Course of Action to Block Network Traffic

One potential course of action in response to an attack is to block network traffic associated with that attack. This idiom describes how that course of action can be represented in STIX.

Scenario

In this scenario, an organization wishes to represent a course of action describing blocking traffic to a known PIVY C2 server located at a specific IP address.

Data model

Blocking Network Traffic

The focus of this data model is of course on the STIX Course of Action component. The course of action is represented as a simple description with structured fields for the stage, type, objective, impact, cost, and efficacy of the course of action. A parameter observable is also given that indicates, using CybOX, the IP address to block.

The Title field simply gives the course of action a human-readable title. Similarly, Description and Short Description could be used to give it longer human-readable descriptions if desired.

The Stage field describes the stage of the response process that the course of action is used at. This is a controlled vocabulary (see xsi:type idiom) where the default vocabulary is COAStageVocab-1.0. For this idiom, the action is a response to some known activity so it’s set to “Response”.

The Type field, also a controlled vocabulary (default is CourseOfActionTypeVocab-1.0), indicates what general type of course of action is being described. This COA describes blocking of an IP address by perimeter firewalls, so is set to “Perimeter Blocking”.

The Objective field describes the intended purpose of the course of action at a technical level. It consists of a Description of that objective and an Applicability Confidence statement expressing how confident the producer is that the COA will achieve it. Since the objective is straightforward and the COA has a high degree of success in achieving it, the confidence is set to “High”.

The Impact field describes the expected impact that implementing the course of action will have on normal operations. It uses StatementType, which consists of a set of fields allowing the information producer to assert a statement about something. In this case, the Value field of the statement is set to “Low” (using the default vocabulary for this statement, HighMediumLowVocab-1.0) and a description is given as to why the impact is low. Because this COA involves blocking an IP address that is not used for any legitimate purposes, the impact to operations will be low.

Similarly, the Cost field is a StatementType field that describes the estimated cost of applying the course of action. Applying a firewall rule is cheap, so the value is set to “Low”. No description is given because the statement is simple enough not to require a justification or further explanation. Efficacy is yet another StatementType field; it describes the estimated effectiveness of the COA at achieving its objective and is set to “High” here.

The Parameter Observables field is a set of CybOX Observables that describe the technical parameters to the course of action. In combination with the Type field, these could be used to automatically convert the course of action into something actionable in a security tool. Alternatively, they can simply be displayed in a structured fashion to the end user. In this case, the CybOX AddressObject is used to represent the IP address that should be blocked.
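The following added example (not code from the STIX idioms page or from python-stix) shows the kind of automatic conversion described above: it walks the COA XML with only the Python standard library, checks that the Type is “Perimeter Blocking” in the expected vocabulary, pulls IP addresses out of the CybOX Address objects, and emits firewall rules. The namespace URIs are the ones declared by the STIX 1.x and CybOX 2.x schemas; the sample input is the idiom's own COA wrapped with those declarations, since the page shows it as a fragment, and the iptables rule shape is an assumption about the target tool.

```python
"""Turn a STIX 1.x 'Perimeter Blocking' Course of Action into firewall rules.
Added example, not part of the STIX idioms page or python-stix; stdlib only."""
import ipaddress
import xml.etree.ElementTree as ET

# Namespace URIs from the STIX 1.x / CybOX 2.x schemas used by the idiom's XML.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "coa": "http://stix.mitre.org/CourseOfAction-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "stixVocabs": "http://stix.mitre.org/default_vocabularies-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample input: the idiom's COA plus the namespace declarations a
# standalone document needs (the page shows the element as a fragment).
SAMPLE_COA = """<stix:Course_Of_Action %s
    id="example:coa-55f57cc7-ddd5-467b-a3a2-6fd602549d9e"
    xsi:type="coa:CourseOfActionType" version="1.1">
  <coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
  <coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
  <coa:Type xsi:type="stixVocabs:CourseOfActionTypeVocab-1.0">Perimeter Blocking</coa:Type>
  <coa:Parameter_Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
    <cybox:Observable id="example:Observable-e04425e4-60a2-4d91-a9f9-0ca956f19edb">
      <cybox:Object id="example:Address-d5bc7186-319d-44e0-85f4-0b65f59034a3">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>10.10.10.10</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object>
    </cybox:Observable>
  </coa:Parameter_Observables>
</stix:Course_Of_Action>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def _vocab_value(elem, path, vocab):
    """Return the text of a controlled-vocabulary field after checking its xsi:type."""
    node = elem.find(path, NS)
    if node is None or node.text is None:
        return None
    # xsi:type holds a QName; compare the local part so the prefix may vary.
    if not (node.get(XSI_TYPE) or "").endswith(vocab):
        raise ValueError("%s uses an unexpected vocabulary: %r" % (path, node.get(XSI_TYPE)))
    return node.text.strip()


def extract_block_targets(coa_xml):
    """Return the IP addresses a Perimeter Blocking COA asks to block.

    Raises ValueError if the COA is not Perimeter Blocking, or if an Address
    object does not hold a single well-formed address of its declared category.
    """
    root = ET.fromstring(coa_xml)
    if root.tag != "{%s}Course_Of_Action" % NS["stix"]:
        raise ValueError("not a stix:Course_Of_Action element")
    if _vocab_value(root, "coa:Type", "CourseOfActionTypeVocab-1.0") != "Perimeter Blocking":
        raise ValueError("only Perimeter Blocking COAs are translated to firewall rules")

    targets = []
    props_path = "coa:Parameter_Observables/cybox:Observable/cybox:Object/cybox:Properties"
    for props in root.findall(props_path, NS):
        if not (props.get(XSI_TYPE) or "").endswith(":AddressObjectType"):
            continue  # other CybOX object types are not firewall parameters
        category = props.get("category")
        if category not in ("ipv4-addr", "ipv6-addr"):
            continue  # e-mail and MAC addresses cannot be blocked at the perimeter
        value_node = props.find("AddressObj:Address_Value", NS)
        value = (value_node.text or "").strip() if value_node is not None else ""
        ip = ipaddress.ip_address(value)  # rejects garbage, delimited lists and CIDR ranges
        if ip.version != (4 if category == "ipv4-addr" else 6):
            raise ValueError("category %s does not match address %s" % (category, ip))
        targets.append(ip)
    return targets


def coa_to_iptables(coa_xml):
    """Emit iptables/ip6tables rules dropping traffic to and from each target."""
    rules = []
    for ip in extract_block_targets(coa_xml):
        tool = "iptables" if ip.version == 4 else "ip6tables"
        # PIVY agents beacon out to the C2, so drop outbound as well as inbound.
        rules.append("%s -A OUTPUT -d %s -j DROP" % (tool, ip))
        rules.append("%s -A INPUT -s %s -j DROP" % (tool, ip))
    return rules


if __name__ == "__main__":
    for rule in coa_to_iptables(SAMPLE_COA):
        print(rule)
```

The vocabulary and category checks are what keep the conversion safe to automate: a COA of another Type, or an Address object of category e-mail-addr, must not silently turn into a firewall rule, and a malformed Address_Value is rejected before it reaches the tool.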

Implementation

Full XML
<stix:Course_Of_Action id="example:coa-55f57cc7-ddd5-467b-a3a2-6fd602549d9e" xsi:type="coa:CourseOfActionType" version="1.1">
    <coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
    <coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
    <coa:Type xsi:type="stixVocabs:CourseOfActionTypeVocab-1.0">Perimeter Blocking</coa:Type>
    <coa:Objective>
        <coa:Description>Block communication between the PIVY agents and the C2 Server</coa:Description>
        <coa:Applicability_Confidence>
            <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
        </coa:Applicability_Confidence>
    </coa:Objective>
    <coa:Parameter_Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
        <cybox:Observable id="example:Observable-e04425e4-60a2-4d91-a9f9-0ca956f19edb">
            <cybox:Object id="example:Address-d5bc7186-319d-44e0-85f4-0b65f59034a3">
                <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                    <AddressObj:Address_Value>10.10.10.10</AddressObj:Address_Value>
                </cybox:Properties>
            </cybox:Object>
        </cybox:Observable>
    </coa:Parameter_Observables>
    <coa:Impact>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
        <stixCommon:Description>This IP address is not used for legitimate hosting so there should be no operational impact.</stixCommon:Description>
    </coa:Impact>
    <coa:Cost>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Low</stixCommon:Value>
    </coa:Cost>
    <coa:Efficacy>
        <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value>
    </coa:Efficacy>
</stix:Course_Of_Action>
Python Producer
from stix.core import STIXPackage
from stix.coa import CourseOfAction, Objective
from stix.common import Confidence
from cybox.core import Observables
from cybox.objects.address_object import Address

pkg = STIXPackage()
coa = CourseOfAction()
coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
coa.stage = "Response"            # COAStageVocab-1.0
coa.type_ = "Perimeter Blocking"  # CourseOfActionTypeVocab-1.0

obj = Objective()
obj.description = "Block communication between the PIVY agents and the C2 Server"
obj.applicability_confidence = Confidence("High")

coa.objective = obj
# Plain strings are coerced to Statement objects with a HighMediumLowVocab-1.0 value
coa.impact = "Low"
coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
coa.cost = "Low"
coa.efficacy = "High"

# The CybOX Address object supplies the IP address to block
addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
coa.parameter_observables = Observables(addr)

pkg.add_course_of_action(coa)

print(pkg.to_xml(encoding=None))
Python Consumer
import sys
from stix.core import STIXPackage

# Load the package to consume; the file path is assumed to be the first command-line argument
pkg = STIXPackage.from_xml(sys.argv[1])

print("== COA ==")
for coa in pkg.courses_of_action:
    print("---")
    print("COA: " + coa.title)
    print("Stage: " + str(coa.stage))
    print("Type: " + str(coa.type_))
    # Each parameter observable here wraps a CybOX Address object
    for obs in coa.parameter_observables.observables:
        print("Observable: " + str(obs.object_.properties.address_value))

    print("---")
    print("Objective: " + str(coa.objective.description))
    print("Confidence: " + str(coa.objective.applicability_confidence.value))
    print("---")
    print("Impact: " + str(coa.impact.value))
    print("Description: " + str(coa.impact.description))
    print("---")
    print("Cost: " + str(coa.cost.value))
    print("Efficacy: " + str(coa.efficacy.value))

Further Reading

See the full documentation for the relevant types for further information that may be provided: