STIXProject / schemas

STIX Schema Development
http://stixproject.github.io/

Refactor Kill Chain Types #117

Open johnwunder opened 10 years ago

johnwunder commented 10 years ago

STIX has three types for creating and referencing kill chains and kill chain phases:

KillChainType is used to define kill chains and contains, embedded, 0 or more KillChainPhase elements, of type KillChainPhaseType. It has an @id attribute for identifying the kill chain.

KillChainPhaseType is used to define kill chain phases within the context of a specific kill chain. The @phase_id attribute identifies the kill chain phase, and the parent kill chain is determined by virtue of the phase definition being inside the kill chain definition.

KillChainPhaseReferenceType is used to reference kill chain phases and extends from KillChainPhaseType. It adds attributes for @kill_chain_id, referencing a kill chain, and @kill_chain_name, referencing a kill chain's name.

Issues #40 and #41 dealt with documenting how the current structures should be used and were closed in v1.1. This ticket suggests refactoring these types to achieve better consistency and ease of use.

There is still one major unanswered question: may a kill chain phase be a part of multiple kill chains? If so, the current structure, where a kill chain phase is literally included in a kill chain, may not be appropriate. Instead phases should be defined outside of the context of any specific kill chain so they may be referenced from multiple kill chains. If not, the current structure is fine but the KillChainPhaseReferenceType does not need to include the @kill_chain_id attribute.

There are also several obvious changes:

  1. The KillChainPhaseReferenceType should not extend from KillChainPhaseType and should not allow duplicate information from the kill chain definitions. It simply references a kill chain phase by ID (and, potentially, a kill chain by ID if kill chain phases can be included in multiple kill chains). See #41 for an explanation as to why.
  2. The @phase_id attribute could be better named as @id and the reference attributes as @phase_idref, @kill_chain_idref (if phases may be present in multiple kill chains) or simply as @idref (if they cannot, because the only valid reference would be to a phase). The current attribute names are technically correct but are not consistent with the rest of STIX.
  3. The fact that the @phase_id and @kill_chain_id attributes in KillChainPhaseReferenceType are optional is confusing. If these attributes are omitted, the reference is invalid. What does this mean? These attributes should be required or the expectation when they are omitted should be defined.
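
As an added illustration (not STIX project code), the following resolves STIX 1.1-style phase references against kill chain definitions and flags the two problems points 1 and 3 describe: a reference that repeats the phase name and disagrees with the definition, and a reference whose optional identifying attributes are omitted. The stixCommon namespace and element names follow STIX 1.1 usage; the XML document and the example:* ids are constructed for this example.

```python
# Added example (not STIX project code): resolve STIX 1.1-style kill chain phase
# references against Kill_Chain definitions and flag the cases the issue raises.
# Element and attribute names follow stixCommon usage; the XML and ids are constructed.
import xml.etree.ElementTree as ET

SC = "{http://stix.mitre.org/common-1}"  # stixCommon namespace

# Constructed sample: one kill chain definition plus three phase references.
SAMPLE = """<root xmlns:stixCommon="http://stix.mitre.org/common-1">
  <stixCommon:Kill_Chains>
    <stixCommon:Kill_Chain id="example:kc-1" name="Example Kill Chain">
      <stixCommon:Kill_Chain_Phase phase_id="example:kcp-1" name="Recon" ordinality="1"/>
      <stixCommon:Kill_Chain_Phase phase_id="example:kcp-2" name="Delivery" ordinality="2"/>
    </stixCommon:Kill_Chain>
  </stixCommon:Kill_Chains>
  <Kill_Chain_Phases>
    <stixCommon:Kill_Chain_Phase phase_id="example:kcp-1" kill_chain_id="example:kc-1" name="Recon"/>
    <stixCommon:Kill_Chain_Phase phase_id="example:kcp-2" kill_chain_id="example:kc-1" name="Weaponize"/>
    <stixCommon:Kill_Chain_Phase name="Delivery"/>
  </Kill_Chain_Phases>
</root>"""

def index_definitions(root):
    """Map phase_id -> (kill_chain_id, phase name) from Kill_Chain definitions."""
    phases = {}
    for kc in root.iter(SC + "Kill_Chain"):
        for ph in kc.findall(SC + "Kill_Chain_Phase"):
            phases[ph.get("phase_id")] = (kc.get("id"), ph.get("name"))
    return phases

def check_references(xml_text):
    """Return one finding per reference that does not resolve cleanly to a definition."""
    root = ET.fromstring(xml_text)
    phases = index_definitions(root)
    findings = []
    for ref in root.find("Kill_Chain_Phases").findall(SC + "Kill_Chain_Phase"):
        pid, kcid, name = ref.get("phase_id"), ref.get("kill_chain_id"), ref.get("name")
        if pid is None:
            # Point 3: the schema permits this, but the reference cannot be resolved.
            findings.append(f"reference with no phase_id (name={name!r}) is unresolvable")
        elif pid not in phases:
            findings.append(f"phase_id {pid!r} is not defined in any kill chain")
        else:
            def_kc, def_name = phases[pid]
            if kcid is not None and kcid != def_kc:
                findings.append(f"{pid!r} cites kill chain {kcid!r} but is defined in {def_kc!r}")
            if name is not None and name != def_name:
                # Point 1: duplicated name data in the reference disagrees with the definition.
                findings.append(f"{pid!r} is {def_name!r} in its definition but {name!r} in the reference")
    return findings
```

Running check_references(SAMPLE) on the constructed document yields two findings: the second reference's name contradicts the definition, and the third reference cannot be resolved at all.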

athiasjerome commented 10 years ago

To consider: usage/mapping to Attack Execution Flow of CAPEC