Posted by: David Greenwood, Chief of Signal


In this post I will talk about customising STIX Objects when the predefined specification does not meet the needs of a data creator.

Note: this post is written for OASIS STIX version 2.1. The concepts discussed are not always correct for earlier versions of OASIS STIX.

The STIX 2.1 Specification covers the large majority of common cyber threat intelligence concepts.

However, there are times when STIX 2.1 will not be broad enough for your needs. This is typically the case for data producers, who often need to carry service- or process-specific information that no predefined Object or Property was designed for.

There are three ways to customise STIX 2.1 using the x-/x_ conventions covered in this post:

  1. Custom Objects: where no predefined STIX 2.1 Object fits, a producer can define a new Object type.
  2. Custom Properties: where the Properties defined for a STIX Object (predefined or custom) do not cover the information to be represented, a producer can add their own Properties.
  3. Custom Extensions: in addition to the predefined Cyber Observable Object extensions, STIX supports producer-defined extensions for STIX Cyber-observable Objects (SCOs).

One caveat before going further: the STIX 2.1 specification also defines a formal Extension Definition mechanism (the extension-definition Object) and marks the x-/x_ conventions below as deprecated in its favour. They remain in wide use (MITRE ATT&CK still relies on them), so you will meet them in real data regardless, and consumers should expect both styles.

Breaking each one of these down in detail…

1. Custom Objects

Custom Objects are declared using a type Property prefixed with x- (e.g. "type": "x-my-custom-object"). The Object's id must reuse that type as its prefix (e.g. "id": "x-my-custom-object--<UUID>"), exactly as predefined Objects do.

MITRE ATT&CK is a good example of STIX 2.1 Custom Objects. To represent MITRE ATT&CK Tactics, MITRE use a custom Tactic Object with type x-mitre-tactic (and ids of the form x-mitre-tactic--<UUID>).

ATT&CK also uses Custom Objects for x-mitre-data-component, x-mitre-data-source, and x-mitre-matrix.

(Figure: MITRE ATT&CK Custom Objects)

Custom Objects can contain Common Properties, Unique Object Properties defined in the STIX 2.1 specification, and Custom Properties (ultimately the producer defines the specification of their Custom Object, but the Common Properties type, id, spec_version, created and modified should always be present so consumers can version and deduplicate the Object like any other).

Custom Objects make no distinction between SDO, SCO, or SRO. The producer defines the type value of the Custom Object and it can be used for any of these three cases (or something else entirely, if need be).

2. Custom Properties

Custom Properties are the most common way producers extend STIX 2.1 Objects because they are very useful for specific information relating to their service or processes, for example, internal references.

Custom Properties in a STIX 2.1 predefined Object or a Custom Object are declared using the prefix x_ (e.g. "x_custom_property": "value"). Property names must be lowercase ASCII letters, digits and underscores, at least 3 characters long, and the specification recommends including a producer identifier after the prefix (e.g. x_mycompany_reference) so that two producers' Custom Properties cannot collide.

Here is an example of a Custom Property (x_phising_score) in an Attack Pattern Object:

3. Custom Extensions

Where an SCO does not have a predefined Extension that meets your needs, you can create your own, in the same spirit as Custom Properties.

Custom Extensions are declared inside an SCO's extensions Property, keyed by a name prefixed with x- (e.g. "extensions": {"x-my-custom-extension": {"key": "value"}}). Each extension value is itself a JSON object, so one extension can group several related pieces of information.

To demonstrate this, I will use a Network Traffic SCO together with an IPv4 Address SCO carrying a Custom Extension x-asset-info that describes the asset behind that address.
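The following is an added example (not code from the original post) of that layout: an ipv4-addr SCO carrying a hypothetical x-asset-info Custom Extension, a second ipv4-addr without one, and a network-traffic SCO whose src_ref and dst_ref point at them. SCO ids are generated deterministically as UUIDv5 over the ID-contributing properties, as the specification prefers, which also shows a point that matters for deduplication: the extension on the ipv4-addr does not change its id, because value is the only ID-contributing property for that type, whereas extensions do contribute to a network-traffic id. The asset fields (hostname, owner, criticality) are constructed sample data.

```python
"""Added example (not from the original post): an ipv4-addr SCO carrying a
producer-defined x-asset-info extension, referenced by a network-traffic SCO,
with deterministic SCO ids and a check on extension names. Standard library only."""
import json
import uuid

# UUIDv5 namespace the STIX 2.1 spec reserves for deterministic SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# ID-contributing properties per the spec for the two SCO types used here;
# note that extensions count for network-traffic but not for ipv4-addr.
ID_CONTRIBUTING = {
    "ipv4-addr": ("value",),
    "network-traffic": ("start", "end", "src_ref", "dst_ref", "src_port",
                        "dst_port", "protocols", "extensions"),
}
# Extensions the spec predefines for each of these SCO types.
PREDEFINED_EXTENSIONS = {
    "ipv4-addr": set(),
    "network-traffic": {"http-request-ext", "icmp-ext", "socket-ext", "tcp-ext"},
}


def sco_id(sco):
    """UUIDv5 over the canonical JSON of the ID-contributing properties that are present."""
    contributing = {k: sco[k] for k in ID_CONTRIBUTING[sco["type"]] if k in sco}
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco['type']}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"


def make_ipv4_addr(value, asset_info=None):
    """ipv4-addr SCO; asset_info goes into the hypothetical x-asset-info Custom Extension."""
    sco = {"type": "ipv4-addr", "spec_version": "2.1", "value": value}
    if asset_info:
        sco["extensions"] = {"x-asset-info": asset_info}
    sco["id"] = sco_id(sco)
    return sco


def make_network_traffic(src, dst, dst_port, protocols):
    """network-traffic SCO whose src_ref/dst_ref point at two ipv4-addr SCOs."""
    sco = {
        "type": "network-traffic",
        "spec_version": "2.1",
        "src_ref": src["id"],
        "dst_ref": dst["id"],
        "dst_port": dst_port,
        "protocols": protocols,
    }
    sco["id"] = sco_id(sco)
    return sco


def extension_problems(sco):
    """Flag extension keys that are neither predefined for this SCO type nor x- custom."""
    problems = []
    allowed = PREDEFINED_EXTENSIONS.get(sco["type"], set())
    for name, body in sco.get("extensions", {}).items():
        if name not in allowed and not name.startswith("x-"):
            problems.append(f"{name!r} is not predefined for {sco['type']} and lacks the x- prefix")
        if not isinstance(body, dict):
            problems.append(f"extension {name!r} must be a JSON object")
    return problems


def build_bundle(*objects):
    """Wrap the SCOs in a STIX Bundle so they can be shared as one document."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


# Constructed sample: an internal web server talking to an external address.
WEB_SERVER = make_ipv4_addr(
    "10.0.0.12", {"hostname": "web-01", "owner": "it-ops", "criticality": "high"}
)
REMOTE = make_ipv4_addr("198.51.100.7")
TRAFFIC = make_network_traffic(WEB_SERVER, REMOTE, 443, ["ipv4", "tcp"])

if __name__ == "__main__":
    print(json.dumps(build_bundle(WEB_SERVER, REMOTE, TRAFFIC), indent=2))
```

The practical consequence of the id rule is that two producers who both observe 10.0.0.12, one attaching x-asset-info and one not, still emit the same ipv4-addr id, so a consumer can merge them; a producer who wants asset data to be part of the identity of an observable has to model it differently (for example as a separate Object related to the address) rather than as an extension on ipv4-addr.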

A real world example

MITRE’s representation of ATT&CK is a good example of the need for customisation.

MITRE use both Custom Objects and Custom Properties for ATT&CK.

The Matrix view you often see rendering ATT&CK Tactics and Techniques is defined by a custom x-mitre-matrix SDO.

Inside each MITRE ATT&CK SDO, you will see Custom Properties MITRE uses for their own references.

See the x_mitre_ Custom Properties in the Attack Pattern SDO for Technique T1047 (Windows Management Instrumentation), including x_mitre_platforms and x_mitre_domains, to name just two examples.

Versioning changes to your Objects

Now that you are starting to create new STIX 2.1 Objects, it is important you know how to update them when needed.

In my next post I will share when and how to version changes to your Objects.


STIX 2.1 Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our STIX 2.1 training.

If you want to join a select group of certified STIX 2.1 professionals, subscribe to our newsletter below to be notified of new course dates.
