def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
breach._binding_class.xml_type = typeIncident
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset # "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
#impact = ImpactAssessment()
#impact.add_effect("Unintended Access")
#breach.impact_assessment = impact
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
#print("asset type: %s"%(breach.affected_assets[0].type_))
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
#print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))
# Print the XML!
#print(stix_package.to_xml())
return stix_package
def build_stix( input_dict ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Incident report for " + input_dict['organization']
stix_header.add_package_intent ("Incident")
# Add handling requirements if needed
if input_dict['sensitive'] == "True":
mark = SimpleMarkingStructure()
mark.statement = "Sensitive"
mark_spec = MarkingSpecification()
mark_spec.marking_structures.append(mark)
stix_header.handling = Marking(mark_spec)
stix_package.stix_header = stix_header
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
#Add the thing that was stolen
jewels = AffectedAsset()
jewels.type_ = input_dict['asset']
incident.add_affected_asset (jewels)
# add the victim
incident.add_victim (input_dict['organization'])
stix_package.add_incident(incident)
return stix_package
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
# IMPLEMENTATION WORKAROUND -
# restConfid --> header.description
# resteffect --> breach.description
# resttype --> reporter.description
# restasset --> reporter.identity.name
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = restconfid # "Example description"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident(id_=ident)
breach.description = resteffect # "Intrusion into enterprise network"
breach.confidence = Confidence()
breach.confidence.value=confid
print("confidence set to %s"%(str(breach.confidence.value)))
breach._binding_class.xml_type = typeIncident
print("incident set to %s"%(str(breach._binding_class.xml_type)))
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = resttype #"The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = restasset
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Company Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
affected_asset = AffectedAsset()
affected_asset.description = "Database server at hr-data1.example.com"
affected_asset.type_ = asset
breach.affected_assets = affected_asset
# add the victim
breach.add_victim (hashPkg)
# add the impact
impact = ImpactAssessment()
impact.add_effect(effect)
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime(
"2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30",
"%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10",
"%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime(
"2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def buildIncident(input_dict):
# add incident and confidence
incident = Incident()
incident.description = input_dict['description']
if input_dict['confidence']:
incident.confidence = input_dict['confidence']
# add incident reporter
incident.reporter = InformationSource()
incident.reporter.description = "Person who reported the incident"
incident.reporter.time = Time()
incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
incident.reporter.identity = Identity()
incident.reporter.identity.name = input_dict['submitter']
# incident time is a complex object with support for a bunch of different "when stuff happened" items
incident.time = incidentTime()
incident.title = "Breach of " + input_dict['organization']
incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it
if input_dict['responder']:
incident.responders = input_dict['responder']
if input_dict['coordinator']:
incident.coordinators = input_dict['coordinator']
if input_dict['intent']:
incident.intended_effects = input_dict['intent']
if input_dict['discovery']:
incident.discovery_methods = input_dict['discovery']
if input_dict['status']:
incident.status = input_dict['status']
if input_dict['compromise']:
incident.security_compromise = input_dict['compromise']
# add the impact
impact = ImpactAssessment()
impact.add_effect(input_dict['damage'])
incident.impact_assessment = impact
if input_dict['asset']:
asset = AffectedAsset()
asset.type_ = input_dict['asset']
incident.add_affected_asset (asset)
# add the victim
incident.add_victim (input_dict['organization'])
return incident
def getSTIXObject():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
victim2 = Identity()
victim2.name = "Who else ?"
breach.add_victim(victim2)
# add Information Sources
infoSource = InformationSource();
infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
breach.Information_Source = infoSource;
stix_package.add_incident(breach)
return stix_package
def build_stix():
# setup stix document
stix_package = STIXPackage()
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of CyberTech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Unintended Access")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "CyberTech Dynamics"
breach.add_victim(victim)
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Financial Loss")
breach.impact_assessment = impact
stix_package.add_incident(breach)
return stix_package
def build_stix( ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Sample breach report"
stix_header.add_package_intent ("Incident")
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "The person who reported it"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "Sample Investigations, LLC"
# incident time is a complex object with support for a bunch of different "when stuff happened" items
breach.time = incidentTime()
breach.title = "Breach of Canary Corp"
breach.time.incident_discovery = datetime.strptime("2013-01-13", "%Y-%m-%d") # when they submitted it
# add the impact
impact = ImpactAssessment()
impact.add_effect("Financial Loss")
breach.impact_assessment = impact
# add the victim
breach.add_victim ("Canary Corp")
stix_package.add_incident(breach)
return stix_package
def build_stix( ):
# setup stix document
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.description = "Sample breach report"
stix_header.add_package_intent ("Incident")
# stamp with creator
stix_header.information_source = InformationSource()
stix_header.information_source.description = "The person who reported it"
stix_header.information_source.identity = Identity()
stix_header.information_source.identity.name = "Infosec Operations Team"
stix_package.stix_header = stix_header
# add incident and confidence
breach = Incident()
breach.description = "Intrusion into enterprise network"
breach.confidence = "High"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "Breach of Cyber Tech Dynamics"
breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.add_effect("Unintended Access")
breach.impact_assessment = impact
# add the victim
breach.add_victim ("Cyber Tech Dynamics")
stix_package.add_incident(breach)
return stix_package
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated
# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it
breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"
# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")
# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact
# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
