While one option when sharing indicator signatures is to use the
Observable field in the indicator using CybOX, another option is to share indicators with signatures in a non-CybOX language via the
Test_Mechanisms field. The advantage of this is that you can share signatures that work natively in existing tools but can still integrate with the rest of the STIX architecture.
The hypothetical producer of this information could want to use OpenIOC because it’s a popular language for sharing IOCs that work in existing tools. At the same time, it’s helpful to have the rest of the STIX architecture available to relate the discovered IOCs to what they mean. In this scenario, IOCs that detect some variants of the Zeus malware family are provided along with the indicate that they detect that Zeus malware.
The information that the producer provides is simply the OpenIOC signature and the fact that it indicates Zeus malware. The Malware Hash idiom describes, we can use the Indicator and TTP components to describe this type of relationship. Unlike in that idiom however, in this case we’ll provide the OpenIOC test mechanism in the indicator rather than a CybOX pattern.
Because OpenIOC is also an XML language, we’re able to use XML schema features to ensure that both the STIX and the OpenIOC are valid. This is in contrast to the Snort and Yara test mechanisms, which merely embed those text rules and therefore their format cannot be validated during STIX validation. The other advantage of both languages being XML is that XML parsers are the only ones required to understand the full contents.
Notice in both the production code and the consumption code that the OpenIOC itself is accessed via an lxml ElementTree. That way you can work with it as normal XML…though if you need to extract it in order to send it off to a tool that can process it you can always use the
tostring method to do so.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 <stix:Indicator id="example:indicator-b92194e0-da61-4a32-9034-1148123b0f7a" timestamp="2014-06-20T20:53:08.440812+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1"> <indicator:Title>Zeus</indicator:Title> <indicator:Description>Finds Zeus variants, twexts, sdra64, ntos</indicator:Description> <indicator:Indicated_TTP> <stixCommon:TTP idref="example:ttp-27884a06-e75c-4f35-b58d-f8cf2722f7d3" xsi:type='ttp:TTPType' version="1.2"/> </indicator:Indicated_TTP> <indicator:Test_Mechanisms> <indicator:Test_Mechanism id="example:testmechanism-c7f7dad4-4835-4105-8a53-72149f721ec0" xmlns:stix-openioc='http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1' xsi:type='stix-openioc:OpenIOC2010TestMechanismType'> <indicator:Producer> <!-- snip --> </indicator:Producer> <stix-openioc:ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.mandiant.com/2010/ioc" xmlns:stix-openioc="http://stix.mitre.org/extensions/TestMechanism#OpenIOC2010-1" id="6d2a1b03-b216-4cd8-9a9e-8827af6ebf93" last-modified="2011-10-28T19:28:20"> <short_description>Zeus</short_description> <description>Finds Zeus variants, twexts, sdra64, ntos</description> <keywords/> <authored_by>Mandiant</authored_by> <authored_date>0001-01-01T00:00:00</authored_date> <links/> <definition> <!-- snip - full IOC content would go here - snip --> </definition> </stix-openioc:ioc> </indicator:Test_Mechanism> </indicator:Test_Mechanisms> </stix:Indicator>
1 2 3 4 5 6 7 8 9 10 11 12 ioc = etree.parse('6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc') indicator = Indicator(title="Zeus", description="Finds Zeus variants, twexts, sdra64, ntos") tm = OpenIOCTestMechanism() tm.ioc = ioc tm.producer = InformationSource(identity=Identity(name="Mandiant")) time = Time() time.produced_time = "0001-01-01T00:00:00" tm.producer.time = time tm.producer.references = ["http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc"] indicator.test_mechanisms = [tm]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 stix_package = STIXPackage.from_xml('openioc-test-mechanism.xml') for indicator in stix_package.indicators: print("== INDICATOR ==") print("Title: " + indicator.title) print("Description: " + indicator.description.value) for indicated_ttp in indicator.indicated_ttps: ttp = stix_package.find(indicated_ttp.item.idref) print("Indicated TTP: " + ttp.title) for tm in indicator.test_mechanisms: print("Producer: " + tm.producer.identity.name) print("== IOC ==") print(etree.tostring(tm.ioc)) print("== ENDIOC ==")
|Full XML||Python Producer||Python Consumer|