Threat intelligence often contains references to the vulnerabilities that threat actors are targeting. When those vulnerabilities have been formally disclosed and identified (i.e., they are not 0-day or otherwise unknown vulnerabilities), they are almost always identified by a Common Vulnerabilities and Exposures (CVE®) identifier. This idiom describes how to use the STIX Exploit Target component to represent a disclosed vulnerability via its CVE ID.
In this scenario, we'll describe CVE-2013-3893 using the STIX Exploit Target component.
The relevant STIX component, Exploit Target, is used to represent potential targets of cyber threat activity: the vulnerabilities, weaknesses, and configurations that an adversary can exploit. Identifying a vulnerability by its CVE ID rather than by free-text description has a practical advantage: it allows easy correlation with the large set of existing tools and data sources (vulnerability scanners, patch management systems, advisories) that already key on CVE.
As you can see, this is a very simple idiom to represent. The Title field simply gives the exploit target a human-readable title. Similarly, the Description and Short Description fields can carry longer human-readable text if desired. The Vulnerability field represents the vulnerability itself. It is implemented via VulnerabilityType, which can identify a vulnerability by its CVE ID (as here) or its OSVDB ID, or can use the Common Vulnerability Reporting Framework (CVRF) to characterize an undisclosed vulnerability. Representing the CVE ID is as easy as filling in the CVE ID field with a properly-formatted CVE identifier, here CVE-2013-3893. Note that the schema types CVE_ID as a plain string, so a producer should make sure the value really is a well-formed CVE ID before it is shared; a typo here silently breaks the correlation that is the whole point of using CVE.
A consumer walks the package's Exploit Targets and reads each Vulnerability's CVE ID (the STIX XML file is given as the first command-line argument):

```python
import sys
from stix.core import STIXPackage

# Parse the STIX package from the file named on the command line.
pkg = STIXPackage.from_xml(sys.argv[1])

print("== VULNERABILITY ==")
for target in pkg.exploit_targets:
    print("---")
    print("Title : " + target.title)
    for vuln in target.vulnerabilities:
        print("CVE: " + vuln.cve_id)
```
See the full documentation for the relevant types for further information that may be provided: