sbarnum edited this page Oct 2, 2015 · 146 revisions

High Level Use cases identified for STIX include:

  1. Analyzing Cyber Threats
  2. Incident Analysis
  3. TTP Analysis
    1. Attack Pattern Analysis and Characterization
    2. Malware Analysis and Characterization
    3. Exploit Analysis and Characterization
    4. Attack Tool Analysis and Characterization
    5. Attack Infrastructure Analysis and Characterization
    6. Victim Targeting Analysis and Characterization
  4. Indicator Analysis
    1. Indicator Extraction
    2. Specifying Indicator Patterns for Cyber Threats
    3. Indicator Contextualization
    4. COA Selection
    5. Indicator Sighting Analysis
    6. Indicator Comparative Analysis
  5. Threat Actor Characterization
  6. Campaign Analysis
  7. Exploit Target Analysis
  8. COA Analysis
  9. CTI Report Scoping and Aggregation
  10. Identifying Relationships Between Content
  11. Asserting Relationships Between Content
  12. Cyber Breach Analysis and Categorization
  13. Managing Cyber Threat Response Activities
  14. Cyber Threat Prevention
  15. Cyber Threat Detection
  16. Incident Response
  17. Prioritizing Cyber Threats
  18. Managing Situational Awareness
  19. Management of Content Over Time
  20. Create new content
  21. Update content
  22. Share Cyber Threat Information
  23. Negotiation/Agreement on Technical Factors for Cyber Threat Information Exchange
  24. Management of Content Sharing Over Time
    1. Publish content
    2. Receive content
    3. Content Comparative Analysis
    4. Reshare content
  25. Cyber Threat Indicator Sharing
  26. Indicator Sighting Reporting
  27. Malware Analysis Sharing
  28. Holistic Threat Intelligence Report Sharing
  29. Shared Content Source Assessment
  30. Managing Content Control
  31. Security Tool Integration

Detailed Use cases identified for STIX include:

  1. Analyzing Cyber Threats
  2. Threat Actor Characterization
    1. Threat Actor Identity Analysis
    2. Threat Actor Motivation Analysis
    3. Threat Actor Capability Analysis
    4. Threat Actor Modus Operandi Analysis
      1. Threat Actor Kill Chain Analysis
      2. TTP-to-KillChain Mapping Analysis
      3. Kill Chain Temporal Analysis
    5. Threat Actor Predictive Intent Analysis
    6. Attribution Analysis
      1. Incident Attribution
      2. Campaign Attribution Analysis
  3. TTP Analysis
    1. Attack Pattern Analysis and Characterization
      1. Attack Pattern Comparative Analysis
    2. Malware Analysis and Characterization
      1. Malware structural analysis
      2. Malware behavioral analysis
      3. Malware Reverse Engineering
      4. Malware Comparative Analysis
      5. Malware Family/Lineage Analysis
      6. Collaborative Malware Analysis
    3. Exploit Analysis and Characterization
      1. Exploit Reverse Engineering
    4. Attack Tool Analysis and Characterization
      1. Attack Tool Characterization
      2. Attack Tool Attribution Analysis
      3. Attack Tool Comparative Analysis
      4. Attack Tool Family/Lineage Analysis
    5. Attack Infrastructure Analysis and Characterization
      1. Attack Infrastructure Characterization
      2. Attack Infrastructure Attribution Analysis
      3. Attack Infrastructure Comparative Analysis
      4. Attack Infrastructure Family/Lineage Analysis
    6. Attacker Persona Analysis and Characterization
    7. Victim Targeting Analysis and Characterization
      1. Victim Targeting by Identity Characterization
      2. Victim Targeting by System Type Characterization
      3. Victim Targeting by Information Type Characterization
      4. Victim Targeting by Technical Context Characterization
    8. TTP Exploit Targeting Analysis and Characterization
      1. TTP Targeted Vulnerability Identification
      2. TTP Targeted Weakness Identification
      3. TTP Targeted Configuration Identification
    9. Kill Chain Analysis
      1. Kill Chain Characterization
      2. Kill Chain Temporal Analysis
      3. TTP-to-KillChain Mapping Analysis
  4. Indicator Analysis
    1. Indicator Extraction from Digital Forensics Analysis
    2. Indicator Extraction from Malware Analysis
    3. Indicator Extraction from Sensor or Log Data
    4. Indicator Extraction from CTI
    5. Indicator Composition Analysis
    6. Indicator-to-KillChain Mapping Analysis
    7. Indicator Comparative Analysis
      1. Indicator Duplication Identification
      2. Indicator Deduplication
    8. Indicator Sighting Analysis
      1. Victim Targeting Analysis and Characterization
    9. COA Selection
      1. Automated COA Selection
      2. Automated COA Transformation
      3. Automated COA Deployment
  5. Campaign Analysis
    1. Campaign TTP Mapping Analysis
    2. Campaign Incident Mapping Analysis
    3. Campaign Attribution Analysis
    4. Campaign Motivation Analysis
    5. Campaign Victim Targeting Analysis
  6. Incident Analysis
    1. Incident Timeline Analysis
    2. Incident Categorization Analysis
    3. Asset Risk Analysis
      1. Asset Risk Characterization
    4. Incident Impact Assessment
    5. Incident Victim Targeting Analysis
    6. Incident Indicator Analysis
      1. Indicator Extraction
      2. Indicator Efficacy Analysis
    7. Incident TTP Analysis
    8. Incident Attribution Analysis
    9. Intended Effect Analysis
    10. Incident Comparative Analysis
    11. COA Selection
  7. Exploit Target Analysis
    1. Vulnerability Characterization
    2. Weakness Characterization
    3. Configuration Characterization
    4. Exploit Target Susceptibility Analysis
    5. COA Selection
  8. COA Analysis
    1. COA Characterization
      1. COA Structured Characterization
    2. COA Mapping to Purpose
  9. CTI Report Scoping and Aggregation
  10. Identifying Relationships Between Content
    1. Identifying Duplicate Content
      1. Identifying Exact Duplicate Content from the Same Producer
      2. Identifying Exact Duplicate Content from a Different Producer
      3. Identifying Partially Duplicate Content
  11. Asserting Relationships Between Content
    1. Qualifying Asserted Relationship Confidence
  12. Cyber Breach Analysis and Categorization
  13. Specifying Indicator Patterns for Cyber Threats
  14. Specifying Network Indicator Patterns for Cyber Threats
  15. Specifying Host/Endpoint Indicator Patterns for Cyber Threats
  16. Specifying Composite/Complex Indicator Patterns for Cyber Threats
    1. Specifying Relational Composite/Complex Indicator Patterns for Cyber Threats
    2. Specifying Logical Composite/Complex Indicator Patterns for Cyber Threats
  17. Managing Cyber Threat Response Activities
  18. Cyber Threat Prevention
    1. Deploying Indicator Patterns for Cyber Threats
      1. Deploying COAs for Cyber Threats
      2. Deploying Decomposed Indicator Patterns for Cyber Threats
  19. Cyber Threat Detection
    1. Deploying Indicator Patterns for Cyber Threats
      1. Deploying Decomposed Indicator Patterns for Cyber Threats
