Proposal: Add Technical_Targeting field to TTP Victim_Targeting

John Wunder edited this page Nov 25, 2013 · 5 revisions

Status: Open
Comment Period Closes: 12/6/2013
Affects Backwards Compatibility: NO
Relevant Issue: https://github.com/STIXProject/schemas/issues/27

Background Information

The TTP/Victim_Targeting element, defined by the ttp:VictimTargetingType, is used to capture information about the victim targeting of a TTP. It currently captures information about targeting of identity characteristics, types of systems, and types of information. It does not, however, have any ability to capture technical targeting details, such as particular operating systems or applications that are targeted.

Proposal

This proposal suggests adding a field to ttp:VictimTargetingType called Technical_Targeting in order to enable the capture of technical targeting information. This field would be implemented in a similar way to adversary infrastructure, allowing both a prose description and an observable characterization using CybOX.

As an example of this capability:

<stix:TTP xsi:type="ttp:TTPType" id="example-1">
  <ttp:Title>Targets Linux Systems</ttp:Title>
  <ttp:Victim_Targeting>
    <ttp:Technical_Targeting>
      <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1">
        <cybox:Observable id="example-2">
          <cybox:Object id="example-3">
            <cybox:Properties xsi:type="SystemObj:SystemObjectType">
              <SystemObj:OS>
                <SystemObj:Platform>
                  <SystemObj:Identifier>cpe:/o:linux</SystemObj:Identifier>
                </SystemObj:Platform>
              </SystemObj:OS>
            </cybox:Properties>
          </cybox:Object>
        </cybox:Observable>
      </ttp:Observable_Characterization>
    </ttp:Technical_Targeting>
  </ttp:Victim_Targeting>
</stix:TTP>
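As an added example (not part of the proposal or of the STIX project's code), the following Python consumer reads the proposed Technical_Targeting element and checks a local asset inventory against the targeted platforms. It assumes the real STIX 1.x/CybOX 2.x namespace URIs, a hypothetical ttp:Description child for the prose description the proposal mentions, and a simplified component-wise CPE prefix match.

```python
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespace URIs (the proposal's fragment omits its declarations)
NS = {"stix": "http://stix.mitre.org/stix-1", "ttp": "http://stix.mitre.org/TTP-1",
      "cybox": "http://cybox.mitre.org/cybox-2", "xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "SystemObj": "http://cybox.mitre.org/objects#SystemObject-2"}

# Constructed sample: the proposal's TTP with the namespace declarations it needs and a
# hypothetical ttp:Description child (the proposal allows a prose description alongside CybOX).
SAMPLE = """<stix:TTP xmlns:stix="http://stix.mitre.org/stix-1" xmlns:ttp="http://stix.mitre.org/TTP-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ttp:TTPType" id="example-1">
  <ttp:Title>Targets Linux Systems</ttp:Title>
  <ttp:Victim_Targeting>
    <ttp:Technical_Targeting>
      <ttp:Description>Observed activity targets Linux hosts.</ttp:Description>
      <ttp:Observable_Characterization cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1">
        <cybox:Observable id="example-2"><cybox:Object id="example-3">
          <cybox:Properties xsi:type="SystemObj:SystemObjectType">
            <SystemObj:OS><SystemObj:Platform>
              <SystemObj:Identifier>cpe:/o:linux</SystemObj:Identifier>
            </SystemObj:Platform></SystemObj:OS>
          </cybox:Properties>
        </cybox:Object></cybox:Observable>
      </ttp:Observable_Characterization>
    </ttp:Technical_Targeting>
  </ttp:Victim_Targeting>
</stix:TTP>"""

def technical_targeting(ttp_xml):
    """Return (description, [platform CPE identifiers]) from a TTP, or (None, []) if absent."""
    root = ET.fromstring(ttp_xml)
    tt = root.find("ttp:Victim_Targeting/ttp:Technical_Targeting", NS)
    if tt is None:
        return None, []
    # ttp:Description is an assumed child name; missing text yields an empty description
    desc = tt.findtext("ttp:Description", default="", namespaces=NS).strip()
    ids = [e.text.strip() for e in tt.iterfind(".//SystemObj:Platform/SystemObj:Identifier", NS) if e.text]
    return desc, ids

def cpe_covers(target, asset):
    """Simplified CPE 2.2 URI matching: target is a component-wise prefix of the asset's CPE."""
    t, a = target.split(":"), asset.split(":")
    return len(t) <= len(a) and a[:len(t)] == t

def matching_assets(ttp_xml, inventory):
    """inventory maps hostname -> CPE; return hosts that fall under any targeted platform."""
    _, targets = technical_targeting(ttp_xml)
    return sorted(h for h, cpe in inventory.items() if any(cpe_covers(t, cpe) for t in targets))
```

A consumer that does not understand the new field simply never finds it and gets (None, []), which is the no-impact behaviour the Impact section describes.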

Impact

There is no expected compatibility impact. Producers will have the option to use this new field, and consumers can choose whether to handle it, as with any other field in STIX.

Requested Feedback

  1. Should this capability be added to STIX?
  2. Is the manner in which the proposal suggests adding it correct?