A TTP is an instance of a Tool, Technique, or Procedure used by a cyber actor
Property | Type | Description | Required? |
---|---|---|---|
id | String | | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
ttp_type | String | type of this TTP | ✓ |
type | TTPTypeIdentifier String | | ✓ |
valid_time | ValidTime Object | a timestamp for the definition of a specific version of a TTP item | ✓ |
behavior | Behavior Object | describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP | |
description | String | ||
external_ids | String List | ||
intended_effect | IntendedEffect String List | the suspected intended effect for this TTP | |
kill_chains | KillChain String List | ||
language | String | ||
resources | Resource Object | infrastructure or tools that the adversary uses to execute this TTP | |
revision | Integer | ||
short_description | String | ||
source | String | ||
source_uri | String | ||
timestamp | Inst (Date) | ||
title | String | ||
tlp | TLP String | ||
victim_targeting | VictimTargeting Object | characterizes the people, organizations, information or access being targeted |
- Reference: TTPType
Property behavior (Behavior Object)
describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP
- This entry is optional
- Behavior Object Value
- Details: Behavior Object
Property description (String)
- This entry is optional
- Markdown string with at most 5000 characters
Property external_ids (String List)
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property id (String)
- This entry is required
- IDs are strings of the form: type-<128bitUUID>, for example judgment-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
Property intended_effect (IntendedEffect String List)
the suspected intended effect for this TTP
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Account Takeover
- Advantage
- Advantage - Economic
- Advantage - Military
- Advantage - Political
- Brand Damage
- Competitive Advantage
- Degradation of Service
- Denial and Deception
- Destruction
- Disruption
- Embarrassment
- Exposure
- Extortion
- Fraud
- Harassment
- ICS Control
- Theft
- Theft - Credential Theft
- Theft - Identity Theft
- Theft - Intellectual Property
- Theft - Theft of Proprietary Information
- Traffic Diversion
- Unauthorized Access
Property kill_chains (KillChain String List)
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Actions on Objectives
- Command & Control
- Delivery
- Exploitation
- Installation
- Reconnaissance
- Weaponization
Property language (String)
- This entry is optional
- String with at most 1024 characters
Property resources (Resource Object)
infrastructure or tools that the adversary uses to execute this TTP
- This entry is optional
- Resource Object Value
- Details: Resource Object
Property revision (Integer)
- This entry is optional
- Zero, or a positive integer
Property schema_version (String)
CTIM schema version for this entity
- This entry is required
- A semantic version matching the CTIM version against which this object should be valid.
Property short_description (String)
- This entry is optional
- String with at most 2048 characters
Property source (String)
- This entry is optional
- String with at most 2048 characters
Property source_uri (String)
- This entry is optional
- A URI
Property timestamp (Inst (Date))
- This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property title (String)
- This entry is optional
- String with at most 1024 characters
Property tlp (TLP String)
- This entry is optional
- TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
- amber
- green
- red
- white
Property ttp_type (String)
type of this TTP
- This entry is required
- String with at most 1024 characters
Property type (TTPTypeIdentifier String)
- This entry is required
- Must equal: "ttp"
Property valid_time (ValidTime Object)
a timestamp for the definition of a specific version of a TTP item
- This entry is required
- ValidTime Object Value
- Details: ValidTime Object
Property victim_targeting (VictimTargeting Object)
characterizes the people, organizations, information or access being targeted
- This entry is optional
- VictimTargeting Object Value
- Details: VictimTargeting Object
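A structural check of a TTP record against the rules collected in the table and property details above, written for this page as an added example; it is not code from the CTIM or CTIA projects. It assumes JSON-decoded input, reads the `type-<128bitUUID>` rule as requiring the `id` prefix to equal the entity type (`ttp`), treats `schema_version` as a plain MAJOR.MINOR.PATCH string, and accepts a trailing `Z` on timestamps. The sample record, its UUID and its `ttp_type` value are constructed for illustration.

```python
import re
from datetime import datetime

# Added illustration, not code from the CTIM/CTIA projects; the rules are
# transcribed from the TTP property table and details on this page.

REQUIRED = ("id", "schema_version", "ttp_type", "type", "valid_time")

# Maximum string lengths stated per property on this page.
MAX_LEN = {"ttp_type": 1024, "language": 1024, "title": 1024,
           "short_description": 2048, "source": 2048, "description": 5000}

INTENDED_EFFECT = {
    "Account Takeover", "Advantage", "Advantage - Economic", "Advantage - Military",
    "Advantage - Political", "Brand Damage", "Competitive Advantage",
    "Degradation of Service", "Denial and Deception", "Destruction", "Disruption",
    "Embarrassment", "Exposure", "Extortion", "Fraud", "Harassment", "ICS Control",
    "Theft", "Theft - Credential Theft", "Theft - Identity Theft",
    "Theft - Intellectual Property", "Theft - Theft of Proprietary Information",
    "Traffic Diversion", "Unauthorized Access",
}
KILL_CHAINS = {"Actions on Objectives", "Command & Control", "Delivery",
               "Exploitation", "Installation", "Reconnaissance", "Weaponization"}
TLP = {"amber", "green", "red", "white"}

# type-<128bitUUID>: the prefix is the entity type, e.g. "ttp" or "judgment".
ID_RE = re.compile(r"^([a-z][a-z-]*)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")
# Assumption: schema_version is a plain MAJOR.MINOR.PATCH string.
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")


def parse_inst(s):
    """Parse an Inst (ISO 8601) value; a trailing Z is taken as UTC (assumption)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_ttp(doc):
    """Return a list of violations of the rules on this page; empty means valid."""
    errors = []
    for key in REQUIRED:
        if key not in doc:
            errors.append(f"missing required property {key}")
    if doc.get("type") != "ttp":
        errors.append('type must equal "ttp"')
    match = ID_RE.match(doc.get("id", ""))
    if not match:
        errors.append("id must be of the form type-<128bitUUID>")
    elif match.group(1) != "ttp":
        errors.append(f"id prefix {match.group(1)!r} does not match entity type ttp")
    if "schema_version" in doc and not SEMVER_RE.match(str(doc["schema_version"])):
        errors.append("schema_version must be a semantic version")
    for key, limit in MAX_LEN.items():
        if key in doc and len(doc[key]) > limit:
            errors.append(f"{key} exceeds {limit} characters")
    for value in doc.get("intended_effect", []):
        if value not in INTENDED_EFFECT:
            errors.append(f"unknown intended_effect {value!r}")
    for value in doc.get("kill_chains", []):
        if value not in KILL_CHAINS:
            errors.append(f"unknown kill_chains {value!r}")
    if doc.get("tlp", "green") not in TLP:  # an absent tlp means the default, green
        errors.append(f"unknown tlp {doc['tlp']!r}")
    if "revision" in doc and not (isinstance(doc["revision"], int) and doc["revision"] >= 0):
        errors.append("revision must be zero or a positive integer")
    valid_time = doc.get("valid_time")
    if isinstance(valid_time, dict):
        try:
            start = parse_inst(valid_time["start_time"]) if "start_time" in valid_time else None
            end = parse_inst(valid_time["end_time"]) if "end_time" in valid_time else None
        except ValueError as exc:
            errors.append(f"valid_time: {exc}")
        else:
            if start and end and end < start:
                errors.append("valid_time end_time precedes start_time")
    elif valid_time is not None:
        errors.append("valid_time must be a ValidTime object")
    return errors


# Constructed sample record; the UUID and ttp_type are illustrative, not real data.
SAMPLE_TTP = {
    "id": "ttp-7f3c1b2e-9a4d-4c8e-8b2f-0d1e2f3a4b5c",
    "type": "ttp",
    "schema_version": "1.0.0",
    "ttp_type": "credential-phishing",
    "title": "Credential phishing via lookalike login page",
    "tlp": "amber",
    "intended_effect": ["Theft - Credential Theft", "Account Takeover"],
    "kill_chains": ["Delivery", "Exploitation"],
    "valid_time": {"start_time": "2016-01-01T00:00:00Z"},
    "revision": 1,
}

if __name__ == "__main__":
    print(validate_ttp(SAMPLE_TTP) or "valid")
    print(validate_ttp(dict(SAMPLE_TTP, id="judgment-de305d54-75b4-431b-adb2-eb6b9e546014", tlp="blue")))
```

The id check deliberately reports a prefix that does not match the entity type as a separate error from a malformed id: a judgment id pasted into a TTP record is well-formed but wrong, and a feed consumer that only checks the UUID shape would accept it.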
Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If start_time is not present, then the valid time position of the object does not have a lower bound. | |
- Reference: ValidTimeType
Property end_time (Inst (Date))
If end_time is not present, then the valid time position of the object does not have an upper bound.
- This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time (Inst (Date))
If start_time is not present, then the valid time position of the object does not have a lower bound.
- This entry is optional
- Schema definition for all date or timestamp values. Time is stored internally as a java.util.Date object. Serialized as a string, the field should follow the rules of the ISO8601 standard.
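The two ValidTime rules above (absent start_time: no lower bound; absent end_time: no upper bound) as an added example that is not part of this page or of the CTIM project. It reads a ValidTime as the half-open interval [start_time, end_time) and treats a trailing Z as UTC, both assumptions; version_in_force is a hypothetical helper that picks the TTP definition in force at a given instant and refuses overlapping versions. The two sample versions are constructed.

```python
from datetime import datetime

# Added illustration, not CTIM project code. Assumptions: a ValidTime is read
# as the half-open interval [start_time, end_time), and a trailing Z means UTC.


def parse_inst(s):
    """Parse an Inst (ISO 8601) string into a timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def bounds(valid_time):
    """Return (start, end) datetimes; None stands for an absent, open bound."""
    start = valid_time.get("start_time")
    end = valid_time.get("end_time")
    return (parse_inst(start) if start else None,
            parse_inst(end) if end else None)


def is_valid_at(valid_time, when):
    """True if `when` lies inside the interval; an absent bound never excludes."""
    start, end = bounds(valid_time)
    if start is not None and when < start:
        return False
    if end is not None and when >= end:
        return False
    return True


def overlaps(a, b):
    """True if two ValidTime objects share at least one instant."""
    a_start, a_end = bounds(a)
    b_start, b_end = bounds(b)
    a_starts_before_b_ends = a_start is None or b_end is None or a_start < b_end
    b_starts_before_a_ends = b_start is None or a_end is None or b_start < a_end
    return a_starts_before_b_ends and b_starts_before_a_ends


def version_in_force(versions, when):
    """Pick the single TTP version whose valid_time covers `when`.

    Returns None if no version applies and raises ValueError if more than one
    does, since overlapping versions mean the feed's versioning is broken.
    """
    hits = [v for v in versions if is_valid_at(v["valid_time"], when)]
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} versions valid at {when.isoformat()}")
    return hits[0] if hits else None


# Constructed sample: two successive definitions of the same TTP. Revision 1
# ends exactly where revision 2 starts, so the two never overlap.
VERSIONS = [
    {"revision": 1, "valid_time": {"start_time": "2016-01-01T00:00:00Z",
                                   "end_time": "2017-06-01T00:00:00Z"}},
    {"revision": 2, "valid_time": {"start_time": "2017-06-01T00:00:00Z"}},
]

if __name__ == "__main__":
    print(version_in_force(VERSIONS, parse_inst("2018-01-01T00:00:00Z"))["revision"])
```

The half-open choice is what makes the hand-over instant unambiguous: at exactly 2017-06-01 revision 1 is already out and revision 2 already in. A feed that stored both bounds as inclusive would have two versions valid at that instant, which is why `overlaps` compares with strict `<`.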
Property | Type | Description | Required? |
---|---|---|---|
attack_patterns | AttackPattern Object List | one or more Attack Patterns for this TTP | |
malware_type | MalwareInstance Object List | one or more instances of Malware for this TTP |
- Reference: BehaviorType
Property attack_patterns (AttackPattern Object List)
one or more Attack Patterns for this TTP
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- AttackPattern Object Value
- Details: AttackPattern Object
Property malware_type (MalwareInstance Object List)
one or more instances of Malware for this TTP
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- MalwareInstance Object Value
- Details: MalwareInstance Object
Property | Type | Description | Required? |
---|---|---|---|
description | String | ||
short_description | String | ||
title | String | ||
type | MalwareType String List | a characterization of what type of malware this is | |
- Reference: MalwareInstanceType
Property description (String)
- This entry is optional
- Markdown string with at most 5000 characters
Property short_description (String)
- This entry is optional
- String with at most 2048 characters
Property title (String)
- This entry is optional
- String with at most 1024 characters
Property type (MalwareType String List)
a characterization of what type of malware this is
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Adware
- Automated Transfer Scripts
- Bot
- Bot - Credential Theft
- Bot - DDoS
- Bot - Loader
- Bot - Spam
- Dialer
- DoS / DDoS - Participatory
- DoS / DDoS - Script
- DoS / DDoS - Stress Test Tools
- DoS/ DDoS
- Exploit Kit
- POS / ATM Malware
- Ransomware
- Remote Access Trojan
- Rogue Antivirus
- Rootkit
Property | Type | Description | Required? |
---|---|---|---|
capec_id | String | a reference to a particular entry within the Common Attack Pattern Enumeration and Classification | |
description | String | ||
short_description | String | ||
title | String |
- Reference: AttackPatternType
Property capec_id (String)
a reference to a particular entry within the Common Attack Pattern Enumeration and Classification
- This entry is optional
Property description (String)
- This entry is optional
- Markdown string with at most 5000 characters
Property short_description (String)
- This entry is optional
- String with at most 2048 characters
Property title (String)
- This entry is optional
- String with at most 1024 characters
Property | Type | Description | Required? |
---|---|---|---|
infrastructure | Infrastructure Object | infrastructure observed to have been utilized for cyber attack | |
personas | Identity Object | ||
tools | Tool Object | The tool leveraged by this TTP |
- Reference: ResourceType
Property infrastructure (Infrastructure Object)
infrastructure observed to have been utilized for cyber attack
- This entry is optional
- Infrastructure Object Value
- Details: Infrastructure Object
Property personas (Identity Object)
- This entry is optional
- Identity Object Value
- Details: Identity Object
Property tools (Tool Object)
The tool leveraged by this TTP
- This entry is optional
- Tool Object Value
- Details: Tool Object
Describes a person or an organization
Property | Type | Description | Required? |
---|---|---|---|
description | String | | ✓ |
related_identities | RelatedIdentity Object List | Identifies other entity Identities related to this Identity | ✓ |
- Reference: IdentityType
Property description (String)
- This entry is required
- Markdown string with at most 5000 characters
Property related_identities (RelatedIdentity Object List)
Identifies other entity Identities related to this Identity
- This entry is required
- This entry's type is sequential (allows zero or more values)
- RelatedIdentity Object Value
- Details: RelatedIdentity Object
Describes a related Identity
Property | Type | Description | Required? |
---|---|---|---|
identity | String | The reference (URI) of the related Identity object | ✓ |
confidence | HighMedLow String | Specifies the level of confidence in the assertion of the relationship between the two objects | |
information_source | String | Specifies the source of the information about the relationship between the two components | |
relationship | String |
- Reference: RelatedIdentityType
Property confidence (HighMedLow String)
Specifies the level of confidence in the assertion of the relationship between the two objects
- This entry is optional
- Allowed Values:
- High
- Low
- Medium
- None
- Unknown
- Reference: HighMedLowVocab
Property identity (String)
The reference (URI) of the related Identity object
- This entry is required
- A URI
Property information_source (String)
Specifies the source of the information about the relationship between the two components
- This entry is optional
Property relationship (String)
- This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
description | String | text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack | |
short_description | String | ||
title | String | ||
type | AttackerInfrastructure String | represents the type of infrastructure being described |
- Reference: [Infrastructure Type](http://stixproject.github.io/data-model/1.2/ttp/Infrastructure Type/)
Property description (String)
text (Markdown) description of specific classes or instances of infrastructure utilized for cyber attack
- This entry is optional
- Markdown string with at most 5000 characters
Property short_description (String)
- This entry is optional
- String with at most 2048 characters
Property title (String)
- This entry is optional
- String with at most 1024 characters
Property type (AttackerInfrastructure String)
represents the type of infrastructure being described
- This entry is optional
- Allowed Values:
- Anonymization
- Anonymization - Proxy
- Anonymization - TOR Network
- Anonymization - VPN
- Communications
- Communications - Blogs
- Communications - Forums
- Communications - Internet Relay Chat
- Communications - Micro-Blogs
- Communications - Mobile Communications
- Communications - Social Networks
- Communications - User-Generated Content Websites
- Domain Registration
- Domain Registration - Dynamic DNS Services
- Domain Registration - Legitimate Domain Registration Services
- Domain Registration - Malicious Domain Registrars
- Domain Registration - Top-Level Domain Registrars
- Electronic Payment Methods
- Hosting
- Hosting - Bulletproof / Rogue Hosting
- Hosting - Cloud Hosting
- Hosting - Compromised Server
- Hosting - Fast Flux Botnet Hosting
- Hosting - Legitimate Hosting
- Reference: AttackInfrastructureTypeVocab
Describes a hardware or software tool used
Property | Type | Description | Required? |
---|---|---|---|
description | String | | ✓ |
references | String List | references to instances or additional information for this tool | |
service_pack | String | service pack descriptor for this tool | |
type | AttackToolType String List | type of the tool leveraged | |
vendor | String | information identifying the vendor organization for this tool |
- Reference: ToolInformationType
Property description (String)
- This entry is required
- Markdown string with at most 5000 characters
Property references (String List)
references to instances or additional information for this tool
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property service_pack (String)
service pack descriptor for this tool
- This entry is optional
Property type (AttackToolType String List)
type of the tool leveraged
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Application Scanner
- Malware
- Password Cracking
- Penetration Testing
- Port Scanner
- Traffic Scanner
- Vulnerability Scanner
- Reference: AttackerToolTypeVocab
Property vendor (String)
information identifying the vendor organization for this tool
- This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
identity | Identity Object | the person or organization being targeted | |
targeted_information | InformationType String List | a type of information that is targeted | |
targeted_observables | Observable Object List | targeted observables | |
targeted_systems | SystemType String List | type of system that is targeted |
- Reference: VictimTargetingType
Property identity (Identity Object)
the person or organization being targeted
- This entry is optional
- Identity Object Value
- Details: Identity Object
Property targeted_information (InformationType String List)
a type of information that is targeted
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Authentication Cookies
- Information Assets
- Information Assets - Corporate Employee Information
- Information Assets - Customer PII
- Information Assets - Email Lists / Archives
- Information Assets - Financial Data
- Information Assets - Intellectual Property
- Information Assets - Mobile Phone Contacts
- Information Assets - User Credentials
- Reference: InformationTypeVocab
Property targeted_observables (Observable Object List)
targeted observables
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Dev Notes: Was targeted_technical_details
- Observable Object Value
- Details: Observable Object
Property targeted_systems (SystemType String List)
type of system that is targeted
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
- Enterprise Systems
- Enterprise Systems - Application Layer
- Enterprise Systems - Database Layer
- Enterprise Systems - Enterprise Technologies and Support Infrastructure
- Enterprise Systems - Network Systems
- Enterprise Systems - Networking Devices
- Enterprise Systems - VoIP
- Enterprise Systems - Web Layer
- Industrial Control Systems
- Industrial Control Systems - Equipment Under Control
- Industrial Control Systems - Operations Management
- Industrial Control Systems - Safety, Protection and Local Control
- Industrial Control Systems - Supervisory Control
- Mobile Systems
- Mobile Systems - Mobile Devices
- Mobile Systems - Mobile Operating Systems
- Mobile Systems - Near Field Communications
- Third-Party Services
- Third-Party Services - Application Stores
- Third-Party Services - Cloud Services
- Third-Party Services - Security Vendors
- Third-Party Services - Social Media
- Third-Party Services - Software Update
- Users
- Users - Application And Software
- Users - Removable Media
- Users - Workstation
- Reference: SystemTypeVocab
A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
Property | Type | Description | Required? |
---|---|---|---|
type | ObservableTypeIdentifier String | | ✓ |
value | String | | ✓ |
Property type (ObservableTypeIdentifier String)
- This entry is required
- Observable type names
- Allowed Values:
- amp-device
- amp_computer_guid
- device
- domain
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- pki-serial
- sha1
- sha256
- url
- user
Property value (String)
- This entry is required
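Because the page constrains only the type name, a feed consumer has to decide for itself what a well-formed value looks like for each type. The following added example (not CTIM or CTIA code) does that for the common types before observables are attached to a TTP's targeted_observables. The per-type shapes it enforces (hash hex lengths, `ip` meaning IPv4 because `ipv6` is its own type, absolute http(s) URLs, DNS label syntax, colon-separated MAC addresses) are this example's own assumptions, and the sample list is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added illustration, not CTIM/CTIA code. The type names are taken from the
# page; the per-type value shapes below are this example's assumptions.

OBSERVABLE_TYPES = {
    "amp-device", "amp_computer_guid", "device", "domain", "file_name",
    "file_path", "hostname", "imei", "imsi", "ip", "ipv6", "mac_address",
    "md5", "pki-serial", "sha1", "sha256", "url", "user",
}
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$", re.IGNORECASE)   # single label allowed
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$", re.IGNORECASE)     # needs at least one dot
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def check_observable(obs):
    """Validate one Observable and return it in canonical form, or raise ValueError."""
    obs_type, value = obs.get("type"), obs.get("value")
    if obs_type not in OBSERVABLE_TYPES:
        raise ValueError(f"unknown observable type {obs_type!r}")
    if not isinstance(value, str) or not value:
        raise ValueError("value is required and must be a non-empty string")
    if obs_type == "ip":                      # assumption: "ip" is IPv4; ipv6 is its own type
        value = str(ipaddress.IPv4Address(value))
    elif obs_type == "ipv6":
        value = str(ipaddress.IPv6Address(value))   # compressed canonical form
    elif obs_type in HASH_HEX_LEN:
        if not re.fullmatch(rf"[0-9a-fA-F]{{{HASH_HEX_LEN[obs_type]}}}", value):
            raise ValueError(f"{obs_type} must be {HASH_HEX_LEN[obs_type]} hex digits")
        value = value.lower()
    elif obs_type in ("domain", "hostname"):
        value = value.rstrip(".").lower()     # drop a trailing root dot, case-fold
        pattern = DOMAIN_RE if obs_type == "domain" else HOSTNAME_RE
        if not pattern.match(value):
            raise ValueError(f"malformed {obs_type} {value!r}")
    elif obs_type == "url":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"url must be absolute http(s): {value!r}")
    elif obs_type == "mac_address":
        value = value.lower().replace("-", ":")
        if not MAC_RE.match(value):
            raise ValueError(f"malformed mac_address {value!r}")
    return {"type": obs_type, "value": value}


def normalise_targeted_observables(observables):
    """Canonicalise a targeted_observables list and drop duplicates, keeping order."""
    seen, result = set(), []
    for obs in observables:
        canon = check_observable(obs)
        key = (canon["type"], canon["value"])
        if key not in seen:
            seen.add(key)
            result.append(canon)
    return result


# Constructed sample input: mixed case, a trailing root dot, an uncompressed
# IPv6 address and a duplicate that only differs in form.
SAMPLE = [
    {"type": "domain", "value": "Login.Example.COM."},
    {"type": "domain", "value": "login.example.com"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "ipv6", "value": "2001:0db8:0000:0000:0000:0000:0000:0001"},
]

if __name__ == "__main__":
    for obs in normalise_targeted_observables(SAMPLE):
        print(obs)
```

Canonicalising before storage matters more than it looks: an uncompressed IPv6 address, an upper-case hash or a domain with a trailing dot would otherwise sit beside its normalised twin and never match a lookup on the other form.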