def handle_non_indicator_attribute(self, incident, tags, attribute): attribute_type = attribute.type attribute_category = attribute.category if attribute_type == "vulnerability": self.generate_vulnerability(incident, tags, attribute) elif attribute_type == "link": if attribute_category == "Payload delivery": self.handle_indicator_attribute(incident, tags, attribute) else: self.add_reference(incident, attribute.value) elif attribute_type in ('comment', 'text', 'other'): if attribute_category == "Payload type": self.generate_ttp(incident, tags, attribute) elif attribute_category == "Attribution": ta = self.generate_threat_actor(attribute) rta = RelatedThreatActor(ta, relationship="Attribution") incident.attributed_threat_actors.append(rta) else: entry_line = "attribute[{}][{}]: {}".format(attribute_category, attribute_type, attribute.value) self.add_journal_entry(incident, entry_line) elif attribute_type == "target-machine": aa = AffectedAsset() description = attribute.value if attribute.comment: description += " ({})".format(attribute.comment) aa.description = description incident.affected_assets.append(aa) elif attribute_type.startswith('target-'): self.resolve_identity_attribute(incident, attribute) elif attribute_type == "attachment": observable = self.return_attachment_composition(attribute) related_observable = RelatedObservable(observable, relationship=attribute.category) incident.related_observables.append(related_observable)
def handleNonIndicatorAttribute(incident, ttps, attribute, eventTags, org): if attribute["type"] in ("comment", "text", "other"): if attribute["category"] == "Payload type": generateTTP(incident, attribute, ttps, eventTags) elif attribute["category"] == "Attribution": ta = generateThreatActor(attribute) rta = RelatedThreatActor(ta, relationship="Attribution") incident.attributed_threat_actors.append(rta) else: entry_line = "attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"] addJournalEntry(incident, entry_line) elif attribute["type"] == "target-machine": aa = AffectedAsset() if attribute["comment"] != "": aa.description = attribute["value"] + " (" + attribute["comment"] + ")" else: aa.description = attribute["value"] incident.affected_assets.append(aa) elif attribute["type"] == "vulnerability": generateTTP(incident, attribute, ttps, eventTags) elif attribute["type"] == "link": if attribute["category"] == "Payload delivery": handleIndicatorAttribute(incident, ttps, attribute, eventTags, org) else: addReference(incident, attribute["value"]) elif attribute["type"].startswith('target-'): resolveIdentityAttribute(incident, attribute, namespace[1]) elif attribute["type"] == "attachment": observable = returnAttachmentComposition(attribute) related_observable = RelatedObservable(observable, relationship=attribute["category"]) incident.related_observables.append(related_observable) return [incident, ttps]
def handleNonIndicatorAttribute(incident, ttps, attribute): if attribute["type"] in ("comment", "text", "other"): if attribute["category"] == "Payload type": generateTTP(incident, attribute, ttps) elif attribute["category"] == "Attribution": ta = generateThreatActor(attribute) rta = RelatedThreatActor(ta, relationship="Attribution") incident.attributed_threat_actors.append(rta) else: entry_line = "attribute[" + attribute["category"] + "][" + attribute["type"] + "]: " + attribute["value"] addJournalEntry(incident, entry_line) elif attribute["type"] == "target-machine": aa = AffectedAsset() if attribute["comment"] != "": aa.description = attribute["value"] + " (" + attribute["comment"] + ")" else: aa.description = attribute["value"] incident.affected_assets.append(aa) elif attribute["type"] == "vulnerability": generateTTP(incident, attribute, ttps) elif attribute["type"] == "link": if attribute["category"] == "Payload delivery": handleIndicatorAttribute(incident, ttps, attribute) else: addReference(incident, attribute["value"]) elif attribute["type"].startswith("target-"): resolveIdentityAttribute(incident, attribute, namespace[1]) elif attribute["type"] == "attachment": observable = returnAttachmentComposition(attribute) related_observable = RelatedObservable(observable, relationship=attribute["category"]) incident.related_observables.append(related_observable) return [incident, ttps]
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg): # IMPLEMENTATION WORKAROUND - # restConfid --> header.description # resteffect --> breach.description # resttype --> reporter.description # restasset --> reporter.identity.name # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = restconfid # "Example description" stix_package.stix_header = stix_header # add incident and confidence breach = Incident(id_=ident) breach.description = resteffect # "Intrusion into enterprise network" breach.confidence = Confidence() breach.confidence.value=confid breach._binding_class.xml_type = typeIncident # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = resttype #"The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = restasset # "Sample Investigations, LLC" # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of CyberTech Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") # add the impact #impact = ImpactAssessment() #impact.add_effect("Unintended Access") #breach.impact_assessment = impact affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = asset breach.affected_assets = affected_asset #print("asset type: %s"%(breach.affected_assets[0].type_)) # add the victim breach.add_victim (hashPkg) # add the impact impact = ImpactAssessment() impact.add_effect(effect) breach.impact_assessment = impact stix_package.add_incident(breach) #print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents))) # Print the XML! #print(stix_package.to_xml()) return stix_package
def main(): pkg = STIXPackage() affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = "Database" affected_asset.type_.count_affected = 1 affected_asset.business_function_or_role = "Hosts the database for example.com" affected_asset.ownership_class = "Internally-Owned" affected_asset.management_class = "Internally-Managed" affected_asset.location_class = "Internally-Located" property_affected = PropertyAffected() property_affected.property_ = "Confidentiality" property_affected.description_of_effect = "Data was exfiltrated, has not been determined which data or how." property_affected.non_public_data_compromised = "Yes" property_affected.non_public_data_compromised.data_encrypted = False security_effect_nature = NatureOfSecurityEffect() security_effect_nature.append(property_affected) affected_asset.nature_of_security_effect = security_effect_nature affected_assets = AffectedAssets() affected_assets.append(affected_asset) incident = Incident(title="Exfiltration from hr-data1.example.com") incident.affected_assets = affected_assets pkg.add_incident(incident) print(pkg.to_xml(encoding=None))
