Infrastructure
- UpdatedAug 1, 2024
- 1 minute read
The Infrastructure SDO represents a type of Tactics, Techniques, and Procedures (TTPs). They describe any systems, software services, and any associated physical or virtual resources intended to support some purpose of an attack. Infrastructure applies for STIX 2.x.
The elements of an attack are represented by other SDOs or SCOs. However, the Infrastructure SDO represents a named group of data that constitutes the infrastructure.
Examples of infrastructure include, C2 servers used in an attack, a device, or a server that is part of a defense, or database servers targeted by an attack.
Related Content
- Observables
Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks.
- Indicators
Indicators are artifacts observed on a network or operating system that are likely to indicate an intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or domain names.
- Attack Patterns
Attack patterns are a type of Tactics, Techniques, and Procedures (TTPs) that describe the methods that adversaries attempt to compromise targets.
- Campaign
Campaign is defined as grouping of adversarial behaviors that describes a set of malicious activities or attacks, sometimes called waves that occur over a period of time against a specific set of targets.
- Courses of Action
Courses of action is an action taken either to prevent an attack or to respond to an attack that is in progress.
- Identity
Identities represent actual individuals, organizations or groups, and classes of individuals, systems, or groups. Identities apply for STIX 2.x.
- Intrusion Set
An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties. An Intrusion Set usually involves a single organization. Intrusion set applies for STIX 2.x.
- Location
A Location represents a geographic location. Locations are primarily used to give context to other SDOs. Locations apply for STIX 2.x.
- Malware
Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. Malware applies for STIX 2.x.
- Malware Analysis
Malware Analysis captures the metadata and results of a malware. Malware analysis applies for STIX 2.x.
- Object Sighting
Sightings denote that an object was seen. Objects may be a malware, tool, threat actor, and so on.
- Observed Data
Observed Data conveys information about cyber security-related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Observed data applies for STIX 2.x.
- Threat Actor
Threat Actors are individuals, groups, or organizations who act with malicious intent. Threat actors applies for STIX 2.x.
- Threat Event
An event or situation that has the potential for causing undesirable consequences or impact.
- Threat Grouping
A Threat Groupings object explicitly asserts that the referenced STIX Objects have a shared context. Threat groupings applies for STIX 2.x.
- Threat Note
A Threat Note conveys informative text to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Threat notes applies for STIX 2.x.
- Threat Opinion
An Opinion is an assessment of the accuracy of the information in a STIX Object produced by a different entity. Threat opinions apply for STIX 2.x.
- Threat Report
Threat Reports are collections of threat intelligence focused on one or more topics. Threat reports apply for STIX 2.x.
- Tool
Tools are legitimate software that are used by threat actors to perform attacks. Tools apply for STIX 2.x.
- Vulnerability
A Vulnerability is a weakness or defect in a software or hardware component that attackers exploit. Vulnerabilities apply for STIX 2.x.
- Marking Definition
The marking-definition object represents a specific marking. Data markings typically represent handling or sharing requirements for data.
- Data Component
Data components are used to identify specific properties or values of a data source.
- Data Sources
Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source.
- Define RSS Feeds
A threat intelligence feed is a real time, continuous data stream that gathers information related to cyber risks or threats. RSS Feeds provides an easy way to stay up to date with your favorite websites, such as blogs or latest cyber security news.
- Relationships Objects
Use the relationships objects to link together two observables or an observable and SDO to explain how they relate to each other.
- Potential Relationships
The application uses automated correlation to establish potentially possible relationships between two SDOs, two Observables or an observable and SDO.