示例#1
0
def main():

    data = json.load(open("data.json"))

    stix_package = STIXPackage(stix_header=STIXHeader(
        title=data['title'], package_intents='Incident'))

    ttps = {}

    for info in data['ips']:
        if info['bot'] not in ttps:
            ttps[info['bot']] = TTP(title=info['bot'])
            stix_package.add_ttp(ttps[info['bot']])

        incident = Incident(title=info['ip'])
        incident.time = Time()
        incident.time.first_malicious_action = info['first_seen']

        addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
        observable = Observable(item=addr)
        stix_package.add_observable(observable)

        related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_),
                                 relationship="Used Malware")
        incident.leveraged_ttps.append(related_ttp)

        related_observable = RelatedObservable(
            Observable(idref=observable.id_))
        incident.related_observables.append(related_observable)

        stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
def main():

    data = json.load(open("data.json"))

    stix_package = STIXPackage(stix_header=STIXHeader(title=data['title'], package_intents='Incident'))

    ttps = {}

    for info in data['ips']:
        if info['bot'] not in ttps:
            ttps[info['bot']] = TTP(title=info['bot'])
            stix_package.add_ttp(ttps[info['bot']])

        incident = Incident(title=info['ip'])
        incident.time = Time()
        incident.time.first_malicious_action = info['first_seen']

        addr = Address(address_value=info['ip'], category=Address.CAT_IPV4)
        observable = Observable(item=addr)
        stix_package.add_observable(observable)

        related_ttp = RelatedTTP(TTP(idref=ttps[info['bot']].id_), relationship="Used Malware")
        incident.leveraged_ttps.append(related_ttp)

        related_observable = RelatedObservable(Observable(idref=observable.id_))
        incident.related_observables.append(related_observable)

        stix_package.add_incident(incident)

    print(stix_package.to_xml(encoding=None))
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
    # IMPLEMENTATION WORKAROUND - 
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name 
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid # "Example description"
    stix_package.stix_header = stix_header
    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value=confid
    breach._binding_class.xml_type = typeIncident
    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype #"The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset # "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    # add the impact
    #impact = ImpactAssessment()
    #impact.add_effect("Unintended Access")
    #breach.impact_assessment = impact
    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com" 
    affected_asset.type_ = asset
    
    breach.affected_assets = affected_asset
    #print("asset type: %s"%(breach.affected_assets[0].type_))
    # add the victim
    breach.add_victim (hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact

    stix_package.add_incident(breach)
    #print("hey, I've got an incident! list size=%s"%(len(stix_package._incidents)))

    # Print the XML!
    #print(stix_package.to_xml())
    return stix_package
示例#4
0
def build_stix( input_dict ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Incident report for " + input_dict['organization']
    stix_header.add_package_intent ("Incident")

    # Add handling requirements if needed
    if input_dict['sensitive'] == "True":
        mark = SimpleMarkingStructure()
        mark.statement = "Sensitive"
        mark_spec = MarkingSpecification()
        mark_spec.marking_structures.append(mark)
        stix_header.handling = Marking(mark_spec)


    stix_package.stix_header = stix_header

    # add incident and confidence
    incident = Incident()
    incident.description = input_dict['description']
    incident.confidence = input_dict['confidence']

    # add incident reporter
    incident.reporter = InformationSource()
    incident.reporter.description = "Person who reported the incident"

    incident.reporter.time = Time()
    incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    incident.reporter.identity = Identity()
    incident.reporter.identity.name = input_dict['submitter']

    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    incident.time = incidentTime()
    incident.title = "Breach of " + input_dict['organization']
    incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    #Add the thing that was stolen
    jewels = AffectedAsset()
    jewels.type_ = input_dict['asset']
    incident.add_affected_asset (jewels)

