STIX TTPs are not currently supported #302
Comments
|
If they're not supported you'll need to add code to support it. Or someone who actually uses STIX and TAXII might be inclined to add it. However, there's very few people I know who use it so activity might be limited. |
|
I'd be interested to know how you would like to see the TTP imported into CRITs. |
|
I understand that it's not supported based on https://github.com/crits/crits_services/blob/master/taxii_service/parsers.py. I'm not too familiar with STIX or TAXII either which is why I'm hoping to stay away from any code changes to their code. |
|
It is intentionally not supported because it's not obvious where that data should go in CRITs. |
|
Would likely go into the only place in CRITs that supports TTP data, and that's Campaigns. How you get it there I don't know, especially with organizations having their own internal name for a Campaign. |
|
How about in the 'Description' field, maybe as a checkbox option in the
feed config (kind of like the ability to set default confidence)?
…On 3/3/17 7:32 AM, Mike Goffin wrote:
Would likely go into the only place in CRITs that supports TTP data, and
that's Campaigns. How you get it there I don't know, especially with
organizations having their own internal name for a Campaign.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#302 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AD7PoqqNWcq-x1e-IpbD_TzDaC5RJJG9ks5riAhVgaJpZM4MRlJ->.
|
|
Well I'm thinking that if it scans and finds an IP, emails or etc, then they should be simply added to their respective categories. not sure why it's important that the ttp:TitlePhishing</ttp:Title> is not recognized. |
|
@mgoffin: That was my initial thought too, but rarely have I seen a STIX TTP linked to a STIX Threat Actor (let alone with a name you recognize), so typically you don't have any idea which Campaign to put the TTP data in. @chrisfry: I've also thought about putting it in the "Description" field, but I hate just dumping a bunch of text in there. Some TTP structures have quite a bit of text including things like malware descriptions, behavioral attributes, and victim target information. Perhaps putting it there, but making it optional, is the best way to handle it. @mokarimi: Have you looked at the STIX data model to see what a TTP type actually is? Things like IPs and Emails wouldn't typically be found within the TTP structure. There may be a couple things that can be broken out (like Exploit information to the CRITs Exploit TLO), but the rest of the data doesn't have an obvious place to go in CRITs. |
I'm trying to poll a Taxii request from an ISAC, however I get the error:
TTP (Phishing): STIX TTPs are not currently supported
I'm surprised that Phishing and many other TTPs are not already added. With that said, how can I go ahead and add it to my crits instance? I have created a campaign and added phishing to it, but it didn't help.
The text was updated successfully, but these errors were encountered: