OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Organizations and Individual roles #4757

Open iFrozenPhoenix opened 1 year ago

iFrozenPhoenix commented 1 year ago

Use case

Currently Organizations / Threat Actor Groups and Individuals / Threat Actor Individuals are tracked as different entities. This leads to inconsistencies due to the fact that they can have multiple roles. For example: we track corporations, government entities, international organizations (like UN, NATO, ...) as Organizations. Now the problem begins because e.g. the organization CIA is also known to be a Threat Actor itself. The only way to model this is to create it as a Threat Actor or Intrusion Set, but then the rest of the relations (Located in the US, targeted by) are not obviously visible due to the fact that this entity is divided into 2 entities. If I also add it as an Intrusion Set or Threat Actor, I can only relate the organization to the Threat Actor / Intrusion Set with the relation "is targeted by", which in this case would be wrong.

The same problem exists for individuals.

Current Workaround

None

Proposed Solution

Consolidate Threat Actors / Organizations and Threat Actor Individuals / Individuals into one entity (Organizations and Individuals). These entities should have extended attributes (for Individuals the Threat Actor Individuals demographic data), for organizations a type (formal, informal; i.e. legal entity or an association), as well as roles that can be assigned. The role Threat Actor then provides additional attributes that can be assigned (i.e. the current Threat Actor / Threat Actor Individual attributes). Additionally, the relations must be extended to allow more relation types between organizations (Part of, targets) as well as for the Intrusion Sets (Targets, uses). The role concept would also make it easier to add extensions in the future, due to the fact that the roles provide additional attributes and that the original entity doesn't need to be modified anymore.

Additional Information

Jipegien commented 8 months ago

Not sure we will be able to do that while being compliant with STIX... even if I like the idea. @SamuelHassine your take on this?