Merge pull request #29 from opencybersecurityalliance/revision-3

adding revision 3 updates
opencybersecurityalliance · Apr 22, 2024 · f5821b3 · f5821b3
2 parents 52f635a + f955667
commit f5821b3
Show file tree

Hide file tree

Showing 12 changed files with 3,993 additions and 0 deletions.
diff --git a/apl_reference_implementation_bundle/revision_3/BehaviorBundle.json b/apl_reference_implementation_bundle/revision_3/BehaviorBundle.json
diff --git a/...on_bundle/revision_3/Overview of Machine Readable Adverary Behavior Object Revision 3.pdf b/...on_bundle/revision_3/Overview of Machine Readable Adverary Behavior Object Revision 3.pdf
diff --git a/apl_reference_implementation_bundle/revision_3/README.md b/apl_reference_implementation_bundle/revision_3/README.md
@@ -0,0 +1,25 @@
+# Revision 3 Adversary Behavior STIX Bundle
+
+## Overview
+This is the revision 3 STIX bundle and documentation of the Johns Hopkins University Applied Physics Laboratory (APL) research for representing cyber adversary behavior in a Structured Threat Information eXchange (STIX) 2.1 bundle. This research was conducted for the Cybersecurity and Infrastructure Security Agency (CISA). 
+
+## Disclaimer
+
+The views and conclusions contained in this document are those of the author and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security / Cybersecurity and Infrastructure Security Agency.
+
+## Changelog
+
+- Updated MITRE SDOs to most recent version
+- Converted Detection Grouping SDO to grouping SDO
+- Updated the SCOs extension field names
+- Added Correlate and Score Behaviors Playbook SDO
+- Added Correlate and Score Behaviors Course of Action SDO
+- Updated relationships to refer to Grouping SDO instead of Detection Grouping SDO
+- Added “Uses” Relationship SRO between Detection SDOs and Correlate and Score Behaviors Course of Action SDO
+- Fixed typo in Playbook descriptions
+
+
+The bundle developed by APL is for the demonstration of the adversary behavior concept and is not “turn key” and is not safe for deployment without being tailored to production infrastructure. These files are not being delivered as software and are not appropriate for direct use on any production networks. APL assumes no liability for the direct use of these files and they are provided strictly as a reference implementation. 
+
+NO WARRANTY, NO LIABILITY. THIS MATERIAL IS PROVIDED “AS IS.” APL MAKES NO REPRESENTATION OR WARRANTY WITH RESPECT TO THE PERFORMANCE OF THE MATERIALS, INCLUDING
+THEIR SAFETY, EFFECTIVENESS, OR COMMERCIAL VIABILITY, AND DISCLAIMS ALL WARRANTIES IN THE MATERIAL, WHETHER EXPRESS OR IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY AND ALL IMPLIED WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY OR OTHER THIRD PARTY RIGHTS. ANY USER OF THE MATERIAL ASSUMES THE ENTIRE RISK AND LIABILITY FOR USING THE MATERIAL. IN NO EVENT SHALL APL BE LIABLE TO ANY USER OF THE MATERIAL FOR ANY ACTUAL, INDIRECT, CONSEQUENTIAL, SPECIAL OR OTHER DAMAGES ARISING FROM THE USE OF, OR INABILITY TO USE, THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, ANY DAMAGES FOR LOST PROFITS.
diff --git a/apl_reference_implementation_bundle/revision_3/schemas/README.md b/apl_reference_implementation_bundle/revision_3/schemas/README.md
@@ -0,0 +1,3 @@
+# Schemas for Bundle Extensions
+
+The schemas reference schemas from the OASIS STIX2 repository located [here](https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas)
diff --git a/...erence_implementation_bundle/revision_3/schemas/observables/extended-network-traffic.json b/...erence_implementation_bundle/revision_3/schemas/observables/extended-network-traffic.json
@@ -0,0 +1,54 @@
+{
+  "$id": "https://raw.githubusercontent.com/opencybersecurityalliance/oca-iob/main/apl_reference_implementation_bundle/revision_2/schemas/observables/extended-network-traffic.json",
+  "$schema": "http://json-schema.org/draft/2020-12/schema#",
+  "title": "extended network traffic",
+  "description": "This extended network traffic object contains fields from Real Intelligence Threat Analytics (RITA) for additional context regarding beaconing likelihood.",
+  "type": "object",
+  "allOf": [
+    {
+      "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/observables/network-traffic.json"
+    },
+    {
+      "properties": {
+        "extensions": {
+          "type": "object",
+          "properties": {
+            "extension-definition--3b7505ce-2a18-496e-aa58-311dac6c1473": {
+              "type": "object",
+              "properties": {
+                "extension_type": {
+                  "type": "string",
+                  "description": "extension_type, which MUST be the literal `property-extension`",
+                  "enum": [
+                    "property-extension"
+                  ]
+                },
+                "connections": {
+                  "type": "number",
+                  "description": "Number of connections reported by RITA."
