OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

New entity type "exploit" #797

Open OzRex08 opened 4 years ago

OzRex08 commented 4 years ago

Problem to Solve

PoCs and Exploits, once developed and published, can significantly change Vulnerability Assessments. There appears to be no dedicated area within CVE 'Knowledge' to add information regarding a PoC or exploit (usually found as a Python script).

Current Workaround

Added in the Notes section of the CVE, and tagged as PoC or Exploit

Proposed Solution

Create an Entity type as PoC or Exploit and allow relationships with CVEs

Additional Information

The PoC/Exploit could be sourced from www.exploit-db.com (or elsewhere) as a Connector, or manually added. It could have the following properties:

lightoyou commented 4 years ago

Yeah, maybe it's not a bad idea!

I also propose this:

Problem to Solve

Import the CPE dictionary inside OpenCTI. The goal behind this is to map your internal assets, to be proactive in case of a new vulnerability and create an alert in your SIEM, for example.

Proposed Solution

  1. Create a Connector able to:

    • Import Vendors from CPE as Identity objects.
    • Import Products from CPE as Tool objects.
    • Add a new relationship between Identity and Tools like 'owns'.
    • Import the relationship between Tools and Vendor Identities.
    • Import the relationship between Vulnerabilities and Tools.
  2. Map your internal Assets with Infrastructure objects:

    • Import the relationship between Infrastructure 'hosts' and Tools.

[attached image: STIX2_CVE(1)]

richard-julien commented 4 years ago

@SamuelHassine any thoughts on that?

SamuelHassine commented 4 years ago

+1

SamuelHassine commented 1 year ago

Create a new SDO "Exploit" to be displayed in the "Arsenal" section:

Exploit attributes:

Relationships:

  • Exploit => targets => Vulnerability
  • Threats => uses => Exploit
  • Malware => uses => Exploit
  • Exploit => uses => Attack Pattern

d1zanv commented 11 months ago

I have a project similar to this issue, so I was wondering if someone had started working on it?

iFrozenPhoenix commented 5 months ago

@Jipegien concerning the marking of exploited vulnerabilities, the entity seems to be the way to go. Any ETA?

Jipegien commented 5 months ago

Hello @iFrozenPhoenix! Currently we are using Malware entity and the malware_type open vocab to identify "Exploits". We do not plan to develop a specific Exploit entity anytime soon. Is it not enough to cover your use case?
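Added example, not OpenCTI's own connector code: a minimal version of the CPE connector proposed earlier in the thread (vendors as Identity, products as Tool, 'owns' / 'has' / 'hosts' relationships, your hosts as Infrastructure), plus the maintainers' current workaround of modelling an exploit as a Malware SDO. It emits plain STIX 2.1 dictionaries rather than using pycti, so it runs offline. Everything below is assumed for illustration: the NAMESPACE UUID used for deterministic ids, the `x_cpe23` custom property, the 'owns' relationship (an OpenCTI custom type proposed in this thread, not STIX core), the malware-type value `exploit-kit` (STIX's closest standard vocabulary term; OpenCTI's own open vocab may differ) and the constructed CVE mapping and two-host inventory.

```python
"""Added example (not OpenCTI's connector code): CPE 2.3 strings + a CVE map
-> STIX 2.1 bundle, then "which of my hosts run something affected by CVE-X?"."""
import re
import uuid
from datetime import datetime, timezone

# Hypothetical namespace for uuid5-derived ids; any fixed UUID works.
NAMESPACE = uuid.UUID("5c2f2b5e-3d9d-4d1b-9b58-2a7b0d4e0c1f")

# Constructed sample data: two CVEs mapped to the products they affect,
# and a toy asset inventory of two hosts.
HTTPD = "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"
LOG4J = "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"
WINSRV = "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"
CPES = [HTTPD, LOG4J, WINSRV]
CVE_MAP = {HTTPD: ["CVE-2021-41773"], LOG4J: ["CVE-2021-44228"]}
HOSTS = {"web-01": [HTTPD, LOG4J], "dc-01": [WINSRV, LOG4J]}


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped ':' (a backslash escapes
    the next character, so 'foo\\:bar' stays one component) and unescape fields."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13:
        raise ValueError(f"expected 13 components, got {len(parts)}: {cpe}")
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    return {"part": parts[2], "vendor": unescape(parts[3]),
            "product": unescape(parts[4]), "version": unescape(parts[5])}


def stix_id(obj_type, *keys):
    """Deterministic id: re-importing the dictionary updates instead of duplicating."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, obj_type + '|' + '|'.join(keys))}"


def build_bundle(cpes, cve_map, hosts):
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = {}  # id -> SDO/SRO; keying by id deduplicates shared vendors/products

    def put(obj):
        base = {"spec_version": "2.1", "created": ts, "modified": ts}
        objects.setdefault(obj["id"], {**base, **obj})
        return obj["id"]

    def rel(rel_type, src, dst):
        return put({"type": "relationship", "id": stix_id("relationship", rel_type, src, dst),
                    "relationship_type": rel_type, "source_ref": src, "target_ref": dst})

    def tool_for(cpe):
        c = split_cpe23(cpe)
        vendor_id = put({"type": "identity", "id": stix_id("identity", c["vendor"]),
                         "name": c["vendor"], "identity_class": "organization"})
        tool = {"type": "tool", "id": stix_id("tool", c["vendor"], c["product"], c["version"]),
                "name": c["product"], "x_cpe23": cpe}  # x_cpe23: hypothetical custom property
        if c["version"] not in ("*", "-"):
            tool["tool_version"] = c["version"]
        tool_id = put(tool)
        rel("owns", vendor_id, tool_id)  # custom relationship from this thread, not STIX core
        return tool_id

    for cpe in cpes:
        tool_id = tool_for(cpe)
        for cve in cve_map.get(cpe, []):
            vuln_id = put({"type": "vulnerability", "id": stix_id("vulnerability", cve), "name": cve})
            rel("has", tool_id, vuln_id)  # STIX 2.1: tool 'has' vulnerability
    for host, host_cpes in hosts.items():
        infra_id = put({"type": "infrastructure", "id": stix_id("infrastructure", host), "name": host})
        for cpe in host_cpes:
            rel("hosts", infra_id, tool_for(cpe))  # STIX 2.1: infrastructure 'hosts' tool
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects.values())}


def affected_hosts(bundle, cve_id):
    """Walk vulnerability <-has- tool <-hosts- infrastructure: the hosts you
    would raise a SIEM alert on when cve_id is published."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    vulns = {i for i, o in objs.items() if o["type"] == "vulnerability" and o["name"] == cve_id}
    tools = {r["source_ref"] for r in rels if r["relationship_type"] == "has" and r["target_ref"] in vulns}
    return sorted({objs[r["source_ref"]]["name"] for r in rels
                   if r["relationship_type"] == "hosts" and r["target_ref"] in tools})


def exploit_as_malware(name, cve_id):
    """Maintainers' workaround: an exploit as a Malware SDO (malware_types value
    assumed) linked to its vulnerability by the standard 'exploits' relationship."""
    malware_id, vuln_id = stix_id("malware", name), stix_id("vulnerability", cve_id)
    return [
        {"type": "malware", "spec_version": "2.1", "id": malware_id, "name": name,
         "is_family": False, "malware_types": ["exploit-kit"]},
        {"type": "relationship", "spec_version": "2.1",
         "id": stix_id("relationship", "exploits", malware_id, vuln_id),
         "relationship_type": "exploits", "source_ref": malware_id, "target_ref": vuln_id},
    ]


if __name__ == "__main__":
    bundle = build_bundle(CPES, CVE_MAP, HOSTS)
    print(len(bundle["objects"]), "objects;", affected_hosts(bundle, "CVE-2021-44228"))
```

The deterministic ids are the part that matters for a real connector: the CPE dictionary is re-imported regularly, and uuid5 ids keyed on vendor/product/version mean a second run produces the same objects instead of duplicates. The `affected_hosts` walk is the query the SIEM-alert use case needs; in OpenCTI itself the same traversal would be a GraphQL query over the stored relationships.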