- Location of an intrusion set or information source: "APT1 originates from China"
  - Location tied to a specific identity
- Location of a sighting: "This indicator was sighted in NY, USA"
  - Location tied to general characteristics (presumption is orgs/people in NY)
  - Location might be combined with other attributes (e.g., "This indicator was sighted in the finance sector in NY, USA")
- Targeting by location: "This threat actor targets organizations in North America"
  - Location tied to general characteristics (orgs in NA)
  - Location might be combined with other attributes (e.g., "This threat actor targets the electric sector in North America")
Add more extensive identity characteristics to identity and intrusion-set. Make it:
- Optional "geolocation" attribute, linked to GeoJSON
- Optional address attributes
Benefits:
- Fewer SDOs and relationships
- Allows sighting_of_ref to always refer to an identity
- Cleaner semantics... you're not literally referring to locations in these instances, you're referring to identities that exist at those locations
- Avoids burying civic addresses in structures they aren't meant to be conveyed in
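As an added example, not part of this proposal or of the STIX specification: a constructed STIX 2.1-style bundle in which the identity object carries the proposed optional geolocation (as a GeoJSON Point) and address properties, a check that every identity a sighting points at resolves to an identity object, and a lookup that derives "sighted in the finance sector in NY, USA" from that single identity rather than from a chain of location objects and relationships. The property names `geolocation` and `address`, the object ids, the organization and the indicator pattern are assumptions made for the example; the sighting's identity references are placed in `where_sighted_refs`, the property STIX 2.x uses for the identities at which something was seen.

```python
"""Added example, not part of the original proposal or the STIX
specification: an identity object carrying hypothetical "geolocation"
(GeoJSON) and "address" properties, plus checks over sightings that
reference it."""

# Constructed sample data. The UUIDs are placeholders; "geolocation" and
# "address" are the proposed optional properties, not standard identity
# properties in STIX 2.x.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--22222222-2222-4222-8222-222222222222",
            "created": "2020-01-01T00:00:00.000Z",
            "modified": "2020-01-01T00:00:00.000Z",
            "name": "Constructed Bank NY",
            "identity_class": "organization",
            "sectors": ["financial-services"],
            # GeoJSON Point order is [longitude, latitude], not [lat, lon]
            "geolocation": {"type": "Point", "coordinates": [-74.006, 40.7128]},
            # hypothetical civic address sub-object
            "address": {"city": "New York", "region": "NY", "country": "US"},
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2020-01-01T00:00:00.000Z",
            "modified": "2020-01-01T00:00:00.000Z",
            "pattern_type": "stix",
            # RFC 5737 documentation address, constructed for the example
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2020-01-01T00:00:00.000Z",
        },
        {
            "type": "sighting",
            "spec_version": "2.1",
            "id": "sighting--44444444-4444-4444-8444-444444444444",
            "created": "2020-01-02T00:00:00.000Z",
            "modified": "2020-01-02T00:00:00.000Z",
            "sighting_of_ref": "indicator--33333333-3333-4333-8333-333333333333",
            "where_sighted_refs": ["identity--22222222-2222-4222-8222-222222222222"],
            "count": 3,
        },
    ],
}


def index_objects(bundle):
    """Map every object id in the bundle to the object itself."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def is_valid_geojson_point(geometry):
    """Accept only a GeoJSON Point whose [lon, lat] pair is in range."""
    if not isinstance(geometry, dict) or geometry.get("type") != "Point":
        return False
    coords = geometry.get("coordinates")
    if not (isinstance(coords, list) and len(coords) == 2):
        return False
    lon, lat = coords
    return -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0


def check_identity_refs(bundle):
    """Return the identity references in sightings that do not resolve to
    an identity object; an empty list means every reference is clean."""
    objs = index_objects(bundle)
    bad = []
    for obj in bundle["objects"]:
        if obj["type"] != "sighting":
            continue
        for ref in obj.get("where_sighted_refs", []):
            target = objs.get(ref)
            if target is None or target["type"] != "identity":
                bad.append(ref)
    return bad


def resolve_sighting_locations(bundle):
    """For each sighting, pull sector, civic address and coordinates from
    the referenced identity, so that "sighted in the finance sector in NY,
    USA" is read off one identity object."""
    objs = index_objects(bundle)
    result = {}
    for obj in bundle["objects"]:
        if obj["type"] != "sighting":
            continue
        places = []
        for ref in obj.get("where_sighted_refs", []):
            ident = objs[ref]
            geo = ident.get("geolocation")
            address = ident.get("address", {})
            places.append({
                "identity": ident["name"],
                "sectors": ident.get("sectors", []),
                "region": address.get("region"),
                "country": address.get("country"),
                "coordinates": geo["coordinates"] if is_valid_geojson_point(geo) else None,
            })
        result[obj["id"]] = places
    return result
```

The GeoJSON validator rejects a swapped [lat, lon] pair only when it falls out of range, so producers still have to agree on the order; that is the kind of convention a shared geolocation attribute needs to pin down.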