How should TWIGS represent infrastructure?

[johnwunder]

In STIX, it leverages observable patterns to do so. Is that something we should replicate in TWIGS, and if so, should it

This has been a point of confusion in STIX, so it's probably worth rethinking it vs. just carrying over the STIX pattern. The confusion mostly stems from the fact that you can have a TTP infrastructure component to describe C2 infrastructure or you can put it in an indicator. So, one possible solution might be to have a relationship to indicator with a type of "Characterized_By" to describe that.

[terrymacdonald]

This might be an area where VERIS can help. Within VERIS the main part of
an attack is characterized by the four A's...

Actor,
Action,
Asset,
Attributes.

The actor is who did it. The action is what they did. The asset is what
they did it to. And the attribute is how they affected the asset.

They also have victim section to describe the victim and an impact section
to describe how that affected the victim.

So in our case, maybe we require an asset component to allow us to describe
either victim, attacker or intermediary assets used in an attack? We could
then use indicators (and their patterns) and the characterized_by
relationship as the link to it. We can then also have other relationships
from assets to observations to show when that asset was involved in
communication.

Would that work?
On 4/01/2016 4:30 am, "John Wunder" notifications@github.com wrote:

In STIX, it leverages observable patterns to do so Is that something we
should replicate in TWIGS, and if so, should it

This has been a point of confusion in STIX, so it's probably worth
rethinking it vs just carrying over the STIX pattern The confusion mostly
stems from the fact that you can have a TTP infrastructure component to
describe C2 infrastructure or you can put it in an indicator So, one
possible solution might be to have a relationship to indicator with a type
of "Characterized_By" to describe that

—
Reply to this email directly or view it on GitHub
#38.

[johnwunder]

Wow, that makes so much sense. Let's do it!

[treyka]

@terrymacdonald +1