    # add the victim
    incident.add_victim (input_dict['organization'])

    stix_package.add_incident(incident)

    return stix_package
示例#5
0
def buildSTIX(ident,confid,restconfid, effect, resteffect,typeIncident,resttype,asset,restasset,hashPkg):
    # IMPLEMENTATION WORKAROUND - 
    # restConfid --> header.description
    # resteffect --> breach.description
    # resttype --> reporter.description
    # restasset --> reporter.identity.name 
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()
    stix_header.description = restconfid # "Example description"
    stix_package.stix_header = stix_header
    # add incident and confidence
    breach = Incident(id_=ident)
    breach.description = resteffect # "Intrusion into enterprise network"
    breach.confidence = Confidence()
    breach.confidence.value=confid
    print("confidence set to %s"%(str(breach.confidence.value)))
    breach._binding_class.xml_type = typeIncident
    print("incident set to %s"%(str(breach._binding_class.xml_type)))
    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = resttype #"The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = restasset 

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of Company Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    affected_asset = AffectedAsset()
    affected_asset.description = "Database server at hr-data1.example.com" 
    affected_asset.type_ = asset
    
    breach.affected_assets = affected_asset
    # add the victim
    breach.add_victim (hashPkg)

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(effect)
    breach.impact_assessment = impact


    stix_package.add_incident(breach)
 
    return stix_package
示例#6
0
def buildIncident(input_dict):
    # add incident and confidence
    incident = Incident()
    incident.description = input_dict['description']
    if input_dict['confidence']:
        incident.confidence = input_dict['confidence']

    # add incident reporter
    incident.reporter = InformationSource()
    incident.reporter.description = "Person who reported the incident"

    incident.reporter.time = Time()
    incident.reporter.time.produced_time = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    incident.reporter.identity = Identity()
    incident.reporter.identity.name = input_dict['submitter']

    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    incident.time = incidentTime()
    incident.title = "Breach of " + input_dict['organization']
    incident.time.incident_discovery = datetime.strptime(input_dict['timestamp'], "%Y-%m-%d") # when they submitted it

    if input_dict['responder']:
        incident.responders = input_dict['responder']
    if input_dict['coordinator']:
        incident.coordinators = input_dict['coordinator']
    if input_dict['intent']:
        incident.intended_effects = input_dict['intent']
    if input_dict['discovery']:
        incident.discovery_methods = input_dict['discovery']
    if input_dict['status']:
        incident.status = input_dict['status']
    if input_dict['compromise']:
        incident.security_compromise = input_dict['compromise']

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect(input_dict['damage'])
    incident.impact_assessment = impact

    if input_dict['asset']:
        asset = AffectedAsset()
        asset.type_ = input_dict['asset']
        incident.add_affected_asset (asset)

    # add the victim
    incident.add_victim (input_dict['organization'])

    return incident
示例#7
0
def build_stix():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime(
        "2014-03-11", "%Y-%m-%d")  # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30",
                                                       "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10",
                                                       "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime(
        "2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    victim = Identity()
    victim.name = "CyberTech Dynamics"
    breach.add_victim(victim)

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)

    return stix_package
示例#8
0
def getSTIXObject():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Parity Wallet Hacked"
    breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "https://paritytech.io/blog/security-alert.html"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "parity technologies ltd"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "The Multi-sig Hack"
    breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
    #breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Estimated Loss of $280m in Ether")
    breach.impact_assessment = impact

    # add the victim
    victim = Identity()
    victim.name = "Cappasity"
    breach.add_victim(victim)
    victim2 = Identity()
    victim2.name = "Who else ?"
    breach.add_victim(victim2)

    # add Information Sources
    infoSource = InformationSource();
    infoSource.add_description("https://news.ycombinator.com/item?id=15642856")
    infoSource.add_description("https://www.theregister.co.uk/2017/11/10/parity_280m_ethereum_wallet_lockdown_hack/")
    breach.Information_Source = infoSource;

    stix_package.add_incident(breach)
    return stix_package
def build_stix():
    # setup stix document
    stix_package = STIXPackage()

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11", "%Y-%m-%d")  # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of CyberTech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d")
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d")
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d")

