STIXProject / specifications

DRAFT STIX specification documents for version 1.2

Stix Difficulties: Victim Targeting is embedded within a TTP #75

Open terrymacdonald opened 8 years ago

terrymacdonald commented 8 years ago

PROBLEM

There are two types of information related to the Victim that are useful for defenders to have:

Details about the Victim Organization are currently embedded within the TTP object. http://stixproject.github.io/data-model/1.2/ttp/VictimTargetingType/

Having this Victim Targeting information embedded within the TTP object restricts users from being able to document the Victim Targeting independently of the TTP object. This means that information about a Victim being targeted cannot be shared unless a TTP object is generated. If the Victim doesn’t know any details about how they were hacked, they would need to release a TTP that is empty except for their victim details.

The TTP appears to be focused on the general victim info.

POTENTIAL ANSWER

Specific Victim Info

By pulling out the Victim Targeting into its own object we enable the information about the Victim to be shared without knowledge of how they were hacked/affected. It means that someone can effectively notify that they were targeted, and can then fill out and relate the TTP when they learn more. The producer can create a TTP later and relate them together when they learn how the attack took place.

APT Threat Actors often target Organizations based on the type of work they do, their position in the Defense Industrial Base, Intellectual Property that they have, customers they may have, infrastructure they run, or any other feature about them that is useful to the Threat Actor.
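The "TTP empty except for victim details" situation the issue describes, as an added example that is not part of the issue or of the STIX project's own code: a consumer-side check over a constructed STIX 1.2 package (stdlib only, namespaces as published for STIX 1.x) that flags TTPs whose only content is `Victim_Targeting`, so a defender can tell "we were targeted" notifications from TTPs that actually describe attacker behaviour.

```python
import xml.etree.ElementTree as ET

# STIX 1.x namespaces used by the TTP and its Victim_Targeting element
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "stixCommon": "http://stix.mitre.org/common-1",
}
VICTIM_TAG = "{%s}Victim_Targeting" % NS["ttp"]

# Constructed sample package: TTP-1 carries nothing but Victim_Targeting,
# TTP-2 also carries a Title and a Behavior (an actual description of the attack).
SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:TTPs>
    <stix:TTP xsi:type="ttp:TTPType" id="example:TTP-1">
      <ttp:Victim_Targeting>
        <ttp:Identity><stixCommon:Name>Example Defence Contractor</stixCommon:Name></ttp:Identity>
        <ttp:Targeted_Information>Intellectual Property</ttp:Targeted_Information>
      </ttp:Victim_Targeting>
    </stix:TTP>
    <stix:TTP xsi:type="ttp:TTPType" id="example:TTP-2">
      <ttp:Title>Spear phishing with malicious attachment</ttp:Title>
      <ttp:Behavior/>
      <ttp:Victim_Targeting>
        <ttp:Identity><stixCommon:Name>Example Utility</stixCommon:Name></ttp:Identity>
      </ttp:Victim_Targeting>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>
"""


def summarize_ttps(xml_text):
    """Return one dict per TTP: id, victim name (if any), the non-victim child
    elements, and whether the TTP is a victim-only notification."""
    root = ET.fromstring(xml_text)
    results = []
    for ttp in root.iterfind("stix:TTPs/stix:TTP", NS):
        victim = ttp.find("ttp:Victim_Targeting", NS)
        name_el = victim.find("ttp:Identity/stixCommon:Name", NS) if victim is not None else None
        # Local names of every child element other than Victim_Targeting
        other = [child.tag.split("}")[1] for child in ttp if child.tag != VICTIM_TAG]
        results.append({
            "id": ttp.get("id"),
            "victim_name": name_el.text if name_el is not None else None,
            "other_elements": other,
            "victim_only": victim is not None and not other,
        })
    return results
```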