+                },
+                "score": {
+                  "type": "number",
+                  "description": "Beaconing score reported by RITA."
+                },
+                "computer": {
+                  "type": "string",
+                  "description": "Computer hostname associated with the process."
+                }
+              },
+              "required": [
+                "extension_type"
+              ]
+            }
+          },
+          "required": [
+            "extension-definition--3b7505ce-2a18-496e-aa58-311dac6c1473"
+          ]
+        }
+      }
+    }
+  ],
+  "required": [
+    "extensions"
+  ]
+}
diff --git a/apl_reference_implementation_bundle/revision_3/schemas/observables/extended-process.json b/apl_reference_implementation_bundle/revision_3/schemas/observables/extended-process.json
@@ -0,0 +1,62 @@
+{
+  "$id": "https://raw.githubusercontent.com/opencybersecurityalliance/oca-iob/main/apl_reference_implementation_bundle/revision_2/schemas/observables/extended-process.json",
+  "$schema": "http://json-schema.org/draft/2020-12/schema#",
+  "title": "extended process",
+  "description": "This extended process object contains fields from Windows Security Event 4688 (new process created) for additional context.",
+  "type": "object",
+  "allOf": [
+    {
+      "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/observables/process.json"
+    },
+    {
+      "properties": {
+        "extensions": {
+          "type": "object",
+          "properties": {
+            "extension-definition--f9dbe89c-0030-4a9d-8b78-0dcd0a0de874": {
+              "type": "object",
+              "properties": {
+                "extension_type": {
+                  "type": "string",
+                  "description": "extension_type, which MUST be the literal `property-extension`",
+                  "enum": [
+                    "property-extension"
+                  ]
+                },
+                "operation_type": {
+                  "type": "string",
+                  "description": "Operation associated with the process. For Windows Event 4688, this should be the literal `created`, signifying that a new process has been created."
+                },
+                "computer": {
+                  "type": "string",
+                  "description": "Computer hostname associated with the process."
+                },
+                "name": {
+                  "type": "string",
+                  "description": "Process name or REGEX pattern to match against."
+                },
+                "win_event_code": {
+                  "type": "integer",
+                  "description": "Windows Event Code number."
+                },
+                "creator_user": {
+                  "type": "string",
+                  "description": "User account associated with the process."
+                }
+              },
+              "required": [
+                "extension_type"
+              ]
+            }
+          },
+          "required": [
+            "extension-definition--f9dbe89c-0030-4a9d-8b78-0dcd0a0de874"
+          ]
+        }
+      }
+    }
+  ],
+  "required": [
+    "extensions"
+  ]
+}
diff --git a/...e_implementation_bundle/revision_3/schemas/observables/extended-windows-registry-key.json b/...e_implementation_bundle/revision_3/schemas/observables/extended-windows-registry-key.json
@@ -0,0 +1,66 @@
+{
+  "$id": "https://raw.githubusercontent.com/opencybersecurityalliance/oca-iob/main/apl_reference_implementation_bundle/revision_2/schemas/observables/extended-windows-registry-key.json",
+  "$schema": "http://json-schema.org/draft/2020-12/schema#",
+  "title": "extended Windows registry key",
+  "description": "This extended Windows registry key object contains fields from Windows Security Event 4657 (registry value modified) for additional context.",
+  "type": "object",
+  "allOf": [
+    {
+      "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/observables/windows-registry-key.json"
+    },
+    {
+      "properties": {
+        "extensions": {
+          "type": "object",
+          "properties": {
+            "extension-definition--2cf8c8c2-69f5-40f7-aa34-efcef2b912b1": {
+              "type": "object",
+              "properties": {
+                "extension_type": {
+                  "type": "string",
+                  "description": "extension_type, which MUST be the literal `property-extension`",
+                  "enum": [
+                    "property-extension"
+                  ]
+                },
+                "operation_type": {
+                  "type": "string",
+                  "description": "Operation performed on the registry key."
+                },
+                "user": {
+                  "type": "string",
+                  "description": "User account associated with the process."
+                },
+                "computer": {
+                  "type": "string",
+                  "description": "Computer hostname associated with the process."
+                },
+                "new_value": {
+                  "type": "string",
+                  "description": "New value of the registry key if a change has been made."
+                },
+                "process_id": {
+                  "type": "string",
+                  "description": "Process ID of the process that modified the registry."
