50:10.983Z", modified="2016-08-08T15:50:10.983Z", name="Branistan Peoples Party", identity_class="organization", external_references=[ref_bpp])
from stix2.v21 import (Identity, MarkingDefinition, Indicator, StatementMarking, Bundle) identity = Identity(id="identity--611d9d41-dba5-4e13-9b29-e22488058ffc", created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z", name="Stark Industries", contact_information="*****@*****.**", identity_class="organization", sectors=["defence"]) marking_def_amber = MarkingDefinition( id="marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", created="2017-01-20T00:00:00.000Z", definition_type="tlp", definition={"tlp": "amber"}) marking_def_statement = MarkingDefinition( id="marking-definition--d81f86b9-975b-4c0b-875e-810c5ad45a4f", created="2017-04-14T13:07:49.812Z", definition_type="statement", definition=StatementMarking("Copyright (c) Stark Industries 2017.")) indicator = Indicator( id="indicator--33fe3b22-0201-47cf-85d0-97c02164528d", created="2017-04-14T13:07:49.812Z", modified="2017-04-14T13:07:49.812Z", created_by_ref="identity--611d9d41-dba5-4e13-9b29-e22488058ffc", name="Known malicious IP Address", indicator_types=["malicious-activity"], pattern="[ipv4-addr:value = '10.0.0.0']",
threat_actor = ThreatActor( id="threat-actor--9a8a0d25-7636-429b-a99e-b2a73cd0f11f", created="2015-05-07T14:22:14.760Z", modified="2015-05-07T14:22:14.760Z", name="Adversary Bravo", description= "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.", threat_actor_types=["spy", "criminal"], spec_version="2.1", type="threat-actor") identity = Identity( id="identity--1621d4d4-b67d-41e3-9670-f01faf20d111", created="2015-05-10T16:27:17.760Z", modified="2015-05-10T16:27:17.760Z", name="Adversary Bravo", description= "Adversary Bravo is a threat actor that utilizes phishing attacks.", identity_class="unknown", spec_version="2.1", type="identity") init_comp = KillChainPhase(kill_chain_name="mandiant-attack-lifecycle-model", phase_name="initial-compromise") malware = Malware(id="malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4", created="2015-04-23T11:12:34.760Z", modified="2015-04-23T11:12:34.760Z", name="Poison Ivy Variant d1c6", malware_types=["remote-access-trojan"], kill_chain_phases=[init_comp], spec_version="2.1",
from stix2.v21 import (File, Identity, Malware, ObservedData, Sighting, WindowsRegistryKey, Bundle) identityOscorp = Identity(id="identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c", created="2017-01-14T13:07:49.812Z", modified="2017-01-14T13:07:49.812Z", name="Oscorp Industries", identity_class="organization", contact_information="*****@*****.**", sectors=["technology"], spec_version="2.1", type="identity") identityPym = Identity(id="identity--7865b6d2-a4af-45c5-b582-afe5ec376c33", created="2013-04-14T13:07:49.812Z", modified="2013-04-14T13:07:49.812Z", name="Pym Technologies", identity_class="organization", contact_information="*****@*****.**", sectors=["technology"], spec_version="2.1", type="identity") malware = Malware( id="malware--ae560258-a5cb-4be8-8f05-013d6712295f", created="2014-02-20T09:16:08.989Z", modified="2014-02-20T09:16:08.989Z", created_by_ref=identityPym.id, name="Online Job Site Trojan", description= "Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.",
from stix2.v21 import (Identity, Indicator, Sighting, Bundle) identityAlpha = Identity( id="identity--39012926-a052-44c4-ae48-caaf4a10ee6e", created="2017-02-24T15:50:10.564Z", modified="2017-02-24T15:50:10.564Z", name="Alpha Threat Analysis Org.", identity_class="organization", contact_information="*****@*****.**", roles=["Cyber Security"], sectors=["technology"], spec_version="2.1", type="identity" ) identityBeta = Identity( id="identity--5206ba14-478f-4b0b-9a48-395f690c20a2", created="2017-02-26T17:55:10.442Z", modified="2017-02-26T17:55:10.442Z", name="Beta Cyber Intelligence Company", identity_class="organization", contact_information="*****@*****.**", roles=["Cyber Security"], sectors=["technology"], spec_version="2.1", type="identity" ) indicator = Indicator( id="indicator--9299f726-ce06-492e-8472-2b52ccb53191", created_by_ref="identity--39012926-a052-44c4-ae48-caaf4a10ee6e",
from stix2.v21 import Bundle, Identity, Relationship, ThreatActor

# Example: attribute a crime-syndicate threat actor to the organization
# behind it and ship both, plus the SRO, as one bundle.
threat_actor = ThreatActor(
    id="threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428",
    created="2014-11-19T23:39:03.893Z",
    modified="2014-11-19T23:39:03.893Z",
    name="Disco Team Threat Actor Group",
    description="This organized threat actor group operates to create profit from all types of crime.",
    threat_actor_types=["crime-syndicate"],
    aliases=["Equipo del Discoteca"],
    roles=["agent"],
    goals=["Steal Credit Card Information"],
    sophistication="expert",
    resource_level="organization",
    primary_motivation="personal-gain",
)

identity = Identity(
    id="identity--733c5838-34d9-4fbf-949c-62aba761184c",
    created="2016-08-23T18:05:49.307Z",
    modified="2016-08-23T18:05:49.307Z",
    name="Disco Team",
    description="Disco Team is the name of an organized threat actor crime-syndicate.",
    identity_class="organization",
    contact_information="*****@*****.**",
)

# threat_actor --attributed-to--> identity; the SRO stores the two ids.
relationship = Relationship(
    source_ref=threat_actor.id,
    relationship_type='attributed-to',
    target_ref=identity.id,
)

objects = [threat_actor, identity, relationship]
bundle = Bundle(objects=objects)
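def _random_revenue(scale=10000):
    """Draw a non-zero annual revenue (in $ millions) from a chi-square(1) draw.

    The draw is truncated to an int, so very small samples become 0; those
    are redrawn so that every generated profile reports a positive revenue.
    """
    revenue = int(np.random.chisquare(1) * scale)
    while revenue == 0:
        revenue = int(np.random.chisquare(1) * scale)
    return revenue


def _score_assessment(assessment, pass_rate):
    """Simulate a NIST 800-171 self-assessment for one organization.

    Every requirement in every category passes independently with
    probability ``pass_rate``; a pass adds the requirement's ``Value`` to the
    score, a failure records its ``Requirement`` text as an open weakness.

    Returns
    -------
    tuple
        ``(score, failed_requirements)`` where ``score`` is the summed
        ``Value`` of passed requirements and ``failed_requirements`` the list
        of ``Requirement`` strings that failed, in table order.
    """
    score = 0
    failed = []
    for category in assessment:
        for requirement in assessment[category]:
            verdict = np.random.choice(a=['Yes', 'No'], p=[pass_rate, 1 - pass_rate])
            if verdict == 'Yes':
                score += requirement['Value']
            else:
                failed.append(requirement['Requirement'])
    return score, failed


def create_organization(stix, fs, country, org_names, assessment, max_score=313):
    """Generate a synthetic company profile and save it to the STIX data store.

    The profile is stored as an ``Identity`` whose ``description`` is a JSON
    document (background, network size and simulated security posture); a
    ``located-at`` relationship ties it to the ``location`` object for
    ``country``. Random draws come from the legacy ``np.random`` global
    state, so seeding it makes the generated profiles reproducible.

    Parameters
    ----------
    stix : dictionary
        Seed vocabulary for organization profiles; ``stix['sectors']`` is
        sampled for the organization's sector.
    fs : FileSystemStore object
        Data store to save organization information.
    country : object
        Country with which to associate the organization; only
        ``country.name`` is used, and a ``location`` object with that name
        must already exist in ``fs``.
    org_names : list
        Organization names to choose from.
    assessment : dictionary
        Representation of the NIST 800-171 assessment table: category ->
        list of ``{"Requirement": str, "Value": number}`` rows.
    max_score : number, optional
        Denominator used to turn the assessment score into a percentage.
        Defaults to 313, the value previously hard-coded here; it is assumed
        to equal the sum of ``Value`` across the table — confirm against the
        assessment data in use.

    Raises
    ------
    LookupError
        If no ``location`` object named ``country.name`` exists in ``fs``.
    """
    # Draw order matters for seeded reproducibility: name, revenue, sector,
    # employees, network size, pass rate, then the assessment itself.
    name = str(np.random.choice(org_names))
    revenue = _random_revenue()
    sector = str(np.random.choice(stix['sectors']))
    description = {
        "Background": {
            "headquarters": country.name,
            "number of employees": "{:,}".format(np.random.randint(500, 15000)),
            "annual revenue": "${:,} million".format(revenue),
        },
        "Network": {
            "size": np.random.randint(1, 100),
        },
    }

    # Per-organization pass probability; Beta(2, 2) is symmetric around 0.5.
    # A draw of exactly 0 would make every requirement fail, so it is redrawn.
    pass_rate = np.random.beta(2, 2)
    while pass_rate == 0:
        pass_rate = np.random.beta(2, 2)
    score, vulns = _score_assessment(assessment, pass_rate)
    description["Security Posture"] = {
        "vulnerability": int(score / max_score * 100),
        "vulns": vulns,
    }

    # Persist the asset; sectors is a list-valued STIX property, so wrap the
    # single sampled sector explicitly rather than relying on auto-wrapping.
    organization = Identity(
        name=name,
        identity_class='organization',
        sectors=[sector],
        description=json.dumps(description),
    )
    fs.add(organization)

    # Tie the organization to its headquarters country.
    matches = fs.query([
        Filter('type', '=', 'location'),
        Filter("name", "=", country.name),
    ])
    if not matches:
        raise LookupError(
            "no 'location' object named {!r} in the data store".format(country.name),
        )
    fs.add(Relationship(organization, 'located-at', matches[0].id))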
granular_red = GranularMarking(marking_ref=TLP_RED.id, selectors=["description"]) granular_amber = GranularMarking(marking_ref=TLP_AMBER.id, selectors=["indicator_types.[1]"]) granular_green = GranularMarking( marking_ref=TLP_GREEN.id, selectors=["indicator_types.[0]", "name", "pattern"]) identity = Identity(id="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca", created="2017-04-27T16:18:24.318Z", modified="2017-04-27T16:18:24.318Z", name="Gotham National Bank", contact_information="*****@*****.**", identity_class="organization", sectors=["financial-services"], spec_version="2.1", type="identity") threat_actor = ThreatActor( id="threat-actor--8b6297fe-cae7-47c6-9256-5584b417849c", created="2017-04-27T16:18:24.318Z", modified="2017-04-27T16:18:24.318Z", created_by_ref="identity--b38dfe21-7477-40d1-aa90-5c8671ce51ca", name="The Joker", threat_actor_types=["terrorist", "criminal"], aliases=["Joe Kerr", "The Clown Prince of Crime"], roles=["director"], resource_level="team",
def setUp(self):
    """Build the Identity fixture shared by the tests in this case."""
    self.ident = Identity(identity_class="organization", name="Testing")