intrusionSet.go
// Copyright 2015-2018 Bret Jordan, All rights reserved.
//
// Use of this source code is governed by an Apache 2.0 license that can be
// found in the LICENSE file in the root of the source tree.

package intrustionset

import (
	"github.com/freetaxii/libstix2/objects/baseobject"
	"github.com/freetaxii/libstix2/objects/properties"
)

// ----------------------------------------------------------------------
//
// Define Object Type
//
// ----------------------------------------------------------------------

/*
IntrusionSet - This type implements the STIX 2 Intrusion Set SDO and defines
all of the properties and methods needed to create and work with the STIX
Intrusion Set SDO. All of the methods not defined local to this type are
inherited from the individual properties.

The following information comes directly from the STIX 2 specification documents.

An Intrusion Set is a grouped set of adversarial behaviors and resources with
common properties that is believed to be orchestrated by a single organization.
An Intrusion Set may capture multiple Campaigns or other activities that are all
tied together by shared attributes indicating a common known or unknown Threat
Actor. New activity can be attributed to an Intrusion Set even if the Threat
Actors behind the attack are not known. Threat Actors can move from supporting
one Intrusion Set to supporting another, or they may support multiple Intrusion
Sets.

Where a Campaign is a set of attacks over a period of time against a specific
set of targets to achieve some objective, an Intrusion Set is the entire attack
package and may be used over a very long period of time in multiple Campaigns to
achieve potentially multiple purposes.

While sometimes an Intrusion Set is not active, or changes focus, it is usually
difficult to know if it has truly disappeared or ended. Analysts may have
varying level of fidelity on attributing an Intrusion Set back to Threat Actors
and may be able to only attribute it back to a nation state or perhaps back to
an organization within that nation state.
*/
type IntrusionSet struct {
	baseobject.CommonObjectProperties
	properties.NameProperty
	properties.DescriptionProperty
	properties.AliasesProperty
	properties.SeenTimestampProperties
	properties.GoalsProperty
	properties.ResourceLevelProperty
	properties.MotivationProperties
}

// ----------------------------------------------------------------------
//
// Initialization Functions
//
// ----------------------------------------------------------------------
/*
New - This function will create a new STIX Intrusion Set object and return it as
a pointer.
*/
func New() *IntrusionSet {
	var obj IntrusionSet
	obj.InitObject("intrusion-set")
	return &obj
}

// ----------------------------------------------------------------------
//
// Public Methods - IntrusionSet
//
// ----------------------------------------------------------------------
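
// Added example, not part of libstix2: a stand-alone sketch of why IntrusionSet is built from embedded property structs (encoding/json promotes embedded fields to the top level of one JSON object) and of the checks a consumer can run before ingesting an intrusion-set from a feed.
// Assumptions: the two property types below are hypothetical stand-ins, not libstix2's definitions; IntrusionSetSketch and ParseIntrusionSet are names invented here; the first_seen/last_seen ordering rule is the one stated in STIX 2.1; the sample object is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical stand-ins for two libstix2 property types (assumed shapes).
type NameProperty struct {
	Name string `json:"name,omitempty"`
}
type SeenTimestampProperties struct {
	FirstSeen *time.Time `json:"first_seen,omitempty"`
	LastSeen  *time.Time `json:"last_seen,omitempty"`
}

// IntrusionSetSketch embeds the stand-ins the way IntrusionSet embeds its
// properties, so their fields appear at the top level of the JSON object.
type IntrusionSetSketch struct {
	Type string `json:"type"`
	ID   string `json:"id"`
	NameProperty
	SeenTimestampProperties
}

// ParseIntrusionSet decodes one object and rejects it if it is not a
// well-formed intrusion-set according to the checks below.
func ParseIntrusionSet(raw []byte) (*IntrusionSetSketch, error) {
	var o IntrusionSetSketch
	if err := json.Unmarshal(raw, &o); err != nil {
		return nil, err
	}
	switch {
	case o.Type != "intrusion-set" || !strings.HasPrefix(o.ID, "intrusion-set--"):
		return nil, errors.New("type or id is not that of an intrusion-set")
	case o.Name == "":
		return nil, errors.New("name is required")
	case o.FirstSeen != nil && o.LastSeen != nil && o.LastSeen.Before(*o.FirstSeen):
		return nil, errors.New("last_seen is earlier than first_seen")
	}
	return &o, nil
}

func main() {
	// Constructed sample (not real intelligence): last_seen precedes first_seen.
	_, err := ParseIntrusionSet([]byte(`{"type":"intrusion-set","id":"intrusion-set--00000000-0000-4000-8000-000000000001","name":"Example Set","first_seen":"2016-04-06T20:03:48.000Z","last_seen":"2015-01-01T00:00:00.000Z"}`))
	fmt.Println(err)
}
```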