Posted by: David Greenwood, Chief of Signal

In this post I will introduce some of the basic STIX concepts with a focus on STIX 2.1 Domain Objects (SDOs).

Note: this post is written for OASIS STIX version 2.1. The concepts discussed are not always correct for earlier versions of OASIS STIX.

STIX 2.1 defines a taxonomy of cyber threat intelligence that is represented by different Object types.

STIX 2.1 allows you to tell stories by connecting the Objects together to form the story-line of cyber actors, campaigns, incidents, and much more.

After reading this series of seven blog posts, you will be able to create rich STIX 2.1 stories like the example reports below.

Here are two example reports modelled in STIX 2.1, from Mandiant and FireEye:

  • Mandiant’s APT1 Report (Source)
  • FireEye’s Poison Ivy Report (Source)

STIX 2.1 Specification in 1 minute

The full STIX 2.1 specification makes for a lot of reading.

STIX Object Types

I will try to simplify it.

In short, STIX 2.1 revolves around Objects. There are three core Object types in STIX 2.1:

STIX Domain Objects (SDOs)

Most widely known are the 18 predefined STIX Domain Objects (SDOs), each representing a concept commonly used in cyber threat intelligence:

  • Attack Pattern ("type": "attack-pattern"): A type of TTP that describes ways that adversaries attempt to compromise targets.
  • Campaign ("type": "campaign"): A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
  • Course of Action ("type": "course-of-action"): A recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.
  • Grouping ("type": "grouping"): Explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX 2.1 Bundle (which explicitly conveys no context).
  • Identity ("type": "identity"): Actual individuals, organisations, or groups, as well as classes of individuals, organisations, systems or groups (e.g., the finance sector) that are non-malicious. Use the Threat Actor SDO for those operating with malicious intent.
  • Indicator ("type": "indicator"): Contains a pattern that can be used to detect suspicious or malicious cyber activity.
  • Infrastructure ("type": "infrastructure"): Represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, devices or servers that are part of a defence, database servers targeted by an attack, etc.).
  • Intrusion Set ("type": "intrusion-set"): A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization.
  • Location ("type": "location"): Represents a geographic location.
  • Malware ("type": "malware"): A type of TTP that represents malicious code.
  • Malware Analysis ("type": "malware-analysis"): The metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
  • Note ("type": "note"): Conveys informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to.
  • Observed Data ("type": "observed-data"): Conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs).
  • Opinion ("type": "opinion"): An assessment of the correctness of the information in a STIX Object produced by a different entity.
  • Report ("type": "report"): Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
  • Threat Actor ("type": "threat-actor"): Actual individuals, groups, or organizations believed to be operating with malicious intent.
  • Tool ("type": "tool"): Legitimate software that can be used by threat actors to perform attacks or by teams to defend against attacks.
  • Vulnerability ("type": "vulnerability"): A mistake in software that can be directly used by a hacker to gain access to a system or network (commonly an official CVE, but can be any vulnerability).

Each one of these Domain Objects is represented as a JSON object.

For example, here is a sample Attack Pattern Object (attack-pattern) for spear phishing, referencing CAPEC:

You can see the SDO type defined in the JSON representation, on the line "type": "attack-pattern".

The Object is made up of other Properties (fields) defined in the STIX 2.1 Specification. There are four Property types:

  • Required Common Properties (Properties shared between Objects)
    • e.g. for attack-pattern, spec_version is a Required Common Property
  • Optional Common Properties (Properties shared between Objects)
    • e.g. for attack-pattern, created_by_ref is an Optional Common Property
  • Required Object Specific Properties (Properties unique to the Object in question)
    • e.g. for attack-pattern, name is a Required Object Specific Property
  • Optional Object Specific Properties (Properties unique to the Object in question)
    • e.g. for attack-pattern, kill_chain_phases is an Optional Object Specific Property

Here is the full specification for the Attack Pattern Object:

STIX 2.1 Attack Pattern Object Specification
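To make the four Property classes concrete, here is an added example (my code, not from the post or from any STIX tooling) that builds a spear-phishing Attack Pattern SDO like the one described above, sorts its Properties into those classes, and reports missing required Properties or misspelt names. The CAPEC entry (CAPEC-163, Spear Phishing), the kill-chain phase and the description text are my choices; the Property lists themselves come from the STIX 2.1 specification.

```python
import uuid
from datetime import datetime, timezone

# The four Property classes described in the post, filled in for attack-pattern from the
# STIX 2.1 specification (the common Properties apply to every SDO).
REQUIRED_COMMON = {"type", "spec_version", "id", "created", "modified"}
OPTIONAL_COMMON = {"created_by_ref", "revoked", "labels", "confidence", "lang",
                   "external_references", "object_marking_refs", "granular_markings", "extensions"}
REQUIRED_SPECIFIC = {"attack-pattern": {"name"}}
OPTIONAL_SPECIFIC = {"attack-pattern": {"description", "aliases", "kill_chain_phases"}}

def classify_properties(sdo):
    """Sort every Property of an SDO into its STIX 2.1 class; 'unknown' catches typos."""
    t = sdo.get("type")
    classes = {
        "required_common": REQUIRED_COMMON,
        "optional_common": OPTIONAL_COMMON,
        "required_specific": REQUIRED_SPECIFIC.get(t, set()),
        "optional_specific": OPTIONAL_SPECIFIC.get(t, set()),
    }
    out = {name: sorted(p for p in sdo if p in props) for name, props in classes.items()}
    out["unknown"] = sorted(p for p in sdo if not any(p in props for props in classes.values()))
    return out

def missing_required(sdo):
    """Required Properties (common and object-specific) that are absent from the SDO."""
    needed = REQUIRED_COMMON | REQUIRED_SPECIFIC.get(sdo.get("type"), set())
    return sorted(needed - sdo.keys())

def spear_phishing_attack_pattern(created_by_ref=None):
    """Constructed Attack Pattern SDO for spear phishing, referencing CAPEC-163 (my choice)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")  # STIX timestamp format
    sdo = {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}",   # SDO ids use a random UUIDv4
        "created": now,
        "modified": now,
        "name": "Spear Phishing",
        "description": "Targeted phishing aimed at a specific person or organisation.",
        "external_references": [{"source_name": "capec", "external_id": "CAPEC-163",
                                 "url": "https://capec.mitre.org/data/definitions/163.html"}],
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                               "phase_name": "delivery"}],
    }
    if created_by_ref:
        sdo["created_by_ref"] = created_by_ref   # Optional Common: the producing Identity SDO
    return sdo
```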

STIX Cyber-observable Objects (SCOs)

STIX Cyber-observable Objects (SCOs) are used for characterising host-based and network-based information.

STIX SCOs document the facts concerning what happened on a network or host. They do not capture the who, when, or why (covered in SDOs).

By associating SCOs with SDOs it is possible to convey a higher-level understanding of the threat landscape, and to potentially provide insight as to the who and the why.

One or more SCOs can be linked to one or more SDOs to provide supporting context. Typically SCOs are linked to Observed Data SDOs.

For example, an Observed Data SDO might link to one or more SCOs, such as an IPv4 Address SCO and a Domain Name SCO (you will also see that the Domain Name SCO has a link, resolves_to_refs, to the IPv4 Address SCO):

STIX 2.1 SDO to SCO

Here is what this looks like in a real STIX Bundle:

Here is a full list of predefined STIX 2.1 SCOs available for use:

  • Artifact Object ("type": "artifact")
    • The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
    • View STIX 2.1 specification.
  • AS Object ("type": "autonomous-system")
  • Directory Object ("type": "directory")
  • Domain Name Object ("type": "domain-name")
  • Email Address Object ("type": "email-addr")
  • Email Message Object ("type": "email-message")
    • The Email Message object represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.
    • View STIX 2.1 specification.
  • File Object ("type": "file")
  • IPv4 Address Object ("type": "ipv4-addr")
  • IPv6 Address Object ("type": "ipv6-addr")
  • MAC Address Object ("type": "mac-addr")
  • Mutex Object ("type": "mutex")
  • Network Traffic Object ("type": "network-traffic")
    • The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination.
    • View STIX 2.1 specification.
  • Process Object ("type": "process")
    • The Process object represents common properties of an instance of a computer program as executed on an operating system.
    • View STIX 2.1 specification.
  • Software Object ("type": "software")
    • The Software object represents high-level properties associated with software, including software products.
    • View STIX 2.1 specification.
  • URL Object ("type": "url")
  • User Account Object ("type": "user-account")
    • The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
    • View STIX 2.1 specification.
  • Windows Registry Key Object ("type": "windows-registry-key")
  • X.509 Certificate Object ("type": "x509-certificate")
    • The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509.
    • View STIX 2.1 specification.

Like SDOs, SCOs have many Properties; some shared, some unique, some required, and some optional.

Network Traffic SCO Properties

I will use the Network Traffic SCO linked to two IPv4 Address SCOs to demonstrate:

Network Traffic SCO and IPv4 Address SCO

Here is what this looks like in a real STIX Bundle:

You can see the SCO types defined in the JSON representation on the lines "type": "network-traffic" and "type": "ipv4-addr".

Like SDOs, SCOs also contain Properties. In the Network Traffic SCO these include the protocols, src_byte_count, src_packets and ipfix Properties. The predefined Properties of each SCO are listed in the specification.

You will also see that SCOs can be linked to one another to provide even more contextual evidence. In the case of network traffic, this means linking a source IPv4 Address SCO (src_ref) and a destination IPv4 Address SCO (dst_ref).

Network Traffic SCO Extension Property

SCOs can also use predefined Object Extensions, which define a coherent set of Properties beyond the base Object (useful for adding standardised additional content). For example, HTTP request information for a Network Traffic Object:

Network Traffic SCO Extension

Here is what this looks like in a real STIX Bundle:

You can see the extensions Property defined in the JSON representation of the Network Traffic SCO.

Each SCO may include one or more of the Object Extensions defined in the STIX 2.1 specification.
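As an added example covering both the Network Traffic SCO passage above and the HTTP request extension (my code, not the post's bundle or the stix2 library), this builds two IPv4 Address SCOs, a Domain Name SCO, a Network Traffic SCO carrying the http-request-ext extension, and an Observed Data SDO that references them, deriving the deterministic SCO ids the specification requires, and then checks that every *_ref/*_refs in the Bundle resolves. The addresses, domain, counts and timestamps are constructed sample values.

```python
import json
import uuid

# OASIS namespace for deterministic (UUIDv5) SCO identifiers, from the STIX 2.1 spec.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

def sco(sco_type, contributing, **extra):
    """Build an SCO whose id is UUIDv5 over the canonical JSON of its ID-contributing Properties.
    json.dumps with sorted keys and no whitespace matches RFC 8785 for the ASCII values used here."""
    canon = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return {"type": sco_type, "spec_version": "2.1",
            "id": f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, canon)}", **contributing, **extra}

def dangling_refs(objects):
    """Every top-level *_ref / *_refs in the bundle that points at an id not in the bundle."""
    known = {o["id"] for o in objects}
    missing = []
    for obj in objects:
        for key, val in obj.items():
            targets = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            missing += [(obj["id"], key, t) for t in targets if t not in known]
    return missing

# Constructed sample: one HTTP request from a client to a server named by a domain.
# 'value' is the only ID-contributing Property of ipv4-addr and domain-name.
SRC = sco("ipv4-addr", {"value": "192.0.2.10"})            # RFC 5737 test addresses
DST = sco("ipv4-addr", {"value": "198.51.100.20"})
DOMAIN = sco("domain-name", {"value": "www.example.net"}, resolves_to_refs=[DST["id"]])
# src_ref, dst_ref, protocols and extensions are among the spec's ID-contributing Properties
# for network-traffic; byte and packet counts are not, so they are passed as extra.
TRAFFIC = sco("network-traffic", {
    "src_ref": SRC["id"], "dst_ref": DST["id"], "protocols": ["ipv4", "tcp", "http"],
    "extensions": {"http-request-ext": {            # predefined Object Extension
        "request_method": "GET", "request_value": "/index.html",
        "request_version": "http/1.1", "request_header": {"Host": "www.example.net"}}},
}, src_byte_count=412, src_packets=3)
OBSERVED = {"type": "observed-data", "spec_version": "2.1",
            "id": f"observed-data--{uuid.uuid4()}",   # SDO ids are random UUIDv4
            "created": "2021-01-01T00:00:00.000Z", "modified": "2021-01-01T00:00:00.000Z",
            "first_observed": "2021-01-01T00:00:00.000Z", "last_observed": "2021-01-01T00:00:00.000Z",
            "number_observed": 1, "object_refs": [SRC["id"], DST["id"], DOMAIN["id"], TRAFFIC["id"]]}
BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
          "objects": [SRC, DST, DOMAIN, TRAFFIC, OBSERVED]}

if __name__ == "__main__":
    print(json.dumps(BUNDLE, indent=2))
    print("dangling references:", dangling_refs(BUNDLE["objects"]))
```

Re-running the script produces identical SCO ids but a new Observed Data id, which is exactly the difference between deterministic SCO identifiers and UUIDv4 SDO identifiers.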

STIX Relationship Objects (SROs)

In this post I have covered how SDOs and SCOs, and SCOs and other SCOs, can be linked using Properties like dst_ref, src_ref, and object_refs.

STIX Relationship Objects are similar, but offer a much richer way to represent and describe certain types of relationships between STIX Objects for other use-cases not covered by Properties.

In my next post, STIX 102, I will cover how SROs work.