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    victim = Identity()
    victim.name = "CyberTech Dynamics"
    breach.add_victim(victim)

    # add the impact
    impact = ImpactAssessment()
    impact.effects = Effects("Financial Loss")
    breach.impact_assessment = impact

    stix_package.add_incident(breach)

    return stix_package
def build_stix( ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Sample breach report" 
    stix_header.add_package_intent ("Incident")

    stix_package.stix_header = stix_header

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # stamp with reporter
    breach.reporter = InformationSource()
    breach.reporter.description = "The person who reported it"

    breach.reporter.time = Time()
    breach.reporter.time.produced_time = datetime.strptime("2014-03-11","%Y-%m-%d") # when they submitted it

    breach.reporter.identity = Identity()
    breach.reporter.identity.name = "Sample Investigations, LLC"


    # incident time is a complex object with support for a bunch of different "when stuff happened" items
    breach.time = incidentTime()
    breach.title = "Breach of Canary Corp"
    breach.time.incident_discovery = datetime.strptime("2013-01-13", "%Y-%m-%d") # when they submitted it

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Financial Loss")
    breach.impact_assessment = impact

    # add the victim
    breach.add_victim ("Canary Corp")

    stix_package.add_incident(breach)

    return stix_package
def build_stix( ):
    # setup stix document
    stix_package = STIXPackage()
    stix_header = STIXHeader()

    stix_header.description = "Sample breach report" 
    stix_header.add_package_intent ("Incident")

    # stamp with creator
    stix_header.information_source = InformationSource()
    stix_header.information_source.description = "The person who reported it"

    stix_header.information_source.identity = Identity()
    stix_header.information_source.identity.name = "Infosec Operations Team"

    stix_package.stix_header = stix_header

    # add incident and confidence
    breach = Incident()
    breach.description = "Intrusion into enterprise network"
    breach.confidence = "High"

    # set incident-specific timestamps
    breach.time = incidentTime()
    breach.title = "Breach of Cyber Tech Dynamics"
    breach.time.initial_compromise = datetime.strptime("2012-01-30", "%Y-%m-%d") 
    breach.time.incident_discovery = datetime.strptime("2012-05-10", "%Y-%m-%d") 
    breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d") 
    breach.time.incident_reported = datetime.strptime("2012-12-10", "%Y-%m-%d") 

    # add the impact
    impact = ImpactAssessment()
    impact.add_effect("Unintended Access")
    breach.impact_assessment = impact

    # add the victim
    breach.add_victim ("Cyber Tech Dynamics")

    stix_package.add_incident(breach)

    return stix_package
示例#12
0
    def transform(self, event):
        self._set_namespace(self.config['contact_domain'], self.config['contact_name'])
        stix_package = STIXPackage()
        self._add_header(stix_package, "Unauthorized traffic to honeypot", "Describes one or more honeypot incidents")

        incident = Incident(id_="%s:%s-%s" % (self.config['contact_name'], 'incident', event['session_id']))
        initial_time = StixTime()
        initial_time.initial_compromise = event['timestamp'].isoformat()
        incident.time = initial_time
        incident.title = "Conpot Event"
        incident.short_description = "Traffic to Conpot ICS honeypot"
        incident.add_category(VocabString(value='Scans/Probes/Attempted Access'))

        tool_list = ToolInformationList()
        tool_list.append(ToolInformation.from_dict({
            'name': "Conpot",
            'vendor': "Conpot Team",
            'version': conpot.__version__,
            'description': textwrap.dedent('Conpot is a low interactive server side Industrial Control Systems '
                                           'honeypot designed to be easy to deploy, modify and extend.')
        }))
        incident.reporter = InformationSource(tools=tool_list)

        incident.add_discovery_method("Monitoring Service")
        incident.confidence = "High"

