@johnwunder
Created October 26, 2016 15:51
Location thoughts

Use Cases

  1. Location of an intrusion set or information source: "APT1 originates from China"
     • Location tied to a specific identity
  2. Location of a sighting: "This indicator was sighted in NY, USA"
     • Location tied to general characteristics (presumption is orgs/people in NY)
     • Location might be combined with other attributes (e.g., "This indicator was sighted in the finance sector in NY, USA")
  3. Targeting by location: "This threat actor targets organizations in North America"
     • Location tied to general characteristics (orgs in NA)
     • Location might be combined with other attributes (e.g., "This threat actor targets the electric sector in North America")

Solution

Add more extensive identity characteristics to identity and intrusion-set. Specifically:

  • Optional "geolocation" attribute, linked to GeoJSON
  • Optional address attributes

Benefits:

  • Fewer SDOs and relationships
  • Allows sighting_of_ref to always refer to an identity
  • Cleaner semantics: you're not literally referring to locations in these instances, you're referring to identities that exist at those locations
  • Avoids burying civic addresses in structures they aren't meant to be conveyed in
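To make the proposal concrete, here is an added example (not from the gist, and not the STIX specification's own data model) of an identity object carrying the proposed "geolocation" and "address" properties for the "finance sector in NY, USA" sighting use case, with two checks a consumer would want: that the geometry is well-formed GeoJSON, and that a sighting's location reference resolves to an identity rather than a bare location. The property names "geolocation" and "address" are the proposal's, `where_sighted_refs` is the published STIX 2.0 name for the sighting-location reference, and all ids and values are constructed.

```python
# Added example, not from the gist or the STIX spec: an identity carrying the
# proposed "geolocation" (GeoJSON) and "address" properties, plus checks on the
# geometry and on sighting references. All ids and values are constructed.

def make_identity(obj_id, name, sectors, geolocation, address):
    return {"type": "identity", "id": obj_id, "name": name,
            "identity_class": "class",      # a category of orgs, not one org
            "sectors": sectors,
            "geolocation": geolocation,     # GeoJSON geometry: where they are
            "address": address}             # civic address, kept out of the geometry

def check_geolocation(geo):
    """True only for a GeoJSON Point or Polygon whose coordinates are in range."""
    if not isinstance(geo, dict) or geo.get("type") not in ("Point", "Polygon"):
        return False
    coords = geo.get("coordinates") or []
    points = [coords] if geo["type"] == "Point" else [p for ring in coords for p in ring]
    return bool(points) and all(
        isinstance(p, (list, tuple)) and len(p) == 2
        and -180 <= p[0] <= 180 and -90 <= p[1] <= 90   # GeoJSON order is [lon, lat]
        for p in points
    )

def location_refs_are_identities(bundle, sighting):
    """Every where_sighted_refs entry must resolve to an identity in the bundle."""
    by_id = {o["id"]: o for o in bundle if "id" in o}
    refs = sighting.get("where_sighted_refs", [])
    return bool(refs) and all(by_id.get(r, {}).get("type") == "identity" for r in refs)

# Constructed sample: "This indicator was sighted in the finance sector in NY, USA"
NY_FINANCE = make_identity(
    "identity--11111111-1111-4111-8111-111111111111",
    "Financial organizations in New York, USA",
    ["financial-services"],
    {"type": "Point", "coordinates": [-74.0060, 40.7128]},
    {"city": "New York", "region": "NY", "country": "US"},
)
SIGHTING = {"type": "sighting",
            "sighting_of_ref": "indicator--33333333-3333-4333-8333-333333333333",
            "where_sighted_refs": [NY_FINANCE["id"]]}
BUNDLE = [NY_FINANCE, SIGHTING]
```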