Draft
8 July 2024
Editors:
- IMG - Incident Mini Group
Additional artifacts:
- STIX™ Version 2.1 - OS
Related work:
- Incident Core Extension Version 1.0 for STIX™ Version 2.1
- 1. Incidents in STIX
- 2. Extensions
- 3. Additional Sub-Objects Types
- 4. Vocabularies
- 4.1. Asset Type Vocabulary
- 4.2. Detection Methods Vocabulary
- 4.3. Entity Type Vocabulary
- 4.4. Event Type Vocabulary
- 4.5. External Impact Vocabulary
- 4.6. Incident Investigation Open Vocabulary
- 4.7. Information Type Vocabulary
- 4.8. Monetary Impact Type Vocabulary
- 4.9. State Change Type Vocabulary
- 4.10. Task Type Vocabulary
- 5. Enumerations
- 5.1. Event Status Enumeration
- 5.2. Incident Confidentiality Loss Enumeration
- 5.3. Incident Determination Enumeration
- 5.4. Integrity Alteration Enumeration
- 5.5. Physical Impact Enumeration
- 5.6. Recoverability Enumeration
- 5.7. Task Outcome Enumeration
- 5.8. Timestamp Fidelity Enumeration
- 5.9. Traceability Enumeration
- 6. Relationship Summary Table
- Appendix A. Incident Availability Impact Mapping
- Appendix B. Incident Criticality Mapping
- Appendix C. Acknowledgements
- Appendix D. Revision History
Abstract:
The current STIX 2.1 Incident object was defined as a stub with the expectation that it would be fleshed out using extensions, and that in time either a set of core features would be integrated into a future version of STIX or the community would reach consensus to continue using these extensions.
In version 1.0 of the core incident extension, information on impact, events, and tasks was embedded within the Incident object itself; however, this was found to have limitations. Therefore, version 2.0 of this extension separates these components into independent SDOs so that more complex incidents can be modeled accurately.
These extensions allow incidents to be tracked across their life cycle: events are first flagged for investigation, resulting in incidents, and tasks are worked to resolve them. Incidents have impacts that change over time; events can cause or influence these impacts, which are in turn mitigated and potentially resolved by tasks performed as part of the incident response process. Both events and tasks can exist independently of incidents and in most workflows will occur prior to an incident being declared.
1. Incidents in STIX
Incident objects represent cases composed of events and tasks as well as actual or potential impacts. An Incident SDO can be created prior to a formal determination that the incident has an impact as a way to logically track case work in an attempt to investigate events or lower level alerts.
The Incident object should have sufficient properties to represent the current state of the incident or investigation while serving as an anchor point to record both related activities and the impact to an organization.
2. Extensions
2.1. Incident Core
The properties and additional types within the Incident Core Extension are defined below. As this is an extension of a top-level object, common properties such as id are not present here, but are present in the Incident object stub. This extension MUST use extension-definition--ef765651-680c-498d-9894-99799f2fa126 as its extension ID.
Property Name | Type | Description
---|---|---
determination (required) | enum | A high-level determination on the status of this incident. The value of this property SHOULD be suspected until enough information is available to provide a well-researched result. Some automated tools may flag results as blocked or low-value automatically depending on the tool type or activity. For example, a tool that blocks a series of phishing emails may create an incident with a blocked determination automatically. The values of this property MUST come from the incident-determination-enum enumeration.
extension_type (required) | string | The value of this property MUST be property-extension.
investigation_status (required) | open-vocab | The current status of the incident investigation. The values of this property SHOULD come from the incident-investigation-ov open vocabulary.
criticality (optional) | integer | The criticality of the incident. If present, this value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B.
detection_methods (optional) | list of type open-vocab | A list of strings corresponding to the methods used to detect the activity, e.g., commercial tool names, techniques associated with proprietary solutions, human review, external sources, or other methods. These values SHOULD be selected from the detection-methods-ov open vocabulary.
event_refs (optional) | list of type identifier | A list of events tied to this incident. It MUST contain references to one or more event objects. Events can be grouped into sequences based on the next_events_refs property of the relevant event objects. Events that are the first in a sequence are not referenced by the next_events_refs property of any other event object.
impact_refs (optional) | list of type identifier | A list of the impacts of this incident. All objects referenced in this list MUST be impact objects.
incident_types (optional) | list of type open-vocab | A list of the types of incident that occurred, if applicable. The values of this property SHOULD come from the event-type-ov open vocabulary.
recoverability (optional) | enum | The recoverability of this particular incident with respect to feasibility and required time and resources. The value of this property MUST come from the recoverability-enum enumeration.
scores (optional) | list of type incident-score | A list of scores from various automated or manual mechanisms along with optional descriptions.
task_refs (optional) | list of type identifier | A list of tasks tied to this incident. It MUST contain references to one or more task objects. Tasks can be grouped into sequences based on the next_tasks_refs property of the relevant task objects. Tasks that are the first in a sequence are not referenced by the next_tasks_refs property of any other task object.
2.1.1. Relationships
These are the relationships explicitly defined between the Incident object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.
The reverse relationships section illustrates the relationships targeting this object type from another object type.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
Because of this, these relationships can be used with the Incident object as defined in the STIX 2.1 specification.
Common Relationships |
---|
derived-from, duplicate-of, related-to |

Source | Type | Target | Description
---|---|---|---
incident | led-to | incident | One incident led to another.
incident | impacts | identity, infrastructure | The incident has an impact on the victim or specific infrastructure.
incident | attributed-to | intrusion-set, threat-actor | The incident has been attributed to the intrusion set or threat actor.
incident | targets | identity, infrastructure | The incident targets the identity or infrastructure.
incident | located-at | location | The incident occurred at a specific location.

Reverse Relationships | | |
---|---|---|---
Source | Type | Target | Description
campaign | associated-with | incident | The incident is associated with the campaign.
identity | contact-for | incident | The identity should be considered a point of contact for an incident. This relationship is different from the created_by_ref property, which is the creator of the STIX Incident object. Additionally, this can be used to supplement the created_by_ref property in cases where external authorship would prevent using it for this purpose.
indicator | detected | incident | The indicator detected the incident.
2.1.2. Example
{
"type": "incident",
"id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"name": "incident-2173",
"extensions": {
"extension-definition--ef765651-680c-498d-9894-99799f2fa126": {
"extension_type": "property-extension",
"determination": "confirmed",
"investigation_status": "open",
"criticality": 70,
"detection_methods": [
"automated-tools",
"human-review"
],
"event_refs": [
"event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
"event--193a3ea2-32ae-4bfd-b353-16836ab70788",
"event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a",
"event--9ca38544-c247-45d9-9e33-957ba7c9e119"
],
"impact_refs": [
"impact--7a5806e4-0f37-4c48-9a50-7301bff4b195"
],
"impacted_entity_counts": {
"individual": 100,
"employee": 70,
"customer-individual": 30
},
"incident_types": [
"hosting-phishing-sites"
],
"recoverability": "regular",
"scores": [
{
"name": "ExampleSystem Automated Exposure Score",
"value": 75.5,
"description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
}
],
"task_refs": [
"task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
"task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"
]
}
}
}
2.2. Event
An Event is an activity that has a harmful effect, or that will be or has been investigated as potentially having a harmful effect. The activity is not necessarily performed by an attacker; for example, an event could result from a user's or system administrator's mistake. Events can be used to further enrich and explain Sightings by allowing analysts to indicate whether these sightings are part of a potential threat and, if so, how they connect to a larger incident. Some activity described in an Event will be found to be not harmful when investigated.
This new SDO extension MUST use extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e as its extension ID.
As a new SDO extension it must follow the requirements as described in section 7.3.2.2 of the STIX 2.1 specification.
Required Common Properties | created, id, modified, spec_version, type
---|---
Optional Common Properties | created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions
Not Applicable Common Properties | defanged
Event Object Specific Properties | changed_objects, description, end_time, end_time_fidelity, event_types, goal, name, next_events_refs, status, sighting_refs, start_time, start_time_fidelity

Property Name | Type | Description
---|---|---
status (required) | enum | The current status of the event. The values of this property MUST come from the event-status-enum enumeration.
type (required) | string | The value of this property MUST be set to event.
changed_objects (optional) | list of type state-change | A list of changes that this event has caused. This is typically used to indicate how an event has affected impacts.
description (optional) | string | A description of the event that occurred.
end_time (optional) | timestamp | The date and time the event was last recorded. If this is not present it is assumed to be unknown. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.
end_time_fidelity (optional) | enum | The level of fidelity that the end_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.
event_types (optional) | list of type open-vocab | High-level types for the event to enable aggregation and summarization. The values of this property SHOULD come from the event-type-ov open vocabulary.
goal (optional) | string | The assumed goal, objective, desired outcome, or intended effect of this event. Not all events have goals.
name (optional) | string | A name for the event.
next_events_refs (optional) | list of type identifier | A list of the events that directly followed this event. This property is used to group events into sequences, as described for the event_refs property of the Incident Core extension; an event that is not referenced by the next_events_refs property of any other event starts a sequence.
sighting_refs (optional) | list of type identifier | A list of sighting objects that were related to this event. Sightings referenced here SHOULD be based on attack-pattern, indicator, or malware SDOs. The sighting_refs property SHOULD be used to relate an event to an SDO instead of using an SRO. In some cases observed data may be present, but no indicator can be created. In these cases it is recommended to use an attack-pattern using the name or description of the behavior or rule that triggered the sighting.
start_time (optional) | timestamp | The date and time the event was first recorded. If this is not present it is assumed to be unknown. This property SHOULD be populated. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.
start_time_fidelity (optional) | enum | The level of fidelity that the start_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.
2.2.1. Relationships
These are the relationships explicitly defined between the Event object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.
The reverse relationships section illustrates the relationships targeting this object type from another object type.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
To relate events to an incident the event_refs property SHOULD be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally (avoiding potential confusion or misunderstandings when processing STIX data.)
Common Relationships |
---|
derived-from, duplicate-of, related-to |

Source | Type | Target | Description
---|---|---|---
event | causes | impact | The event caused the impact.
event | led-to | task | The event led to performing the task.
event | impacts | infrastructure, any SCO | An event has an impact on specific infrastructure. While not all SCO types will make sense in this relationship, allowing any type of SCO prevents artificially restricting what could be used.
event | located-at | location | The event occurred at a specific location.

Reverse Relationships | | |
---|---|---|---
Source | Type | Target | Description
identity | performed | event | An identity performed a specific event.
indicator | based-on | event | An indicator is based on an event.
malware | performed | event | Malware performed a specific event.
tool | performed | event | A tool performed a specific event.
task | uses | course-of-action | A task uses a particular course of action.
task | blocks | event | A task was performed to block a potential event.
task | causes | event | A task was performed that caused an event, usually due to an error.
2.2.2. Example
{
"type": "event",
"id": "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"status": "ongoing",
"changed_objects": [
{
"state_change_type": "escalation",
"initial_ref": "impact--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
"result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f6d"
}
],
"description": "Phishing attack on company email accounts.",
"end_time": "2023-11-22T15:30:00Z",
"end_time_fidelity": "minute",
"event_types": [
"phishing"
],
"goal": "Gain unauthorized access to sensitive information.",
"name": "Phishing Attack",
"next_events_refs": [
"event--193a3ea2-32ae-4bfd-b353-16836ab70788",
"event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a"
],
"start_time": "2023-11-22T14:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"extension-definition--4ca6de00-5b0d-45ef-a1dc-ea7279ea910e": {
"extension_type": "new-sdo"
}
}
}
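The event_refs and next_events_refs properties described above let a consumer rebuild the sequences of events behind an incident and, as section 2.2.1 notes, check that a shared set of events is complete. The following is an added example, not code from the Incident Core Extension document. The incident and event objects are constructed for the example (they reuse identifiers from this document's examples but carry only the properties the checks need), and the identifier `event--00000000-0000-4000-8000-000000000001` is a hypothetical dangling reference.

```python
"""Rebuild event sequences for an Incident and check that the shared set of
events is complete. Added example; the objects below are constructed and are
not from the extension document."""
from collections import deque
from datetime import datetime

INCIDENT_EXT = "extension-definition--ef765651-680c-498d-9894-99799f2fa126"
NEXT = "next_events_refs"

E1 = "event--68e1e976-7e3b-4233-8bde-1a5dbb17a9a6"
E2 = "event--193a3ea2-32ae-4bfd-b353-16836ab70788"
E3 = "event--d263f0f6-4c6c-4f77-a7fd-10368f0cb50a"
E4 = "event--9ca38544-c247-45d9-9e33-957ba7c9e119"
E_MISSING = "event--00000000-0000-4000-8000-000000000001"  # hypothetical, never shared

# Constructed incident: the property extension lists four events.
INCIDENT = {
    "type": "incident", "id": "incident--b0e7e6a5-6e2c-4a0b-8d5a-8a5e92a5a5bc",
    "extensions": {INCIDENT_EXT: {"extension_type": "property-extension",
                                  "determination": "confirmed",
                                  "investigation_status": "open",
                                  "event_refs": [E1, E2, E3, E4]}}}

# Constructed events: E1 -> E2 -> E3 is a complete chain. E4 points at an event
# that was never added to the bundle, and E3's end_time precedes its start_time.
EVENTS = [
    {"type": "event", "id": E1, "status": "ongoing",
     "start_time": "2023-11-22T14:30:00Z", "end_time": "2023-11-22T15:30:00Z", NEXT: [E2]},
    {"type": "event", "id": E2, "status": "ongoing",
     "start_time": "2023-11-22T15:31:00Z", NEXT: [E3]},
    {"type": "event", "id": E3, "status": "ongoing",
     "start_time": "2023-11-22T15:45:00Z", "end_time": "2023-11-22T15:40:00Z"},
    {"type": "event", "id": E4, "status": "ongoing", NEXT: [E_MISSING]},
]


def _ts(value):
    """Parse a STIX timestamp (RFC 3339 with a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def incident_event_refs(incident):
    return list(incident["extensions"][INCIDENT_EXT].get("event_refs", []))


def sequence_heads(events):
    """An event not named in any other event's next_events_refs starts a sequence."""
    followers = {ref for e in events for ref in e.get(NEXT, [])}
    return [e["id"] for e in events if e["id"] not in followers]


def walk_sequence(head, by_id):
    """Breadth-first walk over next_events_refs. Dangling references are kept
    in the result so the caller can report them, but are not expanded."""
    order, seen, queue = [], set(), deque([head])
    while queue:
        eid = queue.popleft()
        if eid in seen:
            continue
        seen.add(eid)
        order.append(eid)
        queue.extend(by_id.get(eid, {}).get(NEXT, []))
    return order


def check_incident_events(incident, events):
    """Report sequence heads, the full sequences, events referenced but not
    shared, and events whose end_time precedes their start_time."""
    by_id = {e["id"]: e for e in events}
    refs = set(incident_event_refs(incident))
    report = {"heads": [], "sequences": {}, "missing": set(), "time_errors": []}
    for head in sequence_heads(events):
        if head not in refs:
            continue  # an event not tied to this incident
        seq = walk_sequence(head, by_id)
        report["heads"].append(head)
        report["sequences"][head] = seq
        # every event reachable from a shared head must itself be in the bundle
        # and in the incident's event_refs, otherwise the sequence is incomplete
        report["missing"] |= {eid for eid in seq if eid not in by_id or eid not in refs}
    report["missing"] |= refs - set(by_id)  # listed by the incident, absent from bundle
    for e in events:
        if "start_time" in e and "end_time" in e and _ts(e["end_time"]) < _ts(e["start_time"]):
            report["time_errors"].append(e["id"])
    return report


if __name__ == "__main__":
    for key, value in check_incident_events(INCIDENT, EVENTS).items():
        print(f"{key}: {value}")
```

A producer can run the same check before sharing a bundle: a non-empty `missing` set means a sequence would be shared incomplete, which is exactly the situation the embedded event_refs relationship is meant to avoid.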
2.3. Impact
An Impact is the result of the Incident on the victim, captured in the impact_refs property of the Incident object. Impacts fall into several categories: availability of resources, confidentiality of data, integrity of data or resources, monetary, physical damage, damage to others (external), and traceability (auditing).
This new SDO extension MUST use extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9 as its extension ID.
As a new SDO extension it must follow the requirements as described in section 7.3.2.2 of the STIX 2.1 specification.
Required Common Properties | created, id, modified, spec_version, type
---|---
Optional Common Properties | created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions
Not Applicable Common Properties | defanged
Impact Object Specific Properties | impact_category, criticality, description, end_time, end_time_fidelity, impacted_entity_counts, impacted_refs, recoverability, start_time, start_time_fidelity, superseded_by_ref

Property Name | Type | Description
---|---|---
impact_category (required) | string | The category to which the impact belongs. This MUST be either undetermined or match an extension that provides greater details of a specific type of impact, and SHOULD come from the extensions listed in section 2.3.2 of this document. The value can be specified with or without the "-ext" suffix. If this property is set to undetermined then there MUST NOT be an "-ext" extension providing further details for this impact.
type (required) | string | The value of this property MUST be set to impact.
criticality (optional) | integer | The criticality of this impact. If present, this value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B.
description (optional) | string | Additional details about this impact.
end_time (optional) | timestamp | The date and time the impact was last recorded. This property SHOULD be populated if this impact is resolved or mitigated. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value. If the superseded_by_ref property is included, this property MUST be included.
end_time_fidelity (optional) | enum | The level of fidelity that the end_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.
impacted_entity_counts (optional) | dictionary | A listing of the entity types that were impacted and how many of each were affected. If this property is not present it should be assumed that this information is not being shared, not that there were no impacted entities. To affirmatively state that no entities of a given class were impacted, include that class with its count set to 0.
impacted_refs (optional) | list of type identifier | A list of all impacted entities or infrastructure. The values of this property MUST be the identifier of an SDO or SCO.
recoverability (optional) | enum | The recoverability of this particular impact with respect to feasibility and required time and resources. The value of this property MUST come from the recoverability-enum enumeration.
start_time (optional) | timestamp | The date and time this impact was first recorded. This property SHOULD be populated. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value.
start_time_fidelity (optional) | enum | The level of fidelity that the start_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes.
superseded_by_ref (optional) | identifier | The referenced impact supersedes this impact as of its end_time. This allows capturing how the severity of this impact changes over time. When this property is populated, this impact MUST have an end_time, and the superseded_by_ref value MUST reference an impact of the same category as specified in the impact_category property.
2.3.1. Relationships
There are no relationships explicitly defined between the Impact object and other STIX Objects, other than the common relationships (duplicate-of, derived-from, related-to) and the embedded relationships defined by the common SDO properties.
The reverse relationships section illustrates the relationships targeting this object type from another object type.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
Reverse Relationships | | |
---|---|---|---
Source | Type | Target | Description
event | causes | impact | An event causes an impact.
2.3.2. Extensions
There are many types of impacts, each with its own unique properties, therefore the Impact SDO emulates the File SCO through the use of STIX (sub-type) Extensions to provide the granular details of specific categories of impacts. Seven extensions to impact, which further define the impact on a related Incident, are given below. As such, every Impact MUST have the one extension which matches the value of the impact_category property (see this property description above). This allows consumers to quickly validate their ability to process this category of impact and then load all of its specific details.
Because these extensions are used to specify very different types of impacts, producers SHOULD use one and only one of these extensions per Impact object. However, additional extensions might be proposed in the future and might be used in conjunction with one of these.
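The pairing between impact_category and the "-ext" sub-type extension, together with the superseded_by_ref rules in section 2.3, is what a consumer validates before it tries to load an impact's details. The following is an added example written for this page, not code from the extension document. The impact objects are constructed (they reuse identifiers from this document's examples and carry only the properties the checks need); the chain in which one availability impact supersedes another is invented for illustration.

```python
"""Validate the impact_category / '-ext' pairing and follow a superseded_by_ref
chain to the impact that currently applies. Added example; the objects below
are constructed and are not from the extension document."""
from datetime import datetime

IMPACT_SDO_EXT = "extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9"
CATEGORY_EXTS = {"availability-ext", "confidentiality-ext", "external-ext",
                 "integrity-ext", "monetary-ext", "physical-ext", "traceability-ext"}


def category_ext(impact):
    """Name of the sub-type extension implied by impact_category, or None for
    'undetermined'. The category may be written with or without '-ext'."""
    cat = impact["impact_category"]
    if cat == "undetermined":
        return None
    return cat if cat.endswith("-ext") else cat + "-ext"


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_impact(impact, by_id=None):
    """Return the list of constraint violations (empty when the object is sound)."""
    errors, exts = [], impact.get("extensions", {})
    if exts.get(IMPACT_SDO_EXT, {}).get("extension_type") != "new-sdo":
        errors.append("missing new-sdo extension entry")
    present = {k for k in exts if k.endswith("-ext")}
    wanted = category_ext(impact)
    if wanted is None and present:
        errors.append("undetermined impact must not carry a -ext extension")
    elif wanted is not None:
        if wanted not in present:
            errors.append(f"impact_category implies {wanted} but it is absent")
        if len(present) > 1:  # producers SHOULD use exactly one sub-type extension
            errors.append(f"more than one -ext extension present: {sorted(present)}")
        if wanted not in CATEGORY_EXTS:  # SHOULD-level: not one of the seven defined here
            errors.append(f"{wanted} is not one of the defined impact extensions")
    crit = impact.get("criticality")
    if crit is not None and not (isinstance(crit, int) and 0 <= crit <= 100):
        errors.append("criticality must be an integer in 0..100")
    if "start_time" in impact and "end_time" in impact \
            and _ts(impact["end_time"]) < _ts(impact["start_time"]):
        errors.append("end_time precedes start_time")
    ref = impact.get("superseded_by_ref")
    if ref is not None:
        if "end_time" not in impact:
            errors.append("superseded_by_ref requires end_time")
        target = (by_id or {}).get(ref)
        if target is None:
            errors.append(f"superseded_by_ref {ref} not in bundle")
        elif category_ext(target) != wanted:
            errors.append("superseded_by_ref must point at an impact of the same category")
    return errors


def current_impact(impact, by_id):
    """Follow superseded_by_ref to the newest impact in the chain (cycle-safe)."""
    seen = set()
    while impact.get("superseded_by_ref") in by_id and impact["id"] not in seen:
        seen.add(impact["id"])
        impact = by_id[impact["superseded_by_ref"]]
    return impact


def _impact(iid, category, ext_name, ext_body, **extra):
    """Build a constructed impact object with the new-sdo entry and one sub-type extension."""
    obj = {"type": "impact", "id": iid, "spec_version": "2.1", "impact_category": category,
           "extensions": {IMPACT_SDO_EXT: {"extension_type": "new-sdo"}}}
    if ext_name:
        obj["extensions"][ext_name] = ext_body
    obj.update(extra)
    return obj


# Constructed chain: the initial outage (90) is superseded by a degraded state (40).
FIRST = _impact("impact--de425325-5ac8-4f4b-ace7-054301b80863", "availability",
                "availability-ext", {"availability_impact": 90}, criticality=70,
                start_time="2023-11-22T15:30:00Z", end_time="2023-11-22T16:00:00Z",
                superseded_by_ref="impact--7a5806e4-0f37-4c48-9a50-7301bff4b195")
SECOND = _impact("impact--7a5806e4-0f37-4c48-9a50-7301bff4b195", "availability-ext",
                 "availability-ext", {"availability_impact": 40}, criticality=30,
                 start_time="2023-11-22T16:00:00Z")
# Mislabelled: the category says confidentiality, but only availability-ext is present.
BAD = _impact("impact--c08d9e5a-ba7e-465c-96d5-659683aa9395", "confidentiality",
              "availability-ext", {"availability_impact": 10})
# An undetermined impact carries no sub-type extension at all.
UNKNOWN = _impact("impact--765719be-0e65-4c40-8024-a7295c90da35", "undetermined", None, None)
BY_ID = {i["id"]: i for i in (FIRST, SECOND, BAD, UNKNOWN)}

if __name__ == "__main__":
    for obj in BY_ID.values():
        print(obj["id"], validate_impact(obj, BY_ID) or "ok")
    print("current:", current_impact(FIRST, BY_ID)["id"])
```

Note that FIRST writes its category as `availability` and SECOND as `availability-ext`; both normalize to the same extension name, which is why the supersession check accepts the pair.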
2.3.2.1. Availability Impact Extension
Type Name: availability-ext
Property Name | Type | Description
---|---|---
availability_impact (required) | integer | The availability / functional impact of the related incident on the objects referenced in impacted_refs. If no objects are referenced, the impact should be treated as the overall availability impact for the related incident. This value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix A.
2.3.2.1.1. Availability Impact Example
{
"type": "impact",
"id": "impact--de425325-5ac8-4f4b-ace7-054301b80863",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"impact_category": "availability",
"criticality": 70,
"description": "Loss of availability for a critical service.",
"end_time": "2023-11-22T16:00:00Z",
"end_time_fidelity": "minute",
"impacted_entity_counts": {
"system": 1
},
"impacted_refs": [
"infrastructure--11c25d0e-48f5-4491-960a-0da71c4e0d16"
],
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"availability-ext": {
"availability_impact": 90
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.3.2.2. Confidentiality Impact Extension
Type Name: confidentiality-ext
Property Name | Type | Description
---|---|---
loss_type (required) | enum | The type of loss that occurred with respect to the relevant information. The values of this property MUST come from the incident-confidentiality-loss-enum enumeration.
information_type (optional) | open-vocab | The type of information that had its confidentiality compromised. This can include information about control systems and other processes that can result in other impacts. The value of this property SHOULD come from the information-type-ov open vocabulary. This value MUST be included if the loss_type is not none. Otherwise, including an entry with a loss_type of none and no information_type indicates that no information had its confidentiality impacted by the related incident.
record_count (optional) | integer | The number of records of this information type that were compromised. The value of this property MUST NOT be negative.
record_size (optional) | integer | The amount of data that was compromised, in bytes. The value of this property MUST NOT be negative.
2.3.2.2.1. Confidentiality Impact Example
{
"type": "impact",
"id": "impact--c08d9e5a-ba7e-465c-96d5-659683aa9395",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"impact_category": "confidentiality-ext",
"criticality": 80,
"description": "Confidential customer data was leaked.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"confidentiality-ext": {
"information_type": "customer-data",
"loss_type": "confirmed-loss",
"record_count": 1000
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.3.2.3. External Impact Extension
Type Name: external-ext
Property Name | Type | Description
---|---|---
impact_type (required) | open-vocab | The type of impact outside of the targeted organization. The value of this property SHOULD come from the external-impact-ov open vocabulary.
2.3.2.3.1. External Impact Example
{
"type": "impact",
"id": "impact--765719be-0e65-4c40-8024-a7295c90da35",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"impact_category": "external-ext",
"criticality": 60,
"description": "Negative impact on the company's reputation.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"external-ext": {
"impact_type": "reputation"
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.3.2.4. Integrity Impact Extension
Type Name: integrity-ext
Property Name | Type | Description
---|---|---
alteration (required) | enum | The type of alteration affecting the integrity of the information. The value of this property MUST come from the integrity-alteration-enum enumeration.
information_type (optional) | open-vocab | The type of information that had its integrity compromised. This can include information about control systems and other processes that can result in other impacts. The value of this property SHOULD come from the information-type-ov open vocabulary. This value MUST be included if the alteration is not none. Otherwise, including an entry with an alteration of none and no information_type indicates that no information had its integrity impacted by the related incident.
record_count (optional) | integer | The number of records of this type that were compromised. The value of this property MUST NOT be negative.
record_size (optional) | integer | The amount of data that was compromised, in bytes. The value of this property MUST NOT be negative.
2.3.2.4.1. Integrity Impact Example
{
"type": "impact",
"id": "impact--72047fc7-1b34-4cc2-aea7-61b90cdb832d",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"impact_category": "integrity-ext",
"criticality": 75,
"description": "Unauthorized modification of financial records.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"integrity-ext": {
"alteration": "full-modification",
"information_type": "financial-records",
"record_count": 500
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.3.2.5. Monetary Impact Extension
Type Name: monetary-ext
Property Name | Type | Description
---|---|---
variety (required) | open-vocab | The variety of this monetary impact. The value of this property SHOULD come from the monetary-impact-type-ov open vocabulary.
conversion_rate (optional) | float | The conversion rate between the currency and currency_actual properties. This MUST NOT be included if the currency_actual property is not included. This MUST be included if the currency_actual property is included. This value MUST be greater than zero. If this property is provided, the conversion_time property MUST also be provided.
conversion_time (optional) | timestamp | The timestamp corresponding to the conversion rate from the currency property to the currency_actual property. This MUST be included if a conversion_rate property is included.
currency (optional) | string | The currency used for reporting the max_amount and min_amount property values. This SHOULD be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency. This SHOULD match the currency of the organization or the government producing the report. This value MUST be included if the min_amount property is included.
currency_actual (optional) | string | The currency that the impact actually used. For ransom demands this should be the currency of the demand. If this is not included it should be assumed to be the same value as the currency property. If this is included then the currency property MUST be included. This SHOULD be an ISO 4217 alpha currency code or the official currency code for the relevant cryptocurrency.
max_amount (optional) | float | The maximum monetary amount of the impact using the currency specified in the currency property. This value MUST be greater than zero. This value MUST be included if the min_amount property is included. If the min_amount and max_amount properties are both defined, then the max_amount value MUST be greater than or equal to the min_amount value.
min_amount (optional) | float | The minimum monetary amount of the impact using the currency specified in the currency property. This value MUST be greater than zero. This value MUST be included if the max_amount property is included. If the min_amount and max_amount properties are both defined, then the max_amount value MUST be greater than or equal to the min_amount value.
2.3.2.5.1. Monetary Impact Example
{
"type": "impact",
"id": "impact--562c7b03-3c27-4adf-8580-57ecce6687c8",
"created": "2023-11-22T15:30:00.000Z",
"modified": "2023-11-22T15:30:00.000Z",
"spec_version": "2.1",
"impact_category": "monetary",
"criticality": 85,
"description": "Financial loss due to a ransomware attack.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"monetary-ext": {
"variety": "ransom",
"currency": "USD",
"min_amount": 10000,
"max_amount": 15000
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
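The monetary-ext properties carry several co-occurrence rules (amounts travel in pairs and need a currency; currency_actual, conversion_rate and conversion_time travel together), and a consumer that wants to compare ransom demands across reports has to check them before trusting the numbers. The following is an added example written for this page, not code from the extension document. The extension bodies are constructed; the currency-code test is a lenient shape check (two to ten upper-case letters) rather than a lookup against the ISO 4217 list, and the direction of conversion_rate is not defined on this page, so only its positivity is checked.

```python
"""Check the co-occurrence rules of the monetary-ext extension body. Added
example; the sample bodies below are constructed and are not from the
extension document."""
import re
from datetime import datetime

# Assumption: a lenient shape check standing in for an ISO 4217 / crypto code lookup.
_CODE = re.compile(r"^[A-Z]{2,10}$")


def _parses(value):
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except (ValueError, AttributeError):
        return False


def validate_monetary_ext(m):
    """Return the list of violated MUST/SHOULD rules for a monetary-ext body."""
    errors = []
    if "variety" not in m:
        errors.append("variety is required")
    has_min, has_max = "min_amount" in m, "max_amount" in m
    if has_min != has_max:
        errors.append("min_amount and max_amount must be given together")
    if has_min and "currency" not in m:
        errors.append("currency is required when amounts are given")
    for key in ("min_amount", "max_amount"):
        if key in m and not m[key] > 0:
            errors.append(f"{key} must be greater than zero")
    if has_min and has_max and m["max_amount"] < m["min_amount"]:
        errors.append("max_amount must be >= min_amount")
    has_actual, has_rate = "currency_actual" in m, "conversion_rate" in m
    if has_actual and "currency" not in m:
        errors.append("currency_actual requires currency")
    if has_actual != has_rate:
        errors.append("currency_actual and conversion_rate must be given together")
    if has_rate:
        if not m["conversion_rate"] > 0:
            errors.append("conversion_rate must be greater than zero")
        if "conversion_time" not in m:
            errors.append("conversion_rate requires conversion_time")
        elif not _parses(m["conversion_time"]):
            errors.append("conversion_time is not a valid timestamp")
    for key in ("currency", "currency_actual"):  # SHOULD-level code shape
        if key in m and not _CODE.match(str(m[key])):
            errors.append(f"{key} should be a currency code")
    return errors


def effective_currency(m):
    """Currency the impact actually used; defaults to the reporting currency."""
    return m.get("currency_actual", m.get("currency"))


# Constructed bodies: a ransom demand made in BTC but reported in USD, and two
# bodies that break a rule each.
GOOD = {"variety": "ransom", "currency": "USD", "currency_actual": "BTC",
        "conversion_rate": 0.000027, "conversion_time": "2023-11-22T15:30:00Z",
        "min_amount": 10000, "max_amount": 15000}
BAD_RANGE = {"variety": "ransom", "currency": "USD", "min_amount": 15000, "max_amount": 10000}
BAD_ACTUAL = {"variety": "ransom", "currency": "USD", "currency_actual": "BTC",
              "min_amount": 10000, "max_amount": 15000}

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD_RANGE", BAD_RANGE), ("BAD_ACTUAL", BAD_ACTUAL)):
        print(name, effective_currency(body), validate_monetary_ext(body) or "ok")
```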
2.3.2.6. Physical Impact Extension
Type Name: physical-ext
Property Name | Type | Description
---|---|---
impact_type (required) | enum | The type of physical impact that has occurred. The value of this property MUST come from the physical-impact-enum enumeration.
asset_type (optional) | open-vocab | The type of property or system that was affected by this impact. The value of this property SHOULD come from the asset-type-ov open vocabulary. This value MUST be included if the impact_type is not none. Otherwise, including an entry with an impact_type of none and no asset_type indicates that no physical damage was caused by the related incident.
2.3.2.6.1. Physical Impact Example
{
"type": "impact",
"id": "impact--738492bd-288b-48c9-ad2a-83230d2dee86",
"created": "2023-11-22T15:30:00.123Z",
"modified": "2023-11-22T15:30:00.446Z",
"spec_version": "2.1",
"impact_category": "physical",
"criticality": 95,
"description": "Physical damage to a power plant.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"physical-ext": {
"impact_type": "destruction",
"asset_type": "power-plant"
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.3.2.7. Traceability Impact Extension
Type Name: traceability-ext
Property Name | Type | Description
---|---|---
traceability_impact (required) | enum | The impact on a system or organization's ability to perform audits or provide non-repudiation. The value of this property MUST come from the traceability-enum enumeration.
2.3.2.7.1. Traceability Impact Example
{
"type": "impact",
"id": "impact--ef58b184-e4b8-4f1f-9ac3-f22aff3f9459",
"created": "2023-11-22T15:30:00.628Z",
"modified": "2023-11-22T15:30:00.845Z",
"spec_version": "2.1",
"impact_category": "traceability",
"criticality": 65,
"description": "Loss of audit logs due to a cyber attack.",
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"traceability-ext": {
"traceability_impact": "partial-accountability"
},
"extension-definition--7cc33dd6-f6a1-489b-98ea-522d351d71b9": {
"extension_type": "new-sdo"
}
}
}
2.4. Task
A Task is an activity that is performed by or for the victim/defender to respond to the related incident.
This new SDO extension MUST use extension-definition--2074a052-8be4-4932-849e-f5e7798e0030 as its extension ID.
As a new SDO extension it MUST follow the requirements described in section 7.3.2.2 of the STIX 2.1 specification.
Required Common Properties | created, id, modified, spec_version, type |
Optional Common Properties | created_by_ref, revoked, labels, confidence, lang, external_references, object_marking_refs, granular_markings, extensions |
Not Applicable Common Properties | defanged |
Task Object Specific Properties | task_types, affected_entity_counts, changed_objects, description, end_time, end_time_fidelity, error, name, next_tasks_refs, outcome, priority, start_time, start_time_fidelity |
Property Name | Type | Description |
---|---|---|
outcome (required) | enum | The outcome of the task. The value of this property MUST come from the task-outcome-enum enumeration. |
type (required) | string | The value of this property MUST be set to task. |
changed_objects (optional) | list of type state-change | A list of changes that this task has caused. This is typically used to indicate how a task has affected impacts. |
task_types (optional) | list of type open-vocabulary | A list of high level types for the task in order to enable aggregation and summaries. The values of this property SHOULD come from the task-type-ov open vocabulary. |
description (optional) | string | A description of the task. |
end_time (optional) | timestamp | The date and time the task was last recorded. If this is not present it is assumed to be unknown. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value. |
end_time_fidelity (optional) | enum | The level of fidelity that the end_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. |
error (optional) | string | Details about any failures or deviations that occurred in the task. |
affected_entity_counts (optional) | entity-count | A listing of the entity types and how many of each were affected. This is primarily used when recording victim notifications. |
name (optional) | string | A name used to identify the task. |
next_tasks_refs (optional) | list of type identifier | A list of identifiers of the Task objects that follow this task in sequence. |
priority (optional) | integer | The priority or importance of the task. This value MUST be an integer between 0 and 100. This can be translated into qualitative values as described in Appendix B. |
start_time (optional) | timestamp | The date and time the task was first recorded. If this is not present it is assumed to be unknown. This property SHOULD be populated. If the start_time and end_time properties are both defined, then the end_time value MUST be the same as or later than the start_time value. |
start_time_fidelity (optional) | enum | The level of fidelity that the start_time property is recorded in. This value MUST come from the timestamp-fidelity-enum enumeration. If no value is provided the timestamp should be considered to be accurate up to the number of decimal digits it includes. |
2.4.1. Relationships
These are the relationships explicitly defined between the Task object and other STIX Objects. The table identifies the relationships that can be made from this object type to another object type by way of the Relationship object.
The reverse relationships section illustrates the relationships targeting this object type from another object type.
Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
To relate tasks to an incident the task_refs property SHOULD be used. Using these embedded relationships ensures that an incomplete sequence cannot be shared accidentally, avoiding potential confusion or misunderstandings when processing STIX data.
Common Relationships | | | |
---|---|---|---|
derived-from, duplicate-of, related-to | | | |
Source | Type | Target | Description |
task | uses | course-of-action | A task uses a particular course of action. |
task | blocks | event | A task was performed to block a potential event. |
task | causes | event | A task was performed that caused an event, usually due to an error. |
task | detects | event | A task was used to detect an event. |
task | creates | indicator | A task was performed that created an indicator. |
task | impacts | infrastructure | A task has an impact on specific infrastructure. |
task | located-at | location | The task occurred at a specific location. |
Reverse Relationships | | | |
---|---|---|---|
Source | Type | Target | Description |
event | led-to | task | The event led to performing the task. |
identity | assigned | task | An identity has been assigned the task. |
identity | contact-for | task | An identity is a point of contact for this task. |
identity | participated-in | task | An identity participated in a specific task, but not as the primary performer. |
identity | performed | task | An identity performed a specific task. |
tool | performed | task | A tool performed a specific task. |
2.4.2. Example
{
"type": "task",
"id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
"created": "2023-11-22T15:30:00.529Z",
"modified": "2023-11-22T15:30:00.811Z",
"spec_version": "2.1",
"outcome": "successful",
"changed_objects": [
{
"state_change_type": "mitigated",
"initial_ref": "impact--f3e1a6f3-1a95-457a-84a7-887c2d9e5e7c",
"result_ref": "impact--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62"
}
],
"description": "Mitigated the impact of the phishing attack.",
"end_time": "2023-11-22T16:30:00Z",
"end_time_fidelity": "minute",
"task_types": [
"containment"
],
"name": "Mitigation Task",
"next_tasks_refs": [
"task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"
],
"priority": 80,
"start_time": "2023-11-22T15:30:00Z",
"start_time_fidelity": "minute",
"extensions": {
"extension-definition--2074a052-8be4-4932-849e-f5e7798e0030": {
"extension_type": "new-sdo"
}
}
}
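The rules in the property table above (required properties, the extension ID, the priority range, start_time/end_time ordering, the task-type-ov SHOULD) and the next_tasks_refs chaining are the sort of thing a consumer should check before accepting or forwarding Task objects. The following is an added example written for this page, not code from the specification or from any STIX library: validate_task and order_tasks are names chosen here, the MITIGATION and NOTIFICATION objects are constructed sample data (the first mirrors the example in 2.4.2), and the task-outcome-enum and timestamp-fidelity-enum values are not checked because those enumerations are defined in sections 5.7 and 5.8 rather than reproduced here. order_tasks also reports references to Tasks absent from the set, which is the "incomplete sequence" case mentioned under Relationships.

```python
import re
from datetime import datetime

# Extension definition identifier the Task SDO MUST carry (section 2.4).
TASK_EXT_ID = "extension-definition--2074a052-8be4-4932-849e-f5e7798e0030"
REQUIRED_COMMON = ("created", "id", "modified", "spec_version", "type")
# task-type-ov (section 4.10); task_types SHOULD come from this set.
TASK_TYPE_OV = {
    "administrative", "attribution", "containment", "declared", "detected", "eradication",
    "escalated", "exercised-control", "external-intelligence", "external-outreach",
    "external-support", "implemented-control", "investigation", "negotiation",
    "playbook-execution", "playbook-step-execution", "ransom-payment", "recovery",
    "reported", "routine-updates", "victim-notification",
}
# STIX identifier: <object-type>--<uuid>
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def parse_timestamp(value):
    """Parse a STIX timestamp (RFC 3339, UTC, trailing 'Z', optional fraction)."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"{value!r} is not a UTC timestamp ending in 'Z'")
    return datetime.fromisoformat(value[:-1] + "+00:00")

def validate_task(task):
    """Return (errors, warnings): MUST violations are errors, SHOULDs are warnings."""
    errors, warnings = [], []
    for prop in REQUIRED_COMMON:
        if prop not in task:
            errors.append(f"missing required common property {prop!r}")
    if task.get("type") != "task":
        errors.append("type MUST be 'task'")
    tid = task.get("id", "")
    if not (tid.startswith("task--") and ID_RE.match(tid)):
        errors.append("id MUST have the form task--<uuid>")
    if task.get("extensions", {}).get(TASK_EXT_ID, {}).get("extension_type") != "new-sdo":
        errors.append(f"extensions MUST contain {TASK_EXT_ID} with extension_type 'new-sdo'")
    if "outcome" not in task:
        errors.append("outcome is required (task-outcome-enum)")
    priority = task.get("priority")  # bool is an int subclass, so reject it explicitly
    if priority is not None and (isinstance(priority, bool) or priority not in range(101)):
        errors.append("priority MUST be an integer between 0 and 100")
    start, end = task.get("start_time"), task.get("end_time")
    if start is None:
        warnings.append("start_time SHOULD be populated")
    try:
        if start is not None and end is not None and parse_timestamp(end) < parse_timestamp(start):
            errors.append("end_time MUST be the same as or later than start_time")
    except ValueError as exc:
        errors.append(str(exc))
    for ref in task.get("next_tasks_refs", []):
        if not (isinstance(ref, str) and ref.startswith("task--") and ID_RE.match(ref)):
            errors.append(f"next_tasks_refs entry {ref!r} is not a Task identifier")
    for value in task.get("task_types", []):
        if value not in TASK_TYPE_OV:
            warnings.append(f"task_types value {value!r} is not in task-type-ov")
    return errors, warnings

def order_tasks(tasks):
    """Walk next_tasks_refs: traversal order, dangling refs (incomplete sequence), cycle members."""
    by_id = {t["id"]: t for t in tasks}
    referenced = {ref for t in tasks for ref in t.get("next_tasks_refs", [])}
    sequence, cycle = [], set()

    def visit(tid, path):
        if tid in path:  # back at an ancestor on the current path: cycle
            cycle.update(path[path.index(tid):])
            return
        if tid in sequence or tid not in by_id:
            return
        sequence.append(tid)
        for nxt in by_id[tid].get("next_tasks_refs", []):
            visit(nxt, path + [tid])

    # Start from Tasks nothing points to, then sweep up Tasks reachable only via a cycle.
    for t in tasks:
        if t["id"] not in referenced:
            visit(t["id"], [])
    for tid in by_id:
        visit(tid, [])
    return {"sequence": sequence, "dangling": sorted(referenced - set(by_id)), "cycle": sorted(cycle)}

# Constructed sample objects; MITIGATION mirrors the example in section 2.4.2.
MITIGATION = {
    "type": "task", "id": "task--4e1e2a5a-6b3c-4d5e-8f6a-9e7b8a9a5b6c",
    "created": "2023-11-22T15:30:00.529Z", "modified": "2023-11-22T15:30:00.811Z",
    "spec_version": "2.1", "outcome": "successful", "name": "Mitigation Task",
    "task_types": ["containment"], "priority": 80,
    "start_time": "2023-11-22T15:30:00Z", "start_time_fidelity": "minute",
    "end_time": "2023-11-22T16:30:00Z", "end_time_fidelity": "minute",
    "next_tasks_refs": ["task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7"],
    "extensions": {TASK_EXT_ID: {"extension_type": "new-sdo"}},
}
NOTIFICATION = {
    "type": "task", "id": "task--1cb3fbba-3216-4fd7-a1c2-b33473d20ed7",
    "created": "2023-11-22T16:35:00.000Z", "modified": "2023-11-22T16:35:00.000Z",
    "spec_version": "2.1", "outcome": "successful", "name": "Victim notification",
    "task_types": ["victim-notification"], "start_time": "2023-11-22T16:35:00Z",
    "affected_entity_counts": {"customer-individual": 30},
    "extensions": {TASK_EXT_ID: {"extension_type": "new-sdo"}},
}
```

Run order_tasks over the set of Tasks you are about to share: a non-empty "dangling" list means a next_tasks_refs target is missing from the set, which is exactly the partial sequence the embedded-reference design is meant to prevent; a non-empty "cycle" list means the chain never terminates.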
3. Additional Sub-Objects Types
3.1. Entity Count Type
Type Name: entity-count
The Entity Count type represents the count of one or more entity types. It is a dictionary in which each key MUST be the name of an entity type and the corresponding value MUST be the count of entities of that type. Each key SHOULD come from the entity-type-ov open vocabulary. Each value MUST be an integer that is equal to or greater than zero.
Examples:
100 individuals, 70 employees, 30 customers
{
"individual": 100,
"employee": 70,
"customer-individual": 30
}
1000 systems, 10 organizations
{
"organization": 10,
"system": 1000
}
0 individuals
{
"individual": 0
}
3.2. Incident Score Object Type
Type Name: incident-score
Property Name | Type | Description |
---|---|---|
name (required) | string | The name of the score. This is normally a system or process name or some combination of these, such as "<Tool Name> Automated Exposure Score". |
value (required) | float | The numeric score. |
description (optional) | string | A description of how this score was calculated by the system, if that information is provided. |
3.2.1. Example
{
"name": "ExampleSystem Automated Exposure Score",
"value": 75.5,
"description": "The score is calculated based on the severity of the incident and the potential impact on the organization."
}
3.3. State Change Object Type
Type Name: state-change
At least one of the initial_ref and result_ref properties MUST be populated.
Property Name | Type | Description |
---|---|---|
state_change_type (required) | open-vocabulary | How this activity influenced the change in state between initial_ref and result_ref. The value of this property SHOULD come from the state-change-type-ov open vocabulary. |
initial_ref (optional) | identifier | The initial object state that this event or task affected. It MUST be an SDO. To capture a changing SCO, the Observed Data SDO must be used. If the result_ref property is not populated then this MUST be populated. If there is no result state this typically means that this event/task removed or resolved the initial object; for example, a task resolved a network outage. If both are present this indicates a transition between these states; for example, a confidentiality impact was made worse as the information was shared further. If the result_ref property is populated this MUST reference the same type of SDO. |
result_ref (optional) | identifier | The final state that this event or task influenced. If the initial_ref property is not populated then this MUST be populated. If there is no initial state it typically means that this event/task caused or created the result; for example, an event causing a network outage. If the initial_ref property is populated this MUST reference the same type of SDO. |
3.3.1. Example
{
"state_change_type": "escalation",
"initial_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
"result_ref": "incident--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62"
}
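The two sub-object types above carry rules that are easy to get wrong in hand-built or generated content: entity-count values must be non-negative integers, and a state-change must populate at least one of initial_ref/result_ref, must point at SDOs of the same type, must not point at an SCO directly, and (per the state-change-type-ov in section 4.9) needs initial_ref for input and result_ref for output. The following is an added example for this page, not code from the specification: validate_entity_count and validate_state_change are names chosen here, the SCO type list is the STIX 2.1 Cyber-observable Object set, and the sample sub-objects are constructed (the first entity-count and the escalation state-change are the examples from 3.1 and 3.3.1; the other two are deliberately wrong). Note that the 3.3.1 example's state_change_type of escalation is not in state-change-type-ov, which the check reports as a warning rather than an error because the vocabulary is a SHOULD.

```python
import re

# entity-type-ov (section 4.3); entity-count keys SHOULD come from this set.
ENTITY_TYPE_OV = {
    "computers-mobile", "computers-personal", "computers-server", "customer",
    "customer-individual", "customer-organization", "domain-controller", "employee",
    "group", "ics-actuator", "ics-engineering-workstation", "ics-historian", "ics-hmi",
    "ics-other", "ics-plc", "ics-safety-system", "ics-sensor", "individual",
    "network-device", "organization", "system", "vehicles",
}
# state-change-type-ov (section 4.9).
STATE_CHANGE_TYPE_OV = {"caused", "contributed-to", "input", "mitigated", "output", "resolved"}
# STIX 2.1 Cyber-observable Object types: a state-change MUST NOT reference these directly.
SCO_TYPES = {
    "artifact", "autonomous-system", "directory", "domain-name", "email-addr", "email-message",
    "file", "ipv4-addr", "ipv6-addr", "mac-addr", "mutex", "network-traffic", "process",
    "software", "url", "user-account", "windows-registry-key", "x509-certificate",
}
# STIX identifier: <object-type>--<uuid>; group 1 captures the object type.
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def validate_entity_count(counts):
    """entity-count: dictionary of entity type -> integer count >= 0. Returns (errors, warnings)."""
    errors, warnings = [], []
    if not isinstance(counts, dict) or not counts:
        return ["entity-count MUST be a dictionary with at least one entity type"], warnings
    for key, value in counts.items():
        # bool is a subclass of int in Python, so True/False must be rejected explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"count for {key!r} MUST be an integer >= 0")
        if key not in ENTITY_TYPE_OV:
            warnings.append(f"entity type {key!r} is not in entity-type-ov")
    return errors, warnings

def validate_state_change(change):
    """state-change: reference rules from 3.3 plus the input/output rules from 4.9."""
    errors, warnings = [], []
    kind = change.get("state_change_type")
    if kind is None:
        errors.append("state_change_type is required")
    elif kind not in STATE_CHANGE_TYPE_OV:
        warnings.append(f"state_change_type {kind!r} is not in state-change-type-ov")
    initial, result = change.get("initial_ref"), change.get("result_ref")
    if initial is None and result is None:
        errors.append("initial_ref or result_ref MUST be populated")
    types = {}
    for name, ref in (("initial_ref", initial), ("result_ref", result)):
        if ref is None:
            continue
        match = ID_RE.match(ref) if isinstance(ref, str) else None
        if not match:
            errors.append(f"{name} {ref!r} is not a STIX identifier")
            continue
        types[name] = match.group(1)
        if match.group(1) in SCO_TYPES:
            errors.append(f"{name} MUST reference an SDO; wrap an SCO in observed-data")
    if len(types) == 2 and types["initial_ref"] != types["result_ref"]:
        errors.append("initial_ref and result_ref MUST reference the same type of SDO")
    if kind == "input" and initial is None:
        errors.append("state_change_type 'input' requires initial_ref")
    if kind == "output" and result is None:
        errors.append("state_change_type 'output' requires result_ref")
    return errors, warnings

# Constructed samples; NOTIFIED and ESCALATION are the examples from 3.1 and 3.3.1.
NOTIFIED = {"individual": 100, "employee": 70, "customer-individual": 30}
ESCALATION = {
    "state_change_type": "escalation",  # not in state-change-type-ov: a warning, not an error
    "initial_ref": "incident--d1e4f6c7-3b1a-4b5c-8a5a-9e7b8a9a5b6c",
    "result_ref": "incident--c1f2d3e4-5b6c-4a8d-9e0a-1b2c3d4e5f62",
}
# Playbook step recorded as 'output' but missing the result grouping it claims to produce.
PLAYBOOK_OUTPUT = {"state_change_type": "output",
                   "initial_ref": "grouping--0d1f5d4e-2b3a-4c5d-8e9f-0a1b2c3d4e5f"}
# Points straight at a File SCO instead of the Observed Data SDO that should wrap it.
SCO_CHANGE = {"state_change_type": "caused",
              "result_ref": "file--9d2b6e3c-1a4f-4b8c-9d0e-1f2a3b4c5d6e"}
```

Keep errors and warnings separate when wiring this into ingestion: a MUST violation is a reason to reject the object, while an off-vocabulary value is a reason to flag it for review, since open vocabularies are explicitly allowed to grow.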
4. Vocabularies
4.1. Asset Type Vocabulary
Type Name: asset-type-ov
Vocabulary Value | Description |
---|---|
building-doors |
Doors within buildings or structures. |
building-windows |
The exterior or interior windows of buildings or structures. |
buildings |
Entire buildings or structures. |
computers-mobile |
Mobile devices such as smartphones. |
computers-personal |
Workstations or laptops owned by an organization. |
computers-server |
Servers owned by an organization. |
environment |
Land, environment or the ability of either to support humans or wildlife. |
ics-actuator |
Actuator for industrial control systems. |
ics-engineering-workstation |
Engineering workstation for industrial control systems. |
ics-historian |
Historian for industrial control systems. |
ics-hmi |
Human machine interfaces for industrial control systems. |
ics-other |
Other Industrial control systems. |
ics-plc |
Programmable logic controller for industrial control systems. |
ics-safety-system |
Safety system for industrial control systems. |
ics-sensor |
Sensor for industrial control systems. |
inventory |
Stocks of goods to be sold or consumed. |
network-device |
Switches, routers, and wireless communication towers. |
private-infrastructure |
Privately owned infrastructure such as roads, plumbing, railways, pipelines and electrical infrastructure. |
public-infrastructure |
Publicly owned infrastructure such as roads, plumbing, railways, pipelines and electrical infrastructure. |
security-containers |
Safes or other security containers. |
vehicles |
Vehicles of various types including cars, trains, and planes. |
4.2. Detection Methods Vocabulary
Type Name: detection-methods-ov
Vocabulary Value | Description |
---|---|
automated-tool |
An incident is detected by an automated tool. If this option is used it is generally useful to also include a separate entry for the tool itself. |
commercial-solution |
A commercial tool or provider detected this incident. This can be combined with other methods including automated-tool to allow greater fidelity. |
external-notification |
An external entity detected this incident and notified the impacted organization. |
human-review |
An incident is detected by human threat hunting. |
message-from-attacker |
Notification comes from a message provided by the attacker, including an email, a note left on a system, or a popup message. |
propriety-solution |
An internally developed tool or process detected this incident. This can be combined with other methods including automated-tool to allow greater fidelity. |
system-outage |
An incident is detected because a system is no longer available. |
user-reporting |
One or more users report an incident. |
4.3. Entity Type Vocabulary
Type Name: entity-type-ov
Vocabulary Value | Description |
---|---|
computers-mobile |
Mobile devices such as smartphones. |
computers-personal |
Workstations or laptops owned by an organization. |
computers-server |
Servers owned by an organization. |
customer |
A customer or client. This can be an individual or an organization. |
customer-individual |
A customer or client that is an individual. |
customer-organization |
A customer or client that is a business or other organization. |
domain-controller |
A Windows domain controller. |
employee |
An employee of an organization. |
group |
An informal collection of people, without formal governance, such as a distributed hacker group. |
ics-actuator |
Actuator for industrial control systems. |
ics-engineering-workstation |
Engineering workstation for industrial control systems. |
ics-historian |
Historian for industrial control systems. |
ics-hmi |
Human machine interfaces for industrial control systems. |
ics-other |
Other Industrial control systems. |
ics-plc |
Programmable logic controller for industrial control systems. |
ics-safety-system |
Safety system for industrial control systems. |
ics-sensor |
Sensor for industrial control systems. |
individual |
A single person. |
network-device |
Switches, routers, and wireless communication towers. |
organization |
A formal organization of people, with governance, such as a company or country. |
system |
A computer system, such as a SIEM. |
vehicles |
Vehicles of various types including cars, trains, and planes. |
4.4. Event Type Vocabulary
This vocabulary draws from numerous sources, including heavily from MISP taxonomies.
These include:
Type Name: event-type-ov
Vocabulary Value | Description |
---|---|
aggregation-information-phishing-schemes |
Collecting data obtained through phishing attacks on web pages, email accounts, etc… |
benign |
The event was neither dangerous nor malicious and was not suspected to be malicious or dangerous. |
blocked |
The event was suspected to be malicious and was blocked. |
brute-force-attempt |
Unsuccessful login attempt by using sequential credentials for gaining access to the system. |
c&c-server-hosting |
Hosting a command and control (C&C) server for malware. |
compromised-system |
Attackers obtained control of a compromised system. |
confirmed |
The event was confirmed to be tied to an incident and response is underway. |
connection-malware-port |
System attempting to gain access to a port normally linked to a specific type of malware. |
connection-malware-system |
System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet. |
content-forbidden-by-law |
Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc… |
control-system-bypass |
Unauthorized access to a system or component by bypassing an access control system in place. |
copyrighted-content |
Distribution or sharing of content protected by copyright and related rights. |
data-exfiltration |
Unauthorized access to and sharing of a specific set of information. |
deferred |
The event is deferred due to resource constraints, information types or external reasons. |
deletion-information |
Unauthorized deleting of a specific set of information. |
denial-of-service |
The event or incident resulted in a loss of availability for a service or system. Incidents of this type SHOULD have an availability impact, but organizations may choose to not share the details of these impacts. |
destruction |
The event or incident destroyed data or systems. Incidents of this SHOULD have an integrity impact, but organizations may choose to not share the details of these impacts. |
dictionary-attack-attempt |
Unsuccessful login attempt by using system access credentials previously loaded into a dictionary. |
discarded |
The event was discarded due to resource constraints, information types or external reasons. |
disruption-data-transmission |
Logical and physical activities aimed at causing damage to information or at preventing its transmission among systems. |
dissemination-malware-email |
Malware attached to a message or email message containing link to malicious URL. |
dissemination-phishing-emails |
Mass emailing aimed at collecting data for phishing purposes with regard to the victims. |
dns-cache-poisoning |
DNS cache poisoning, also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to return records controlled by the attacker. |
dns-local-resolver-hijacking |
Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses. |
dns-spoofing-registered |
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant. |
dns-rebinding |
DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim’s local resources. |
dns-server-compromise |
Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server. |
dns-spoofing-unregistered |
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant. |
dns-stub-resolver-hijacking |
The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses. |
dns-zone-transfer |
Transfer of a specific DNS zone. |
domain-name-compromise |
Wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity such as sending spam or phishing, distributing malware, or botnet command and control. |
duplicate |
This event is a duplicate of another event. A relationship should be created between this event and the event it duplicates. |
email-flooding |
Sending an unusually large quantity of email messages. |
equipment-loss |
A loss of control of physical equipment that is not known to be theft. |
equipment-theft |
Theft of equipment. In general this should be paired with equipment-loss. |
exploit |
Successful use of a tool exploiting a specific vulnerability of the system. |
exploit-attempt |
Unsuccessful use of a tool exploiting a specific vulnerability of the system. |
exploit-framework-exhausting-resources |
Various sources using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability. |
exploit-tool-exhausting-resources |
One single source using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability. |
failed |
The event failed its suspected goal. |
file-inclusion |
Inclusion of files into a system under attack with the use of file inclusion techniques. |
file-inclusion-attempt |
Unsuccessful attempt to include files in the system under attack by using file inclusion techniques. |
hosting-malware-webpage |
Web page disseminating one or various types of malware. |
hosting-phishing-sites |
Hosting web sites for phishing purposes. |
illegitimate-use-name |
Using the name of an institution without permission to do so. |
illegitimate-use-resources |
Use of institutional resources for purposes other than those intended. |
infected-by-known-malware |
The presence of any of the types of malware was detected in a system. |
insufficient-data |
Not enough data is available to assess this event. |
known-malware |
This incident involves a known type of malware. Events and incidents SHOULD be related to a Malware object, but organizations may choose not to share the details on this malware. |
lame-delegations |
Lame delegations occur as a result of expired name server domains allowing attackers to take control of the domain resolution by re-registering this expired name server domain. |
major |
The incident is classified as major based on the internal criteria within the organization or due to external reporting requirements. |
modification-information |
Unauthorized changes to a specific set of information. |
misconfiguration |
A false positive where this event was triggered by a misconfiguration. |
natural |
The event was due to natural causes such as an earthquake or hurricane. |
negotiation |
Negotiation of a deal or payment amount. |
network-scanning |
Scanning a network aimed at identifying systems which are active in the same network. |
no-apt |
It is not believed that this incident involved an advanced persistent threat. |
packet-flood |
Mass sending of requests (network packets, emails, etc.) from various sources to a specific service, aimed at affecting its normal functioning. |
password-cracking-attempt |
Attempt to acquire access credentials by breaking the protective cryptographic keys. |
policy-violation |
The event or incident was a violation of organizational or regulatory policy. |
ransomware |
This incident involved malware that encrypted data with a demand that a ransom is paid to regain access to it. |
ransomware-payment |
The event or incident associated with actually paying a ransom. |
refuted |
The event was previously suspected to have achieved a goal, but this has since been refuted. |
scan-probe |
The event was triggered based on scanning activity. |
silently-discarded |
The event was silently discarded due to resource constraints, information types or external reasons. |
supply-chain-customer |
This incident reached its target, a customer, through a vendor further up in the supply chain. |
supply-chain-vendor |
This incident targeted a system or product that is supplied to others in order to enable further attacks. |
spam |
Sending an email message that was unsolicited or unwanted by the recipient. |
sql-injection |
Manipulation or reading of information contained in a database by using the SQL injection technique. |
sql-injection-attempt |
Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique. |
successful |
The event is believed to have succeeded in its goal. |
system-probe |
Single system scan searching for open ports or services using these ports for responding. |
theft-access-credentials |
Unauthorized access to a system or component by using stolen access credentials. |
unattributed |
This event or incident has not been attributed. It is unclear if it is tied to a specific advanced persistent threat group. |
unauthorized-access-information |
Unauthorized access to a set of information. Incidents of this SHOULD have a confidentiality impact, but organizations may choose to not share the details of these impacts. |
unauthorized-access-system |
Unauthorized access to a system or component. |
unauthorized-equipment |
Usage of unauthorized devices as part of the incident. |
unauthorized-release |
The unauthorized release of information. Incidents of this SHOULD have a confidentiality impact, but organizations may choose to not share the details of these impacts. |
unauthorized-use |
The usage of information that falls outside of official purposes. |
undetermined |
Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning. |
unintentional |
The event was due to unintentional activity. |
unknown-apt |
This incident is believed to involve an advanced persistent threat, but the specific APT is unknown. |
unspecified |
Other unlisted events. |
vandalism |
Logical and physical activities which - although they are not aimed at causing damage to information or at preventing its transmission among systems - have this effect. |
wiretapping |
Logical or physical interception of communications. |
worm-spreading |
System infected by a worm trying to infect other systems. |
xss |
Attacks performed with the use of cross-site scripting techniques. |
xss-attempt |
Unsuccessful attempts to perform attacks by using cross-site scripting techniques. |
4.5. External Impact Vocabulary
Type Name: external-impact-ov
Vocabulary Value | Description |
---|---|
economic |
This incident is expected to have national or international economic impacts. |
emergency-services |
This incident impacts emergency services. |
foreign-relations |
This incident impacts international politics. |
national-security |
This incident impacts the national security of one or more nations. |
public-confidence |
This incident impacts the confidence in public or private institutions. |
public-health |
This incident impacts the public health of one or more nations. |
public-safety |
This incident impacts the public safety of individuals in one or more nations. |
4.6. Incident Investigation Open Vocabulary
Type Name: incident-investigation-ov
Vocabulary Value | Description |
---|---|
closed |
All victim/defender work on this incident has been concluded. Blue teams may use a closed incident as a starting point for their work by creating child Incidents of the closed Incident. In these cases, it is appropriate to mark the initial Incident as closed even if the related child incidents that track this work are still open. |
new |
A new incident which the victim/defender has not begun formal work on. |
open |
Victim/defender work is underway for this Incident. |
4.7. Information Type Vocabulary
Type Name: information-type-ov
Vocabulary Value | Description |
---|---|
classified-material |
Data classified based on relevant government authorities. |
communication |
Communication records including emails, chats and instant messages. |
credentials-admin |
Administrative credential data. |
credentials-user |
User credential data. |
financial |
Financial records including purchasing activity and planned activities. |
legal |
Legal records that are not yet public including contracts under negotiation and documents protected under legal privilege. |
payment |
Payment information. |
phi |
Protected Health Information. |
pii |
Personally Identifiable Information. |
proprietary |
Proprietary information e.g., intellectual property. |
system |
Information necessary to keep a system operational. The destruction or encryption of this data can cause availability impacts. |
4.8. Monetary Impact Type Vocabulary
Type Name: monetary-impact-type-ov
Vocabulary Value | Description |
---|---|
asset-and-fraud |
Losses incurred due to loss of assets or fraud. |
brand-damage |
Losses incurred due to reputational or brand damage. |
business-disruption |
Losses incurred due to business disruptions. |
competitive-advantage |
Losses incurred due to theft of intellectual property, techniques or other capabilities that grant an advantage in the field. |
legal-and-regulatory |
Losses incurred due to legal or regulatory actions in response to the incident. |
operating-costs |
Additional operating costs incurred because of the incident. |
ransom-demand |
The demanded amount of ransom to be paid. When this is selected the demand amount should be listed as the max_amount and the min_amount should be 0. |
ransom-payment |
An actual payment of a ransom. |
response-and-recovery |
Losses incurred due to response and recovery efforts for the incident. |
uncategorized |
Losses incurred that have not been categorized yet. |
4.9. State Change Type Vocabulary
Type Name: state-change-type-ov
Vocabulary Value | Description |
---|---|
caused |
This task or event is the primary cause of the resulting object. |
contributed-to |
This task or event is a contributing factor to the result occurring. |
input |
This task or event took in a group as an input for automated or playbook activities. If this is selected the initial_ref property MUST be populated. |
mitigated |
This task or event lessened the severity of the initial object. |
output |
This task or event produced a group as an output as part of automated or playbook activities. If this is selected the result_ref property MUST be populated. |
resolved |
This task or event resolved the initial object. |
4.10. Task Type Vocabulary
Type Name: task-type-ov
Vocabulary Value | Description |
---|---|
administrative |
Perform an administrative action such as the introduction or change of a policy. |
attribution |
Attribute the event or incident to a threat actor or intrusion set. |
containment |
The containment phase of incident response. |
declared |
When this was officially declared an incident. |
detected |
When the incident was detected. |
eradication |
The eradication phase of incident response. |
escalated |
When the incident was escalated to a major incident. |
exercised-control |
Attempted to use a security control that was already in place within the environment. |
external-intelligence |
Used external intelligence information. |
external-outreach |
Reaching out to an external organization to gain support or information. |
external-support |
Acquire support from an external organization. |
implemented-control |
Implemented a security control within the environment. |
investigation |
Performed an investigation into an event or incident. |
negotiation |
Negotiation of a deal or payment amount. |
playbook-execution |
Executing an automated playbook. If the playbook is stored outside of STIX it should be included as an external-reference. |
playbook-step-execution |
Executing a step in an automated playbook. If the playbook is stored outside of STIX, both the playbook and the step should be recorded as separate external references. If playbook steps feed each other information that is designed to be passed as STIX, it SHOULD be referenced as a grouping in either the initial_ref or result_ref of a state-change. |
ransom-payment |
An actual payment of a ransom. |
recovery |
The recovery phase of incident response. |
reported |
When the incident was reported externally. |
routine-updates |
Performed a routine update in the environment including patching. |
victim-notification |
Notified victims, potentially impacted individuals or organizations about the incident. |
5. Enumerations
5.1. Event Status Enumeration
Type Name: event-status-enum
Vocabulary Value | Description |
---|---|
ongoing |
The event is still occurring. |
occurred |
The event took place and is no longer ongoing. |
not-occurred |
The event did not take place, but it was previously expected to. |
pending |
The event has not yet been started or observed, but it is projected or otherwise planned. Pending activity may never occur as various factors can cause it to be blocked or not attempted. As such any time or sequence values for pending activities should be treated as an estimation or projection that is subject to change. |
undetermined |
The status of the event has not been determined or is not shareable. |
5.2. Incident Confidentiality Loss Enumeration
Type Name: incident-confidentiality-loss-enum
Vocabulary Value | Description |
---|---|
confirmed-loss |
Information has been exfiltrated and is now available to the attacker, but it is unknown if it has been misused. |
contained |
Information’s confidentiality was compromised, but the spill was within an environment that allowed it to be effectively contained. For example: a sensitive data spill occurred within a controlled network allowing it to be resolved before information exited the organization. |
exploited-loss |
Information has been exfiltrated and has been actively misused by the attacker. |
none |
This information type was not compromised based on the investigation that was performed. This option should be used to affirmatively supply this information when necessary. |
suspected-loss |
It is suspected but not confirmed that the attacker may have gained access to this information. |
unknown |
It is unknown if the attacker may have gained access to this information. |
5.3. Incident Determination Enumeration
Type Name: incident-determination-enum
Vocabulary Value | Description |
---|---|
blocked | The incident had no or minimal impact because pre-emptive measures, such as rate limiting or spam filters, stopped it. |
confirmed | An incident has been determined to have caused at least some harm or to have violated a policy. |
failed-attempt | The incident had no or minimal impact, but not because of any affirmative defense; for example, a password-guessing attempt failed on its own and was not rate limited. |
false-positive | The incident was determined to have been triggered by a false alert, and no action, including automatically performed actions, was needed to remediate the issue. This should not be used when an incident was flagged correctly but is of no importance; for findings of that nature, low-value should be used. |
suspected | An incident is suspected, but not yet confirmed. |
5.4. Integrity Alteration Enumeration
Type Name: integrity-alteration-enum
Vocabulary Value | Description |
---|---|
potential-destruction | Information may have been destroyed within the system. |
potential-modification | Information may have been modified within the system. |
partial-destruction | Some data of this type has been destroyed, but sufficient data remains to allow partial functionality. |
partial-modification | Some data in the system has been modified, but the remaining data is of an acceptable level of integrity for operations to continue. |
full-destruction | Sufficient data of this type was destroyed to render the system inoperable until recovery can be completed. |
full-modification | Sufficient data of this type was modified to render the system inoperable until recovery can be completed. |
none | There is no evidence of destruction or modification of this data type in the system. |
unknown | It is unknown if destruction or modification of this data type in the system has occurred. |
5.5. Physical Impact Enumeration
Type Name: physical-impact-enum
Vocabulary Value | Description |
---|---|
damaged-functional | The property, asset or system was damaged but remains functional, and repair may be possible. |
damaged-nonfunctional | The property, asset or system was damaged and is no longer functional, but repair may be possible. |
destruction | The property, asset or system was destroyed, cannot be repaired and no longer functions. In some cases destroyed assets can be rebuilt, but doing so involves a similar amount of effort as the original construction. |
none | No damage or destruction has occurred. |
unknown | The degree of damage has not been determined yet. |
5.6. Recoverability Enumeration
Type Name: recoverability-enum
Vocabulary Value | Description |
---|---|
extended | Time to recovery is unpredictable; additional resources and outside help are necessary. |
not-applicable | No recovery is necessary. |
not-recoverable | Recovery from the incident is not possible. |
regular | Time to recovery is predictable with existing resources. |
supplemented | Time to recovery is predictable with additional resources. |
5.7. Task Outcome Enumeration
Type Name: task-outcome-enum
Vocabulary Value | Description |
---|---|
cancelled | The task was planned or started, but later cancelled or discarded. |
failed | The task has been completed, but failed. |
ongoing | The task is still taking place. |
pending | The task has not yet been started, but is currently planned. |
successful | The task was completed successfully. |
unknown | The status of this task is currently unknown. |
5.8. Timestamp Fidelity Enumeration
Type Name: timestamp-fidelity-enum
Vocabulary Value | Description |
---|---|
day | The associated timestamp should be considered to represent a time within the one-day period starting at the provided timestamp. Because STIX timestamps are expressed in UTC, the hours and minutes should be understood to establish the timezone of the activity (for example, 05:00:00Z is local midnight in a timezone five hours behind UTC). |
hour | The associated timestamp should be considered to represent a time within the one-hour period starting at the provided timestamp. |
minute | The associated timestamp should be considered to represent a time within the one-minute period starting at the provided timestamp. |
month | The associated timestamp should be considered to represent a time within the one-month period starting at the provided timestamp. Hours and minutes should be understood to establish the timezone of the activity. The day should always be the first day of the month or, for a timezone that is ahead of UTC, the last day of the previous month, since local midnight on the first of the month falls on the previous UTC calendar day in such timezones. |
second | The associated timestamp should be considered to represent a time within the one-second period starting at the provided timestamp. |
year | The associated timestamp should be considered to represent a time within the one-year period starting at the provided timestamp. Hours and minutes should be understood to establish the timezone of the activity. |
5.9. Traceability Enumeration
Type Name: traceability-enum
Vocabulary Value | Description |
---|---|
accountability-lost | Traces used to establish accountability are lost or do not exist. |
partial-accountability | Traces are present, but insufficient to have provable accountability. |
provable-accountability | Accountability can be ensured from the traces that are present. |
unknown-accountability | Accountability is unknown. |
6. Relationship Summary Table
Source | Type | Target |
---|---|---|
 | causes | |
 | impacts | |
 | led-to | |
 | located-at | |
 | blocks | |
 | causes | |
 | creates | |
 | detects | |
 | impacts | |
 | located-at | |
 | uses | |
 | associated-with | |
 | assigned | |
 | contact-for | |
 | participated-in | |
 | performed | |
 | attributed-to | |
 | impacts | |
 | led-to | |
 | located-at | |
 | targets | |
 | based-on | |
 | detected | |
 | performed | |
 | performed | |
Appendix A. Incident Availability Impact Mapping
This appendix defines mappings from availability and functional scales to the value used in the availability impact property. A value of "Not Specified" in the tables below means that the availability impact property is not present.
US-CERT | STIX Availability Impact Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
No Impact | 0 | 0 |
No Impact to Services | 5 | 1-9 |
Minimal Impact to Non-Critical Services | 15 | 10-19 |
Minimal Impact to Critical Services | 30 | 20-39 |
Significant Impact to Non-Critical Services | 50 | 40-59 |
Denial of Non-Critical Services | 65 | 60-69 |
Significant Impact to Critical Services | 75 | 70-79 |
Denial of Critical Services / Loss of Control | 90 | 80-100 |
Simple Qualitative | STIX Availability Impact Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
None | 0 | 0 |
Minimal | 20 | 1-39 |
Significant | 50 | 40-59 |
Denial | 75 | 60-89 |
Loss of Control | 95 | 90-100 |
0 to 10 | STIX Availability Impact Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
0 | 0 | 0-4 |
1 | 10 | 5-14 |
2 | 20 | 15-24 |
3 | 30 | 25-34 |
4 | 40 | 35-44 |
5 | 50 | 45-54 |
6 | 60 | 55-64 |
7 | 70 | 65-74 |
8 | 80 | 75-84 |
9 | 90 | 85-94 |
10 | 100 | 95-100 |
Appendix B. Incident Criticality Mapping
This appendix defines mappings for criticality scales to be used by the criticality property. A value of "Not Specified" in the table below means that the criticality property is not present.
5 Qualitative | STIX Criticality Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
False Positive | 0 | 0 |
Low | 15 | 1-29 |
Moderate | 40 | 30-49 |
High | 70 | 50-89 |
Extreme | 95 | 90-100 |
Major / Minor | STIX Criticality Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
None | 0 | 0 |
Minor | 25 | 1-49 |
Major | 75 | 50-100 |
Major / Minor / Critical | STIX Criticality Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
None | 0 | 0 |
Minor | 25 | 1-49 |
Major | 70 | 50-89 |
Critical | 95 | 90-100 |
None, Low, High, Extreme | STIX Criticality Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
None | 0 | 0 |
Low | 20 | 1-39 |
High | 65 | 40-89 |
Extreme | 95 | 90-100 |
VERIS | STIX Criticality Value | Range of Values |
---|---|---|
Unknown | Not Specified | N/A |
Insignificant | 10 | 0-19 |
Distracting | 35 | 20-49 |
Painful | 60 | 50-69 |
Damaging | 80 | 70-89 |
Catastrophic | 95 | 90-100 |
0 to 10 | STIX Criticality Value | Range of Values |
---|---|---|
Not Specified | Not Specified | N/A |
0 | 0 | 0-4 |
1 | 10 | 5-14 |
2 | 20 | 15-24 |
3 | 30 | 25-34 |
4 | 40 | 35-44 |
5 | 50 | 45-54 |
6 | 60 | 55-64 |
7 | 70 | 65-74 |
8 | 80 | 75-84 |
9 | 90 | 85-94 |
10 | 100 | 95-100 |
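An added example (written for this page, not taken from the specification or from any STIX implementation) of how a consumer would use the Appendix B mappings to carry a criticality rating between partners who use different scales: a received label is converted to the STIX criticality value, and a received value is resolved to a label by range. The scale identifiers, the Band type and the function names are chosen for this example; only three of the tables are included, and the VERIS "Damaging" range is taken as 70-89 so that the bands tile 0 to 100 without overlap. A validation helper checks that tiling property, and that every canonical value lies inside its own band, before any conversion is trusted.

```python
"""
Translate incident criticality between the scales mapped in Appendix B
(example code, not from the specification).

Each scale is a list of bands: the label used by that scale, the STIX
criticality value to write when the label is received, and the inclusive
range of criticality values that map back to that label.  A label that
maps to "Not Specified" (VERIS "Unknown") means the property is absent,
represented here as None.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Band:
    label: str
    stix_value: int  # value written to the criticality property
    low: int         # inclusive lower bound of values mapping back to label
    high: int        # inclusive upper bound


# Three of the Appendix B tables; VERIS "Damaging" is given 70-89 here so
# that the bands tile 0..100 without overlapping "Catastrophic" at 90.
SCALES = {
    "5-qualitative": ("Not Specified", [
        Band("False Positive", 0, 0, 0), Band("Low", 15, 1, 29),
        Band("Moderate", 40, 30, 49), Band("High", 70, 50, 89),
        Band("Extreme", 95, 90, 100)]),
    "major-minor-critical": ("Not Specified", [
        Band("None", 0, 0, 0), Band("Minor", 25, 1, 49),
        Band("Major", 70, 50, 89), Band("Critical", 95, 90, 100)]),
    "veris": ("Unknown", [
        Band("Insignificant", 10, 0, 19), Band("Distracting", 35, 20, 49),
        Band("Painful", 60, 50, 69), Band("Damaging", 80, 70, 89),
        Band("Catastrophic", 95, 90, 100)]),
}


def validate_scale(bands) -> bool:
    """Bands must tile 0..100 in order with no gaps or overlaps, and each
    canonical value must sit inside its own band so label -> value -> label
    round-trips.  Returns False instead of raising so callers can report."""
    next_low = 0
    for b in bands:
        if b.low != next_low or b.high < b.low:
            return False
        if not b.low <= b.stix_value <= b.high:
            return False
        next_low = b.high + 1
    return next_low == 101


def to_criticality(scale: str, label: str) -> Optional[int]:
    """Map a scale label to the criticality value (None = property absent)."""
    unspecified, bands = SCALES[scale]
    if label == unspecified:
        return None
    for b in bands:
        if b.label == label:
            return b.stix_value
    raise ValueError(f"{label!r} is not a label of scale {scale!r}")


def from_criticality(scale: str, value: Optional[int]) -> str:
    """Map a criticality value back to the label of a scale by range."""
    unspecified, bands = SCALES[scale]
    if value is None:
        return unspecified
    if not 0 <= value <= 100:
        raise ValueError("criticality must be an integer from 0 to 100")
    for b in bands:
        if b.low <= value <= b.high:
            return b.label
    raise ValueError(f"scale {scale!r} does not cover {value}")


def translate(label: str, src: str, dst: str) -> str:
    """Carry a rating from one partner's scale to another via the STIX value.
    The step is lossy (labels are coarser than values), so store the STIX
    value and derive labels from it rather than storing the label."""
    return from_criticality(dst, to_criticality(src, label))
```

Validating each table before use is the part worth keeping: a band list that does not tile 0 to 100, or whose canonical value falls outside its own range, silently produces a different label on the way back than was sent.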
Appendix C. Acknowledgements
Primary Editor
Jeffrey Mates, US Department of Defense (DoD)
Contributors
The following individuals were members of the OASIS CTI Technical Committee and contributed time and effort to ensure that this extension would be possible. Their contributions are gratefully acknowledged:
- Alexandre Cabrol Perales, Sopra Steria Group
- Alexandre Dulaunoy, CIRCL
- Ben Ottoman, Cyber Threat Intelligence Network, Inc. (CTIN)
- Christian Hunt, Copado
- Christopher Robinson, Cyber Threat Intelligence Network, Inc. (CTIN)
- Christian Studer, CIRCL
- David Kemp, National Security Agency (NSA)
- Desiree Beck, MITRE Corporation
- Duncan Sparrell, sFractal Consulting LLC
- Emily Ratliff, IBM
- Jane Ginn, Cyber Threat Intelligence Network, Inc. (CTIN)
- Jason Keirstead, IBM
- Jean-Philippe Salles, Filigran
- Jeremy Berthelet, Sopra Steria Group
- Jonathan Matkowsky, Microsoft
- Keven Ates, US Federal Bureau of Investigation
- Kirk Dunkelberger, Peraton
- Leszek Adamiak, IBM
- Margaux Quittelier, Sopra Steria Group
- Marlon Taylor, DHS Cybersecurity and Infrastructure Security Agency (CISA)
- Mateusz Zych, University of Oslo
- Michael Rosa, National Security Agency (NSA)
- Patrick Maroney, AT&T
- Qem Lumi, Northrop Grumman
- Richard Piazza, MITRE Corporation
- Rob Coderre, Accenture
- Robert Keith, Accenture
- Ryan Hohimer, DarkLight, Inc.
- Scott Robertson, Kaiser Permanente
- Sean Carroll, National Security Agency
- Stephen Campbell, Cyber Threat Intelligence Network, Inc. (CTIN)
- Trey Darley, CCB/CERT.be
- Vasileios Mavroeidis, University of Oslo
Appendix D. Revision History
Revision | Date | Editor | Changes Made |
---|---|---|---|
01 | 2022-05-23 | Incident Mini Group | Initial Version |
02 | 2022-10-27 | Jeffrey Mates | Added ongoing to activity-outcome-enum. Removed normative text for attacker_activity.pattern_ref that indicated a field that does not exist can be excluded if it is present. |
03 | 2023-02-15 | Jeffrey Mates | Added labels and criticality to all impact types. Made impacted_refs optional for availability impact. Replaced availability_impact with availability_impacts; the new guidance is to use scores in the more granular availability_impacts. Added ransom-demand and ransom-payment to monetary-impact-type-ov. |
04 | 2023-07-10 | Incident Mini Group | Version 2.0 |
05 | 2023-10-10 | Richard Piazza and Jeffrey Mates | Multiple editorial fixes, removing copy-paste errors and obsolete relationships. |
06 | 2024-02-15 | Richard Piazza, Jeffrey Mates and Dez Beck | Additional editorial fixes and minor changes to normative statements. |
07 | 2024-07-02 | Richard Piazza, Jeffrey Mates and Dez Beck | Removed event_sequence, event_entry, task_sequence and task_entry. |