The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.

Item | Description |
---|---|
Perimeter Blocking | Perimeter-based blocking of traffic from a compromised source. |
Internal Blocking | Host-based blocking of traffic from an internal compromised source. |
Redirection | Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed. |
Redirection (Honey Pot) | Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets. |
Hardening | Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services. |
Patching | A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability. |
Eradication | Identifying, locating, and eliminating malware from the network. |
Rebuilding | Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource. |
Training | Training users and administrators on how to identify and mitigate this type of threat. |
Monitoring | Setting up network or host-based sensors to detect the presence of this threat. |
Physical Access Restrictions | Activities associated with restricting physical access to computing resources. |
Logical Access Restrictions | Activities associated with restricting logical access to computing resources. |
Public Disclosure | Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior. |
Diplomatic Actions | Engaging in communications and relationship building with threat actors to influence positive changes in behavior. |
Policy Actions | Modifications to policy that reduce the attack surface or infection vectors of malware. |
Other | Other actions not covered in this list. |

Field Name | Type | Description |
---|---|---|
@vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |