skos:definition "Sub-gist for cybersecurity."^^xsd:string ;
22
24
skos:prefLabel "gistCyber"^^xsd:string ;
23
25
.
24
26
27
+
gist:AccountTypeVocabulary
28
+
a owl:Class ;
29
+
rdfs:subClassOf gist:Category ;
30
+
.
31
+
32
+
gist:AttackMotivationVocabulary
33
+
a owl:Class ;
34
+
rdfs:subClassOf gist:Category ;
35
+
.
36
+
25
37
gist:AttackPattern
26
38
a owl:Class ;
27
39
rdfs:subClassOf gist:TaskTemplate ;
28
40
rdfs:label "Attack Pattern"^^xsd:string ;
29
41
rdfs:comment 'Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC].'^^xsd:string ;
30
42
.
31
43
44
+
gist:AttackResourceLevelVocabulary
45
+
a owl:Class ;
46
+
rdfs:subClassOf gist:Category ;
47
+
.
48
+
32
49
gist:Campaign
33
50
a owl:Class ;
34
51
rdfs:subClassOf gist:TaskTemplate ;
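Review bot: gist:AccountTypeVocabulary, gist:AttackMotivationVocabulary and gist:AttackResourceLevelVocabulary are declared with only a type and a superclass, while the neighbouring gist:AttackPattern carries both rdfs:label and rdfs:comment. Add at least an rdfs:label and a one-sentence rdfs:comment or skos:definition to each new class so the terms are self-describing to anyone browsing or querying the ontology.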
@@ -48,13 +65,33 @@ gist:CourseOfAction
48
65
rdfs:comment "Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action."^^xsd:string ;
49
66
.
50
67
68
+
gist:EncryptionAlgorithmEnum
69
+
a owl:Class ;
70
+
rdfs:subClassOf gist:Category ;
71
+
.
72
+
73
+
gist:ExtensionTypesEnum
74
+
a owl:Class ;
75
+
rdfs:subClassOf gist:Category ;
76
+
.
77
+
51
78
gist:Grouping
52
79
a owl:Class ;
53
80
rdfs:subClassOf gist:Collection ;
54
81
rdfs:label "Grouping"^^xsd:string ;
55
82
rdfs:comment "STIX Definition: A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping."^^xsd:string ;
56
83
.
57
84
85
+
gist:GroupingContextVocabulary
86
+
a owl:Class ;
87
+
rdfs:subClassOf gist:Category ;
88
+
.
89
+
90
+
gist:HashingAlgorithmVocabulary
91
+
a owl:Class ;
92
+
rdfs:subClassOf gist:Category ;
93
+
.
94
+
58
95
gist:Identity
59
96
a owl:Class ;
60
97
rdfs:label "Identity"^^xsd:string ;
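Review bot: gist:EncryptionAlgorithmEnum and gist:ExtensionTypesEnum use an Enum suffix while gist:GroupingContextVocabulary and gist:HashingAlgorithmVocabulary use Vocabulary, yet all four are modelled identically as direct subclasses of gist:Category. If the suffix is meant to separate closed value lists from extensible ones, state that in an rdfs:comment or give the two kinds distinct superclasses; otherwise pick one suffix so the naming does not imply a distinction the axioms do not make.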
@@ -74,6 +111,16 @@ gist:Identity
74
111
] ;
75
112
.
76
113
114
+
gist:IdentityClassVocabulary
115
+
a owl:Class ;
116
+
rdfs:subClassOf gist:Category ;
117
+
.
118
+
119
+
gist:ImplementationLanguageVocabulary
120
+
a owl:Class ;
121
+
rdfs:subClassOf gist:Category ;
122
+
.
123
+
77
124
gist:Incident
78
125
a owl:Class ;
79
126
rdfs:subClassOf gist:Event ;
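Review bot: gist:IdentityClassVocabulary is inserted directly after gist:Identity, but nothing in the visible lines connects the two; the new class is only a subclass of gist:Category. If identities are meant to be categorized by this vocabulary, add the restriction or property that says so on gist:Identity, or record the intended use in an rdfs:comment on the new class. The same applies to gist:ImplementationLanguageVocabulary and whichever class it is meant to categorize.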
@@ -88,10 +135,25 @@ gist:Indicator
88
135
rdfs:comment "STIX Definition: Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc."^^xsd:string ;
89
136
.
90
137
138
+
gist:IndicatorTypeVocabulary
139
+
a owl:Class ;
140
+
rdfs:subClassOf gist:Category ;
141
+
.
142
+
143
+
gist:IndustrySectorVocabulary
144
+
a owl:Class ;
145
+
rdfs:subClassOf gist:Category ;
146
+
.
147
+
91
148
gist:Infrastructure
92
149
a owl:Class ;
93
150
.
94
151
152
+
gist:InfrastructureTypeVocabulary
153
+
a owl:Class ;
154
+
rdfs:subClassOf gist:Category ;
155
+
.
156
+
95
157
gist:IntrusionSet
96
158
a owl:Class ;
97
159
rdfs:subClassOf gist:TaskTemplate ;
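Review bot: gist:IndicatorTypeVocabulary, gist:IndustrySectorVocabulary and gist:InfrastructureTypeVocabulary are added as empty classes: the hunk declares no individuals and gives no pointer to where the permitted values are defined. Add the member terms in this commit, or an rdfs:isDefinedBy or rdfs:seeAlso reference to the source vocabulary, so that data using these categories can be checked against a known value list.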
@@ -117,6 +179,31 @@ gist:MalwareAnalysis
117
179
a owl:Class ;
118
180
.
119
181
182
+
gist:MalwareCapabilitiesVocabulary
183
+
a owl:Class ;
184
+
rdfs:subClassOf gist:Category ;
185
+
.
186
+
187
+
gist:MalwareResultVocabulary
188
+
a owl:Class ;
189
+
rdfs:subClassOf gist:Category ;
190
+
.
191
+
192
+
gist:MalwareTypeVocabulary
193
+
a owl:Class ;
194
+
rdfs:subClassOf gist:Category ;
195
+
.
196
+
197
+
gist:NetworkSocketAddressFamilyEnum
198
+
a owl:Class ;
199
+
rdfs:subClassOf gist:Category ;
200
+
.
201
+
202
+
gist:NetworkSocketTypeEnum
203
+
a owl:Class ;
204
+
rdfs:subClassOf gist:Category ;
205
+
.
206
+
120
207
gist:Note
121
208
a owl:Class ;
122
209
.
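Review bot: gist:MalwareResultVocabulary is ambiguous as named. It sits next to gist:MalwareAnalysis and presumably categorizes analysis results, but the declaration does not say what kind of result is meant. Add an rdfs:comment stating what it categorizes, or choose a name that ties it to malware analysis; the two NetworkSocket enums in the same hunk would benefit from the same one-line description.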
@@ -129,15 +216,40 @@ gist:Opinion
129
216
a owl:Class ;
130
217
.
131
218
219
+
gist:OpinionEnum
220
+
a owl:Class ;
221
+
rdfs:subClassOf gist:Category ;
222
+
.
223
+
224
+
gist:PatternTypeVocabulary
225
+
a owl:Class ;
226
+
rdfs:subClassOf gist:Category ;
227
+
.
228
+
229
+
gist:ProcessorArchitectureVocabulary
230
+
a owl:Class ;
231
+
rdfs:subClassOf gist:Category ;
232
+
.
233
+
132
234
gist:ProtocolVulnerability
133
235
a owl:Class ;
134
236
rdfs:subClassOf gist:Vulnerabity ;
135
237
.
136
238
239
+
gist:RegionVocabulary
240
+
a owl:Class ;
241
+
rdfs:subClassOf gist:Category ;
242
+
.
243
+
137
244
gist:Report
138
245
a owl:Class ;
139
246
.
140
247
248
+
gist:ReportTypeVocabulary
249
+
a owl:Class ;
250
+
rdfs:subClassOf gist:Category ;
251
+
.
252
+
141
253
gist:SoftwareVulnerability
142
254
a owl:Class ;
143
255
rdfs:subClassOf gist:Defect ;
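Review bot: the context line "rdfs:subClassOf gist:Vulnerabity ;" under gist:ProtocolVulnerability looks like a misspelling of Vulnerability. As written it points at a separate, undeclared IRI, so gist:ProtocolVulnerability will not be inferred as a subclass of the intended class, and queries over vulnerabilities will miss it. The line is untouched by this change, but since the hunk edits both sides of it, correct the IRI here.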
@@ -152,15 +264,70 @@ gist:ThreatActor
152
264
rdfs:comment "Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \\n\\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \\n\\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization."^^xsd:string ;
153
265
.
154
266
267
+
gist:ThreatActorRoleVocabulary
268
+
a owl:Class ;
269
+
rdfs:subClassOf gist:Category ;
270
+
.
271
+
272
+
gist:ThreatActorSophisticationVocabulary
273
+
a owl:Class ;
274
+
rdfs:subClassOf gist:Category ;
275
+
.
276
+
277
+
gist:ThreatActorTypeVocabulary
278
+
a owl:Class ;
279
+
rdfs:subClassOf gist:Category ;
280
+
.
281
+
155
282
gist:Tool
156
283
a owl:Class ;
157
284
rdfs:subClassOf gist:Software ;
158
285
rdfs:label "Tool"^^xsd:string ;
159
286
rdfs:comment "STIX Definition:Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \\n\\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \\n\\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack."^^xsd:string ;
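Review bot: the rdfs:comment literals on gist:ThreatActor and gist:Tool in the context of this hunk contain \\n\\n, which in a Turtle string is an escaped backslash followed by the letter n, so the stored text holds the characters \n rather than paragraph breaks. While adding the three ThreatActor vocabulary classes here, replace these with \n\n or a triple-quoted long literal, and add the space missing after "STIX Definition:" in the Tool comment.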