def build_stix( input_dict ): # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = "Incident report for " + input_dict['organization'] stix_header.add_package_intent ("Incident") # Add handling requirements if needed if input_dict['sensitive'] == "True": mark = SimpleMarkingStructure() mark.statement = "Sensitive" mark_spec = MarkingSpecification() mark_spec.marking_structures.append(mark) stix_header.handling = Marking(mark_spec) stix_package.stix_header = stix_header # add incident and confidence incident = Incident() incident.description = input_dict['description'] incident.confidence = input_dict['confidence'] # add incident reporter incident.reporter = InformationSource() incident.reporter.description = "Person who reported the incident" incident.reporter.time = Time() incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it incident.reporter.identity = Identity() incident.reporter.identity.name = input_dict['submitter'] # incident time is a complex object with support for a bunch of different "when stuff happened" items incident.time = incidentTime() incident.title = "Breach of " + input_dict['organization'] incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it # add the impact impact = ImpactAssessment() impact.add_effect(input_dict['damage']) incident.impact_assessment = impact #Add the thing that was stolen jewels = AffectedAsset() jewels.type_ = input_dict['asset'] incident.add_affected_asset (jewels) # add the victim incident.add_victim (input_dict['organization']) stix_package.add_incident(incident) return stix_package
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg): # IMPLEMENTATION WORKAROUND - # restConfid --> header.description # resteffect --> breach.description # resttype --> reporter.description # restasset --> reporter.identity.name # setup stix document stix_package = STIXPackage() stix_header = STIXHeader() stix_header.description = restconfid # "Example description" stix_package.stix_header = stix_header # add incident and confidence breach = Incident(id_=ident) breach.description = resteffect # "Intrusion into enterprise network" breach.confidence = Confidence() breach.confidence.value=confid print("confidence set to %s"%(str(breach.confidence.value))) breach._binding_class.xml_type = typeIncident print("incident set to %s"%(str(breach._binding_class.xml_type))) # stamp with reporter breach.reporter = InformationSource() breach.reporter.description = resttype #"The person who reported it" breach.reporter.time = Time() breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it breach.reporter.identity = Identity() breach.reporter.identity.name = restasset # set incident-specific timestamps breach.time = incidentTime() breach.title = "Breach of Company Dynamics" breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") affected_asset = AffectedAsset() affected_asset.description = "Database server at hr-data1.example.com" affected_asset.type_ = asset breach.affected_assets = affected_asset # add the victim breach.add_victim (hashPkg) # add the impact impact = ImpactAssessment() impact.add_effect(effect) breach.impact_assessment = impact stix_package.add_incident(breach) return stix_package
def buildIncident(input_dict): # add incident and confidence incident = Incident() incident.description = input_dict['description'] if input_dict['confidence']: incident.confidence = input_dict['confidence'] # add incident reporter incident.reporter = InformationSource() incident.reporter.description = "Person who reported the incident" incident.reporter.time = Time() incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it incident.reporter.identity = Identity() incident.reporter.identity.name = input_dict['submitter'] # incident time is a complex object with support for a bunch of different "when stuff happened" items incident.time = incidentTime() incident.title = "Breach of " + input_dict['organization'] incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it if input_dict['responder']: incident.responders = input_dict['responder'] if input_dict['coordinator']: incident.coordinators = input_dict['coordinator'] if input_dict['intent']: incident.intended_effects = input_dict['intent'] if input_dict['discovery']: incident.discovery_methods = input_dict['discovery'] if input_dict['status']: incident.status = input_dict['status'] if input_dict['compromise']: incident.security_compromise = input_dict['compromise'] # add the impact impact = ImpactAssessment() impact.add_effect(input_dict['damage']) incident.impact_assessment = impact if input_dict['asset']: asset = AffectedAsset() asset.type_ = input_dict['asset'] incident.add_affected_asset (asset) # add the victim incident.add_victim (input_dict['organization']) return incident
def add_asset_item(asset_item, attribute_item, incident): assets_item = asset_item.get("assets") if not assets_item: error("VERIS warning: 'assets' item is missing in 'asset' item") else: notes_item = asset_item.get('notes') management_item = asset_item.get('management') if management_item: managementClass = map_management_item_to_management_class(management_item) ownership_item = asset_item.get('ownership') if ownership_item: ownershipClass = map_ownership_item_to_ownership_class(ownership_item) hosting_item = asset_item.get("hosting") if hosting_item: locationClass = map_hosting_item_to_location_class(hosting_item) # cloud for item in assets_item: aa = AffectedAsset() variety_item = item.get('variety') if not variety_item: error("Required 'variety' item is missing in 'asset/assets' item") else: aa.type_ = map_variety_item_to_asset_type(variety_item) asset_description = "" if notes_item: asset_description += "General Notes: " + notes_item amount_item = item.get('amount') if amount_item: asset_description += "Number of Assets: " + str(amount_item) aa.description = escape(asset_description) # same locationClass, managementClass and ownershipClass for each asset if management_item: aa.management_class = managementClass if ownership_item: aa.ownership_class = ownershipClass if hosting_item: aa.location_class = locationClass if attribute_item: # consider not recomputing this for each asset add_attribute_item(attribute_item, aa) incident.add_affected_asset(aa)