        # Victim Targeting by Sector
        ciq_identity = CIQIdentity3_0Instance()
        #identity_spec = STIXCIQIdentity3_0()
        #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
        #ciq_identity.specification = identity_spec
        ttp = TTP(title="Victim Targeting: Electricity Sector and Industrial Control System Sector")
        ttp.victim_targeting = VictimTargeting()
        ttp.victim_targeting.identity = ciq_identity

        incident.leveraged_ttps.append(ttp)

        indicator = Indicator(title="Conpot Event")
        indicator.description = "Conpot network event"
        indicator.confidence = "High"
        source_port = Port.from_dict({'port_value': event['remote'][1], 'layer4_protocol': 'tcp'})
        dest_port = Port.from_dict({'port_value': self.protocol_to_port_mapping[event['data_type']],
                                    'layer4_protocol': 'tcp'})
        source_ip = Address.from_dict({'address_value': event['remote'][0], 'category': Address.CAT_IPV4})
        dest_ip = Address.from_dict({'address_value': event['public_ip'], 'category': Address.CAT_IPV4})
        source_address = SocketAddress.from_dict({'ip_address': source_ip.to_dict(), 'port': source_port.to_dict()})
        dest_address = SocketAddress.from_dict({'ip_address': dest_ip.to_dict(), 'port': dest_port.to_dict()})
        network_connection = NetworkConnection.from_dict(
            {'source_socket_address': source_address.to_dict(),
             'destination_socket_address': dest_address.to_dict(),
             'layer3_protocol': u"IPv4",
             'layer4_protocol': u"TCP",
             'layer7_protocol': event['data_type'],
             'source_tcp_state': u"ESTABLISHED",
             'destination_tcp_state': u"ESTABLISHED",
             }
        )
        indicator.add_observable(Observable(network_connection))

        artifact = Artifact()
        artifact.data = json.dumps(event['data'])
        artifact.packaging.append(ZlibCompression())
        artifact.packaging.append(Base64Encoding())
        indicator.add_observable(Observable(artifact))

        incident.related_indicators.append(indicator)
        stix_package.add_incident(incident)

        stix_package_xml = stix_package.to_xml()
        return stix_package_xml
示例#13
0
	def parse(self, argument_log):

		"""
		Parses Suricata IDS log lines into STIX/CybOX format.

		:param argument_log: The log line to try and identify
		:return: STIX Incident 
			
		"""
		argument_log = " ".join(argument_log.split(" ")[5:])
		parsed_suricata_log = {}

		for regex in self._regex:

			try:
				parsed_suricata_log[regex] = re.match(self._regex[regex], argument_log).group(1)
			except:
				print "Failed to parse %s" % (regex)
				return False

		#TODO: Time Zones
		parsed_suricata_log["unix_timestamp"] = time.mktime(datetime.datetime.strptime(parsed_suricata_log["time"], "%m/%d/%Y-%H:%M:%S").timetuple())

		# Find IP's of interest
		if IPAddress(parsed_suricata_log["source_ip"]).is_private() == False or IPAddress(parsed_suricata_log["destination_ip"]).is_private() == False:

			# Name Space
			stix.utils.idgen.set_id_namespace(Namespace(self._config["NAMESPACE"]["url"], self._config["NAMESPACE"]["name"],""))

			stix_package = STIXPackage()

			# If the source is public
			if not IPAddress(parsed_suricata_log["source_ip"]).is_private() and IPAddress(parsed_suricata_log["destination_ip"]).is_private():

				incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" From "+ parsed_suricata_log["source_ip"])

				addr = Address(address_value=parsed_suricata_log["source_ip"], category=Address.CAT_IPV4)

			elif IPAddress(parsed_suricata_log["source_ip"]).is_private() and not IPAddress(parsed_suricata_log["destination_ip"]).is_private():

				incident = Incident(title="[IDS Alert] "+parsed_suricata_log["text"]+" To "+ parsed_suricata_log["destination_ip"])

				addr = Address(address_value=parsed_suricata_log["destination_ip"], category=Address.CAT_IPV4)
			
			else:

