Exemplo n.º 1
0
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
    # IMPLEMENTATION WORKAROUND - 
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name 
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid # "Example description"
    stix_package.stix_header = stix_header
    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value=confid
    breach._binding_class.xml_type = typeIncident
    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype #"The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset # "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    # add the impact
    #impact = ImpactAssessment()
    #impact.add_effect("Unintended Access")
    #breach.impact_assessment = impact
    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com" 
    affected_asset.type_ = asset
    
    breach.affected_assets = affected_asset
    #print("asset type: %s"%(breach.affected_assets[0].type_))
    # add the victim
    breach.add_victim (hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    #print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))

    # Print the XML!
    #print(stix_package.to_xml())
    return stix_package
Exemplo n.º 2
0
def build_stix( input_dict ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Incident report for " + input_dict['organization']
    stix_header.add_package_intent ("Incident")

    # Add handling requirements if needed
    if input_dict['sensitive'] == "True":
        mark = SimpleMarkingStructure()
        mark.statement = "Sensitive"
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)


    stix_package.stix_header = stix_header

    # add incident and confidence
    incident = Incident()
    incident.description = input_dict['description']
    incident.confidence = input_dict['confidence']

    # add incident reporter
    incident.reporter = InformationSource()
    incident.reporter.description = "Person who reported the incident"

    incident.reporter.time = Time()
    incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    incident.reporter.identity = Identity()
    incident.reporter.identity.name = input_dict['submitter']

    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    incident.time = incidentTime()
    incident.title = "Breach of " + input_dict['organization']
    incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    #Add the thing that was stolen
    jewels = AffectedAsset()
    jewels.type_ = input_dict['asset']
    incident.add_affected_asset (jewels)

    # add the victim
    incident.add_victim (input_dict['organization'])

    stix_package.add_incident(incident)

    return stix_package
Exemplo n.º 3
0
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
    # IMPLEMENTATION WORKAROUND - 
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name 
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid # "Example description"
    stix_package.stix_header = stix_header
    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value=confid
    print("confidence set to %s"%(str(breach.confidence.value)))
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s"%(str(breach._binding_class.xml_type)))
    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype #"The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset 

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com" 
    affected_asset.type_ = asset
    
    breach.affected_assets = affected_asset
    # add the victim
    breach.add_victim (hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact


    stix_package.add_incident(breach)
 
    return stix_package
Exemplo n.º 4
0
def buildIncident(input_dict):
    # add incident and confidence
    incident = Incident()
    incident.description = input_dict['description']
    if input_dict['confidence']:
        incident.confidence = input_dict['confidence']

    # add incident reporter
    incident.reporter = InformationSource()
    incident.reporter.description = "Person who reported the incident"

    incident.reporter.time = Time()
    incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    incident.reporter.identity = Identity()
    incident.reporter.identity.name = input_dict['submitter']

    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    incident.time = incidentTime()
    incident.title = "Breach of " + input_dict['organization']
    incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    if input_dict['responder']:
        incident.responders = input_dict['responder']
    if input_dict['coordinator']:
        incident.coordinators = input_dict['coordinator']
    if input_dict['intent']:
        incident.intended_effects = input_dict['intent']
    if input_dict['discovery']:
        incident.discovery_methods = input_dict['discovery']
    if input_dict['status']:
        incident.status = input_dict['status']
    if input_dict['compromise']:
        incident.security_compromise = input_dict['compromise']

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    if input_dict['asset']:
        asset = AffectedAsset()
        asset.type_ = input_dict['asset']
        incident.add_affected_asset (asset)

    # add the victim
    incident.add_victim (input_dict['organization'])

    return incident
Exemplo n.º 5
0
def getSTIXObject():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Parity Wallet Hacked"
    breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "https://paritytech.io/blog/security-alert.html"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "parity technologies ltd"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "The Multi-sig Hack"
    breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
    #breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Estimated Loss of $280m in Ether")
    breach.impact_assessment = impact

    # add the victim
    victim = Identity()
    victim.name = "Cappasity"
    breach.add_victim(victim)
    victim2 = Identity()
    victim2.name = "Who else ?"
    breach.add_victim(victim2)

    # add Information Sources
    infoSource = InformationSource();
    infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
    infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
    breach.Information_Source = infoSource;

    stix_package.add_incident(breach)
    return stix_package
def build_stix():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d")  # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    victim = Identity()
    victim.name = "CyberTech Dynamics"
    breach.add_victim(victim)

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)

    return stix_package
Exemplo n.º 7
0
def build_stix( ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Sample breach report" 
    stix_header.add_package_intent ("Incident")

    stix_package.stix_header = stix_header

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"


    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    breach.time = incidentTime()
    breach.title = "Breach of Canary Corp"
    breach.time.incident_discovery = datetime.strptime("2013-01-13", "%Y-%m-%d") # when they submitted it

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Financial Loss")
    breach.impact_assessment = impact

    # add the victim
    breach.add_victim ("Canary Corp")

    stix_package.add_incident(breach)

    return stix_package
def build_stix( ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Sample breach report" 
    stix_header.add_package_intent ("Incident")

    # stamp with creator
    stix_header.information_source = InformationSource()
    stix_header.information_source.description = "The person who reported it"

    stix_header.information_source.identity = Identity()
    stix_header.information_source.identity.name = "Infosec Operations Team"

    stix_package.stix_header = stix_header

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of Cyber Tech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    breach.add_victim ("Cyber Tech Dynamics")

    stix_package.add_incident(breach)

    return stix_package
def build_stix():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime(
        "2014-03-11", "%Y-%m-%d")  # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30",
                                                       "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10",
                                                       "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime(
        "2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    breach.add_victim("CyberTech Dynamics")

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)

    return stix_package
Exemplo n.º 10
0
breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it

breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"

# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")

# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact

# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
victim2 = Identity()
victim2.name = "Who else ?"
breach.add_victim(victim2)

# add Information Sources
infoSource = InformationSource();
infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")