-
Notifications
You must be signed in to change notification settings - Fork 21
Proposal: Move Indicator Campaign relationships from Campaign construct to Indicator construct
Status: Accepted w/ modifications
Comment Period Closes: 1/17/2014
Affects Backwards Compatibility: YES
Relevant Issue: https://github.com/STIXProject/schemas/issues/55
This proposal concerns the ability to characterize relationships between Indicators and Campaigns in a simpler, more consistent, more ontologically coherent and more practical manner. The use of the current approach is considered a bug that needs resolving as soon as possible.
In STIX 1.0, relationships between Indicators and Campaigns are asserted with the Related_Indicators element of the Campaign construct. As an example:
<stix:Campaign id="example-1">
<campaign:Title>Disco Foo</campaign:Title>
<campaign:Names>
<campaign:Name>Disco Foo</campaign:Name>
</campaign:Names>
<campaign:Related_Indicators>
<campaign:Related_Indicator>
<stixCommon:Indicator idref="example-2" />
</campaign:Related_Indicator>
</campaign:Related_Indicators>
</stix:Campaign>
There are several downsides to this approach:
- From an ontology perspective it does not really make sense for related
Indicatorsto be a part ofCampaignsasCampaignsare a meta construct tying together variousIncidentsand/orTTPwith some believed attribution and intent.Indicatorsmay indicateTTPbehaviors used within aCampaignbut they are not really part of theCampaignitself - If one wishes to specify an
Indicatorand give a simple name label to refer to believed related activity before details are known, they would have to create a separateCampaignconstruct with just aNamegiven andRelated_Indicatorand then pass along both theCampaign(mostly empty) andIndicatorcontstructs. - A very common use case would be to specify one or more Indicators related to a
Campaign, share these and then over time specify and share more Indicators as more is learned. In this use case, the completeCampaigninstance would need to be updated and resent with each newIndicatoreven though its core content had not changed. - If a given
Campaignwas known by multiple different names to different parties (a common occurrence), the current approach would require separateCampaignentries for each name withRelated_Indicatorsdefined within eachCampaigninstance to the set of relatedIndicators. If a singleIndicatorwas applicable to several differentCampaigns, the current approach would not give an easy way to discover this without scanning across all knownCampaigns.
Based on their predominant use cases, numerous stakeholders in the STIX community have expressed an urgent need for a simple way to add Campaign relationships to Indicators rather than the other way around.
This proposal suggests reversing the direction of that relationship: rather than a Campaign having Related_Indicators, an Indicator will have Referenced_Campaigns. This new structure would allow for referencing (but not defining) existing or yet-to-be-defined campaigns through either an @idref or a campaign name.
The specific change would be to add a new Campaign_References element to IndicatorType. That element would consistent of a list of zero or more Campaign_Reference elements, each of type ReferencedCampaignType. ReferencedCampaignType would be similar to the existing RelatedCampaignType but instead of allowing a full campaign model it would be limited to referencing a campaign by either @idref or the campaign's names.
At a more technical level, CampaignReferenceType will extend stixCommon:GenericRelationshipType and add a simple Campaign element of type CampaignReferenceType. That element would allow:
-
@idrefattribute (a STIX ID reference to a separately definedCampaign) -
Nameselement, of typecampaign:NamesType(this type would likely be duplicated or moved from the campaign schema to the stixCommon schema)
Of course, at the Campaign_Reference level you would also have the standard relationship metadata:
-
Confidenceelement, to characterize the confidence in the relationship -
Information_Sourceelement, to characterize the information source of the relationship -
Relationshipelement, to characterize the nature of the relationship
Essentially, you can think of this relationship as identical to standard STIX relationships except instead of allowing for the inline definition of a campaign or a reference to an externally defined campaign, it only allows a reference to an externally defined campaign by @id or Name.
These new types would be added to the stix_common.xsd schema file such that it could be leveraged in several places throughout STIX.