				#public to public - i can't tell who the bad guy is
				return False

			observable = Observable(item=addr,
									title="[IP Associated To IDS Alert] "+parsed_suricata_log["text"],
									description="""This ip address was seen to be involved in triggering the IDS alert %s if 
seen from multiple sources, this is a good indicator of a potential threat actor or compromised host""" % (parsed_suricata_log["text"]))
			stix_package.add_observable(observable)

			incident.time = Time()
			incident.time.first_malicious_action = parsed_suricata_log["time"]

			related_observable = RelatedObservable(Observable(idref=observable.id_))
			incident.related_observables.append(related_observable)

			stix_package.add_incident(incident)

		return stix_package.to_xml()
breach = Incident()
breach.description = "Parity Wallet Hacked"
breach.confidence = "High" # investigators were able to thoroughly validate the incident, Low means not yet validated

# stamp with reporter
breach.reporter = InformationSource()
breach.reporter.description = "https://paritytech.io/blog/security-alert.html"

breach.reporter.time = Time()
breach.reporter.time.produced_time = datetime.strptime("2017-11-08","%Y-%m-%d") # when they submitted it

breach.reporter.identity = Identity()
breach.reporter.identity.name = "parity technologies ltd"

# set incident-specific timestamps
breach.time = incidentTime()
breach.title = "The Multi-sig Hack"
breach.time.initial_compromise = datetime.strptime("2017-11-06", "%Y-%m-%d")
breach.time.incident_discovery = datetime.strptime("2017-11-08", "%Y-%m-%d")
#breach.time.restoration_achieved = datetime.strptime("2012-08-10", "%Y-%m-%d")
breach.time.incident_reported = datetime.strptime("2017-11-08", "%Y-%m-%d")

# add the impact
impact = ImpactAssessment()
impact.effects = Effects("Estimated Loss of $280m in Ether")
breach.impact_assessment = impact

# add the victim
victim = Identity()
victim.name = "Cappasity"
breach.add_victim(victim)
示例#15
0
activity.description = 'Foo'
campaign.add_activity(activity)
campaign.add_intended_effect(IntendedEffect('Extortion'))
campaign.status = CampaignStatus('Ongoing')
campaign.confidence = HighMediumLow('Medium')

# Related TTP (basic; by id)
ttp = TTP(title="Malware Variant XYZ")
related_ttp = RelatedTTP(TTP(idref=ttp.id_))
campaign.related_ttps.append(related_ttp)

# Related Incident (basic; by id)
incident = Incident(title='We got hacked')
t = Time()
t.incident_opened = '2018-09-11'
incident.time = t
related_incident = RelatedIncident(Incident(idref=incident.id_))
campaign.related_incidents.append(related_incident)

# Related Indicator (by id)
fake = Faker()
indicator = Indicator()
addr2 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)
indicator.add_observable(addr2)
related_indicator = RelatedIndicator(Indicator(idref=indicator.id_))
campaign.related_indicators.append(related_indicator)

# Related Threat Actor (by id)
ta = ThreatActor(title='Albino Rhino')
attrib_ta = Attribution()
attrib_ta.append(ThreatActor(idref=ta.id_))
示例#16
0
    def transform(self, event):
        stix_package = STIXPackage()
        self._add_header(stix_package, "Unauthorized traffic to honeypot",
                         "Describes one or more honeypot incidents")

        incident = Incident(
            id_="%s:%s-%s" %
            (CONPOT_NAMESPACE, 'incident', event['session_id']))
        initial_time = StixTime()
        initial_time.initial_compromise = event['timestamp'].isoformat()
        incident.time = initial_time
        incident.title = "Conpot Event"
        incident.short_description = "Traffic to Conpot ICS honeypot"
        incident.add_category(
            VocabString(value='Scans/Probes/Attempted Access'))

        tool_list = ToolInformationList()
        tool_list.append(
            ToolInformation.from_dict({
                'name':
                "Conpot",
                'vendor':
                "Conpot Team",
                'version':
                conpot.__version__,
                'description':
                textwrap.dedent(
                    'Conpot is a low interactive server side Industrial Control Systems '
                    'honeypot designed to be easy to deploy, modify and extend.'
                )
            }))
        incident.reporter = InformationSource(tools=tool_list)

        incident.add_discovery_method("Monitoring Service")
        incident.confidence = "High"

