STIX has three types for creating and referencing kill chains and kill chain phases:
KillChainType
KillChainPhaseType
KillChainPhaseReferenceType
KillChainType is used to define kill chains and contains, embedded, 0 or more KillChainPhase elements, of type KillChainPhaseType. It has an @id attribute for identifying the kill chain.
KillChainPhaseType is used to define kill chain phases within the context of a specific kill chain. The @phase_id attribute identifies the kill chain phase, and the parent kill chain is determined by virtue of the phase definition being inside the kill chain definition.
KillChainPhaseReferenceType is used to reference kill chain phases and extends from KillChainPhaseType. It adds attributes for @kill_chain_id, referencing a kill chain, and @kill_chain_name, referencing a kill chain's name.
Issues #40 and #41 dealt with documenting how the current structures should be used and were closed in v1.1. This ticket suggests refactoring these types to achieve better consistency and ease of use.
There is still one major unanswered question: may a kill chain phase be a part of multiple kill chains? If so, the current structure, where a kill chain phase is literally included in a kill chain, may not be appropriate. Instead phases should be defined outside of the context of any specific kill chain so they may be referenced from multiple kill chains. If not, the current structure is fine but the KillChainPhaseReferenceType does not need to include the @kill_chain_id attribute.
There are also several obvious changes:
The KillChainPhaseReferenceType should not extend from KillChainPhaseType and should not allow duplicate information from the kill chain definitions. It should simply reference a kill chain phase by ID (and, potentially, a kill chain by ID if kill chain phases can be included in multiple kill chains). See #41 for an explanation as to why.
The @phase_id attribute could be better named as @id and the reference attributes as @phase_idref, @kill_chain_idref (if phases may be present in multiple kill chains) or simply as @idref (if they cannot, because the only valid reference would be to a phase). The current attribute names are technically correct but are not consistent with the rest of STIX.
The fact that the @phase_id and @kill_chain_id attributes in KillChainPhaseReferenceType are optional is confusing. If these attributes are omitted, the reference is invalid. What does this mean? These attributes should be required or the expectation when they are omitted should be defined.
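The three failure modes raised above (a reference with @phase_id omitted, a reference whose copied @kill_chain_name disagrees with the definition, and a phase id that appears in more than one kill chain so that a reference without @kill_chain_id cannot be resolved) can be checked mechanically. The following is an added example, not code from the STIX project or from this ticket: it works on a constructed, namespace-free XML layout whose element names mirror the type names discussed here (KillChain, KillChainPhase, KillChainPhaseReference) and uses only the attributes named above; the real STIX schema uses namespaced element names and is not reproduced.

```python
"""Resolve and validate kill chain phase references.

Constructed example: the XML below is a simplified, namespace-free layout
whose element names mirror the type names discussed in the ticket
(KillChain / KillChainPhase / KillChainPhaseReference) and whose attributes
are @id, @phase_id, @kill_chain_id and @kill_chain_name. It is not the STIX
schema itself.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two kill chains, one phase id ("recon") defined in both,
# and a set of references that exercise each failure mode discussed.
SAMPLE_XML = """
<Root>
  <KillChain id="kc-1" name="Example Chain A">
    <KillChainPhase phase_id="recon" name="Reconnaissance"/>
    <KillChainPhase phase_id="deliver" name="Delivery"/>
  </KillChain>
  <KillChain id="kc-2" name="Example Chain B">
    <KillChainPhase phase_id="recon" name="Reconnaissance"/>
    <KillChainPhase phase_id="exfil" name="Exfiltration"/>
  </KillChain>
  <References>
    <KillChainPhaseReference phase_id="deliver" kill_chain_id="kc-1" kill_chain_name="Example Chain A"/>
    <KillChainPhaseReference phase_id="exfil" kill_chain_id="kc-1"/>
    <KillChainPhaseReference phase_id="recon"/>
    <KillChainPhaseReference kill_chain_id="kc-2"/>
    <KillChainPhaseReference phase_id="deliver" kill_chain_id="kc-1" kill_chain_name="Wrong Name"/>
    <KillChainPhaseReference phase_id="deliver" kill_chain_id="kc-9"/>
  </References>
</Root>
"""


def index_kill_chains(root):
    """Map kill chain id -> name, and phase id -> set of kill chain ids defining it."""
    chains = {}
    phases = defaultdict(set)
    for kc in root.iter("KillChain"):
        chains[kc.get("id")] = kc.get("name")
        for phase in kc.findall("KillChainPhase"):
            # The parent chain is implied purely by nesting, as the ticket notes.
            phases[phase.get("phase_id")].add(kc.get("id"))
    return chains, phases


def validate_reference(ref, chains, phases):
    """Return a list of problem strings for one reference (empty if it resolves)."""
    problems = []
    phase_id = ref.get("phase_id")
    kc_id = ref.get("kill_chain_id")
    kc_name = ref.get("kill_chain_name")

    if phase_id is None:
        # Allowed by an optional attribute, but nothing can be resolved.
        return ["phase_id omitted: reference cannot be resolved"]
    if phase_id not in phases:
        return [f"unknown phase_id {phase_id!r}"]

    defining_chains = phases[phase_id]
    if kc_id is None:
        if len(defining_chains) > 1:
            problems.append(
                f"phase_id {phase_id!r} is defined in {sorted(defining_chains)}; "
                "reference is ambiguous without kill_chain_id")
    else:
        if kc_id not in chains:
            problems.append(f"unknown kill_chain_id {kc_id!r}")
        elif kc_id not in defining_chains:
            problems.append(f"phase_id {phase_id!r} is not part of kill chain {kc_id!r}")
        # Duplicated information in the reference can drift from the definition.
        if kc_name is not None and chains.get(kc_id) not in (None, kc_name):
            problems.append(
                f"kill_chain_name {kc_name!r} does not match definition {chains[kc_id]!r}")
    return problems


def validate_document(xml_text):
    """Validate every reference; returns {reference index: [problems]}."""
    root = ET.fromstring(xml_text)
    chains, phases = index_kill_chains(root)
    return {i: validate_reference(ref, chains, phases)
            for i, ref in enumerate(root.iter("KillChainPhaseReference"))}


if __name__ == "__main__":
    for idx, problems in validate_document(SAMPLE_XML).items():
        print(idx, problems or "ok")
```

Run as a script it prints one line per reference: the first resolves cleanly, the second names a phase that is not part of the referenced chain, the third is ambiguous because "recon" is defined in both chains, the fourth has no @phase_id at all, the fifth carries a copied name that no longer matches the definition, and the sixth points at a chain that does not exist. The ambiguous case is exactly the structural question the ticket leaves open: if the same phase may belong to several kill chains, a reference needs @kill_chain_idref to be unambiguous; if it may not, the chain id is redundant and only @idref is needed.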