    2. Event/Log (SIEM) Analysis
    3. Hunting
  20. Incident Response
    1. Incident Analysis
    2. Digital Forensics Investigation
      1. Digital Forensic Information Containment
      2. Forensic examination
      3. Network forensic examination
      4. System forensic examination
        1. File forensic examination
        2. Memory forensic examination
      5. Media forensic examination
      6. Digital Trace Analysis and Capture
      7. Digital Forensic Information Provenance and Context Capture and Management
      8. Digital Forensic Tool Interoperability, Integration and Verification
      9. Forensic analysis and interpretation
      10. Digital Forensics Correlation and Differential Analysis
      11. Human Behavior Characterization via Digital Traces
      12. Digital Forensic Information Exchange
      13. Digital Forensics Archival
    3. Malware Analysis and Characterization
    4. Attack Pattern Extraction
    5. Cyber Incident Reporting
      1. Cyber Incident Breach Reporting
    6. Incident Management
      1. Incident Response Timeline Management
      2. Incident Response Contributor Tracking
  21. Prioritizing Cyber Threats
    1. Prioritizing Cyber Threats based on Motivation
    2. Prioritizing Cyber Threats based on Intended Effect
    3. Prioritizing Cyber Threats based on Victim Targeting
    4. Prioritizing Cyber Threats based on Technical Capability for Detection
    5. Prioritizing Cyber Threats based on Tempo of Activity
  22. Managing Situational Awareness
    1. CTI SA Visualization
    2. Mapping CTI to Asset Posture and General SA Information
  23. Management of Content Over Time
  24. Create new content
    1. Assert confidence in content based on context
  25. Update content
    1. Refine/enhance content
      1. Refine/enhance content with additional content
      2. Refine/enhance content with additional context
      3. Modify confidence in content based on context
  26. Share Cyber Threat Information
  27. Negotiation/Agreement on Technical Factors for Cyber Threat Information Exchange
    1. Negotiation/Agreement on Information Semantics and Structure
    2. Negotiation/Agreement on Information Serialization Format
    3. Negotiation/Agreement on Protocols for Exchange
    4. Negotiation/Agreement on Commitments regarding Managing Content Control
  28. Management of Content Sharing Over Time
    1. Publish content
      1. Publish new content
      2. Publish updated content (from originator)
      3. Publish refined/enhanced content (from originator)
        1. Publish refined/enhanced content with additional content (from originator)
        2. Publish refined/enhanced content with additional context (from originator)
      4. Publish corrected content (from originator)
      5. Publish updated content (from non-originator)
      6. Assert Low Confidence in Content (from non-originator)
      7. Revoke previously published content
    2. Receive content
      1. Receive new content (from originator)
      2. Receive new content (from non-originator)
      3. Receive updated content (from originator)
      4. Receive updated content (from non-originator)
    3. Content Comparative Analysis
      1. Content Duplication Identification
      2. Content Deduplication
    4. Reshare content
  29. Cyber Threat Indicator Sharing
  30. Indicator Sighting Reporting
    1. Simple Indicator Sighting Reporting (+1)
    2. Anonymized Indicator Sighting Reporting
    3. Indicator Sighting Reporting with Count
    4. Indicator Sighting Reporting with Specific Observation
  31. Malware Analysis Sharing
  32. Holistic Threat Intelligence Report Sharing
  33. Shared Content Source Assessment
    1. Assessing/Managing Trust for CTI Sources
    2. Assessing/Asserting Confidence in Shared Content
  34. Managing Content Control
    1. Asserting Data Markings on Content
      1. Asserting Handling Guidance on Content
    2. Interpreting Data Markings on Content
    3. Managing/Maintaining Data Markings on Content

To propose a new use case please:

  1. Create a new wiki page.
  2. Title the page "Use Case:" followed by your use case title.
  3. Copy and paste the following outline into the new page.
  4. Fill in the appropriate content.
  5. Edit this page and add your new use case to the list as a link to your new use case page.

Use case title (replace with your title)

Pre-1.2.1 Use Case (True/False): False (replace with your value)

Relevant to which SCs (STIX/TAXII/CybOX): STIX (replace with your values)

Abstraction Level (High, Medium or Low): High (replace with your value)

Related Use Cases: Related use case (replace with your content)

Description: Use case objective and flow description (replace with your content)

Stakeholders/Goals:

  • Stakeholder: Stakeholder description (replace with your content)
  • Goal: Goal description (replace with your content)

Preconditions:

  1. Precondition description (replace with your content)

Dependencies:

  1. Dependency description (replace with your content)

Main Success Scenario:

  1. Scenario description (replace with your content)