STIX TTPs are not currently supported #302

Open
krispimk opened this issue Mar 2, 2017 · 8 comments

@krispimk

krispimk commented Mar 2, 2017

I'm trying to poll a TAXII request from an ISAC, however I get the error:

TTP (Phishing): STIX TTPs are not currently supported

I'm surprised that Phishing and many other TTPs are not already added. With that said, how can I go ahead and add it to my CRITs instance? I have created a campaign and added phishing to it, but it didn't help.

@mgoffin
Contributor

mgoffin commented Mar 2, 2017

If they're not supported you'll need to add code to support it. Or someone who actually uses STIX and TAXII might be inclined to add it. However, there are very few people I know who use it, so activity might be limited.

@brlogan
Contributor

brlogan commented Mar 2, 2017

I'd be interested to know how you would like to see the TTP imported into CRITs.

@krispimk
Author

krispimk commented Mar 3, 2017

I understand that it's not supported based on https://github.com/crits/crits_services/blob/master/taxii_service/parsers.py.

I'm not too familiar with STIX or TAXII either which is why I'm hoping to stay away from any code changes to their code.

@brlogan
Contributor

brlogan commented Mar 3, 2017

It is intentionally not supported because it's not obvious where that data should go in CRITs.
I'm wondering how you envision the stix:TTP data being imported into CRITs. Like, if it were up to you, where in CRITs would you put that data?

@mgoffin
Contributor

mgoffin commented Mar 3, 2017

Would likely go into the only place in CRITs that supports TTP data, and that's Campaigns. How you get it there I don't know, especially with organizations having their own internal name for a Campaign.

@chrisfry

chrisfry commented Mar 3, 2017 via email

@krispimk
Author

krispimk commented Mar 3, 2017

Well, I'm thinking that if it scans and finds an IP, emails, etc., then they should simply be added to their respective categories. Not sure why it's important that the `<ttp:Title>Phishing</ttp:Title>` is not recognized.

@brlogan
Contributor

brlogan commented Mar 3, 2017

@mgoffin: That was my initial thought too, but rarely have I seen a STIX TTP linked to a STIX Threat Actor (let alone with a name you recognize), so typically you don't have any idea which Campaign to put the TTP data in.

@chrisfry: I've also thought about putting it in the "Description" field, but I hate just dumping a bunch of text in there. Some TTP structures have quite a bit of text including things like malware descriptions, behavioral attributes, and victim target information. Perhaps putting it there, but making it optional, is the best way to handle it.

@mokarimi: Have you looked at the STIX data model to see what a TTP type actually is? Things like IPs and Emails wouldn't typically be found within the TTP structure. There may be a couple things that can be broken out (like Exploit information to the CRITs Exploit TLO), but the rest of the data doesn't have an obvious place to go in CRITs.
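To make the data-model point concrete, here is an added example (not CRITs code, and not from any participant in this thread) that walks a STIX 1.x `ttp:TTPType` element with the Python standard library and groups what it finds by the candidate CRITs destinations discussed above: `ttp:Title` as a possible Campaign name, `ttp:Behavior/ttp:Exploits` and any `et:CVE_ID` under `ttp:Exploit_Targets` as candidates for the Exploit TLO, and the rest (description, attack patterns, malware names, victim targeting) as free text that would only fit a Description field. It also counts CybOX elements under the TTPs to show that the IPs and emails the reporter expected are not normally carried inside a TTP at all. The STIX package, element IDs, CVE placeholder and the helper names `route_ttp`, `route_package` and `cybox_element_count` are all constructed for this illustration; the namespace URIs are the STIX 1.x ones.

```python
"""Added example (not CRITs code): walk a STIX 1.x TTP and group its content
by the CRITs destinations debated in the thread. Standard library only, so it
runs offline; the package below is constructed for illustration, not ISAC data."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "et": "http://stix.mitre.org/ExploitTarget-1",
}
CYBOX_PREFIX = "{http://cybox.mitre.org/"  # namespace Observables (IPs, emails) are expressed in

# Constructed STIX 1.2 package: one TTP titled "Phishing" carrying an attack
# pattern, a malware instance, an exploit, victim targeting and a CVE reference.
# The CVE ID is a placeholder. There is no cybox:Observable anywhere inside it.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:TTPs>
    <stix:TTP xsi:type="ttp:TTPType" id="example:TTP-1">
      <ttp:Title>Phishing</ttp:Title>
      <ttp:Description>Credential-harvesting mail linking to a lookalike login page.</ttp:Description>
      <ttp:Behavior>
        <ttp:Attack_Patterns>
          <ttp:Attack_Pattern capec_id="CAPEC-98"><ttp:Title>Phishing</ttp:Title></ttp:Attack_Pattern>
        </ttp:Attack_Patterns>
        <ttp:Malware>
          <ttp:Malware_Instance><ttp:Name>ExampleDropper</ttp:Name></ttp:Malware_Instance>
        </ttp:Malware>
        <ttp:Exploits>
          <ttp:Exploit><ttp:Title>Macro execution in an Office attachment</ttp:Title></ttp:Exploit>
        </ttp:Exploits>
      </ttp:Behavior>
      <ttp:Victim_Targeting>
        <ttp:Targeted_Information>Email credentials</ttp:Targeted_Information>
      </ttp:Victim_Targeting>
      <ttp:Exploit_Targets>
        <ttp:Exploit_Target>
          <stixCommon:Exploit_Target xsi:type="et:ExploitTargetType" id="example:et-1">
            <et:Vulnerability><et:CVE_ID>CVE-0000-0000</et:CVE_ID></et:Vulnerability>
          </stixCommon:Exploit_Target>
        </ttp:Exploit_Target>
      </ttp:Exploit_Targets>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>
"""


def _text(elem, path):
    """Stripped text of the first child matching a namespaced path, or None."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def route_ttp(ttp):
    """Group one ttp:TTPType element's content by a candidate CRITs home:
    Title -> Campaign name (usable only if the org recognises it),
    Behavior/Exploits and Exploit_Targets CVEs -> Exploit TLO,
    everything else -> free text that would only fit a Description field."""
    routed = {"campaign_name": _text(ttp, "ttp:Title"), "exploits": [], "cves": [], "free_text": []}
    desc = _text(ttp, "ttp:Description")
    if desc:
        routed["free_text"].append(desc)
    for ap in ttp.findall("ttp:Behavior/ttp:Attack_Patterns/ttp:Attack_Pattern", NS):
        routed["free_text"].append("attack pattern %s: %s" % (ap.get("capec_id"), _text(ap, "ttp:Title")))
    for mi in ttp.findall("ttp:Behavior/ttp:Malware/ttp:Malware_Instance", NS):
        routed["free_text"].append("malware: %s" % _text(mi, "ttp:Name"))
    for ex in ttp.findall("ttp:Behavior/ttp:Exploits/ttp:Exploit", NS):
        routed["exploits"].append(_text(ex, "ttp:Title"))
    cve_path = "ttp:Exploit_Targets/ttp:Exploit_Target/stixCommon:Exploit_Target/et:Vulnerability/et:CVE_ID"
    for cve in ttp.findall(cve_path, NS):
        routed["cves"].append(cve.text.strip())
    for vt in ttp.findall("ttp:Victim_Targeting/*", NS):
        routed["free_text"].append("victim %s: %s" % (vt.tag.split("}")[-1], (vt.text or "").strip()))
    return routed


def route_package(xml_text):
    """Route every TTP in a STIX package; returns one dict per TTP."""
    root = ET.fromstring(xml_text)
    return [route_ttp(t) for t in root.findall("stix:TTPs/stix:TTP", NS)]


def cybox_element_count(xml_text):
    """Count CybOX elements under the TTPs. For a typical TTP this is zero:
    IPs, emails and files live in Indicators/Observables, not in the TTP."""
    root = ET.fromstring(xml_text)
    ttps = root.find("stix:TTPs", NS)
    return sum(1 for e in ttps.iter() if e.tag.startswith(CYBOX_PREFIX))


if __name__ == "__main__":
    for r in route_package(SAMPLE_STIX):
        print(r)
    print("cybox elements inside TTPs:", cybox_element_count(SAMPLE_STIX))
```

The routing dict is deliberately just a sorting of the fields, not an import: whether "Phishing" maps onto one of your own Campaign names is exactly the open question in this thread, and the free-text bucket is the bulk of a real TTP, which is why dumping it into a Description field is the only generic option left.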
