The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.
|Perimeter-based blocking of traffic from a compromised source.
|Host-based blocking of traffic from an internal compromised source.
|Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed.
|Redirection (Honey Pot)
|Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets.
|Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services.
|A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability.
|Identifying, locating, and eliminating malware from the network.
|Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource.
|Training users and administrators on how to identify and mitigate this type of threat.
|Setting up network or host-based sensors to detect the presence of this threat.
|Physical Access Restrictions
|Activities associated with restricting physical access to computing resources.
|Logical Access Restrictions
|Activities associated with restricting logical access to computing resources.
|Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior.
|Engaging in communications and relationship building with threat actors to influence positive changes in behavior.
|Modifications to policy that reduce the attack surface or infection vectors of malware.
|Other actions not covered in this list.
The vocab_name field specifies the name of the controlled vocabulary.
The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file.