Support for Indicators of Behavior (IoBs) and OCA IoB Extensions in OpenCTI #10029

Open
CTIBurn0ut opened this issue Feb 20, 2025 · 0 comments
Labels: feature (use for describing a new feature to develop), needs triage (use to identify issue needing triage from Filigran Product team)

@CTIBurn0ut

Description

OpenCTI currently supports STIX 2.1 Indicators (indicator objects), which are primarily used for Indicators of Compromise (IoCs)—atomic artifacts such as IP addresses, domains, hashes, and URLs. However, modern threat detection requires tracking adversary behaviors (IoBs) rather than just static IoCs.

This issue proposes adding support for Indicators of Behavior (IoBs) in OpenCTI, following the Open Cybersecurity Alliance (OCA) IoB Sub-Project, which extends STIX 2.1 to model repeatable adversary behaviors, detection correlation, and response playbooks.


Problem Statement

  • IoCs are not enough: Traditional IoCs (IP, hash, domain) have short lifespans and are easy for adversaries to evade.
  • Behavior-based detection (IoBs) is needed: IoBs define sequences of actions rather than static artifacts, allowing for better detection and correlation.
  • OpenCTI does not currently support IoB-specific structures:
    • No support for IoB correlation workflows
    • No structured way to define Detection Groups
    • No automation linking IoBs to response actions (COAs & Playbooks)

Proposed Solution

Enhance OpenCTI’s STIX 2.1 Indicator capabilities to support IoBs using OCA IoB extensions.

1. Adopt STIX 2.1 Indicators for Behavior-Based Patterns

  • Allow indicator objects to store complex behavioral patterns instead of just static artifacts.
  • Example IoB STIX pattern:
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5678",
      "created": "2025-02-20T21:00:00.000Z",
      "modified": "2025-02-20T21:00:00.000Z",
      "name": "Suspicious PowerShell Execution",
      "indicator_types": ["malicious-activity"],
      "pattern": "[process:name = 'powershell.exe' AND process:command_line MATCHES '.*-enc.*']",
      "pattern_type": "stix",
      "valid_from": "2025-02-20T21:00:00.000Z",
      "labels": ["execution", "suspicious-activity"],
      "confidence": 85
    }
    
  • Benefit: Enables behavior-based detections in SIEMs/XDRs pulling data from OpenCTI.

2. Integrate OCA IoB Extensions for Detection Correlation

  • Detection Group Object: Correlate multiple detections into a single IoB.
  • Correlation Workflow Object: Model how detections should be linked together over time to reduce false positives.
  • Detection Extension: Allow IoBs to map to Sigma rules, STIX Patterns, or SQL queries for real-world enforcement.

3. Add Relationships Between IoBs, MITRE ATT&CK, and Courses of Action

  • IoBs should be linked to MITRE ATT&CK TTPs (attack-pattern) to improve intelligence mapping.
  • IoBs should trigger Courses of Action (course-of-action) for automated response.
  • Example IoB → ATT&CK → Response Playbook workflow:
    IoB: Suspicious PowerShell Execution
    → Mapped to ATT&CK Technique `T1059 - Command and Scripting Interpreter`
    → Triggers a SOAR Playbook to isolate the affected endpoint

Resources

Conclusion

Supporting Indicators of Behavior (IoBs) in OpenCTI will significantly improve threat intelligence correlation, behavior-based detection, and automated response. This aligns with industry trends towards behavioral analytics over static IoCs and enhances OpenCTI’s capability to provide actionable, real-world intelligence.

@CTIBurn0ut added the feature and needs triage labels on Feb 20, 2025
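The following is an added example, not code from OpenCTI, Filigran, the OCA IoB sub-project or the issue author. It walks the three proposals in the issue end to end with nothing but standard STIX 2.1 and the Python standard library: it builds the "Suspicious PowerShell Execution" Indicator with a well-formed `<type>--<UUIDv4>` id and the properties STIX 2.1 requires, links it to ATT&CK T1059 with an `indicates` relationship and to a course of action with a `mitigates` relationship, checks the bundle, and then evaluates the same comparisons over constructed process-creation events the way a SIEM consuming OpenCTI would. The OCA IoB extension properties are deliberately not modelled, since their definitions are not on this page, and the course-of-action name is a hypothetical response step.

```python
"""Added example, not OpenCTI, Filigran or OCA code: a STIX 2.1 behavioural
Indicator, its ATT&CK / course-of-action relationships, a sanity check, and a
detection pass over constructed process events."""
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 SDO/SRO ids are <type>--<UUIDv4>; a value like "indicator--5678" is not valid.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
REQUIRED_INDICATOR = {"type", "spec_version", "id", "created", "modified",
                      "pattern", "pattern_type", "valid_from"}

# The behaviour as (object path, operator, operand) comparisons.  The same
# structure is rendered to STIX pattern text and evaluated for detection.
BEHAVIOUR = [
    ("process:name", "=", "powershell.exe"),
    ("process:command_line", "MATCHES", ".*-enc.*"),
]

# Constructed process-creation events standing in for SIEM telemetry.
EVENTS = [
    {"type": "process", "name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "process", "name": "powershell.exe",
     "command_line": "powershell.exe -File Get-Inventory.ps1"},
    {"type": "process", "name": "cmd.exe",
     "command_line": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"type": "process", "name": "powershell.exe",
     "command_line": "powershell.exe -EncodedCommand SQBFAFgA"},
]


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def render_pattern(comparisons):
    """Render the comparisons as one STIX observation expression joined by AND."""
    return "[" + " AND ".join(f"{p} {op} '{v}'" for p, op, v in comparisons) + "]"


def compare(op, observed, operand):
    if op == "=":
        return observed == operand
    if op == "MATCHES":          # STIX MATCHES is a regular-expression search
        return re.search(operand, observed) is not None
    raise ValueError(f"unsupported operator {op}")


def matches(comparisons, event):
    """True when one observed object satisfies every comparison in the pattern."""
    for path, op, operand in comparisons:
        obj_type, prop = path.split(":", 1)
        if event.get("type") != obj_type or prop not in event:
            return False
        if not compare(op, event[prop], operand):
            return False
    return True


def detect(comparisons, events):
    return [e["command_line"] for e in events if matches(comparisons, e)]


def build_bundle(ts=None):
    """Indicator -indicates-> ATT&CK technique <-mitigates- course of action."""
    ts = ts or stix_now()

    def sdo(obj_type, **props):
        return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
                "created": ts, "modified": ts, **props}

    def rel(src, rtype, dst):
        return sdo("relationship", relationship_type=rtype,
                   source_ref=src["id"], target_ref=dst["id"])

    indicator = sdo("indicator", name="Suspicious PowerShell Execution",
                    indicator_types=["malicious-activity"],
                    pattern=render_pattern(BEHAVIOUR), pattern_type="stix",
                    valid_from=ts, labels=["execution", "suspicious-activity"],
                    confidence=85)
    technique = sdo("attack-pattern", name="Command and Scripting Interpreter",
                    external_references=[{"source_name": "mitre-attack",
                                          "external_id": "T1059"}])
    coa = sdo("course-of-action", name="Isolate affected endpoint")  # hypothetical step
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, technique, coa,
                        rel(indicator, "indicates", technique),
                        rel(coa, "mitigates", technique)]}


def validate(bundle):
    """Return a list of problems: malformed ids or missing Indicator properties."""
    problems = []
    for obj in [bundle] + bundle["objects"]:
        if not STIX_ID_RE.match(obj.get("id", "")):
            problems.append(f"{obj.get('id')}: id is not <type>--<UUIDv4>")
        if obj.get("type") == "indicator":
            missing = REQUIRED_INDICATOR - obj.keys()
            if missing:
                problems.append(f"{obj['id']}: missing {sorted(missing)}")
    return problems


if __name__ == "__main__":
    import json
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate(bundle))
    print("hits:", detect(BEHAVIOUR, EVENTS))
```

Two things the detection pass makes visible that the pattern text alone does not: the third event carries `-enc` but is filtered out because the observed object is `cmd.exe`, which is the whole point of pairing the process name with the command line; and the fourth event, `-EncodedCommand`, is missed because `MATCHES` is case-sensitive as written, while PowerShell parameter names are not and `-enc` is only an abbreviation. A `(?i)` prefix on the regular expression, which PCRE and Python's `re` both accept, closes that gap, but it also widens the match to every `-enc` prefix such as `-Encoding`, so a production version should anchor the token rather than rely on `.*-enc.*`.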