Using this approach you could easily do the following things:
- Add a simple campaign appellation to an
Indicatorwhere a separateCampaignconstruct for that campaign may not exist:
<indicator:Referenced_Campaign>
<stixCommon:Campaign>
<stixCommon:Names>
<stixCommon:Name>Disco Foo</Name>
</stixCommon:Names>
</stixCommon:Campaign>
</indicator:Referenced_Campaign>
- Add a reference to a separately defined
Campaignconstruct using the@idrefattribute:
<indicator:Referenced_Campaign>
<stixCommon:Campaign idref="example-1" />
</indicator:Referenced_Campaign>
- Add a set of simple campaign appellations to an
Indicatorwhere a given campaign may be known by several names:
<indicator:Referenced_Campaign>
<stixCommon:Campaign>
<stixCommon:Names>
<stixCommon:Name>Disco Foo</Name>
<stixCommon:Name>Sunday Parade</Name>
</stixCommon:Names>
</stixCommon:Campaign>
</indicator:Referenced_Campaign>
- Add a simple campaign appellation as a newly created name for new activity and then in the future also add an
@idrefto aCampaignentry when more is known and that knowledge is formalized.
For STIX 1.1, we propose adding a Campaign_References element of CampaingReferencesType to Indicator.
For STIX 2.0, we see potential applicability to adding a similar element to other constructs such as Incident, TTP, Exploit_Target, Threat_Actor and potentially Observables.
Once again, it should be noted that this relationship structure is a subset of the standard full extension of GenericRelationshipListType and not the full type used in most relationships between STIX top level constructs. This is due to the fact that Campaigns are only applicable as separate constructs related from an Indicator and would never make sense to define inline within an Indicator as an inherent part of the Indicator itself.
It is further proposed that the existing Related_Indicators structure within the Campaign construct be removed in order to avoid inconsistency and complexity issues with maintaining the same relationships in multiple places. This does have the effect of invalidating any existing 1.0 or 1.0.1 content using that structure, however. This is likely the most significant backwards-incompatible change being proposed for STIX 1.1 so please carefully evaluate any potential impact against your current content.
Upon our review of this proposed approach there do not seem to be any major ontological issues, though we are interested if you see any.
Here is the draft XSD for the proposed solution (in stixCommon).
<xs:complexType name="CampaignReferencesType">
<xs:annotation>
<xs:documentation>The CampaignReferencesType specifies identity for one or more referential campaigns asserted to be related to this component.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Campaign_Reference" type="stixCommon:CampaignReferenceType">
<xs:annotation>
<xs:documentation>The Campaign_Reference field specifies identity for one referential campaign asserted to be related to this component.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CampaignReferenceType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipType">
<xs:sequence>
<xs:element name="Campaign" type="stixCommon:ReferencedCampaignType" minOccurs="1">
<xs:annotation>
<xs:documentation>A reference to the related campaign.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="ReferencedCampaignType">
<xs:sequence>
<xs:element name="Names" maxOccurs="unbounded" type="stixCommon:CampaignNamesType">
<xs:annotation>
<xs:documentation>The Names field specifies Names used to identify a Campaign. These may be either internal or external names.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="idref" type="xs:QName">
<xs:annotation>
<xs:documentation>Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="CampaignNamesType">
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Name" type="stixCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>This proposal resolves what is considered a bug in STIX 1.0.1 and is not fully backward compatible. Specifically, it removes the Related_Indicators element from CampaignType. Any Campaign instance content currently containing such relationship specifications would need to be transformed to utilize the proposed Campaign_References structure on Incidents in order to be valid for STIX 1.1.
- Is there value in the ability to refer to
CampaignsfromIndicators? - Is the mechanism in which this is implemented, including the set of fields on
ReferencedCampaignType, correct? - Are there any significant issues with removing
Related_IndicatorsfromCampaignType? - Are there any ontological issues other than those discussed above?
This proposal was accepted with the stipulation that the existing mechanism (Campaign -> Indicator) was kept and marked as deprecated rather than removed.