Proposal: Fix relationship from TTP to Exploit_Target
Status: Accepted
Comment Period Closes: 12/6/2013
Affects Backwards Compatibility: YES
Relevant Issue: https://github.com/STIXProject/schemas/issues/18
In the STIX 1.0.1 data model, there is a relationship from TTP to Exploit Target. That structure, however, does not use the standard STIX relationship mechanism but uses a straight list of exploit targets. This is inconsistent with other relationships (a downside in and of itself) and also means that relationships from TTPs to Exploit Targets are not capable of expressing the relationship name or type, confidence, and other information present on standard STIX relationships.
An example of the current relationship structure is:
<ttp:TTP id="example-1" xsi:type="ttp:TTPType">
  <!-- snip -->
  <ttp:Exploit_Targets>
    <stixCommon:Exploit_Target idref="example-2"/>
  </ttp:Exploit_Targets>
</ttp:TTP>
Note that the type of ttp:Exploit_Targets is stixCommon:ExploitTargetsType instead of an appropriate relationship type.
This proposal suggests changing the relationship from TTP to Exploit Targets from the custom mechanism to a standard STIX relationship. This will be a backwards-incompatible change but is being considered for 1.1 because it is flagged as a bug.
An example of this in use is:
<ttp:TTP id="example-1" xsi:type="ttp:TTPType">
  <!-- snip -->
  <ttp:Exploit_Targets>
    <ttp:Related_Exploit_Target>
      <stixCommon:Relationship>Targets Vulnerability</stixCommon:Relationship>
      <stixCommon:Confidence>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
      </stixCommon:Confidence>
      <stixCommon:Exploit_Target idref="example-2"/>
    </ttp:Related_Exploit_Target>
  </ttp:Exploit_Targets>
</ttp:TTP>
Note that it is not backwards-compatible at a schema level with the 1.0.1 construct, but also note how it allows for the capture of the relationship and confidence fields.
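The following Python is an added example, not part of the original proposal or of the STIX project's code. It shows how a consumer could read TTP to Exploit Target links from either layout, and how a producer could upgrade 1.0.1 content to the proposed form. The namespace URIs and the function names are assumptions, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET
# Assumed namespace URIs (not given on this page); match them to your schemas.
NS = {"ttp": "http://stix.mitre.org/TTP-1",
      "stixCommon": "http://stix.mitre.org/common-1"}

# Constructed 1.0.1-style sample: a bare list of exploit targets.
OLD_TTP = """<ttp:TTP id="example-1" xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1">
  <ttp:Exploit_Targets>
    <stixCommon:Exploit_Target idref="example-2"/>
  </ttp:Exploit_Targets>
</ttp:TTP>"""

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # ElementTree's {uri}local tag form

def exploit_target_links(ttp):
    """Return (idref, relationship, confidence) tuples from either layout."""
    links = []
    for container in ttp.findall(q("ttp", "Exploit_Targets")):
        for child in container:
            if child.tag == q("stixCommon", "Exploit_Target"):
                links.append((child.get("idref"), None, None))  # 1.0.1: no metadata
            elif child.tag == q("ttp", "Related_Exploit_Target"):
                target = child.find(q("stixCommon", "Exploit_Target"))
                if target is None:
                    continue  # malformed relationship; nothing to link
                rel = child.findtext(q("stixCommon", "Relationship"))
                conf = child.findtext("stixCommon:Confidence/stixCommon:Value",
                                      namespaces=NS)
                links.append((target.get("idref"), rel, conf))
    return links

def upgrade_ttp(ttp):
    """Wrap bare Exploit_Target children in Related_Exploit_Target, in place."""
    changed = 0
    for container in ttp.findall(q("ttp", "Exploit_Targets")):
        for pos, child in enumerate(list(container)):
            if child.tag == q("stixCommon", "Exploit_Target"):
                wrapper = ET.Element(q("ttp", "Related_Exploit_Target"))
                container.remove(child)
                wrapper.append(child)
                container.insert(pos, wrapper)
                changed += 1
    return changed  # 0 means the TTP already used the relationship form

if __name__ == "__main__":
    root = ET.fromstring(OLD_TTP)
    print(upgrade_ttp(root), exploit_target_links(root))
```

Upgraded links carry no relationship name or confidence, because the 1.0.1 structure had nowhere to record them.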
This change will be implemented by extending the GenericRelationshipListType and GenericRelationshipType constructs to match how all other relationships in STIX are defined.
This change will break backwards compatibility for any producers and consumers using the TTP to Exploit_Target relationship.
On the other hand, the advantage of making this change is that relationships will be 100% consistent across STIX, and users will be able to specify relationship type, confidence, and other data points on relationships, which they cannot do in 1.0.1.
Please carefully evaluate whether this change is worth making in 1.1 or whether it should be delayed until a major update (2.0).
- Should this change be made in STIX 1.1?