        # Victim Targeting by Sector
        ciq_identity = CIQIdentity3_0Instance()
        #identity_spec = STIXCIQIdentity3_0()
        #identity_spec.organisation_info = OrganisationInfo(industry_type="Electricity, Industrial Control Systems")
        #ciq_identity.specification = identity_spec
        ttp = TTP(
            title=
            "Victim Targeting: Electricity Sector and Industrial Control System Sector"
        )
        ttp.victim_targeting = VictimTargeting()
        ttp.victim_targeting.identity = ciq_identity

        incident.leveraged_ttps.append(ttp)

        indicator = Indicator(title="Conpot Event")
        indicator.description = "Conpot network event"
        indicator.confidence = "High"
        source_port = Port.from_dict({
            'port_value': event['remote'][1],
            'layer4_protocol': 'tcp'
        })
        dest_port = Port.from_dict({
            'port_value':
            self.protocol_to_port_mapping[event['data_type']],
            'layer4_protocol':
            'tcp'
        })
        source_ip = Address.from_dict({
            'address_value': event['remote'][0],
            'category': Address.CAT_IPV4
        })
        dest_ip = Address.from_dict({
            'address_value': event['public_ip'],
            'category': Address.CAT_IPV4
        })
        source_address = SocketAddress.from_dict({
            'ip_address':
            source_ip.to_dict(),
            'port':
            source_port.to_dict()
        })
        dest_address = SocketAddress.from_dict({
            'ip_address': dest_ip.to_dict(),
            'port': dest_port.to_dict()
        })
        network_connection = NetworkConnection.from_dict({
            'source_socket_address':
            source_address.to_dict(),
            'destination_socket_address':
            dest_address.to_dict(),
            'layer3_protocol':
            "IPv4",
            'layer4_protocol':
            "TCP",
            'layer7_protocol':
            event['data_type'],
            'source_tcp_state':
            "ESTABLISHED",
            'destination_tcp_state':
            "ESTABLISHED",
        })
        indicator.add_observable(Observable(network_connection))

        artifact = Artifact()
        artifact.data = json.dumps(event['data'])
        artifact.packaging.append(ZlibCompression())
        artifact.packaging.append(Base64Encoding())
        indicator.add_observable(Observable(artifact))

        incident.related_indicators.append(indicator)
        stix_package.add_incident(incident)

        stix_package_xml = stix_package.to_xml()
        return stix_package_xml
示例#17
0
# Dates/Times
t1 = '2018-08-23T14:00:05.470947+00:00'
t2 = '2018-08-22T14:00:05.470947+00:00'
t3 = '2018-08-24T14:00:05.470947+00:00'
t = Time()
t.incident_opened = t1
t.incident_discovery = t1
t.incident_reported = t1
t.first_malicious_action = t2
t.initial_compromise = t2
t.first_data_exfiltration = t2
t.containment_achieved = t3
t.restoration_achieved = t3
t.incident_closed = t3
incident.time = t

# Additional Attributes
incident.add_category('Unauthorized Access')
incident.add_intended_effect('Destruction')
incident.confidence = 'High'
incident.add_discovery_method('NIDS')

# People
incident.add_coordinator(InformationSource(identity=Identity(name='Fred')))
incident.add_responder(InformationSource(identity=Identity(name='Frank')))
incident.reporter = InformationSource(identity=Identity(name='Alice'))
incident.add_victim(Identity(name='Bob'))

# Related Observable (by id)
addr1 = Address(address_value=fake.ipv4(), category=Address.CAT_IPV4)