Description
Let’s take a look at https://github.com/kbandla/APTnotes, a place with a lot of CTI reports, as insight into how many CTI reports from open/commercial vendors look today (and in months/years to come).
In our vision we should be able to express those CTI Reports through STIX and attach/reference them as a reference.
We would create a STIX Report object and then a network of related STIX objects (Actors, TTPs, Campaigns, COAs, Indicators) underneath it to express conclusions, but in order to do this we need to be able to express and note down all relevant text in its full richness within the STIX objects themselves.
Think about how to simply explain, in words, TTPs, some Actor, or eventually an APT Report.
Reports as such are really just a place for an executive summary and the root of a network of related STIX objects, and have an attachment/reference back to the original report and its source.
Pretty much now in twigs, each STIX object has just a title and a description as simple text fields (based on describable.json), and that is a major gap in supporting this goal and severely limits expressiveness.
We are looking for full rich text support, embedding images and, for sure, adding attachments.
I guess it is partially down to looking at describable.json and then at some other things as well.
Motivation for this is full context enablement of CTI:
- enable CTI Analysts to perform their job by clearly understanding CTI with all the caveats around it
- enable Intel Providers to adopt STIX and pass on reports as structured information
- enable CTI teams to create structured reporting for stakeholders and/or policy makers
- enable IR/SOC teams to better express findings and observations for humans to read
- CTI is not only for machines, but for humans too
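As an added illustration of the structure the issue describes (a Report object as the root of a network of related objects, with a reference back to the original vendor PDF), here is a small example that is not part of the issue or of the twigs project. It uses STIX 2.1 property names (`object_refs`, `external_references`, `relationship` objects) as an assumption; the draft schemas the issue refers to (describable.json) may name things differently. Every value in it (actor name, domain, URL, hash) is constructed, and the check at the end catches the two things that break such a graph: dangling references and a report with no link back to its source.

```python
"""Build a Report-rooted STIX 2.1-style bundle and check its references.

Added example, not code from the issue or the twigs project. STIX 2.1
property names are an assumption; all sample values are constructed.
"""
import uuid
from datetime import datetime, timezone

# Fixed timestamp so the bundle is reproducible (constructed).
NOW = datetime(2016, 1, 1, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_id(stix_type):
    """STIX identifiers are '<type>--<UUID>'."""
    return f"{stix_type}--{uuid.uuid4()}"


def sdo(stix_type, **props):
    """Common STIX Domain Object envelope plus type-specific properties."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": make_id(stix_type),
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


def relationship(source, target, rel_type):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_report_bundle():
    """Report = executive summary + root of the object graph + pointer to the PDF."""
    # Reference back to the original vendor report (constructed URL and hash).
    source_ref = {"source_name": "APTnotes (constructed sample)",
                  "url": "https://example.invalid/reports/sample-report.pdf",
                  "hashes": {"SHA-256": "0" * 64}}
    actor = sdo("threat-actor", name="Constructed Actor",
                description="Actor description would go here; today only plain text fits.")
    indicator = sdo("indicator", name="Constructed C2 domain",
                    pattern="[domain-name:value = 'c2.example.invalid']",
                    pattern_type="stix", valid_from=NOW)
    ttp = sdo("attack-pattern", name="Spearphishing attachment (constructed)")
    coa = sdo("course-of-action", name="Block the C2 domain at the resolver")
    rels = [relationship(indicator, actor, "indicates"),
            relationship(actor, ttp, "uses"),
            relationship(coa, ttp, "mitigates")]
    related = [actor, indicator, ttp, coa] + rels
    report = sdo("report", name="Constructed APT report",
                 description="Executive summary only; the full text lives in the referenced PDF.",
                 report_types=["threat-report"], published=NOW,
                 object_refs=[o["id"] for o in related],
                 external_references=[source_ref])
    return {"type": "bundle", "id": make_id("bundle"), "objects": [report] + related}


def check_report_graph(bundle):
    """Return problems: refs that do not resolve inside the bundle, and
    reports that carry no external_references back to their source."""
    ids = {o["id"] for o in bundle["objects"]}
    problems = []
    for obj in bundle["objects"]:
        if obj["type"] == "report":
            for ref in obj.get("object_refs", []):
                if ref not in ids:
                    problems.append(f"{obj['id']}: object_refs -> {ref} not in bundle")
            if not obj.get("external_references"):
                problems.append(f"{obj['id']}: no external_references to the source report")
        elif obj["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj[key] not in ids:
                    problems.append(f"{obj['id']}: {key} -> {obj[key]} not in bundle")
    return problems


if __name__ == "__main__":
    bundle = build_report_bundle()
    print(f"{len(bundle['objects'])} objects, problems: {check_report_graph(bundle)}")
```

The point of the check is the issue's own observation: a Report is only useful as a root if every object it points at is actually shipped alongside it and the original document is reachable from it. Rich text for the `description` fields would sit inside this same structure.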