+                },
+                "process_name": {
+                  "type": "string",
+                  "description": "Name of the process that modified the registry."
+                }
+              },
+              "required": [
+                "extension_type"
+              ]
+            }
+          },
+          "required": [
+            "extension-definition--2cf8c8c2-69f5-40f7-aa34-efcef2b912b1"
+          ]
+        }
+      }
+    }
+  ],
+  "required": [
+    "extensions"
+  ]
+}
diff --git a/apl_reference_implementation_bundle/revision_3/schemas/sdos/behavior.json b/apl_reference_implementation_bundle/revision_3/schemas/sdos/behavior.json
@@ -0,0 +1,69 @@
+{
+  "$id": "https://raw.githubusercontent.com/opencybersecurityalliance/oca-iob/main/apl_reference_implementation_bundle/revision_2/schemas/sdos/behavior.json",
+  "$schema": "http://json-schema.org/draft/2020-12/schema#",
+  "title": "behavior",
+  "description": "Behavior objects define adversary behaviors associated with higher level MITRE ATT&CK tactics and techniques. The Attack Pattern SDO may have multiple behaviors associated with it. For example, a spearphishing attack may employ multiple behaviors (usage of email attachments, process modifying a registry key, network patterns, etc.).",
+  "type": "object",
+  "allOf": [
+    {
+      "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/core.json"
+    },
+    {
+      "properties": {
+        "type": {
+          "type": "string",
+          "description": "The type of this object, which MUST be the literal `x-oca-behavior`.",
+          "enum": [
+            "x-oca-behavior"
+          ]
+        },
+        "id": {
+          "title": "id",
+          "pattern": "^x-oca-behavior--"
+        },
+        "name": {
+          "type": "string",
+          "description": "The name used to identify the Behavior."
+        },
+        "description": {
+          "type": "string",
+          "description": "Description of Behavior."
+        },
+        "behavior_class": {
+          "type": "string",
+          "description": "The class of behavior. The value for this property SHOULD come from the behavior-class-ov open vocabulary."
+        },
+        "tactic": {
+          "type": "string",
+          "description": "MITRE ATT&CK tactic of the Behavior."
+        },
+        "technique": {
+          "type": "string",
+          "description": "MITRE ATT&CK technique of the Behavior."
+        },
+        "first_seen": {
+          "description": "The first_seen property represents the time that this behavior was first seen. The timstamp value MUST be precise to the nearest millisecond.",
+          "allOf": [
+            {
+              "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/timestamp.json"
+            },
+            {
+            "title": "timestamp_millis",
+            "pattern": "T\\d{2}:\\d{2}:\\d{2}\\.\\d{3,}Z$"
+            }
+          ]
+        },
+        "platforms": {
+          "type": "array",
+          "description": "Platforms the Behavior was seen on. Each entry may list contextual data about the platform such as the OS and OS version number.",
+          "items": {
+            "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/dictionary.json"
+          }
+        }
+      }
+    }
+  ],
+  "required": [
+    "name"
+  ]
+}
diff --git a/apl_reference_implementation_bundle/revision_3/schemas/sdos/detection.json b/apl_reference_implementation_bundle/revision_3/schemas/sdos/detection.json
@@ -0,0 +1,60 @@
+{
+  "$id": "https://raw.githubusercontent.com/opencybersecurityalliance/oca-iob/main/apl_reference_implementation_bundle/revision_2/schemas/sdos/detection.json",
+  "$schema": "http://json-schema.org/draft/2020-12/schema#",
+  "title": "detection",
+  "description": "Detections contain logic to detect an adversary behavior.",
+  "type": "object",
+  "allOf": [
+	{
+	  "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/core.json"
+	},
+	{
+      "properties": {
+        "type": {
+          "type": "string",
+          "description": "The type of this object, which MUST be the literal `x-oca-detection`.",
+          "enum": [
+             "x-oca-detection"
+          ]
+
+        },
+        "id": {
+          "type": "string",
+          "pattern": "^x-oca-detection--"
+        },
+        "name": {
+          "type": "string",
+          "description": "The name used to identify the detection."
+        },
+        "data_sources": {
+          "type": "array",
+          "description": "Information about the data event that the detection targets.",
+          "items": {
+              "$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/dictionary.json"
+          }
+        },
+        "analytic": {
+          "type": "object",
+          "description": "Base64 encoded logic defining the detection along with the type of rule (e.g. Sigma rule).",
+          "properties": {
+            "rule": {
+              "type": "string"
+            },
+            "type": {
+              "type": "string"
+            }
+          },
+          "required": [
+            "rule",
+            "type"
+          ]
+        }
+      }
+    }
+  ],
+  "required": [
+    "name",
+    "data_sources",
+    "analytic"
+  ]
+}