New entity type "exploit" #797

Open
OzRex08 opened this issue Jul 23, 2020 · 7 comments
Labels
feature use for describing a new feature to develop

Comments


OzRex08 commented Jul 23, 2020

Problem to Solve

PoCs and Exploits, once developed and published, can significantly change Vulnerability Assessments. There appears to be no dedicated area within CVE 'Knowledge' to add information regarding a PoC or exploit (usually found as a Python script).

Current Workaround

Added in Notes section of CVE, and Tagged as PoC or Exploit

Proposed Solution

Create an Entity type as PoC or Exploit and allow relationships with CVEs

Additional Information

The PoC/Exploit could be sourced from www.exploit-db.com (or elsewhere) as a Connector, or manually added. It could have the following properties:

  • External Reference
  • Format (Python, STIX, etc.)
  • Date published
  • Relationship to Threat Actors, Campaigns or Intrusion Sets
  • Relationship to Attack Pattern
  • Relationship to Detection and Course of Action

lightoyou commented Aug 7, 2020

Yeah, maybe it's not a bad idea!

  • Relationship to Tool and Exploit like 'has'

I also propose this:

Problem to Solve

Import the CPE dictionary inside openCTI.
The goal behind it is to map your internal assets, to be proactive in case of a new vulnerability and create an alert in your SIEM, for example.

Proposed Solution

  1. Create a Connector able to:
  • Import Vendors from CPE as Identity object.
  • Import Products from CPE as Tool object.
  • Add a new relationship between Identity and Tools like 'owns'.
  • Import relationship between Tools and Vendors Identity.
  • Import relationship between Vulnerability and Tools.
  2. Map your internal Assets with Infrastructure object:
  • Import relationship between Infrastructure 'hosts' and Tools.

[attached image: STIX2_CVE(1)]
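The connector sketched in the comment above, as an added example that is not OpenCTI's or any existing connector's code: it parses CPE 2.3 formatted strings (handling the spec's escaped `\:` inside a component, which a naive split breaks on), emits STIX 2.1-style Identity (vendor), Tool (product) and Infrastructure (asset) dictionaries with the proposed `owns` and `hosts` relationships, and matches an asset inventory against a vulnerability's affected CPEs, which is the "alert in your SIEM" step. The relationship names `owns` and `hosts`, the `x_cpe` property, the UUID namespace and all CPE values are this example's assumptions or constructed sample data, not project identifiers.

```python
"""Added example (not OpenCTI's own code): CPE 2.3 -> STIX-style objects
plus a vulnerability/asset match, following the connector proposal above.
'owns', 'hosts' and 'x_cpe' are assumed custom names, not STIX 2.1 standard."""
import re
import uuid

# CPE 2.3 formatted-string components, in spec order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed namespace so the same CPE always yields the same STIX id (dedup on re-import).
NS = uuid.UUID("5d3c8f2a-1111-4b2b-9c0e-0f0e0d0c0b0a")

def split_cpe(cpe):
    """Split on unescaped colons only: a literal ':' in a component is written '\\:'.
    Limitation: an escaped backslash directly before a delimiter ('\\\\:') is not handled."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    parts = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError("expected %d components, got %d" % (len(CPE_FIELDS), len(parts)))
    # drop the backslash escapes once the split is done
    return dict(zip(CPE_FIELDS, (re.sub(r"\\(.)", r"\1", p) for p in parts)))

def stix_id(stix_type, key):
    return "%s--%s" % (stix_type, uuid.uuid5(NS, "%s:%s" % (stix_type, key)))

def relationship(rel_type, src, dst):
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", "%s|%s|%s" % (rel_type, src["id"], dst["id"])),
            "relationship_type": rel_type, "source_ref": src["id"], "target_ref": dst["id"]}

def cpe_to_objects(cpe):
    """Vendor -> Identity, product -> Tool, Identity 'owns' Tool (step 1 of the proposal)."""
    c = split_cpe(cpe)
    vendor = {"type": "identity", "spec_version": "2.1",
              "id": stix_id("identity", c["vendor"]),
              "name": c["vendor"], "identity_class": "organization"}
    name = c["product"] if c["version"] in ("*", "-") else "%s %s" % (c["product"], c["version"])
    tool = {"type": "tool", "spec_version": "2.1",
            "id": stix_id("tool", "%s:%s:%s" % (c["vendor"], c["product"], c["version"])),
            "name": name, "x_cpe": cpe}  # x_cpe: assumed custom property
    return vendor, tool, relationship("owns", vendor, tool)

def host_objects(asset_name, cpe):
    """Step 2: an internal asset as Infrastructure that 'hosts' the Tool."""
    vendor, tool, owns = cpe_to_objects(cpe)
    infra = {"type": "infrastructure", "spec_version": "2.1",
             "id": stix_id("infrastructure", asset_name), "name": asset_name}
    return [infra, vendor, tool, owns, relationship("hosts", infra, tool)]

def cpe_matches(asset, pattern):
    """Every pattern component must equal the asset's or be the ANY wildcard '*'.
    (Exact-value subset of CPE matching; version ranges are out of scope here.)"""
    return all(pattern[f] in ("*", asset[f]) for f in CPE_FIELDS)

def affected_assets(asset_cpes, vuln_cpes):
    """Return the inventory CPEs hit by any of a vulnerability's affected CPEs."""
    patterns = [split_cpe(p) for p in vuln_cpes]
    return [raw for raw in asset_cpes
            if any(cpe_matches(split_cpe(raw), p) for p in patterns)]

# Constructed sample inventory and a constructed affected-CPE list.
ASSETS = [
    "cpe:2.3:a:examplecorp:widgetd:1.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetd:1.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:widget_os:7:*:*:*:*:*:*:*",
]
VULN_CPES = ["cpe:2.3:a:examplecorp:widgetd:1.2.0:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for obj in host_objects("build-server-01", ASSETS[0]):
        print(obj["type"], obj["id"])
    print("affected:", affected_assets(ASSETS, VULN_CPES))
```

`affected_assets` is the piece that turns the imported dictionary into something actionable: run it whenever a new vulnerability's CPE list arrives, and raise the SIEM alert only for assets that actually match.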

@richard-julien richard-julien added the feature use for describing a new feature to develop label Aug 27, 2020
@richard-julien (Member)

@SamuelHassine any thoughts on that?

@SamuelHassine SamuelHassine added this to the Release 4.1.0 milestone Sep 14, 2020
@SamuelHassine (Member)

+1

@SamuelHassine SamuelHassine changed the title PoC / Exploit entity for CVE's New entity type "exploit" Sep 29, 2022
SamuelHassine (Member) commented Sep 29, 2022

Create a new SDO "Exploit" to be displayed in the "Arsenal" section:

Exploit attributes:

  • Name
  • Description
  • Published (date)
  • Language = language_ov (already existing)

Relationships:

Exploit => targets => Vulnerability
Threats => uses => Exploit
Malware => uses => Exploit
Exploit => uses => Attack Pattern
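The Exploit SDO sketched in the comment above, together with the properties OzRex08 listed at the top of the thread (external reference, published date), as an added example that is not OpenCTI's code: it builds the object as a STIX 2.1 custom type and enforces the relationship table from the comment, so a connector that tries to link two types the model does not allow fails before anything is imported. The type name `x-exploit`, the `x_published`/`x_language` property names, reading "Threats" as threat-actor, intrusion-set and campaign, the small stand-in language vocabulary, and all sample values are this example's assumptions, not project identifiers.

```python
"""Added example, not OpenCTI's own code: the proposed Exploit SDO as a STIX 2.1
custom object, with the thread's relationship table enforced on import.
Assumed names: 'x-exploit', 'x_published', 'x_language'; "Threats" is read as
threat-actor, intrusion-set and campaign."""
import json
import uuid
from datetime import datetime

NS = uuid.UUID("0b5f7e2c-2222-4c3d-8e9f-1a2b3c4d5e6f")  # constructed namespace

# Constructed stand-in for the thread's language_ov (the real vocabulary lives in OpenCTI).
LANGUAGE_OV = {"python", "c", "go", "ruby", "javascript", "powershell", "stix"}

# Allowed (source type, relationship_type, target type) triples, from the comment above.
ALLOWED = {
    ("x-exploit", "targets", "vulnerability"),
    ("threat-actor", "uses", "x-exploit"),
    ("intrusion-set", "uses", "x-exploit"),
    ("campaign", "uses", "x-exploit"),
    ("malware", "uses", "x-exploit"),
    ("x-exploit", "uses", "attack-pattern"),
}

def stix_id(stix_type, key):
    """Deterministic id so re-importing the same record dedups instead of duplicating."""
    return "%s--%s" % (stix_type, uuid.uuid5(NS, "%s:%s" % (stix_type, key)))

def valid_timestamp(s):
    """STIX timestamps are RFC 3339 UTC with millisecond precision, e.g. 2020-07-23T00:00:00.000Z."""
    try:
        datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")
        return True
    except ValueError:
        return False

def is_allowed(src_type, rel_type, dst_type):
    return (src_type, rel_type, dst_type) in ALLOWED

def make_exploit(name, description, published, language, references=()):
    """The proposed Exploit SDO: name, description, published date, language, external references."""
    if not valid_timestamp(published):
        raise ValueError("published must be a STIX timestamp, got %r" % published)
    if language.lower() not in LANGUAGE_OV:
        raise ValueError("language %r not in language_ov" % language)
    obj = {"type": "x-exploit", "spec_version": "2.1",
           "id": stix_id("x-exploit", name), "name": name, "description": description,
           "x_published": published, "x_language": language.lower()}
    if references:
        obj["external_references"] = [{"source_name": src, "url": url} for src, url in references]
    return obj

def make_sdo(stix_type, name):
    """Minimal standard SDO (vulnerability, intrusion-set, attack-pattern, ...) for linking."""
    return {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type, name), "name": name}

def relate(src, rel_type, dst):
    """Create a Relationship SRO, refusing anything outside the declared table."""
    if not is_allowed(src["type"], rel_type, dst["type"]):
        raise ValueError("relationship %s -> %s -> %s is not allowed" % (src["type"], rel_type, dst["type"]))
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", "%s|%s|%s" % (src["id"], rel_type, dst["id"])),
            "relationship_type": rel_type, "source_ref": src["id"], "target_ref": dst["id"]}

def bundle(*objects):
    return {"type": "bundle", "id": stix_id("bundle", ",".join(o["id"] for o in objects)),
            "objects": list(objects)}

def demo():
    """Constructed sample: a PoC, the vulnerability it targets, the group using it,
    and the technique it implements. All names and references are placeholders."""
    exploit = make_exploit("Constructed PoC for VULN-PLACEHOLDER", "Example PoC record",
                           "2020-07-23T00:00:00.000Z", "Python",
                           references=[("exploit-db", "https://www.exploit-db.com/")])
    vuln = make_sdo("vulnerability", "VULN-PLACEHOLDER")
    group = make_sdo("intrusion-set", "Constructed Group")
    technique = make_sdo("attack-pattern", "Constructed Technique")
    return bundle(exploit, vuln, group, technique,
                  relate(exploit, "targets", vuln),
                  relate(group, "uses", exploit),
                  relate(exploit, "uses", technique))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the allowed triples in one table mirrors how the comment specifies the model and makes the import-time check the single place to update when a relationship is added; the same check is what a reviewer would want to see in any connector that feeds such an entity.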

@Kedae Kedae modified the milestones: Release 5.9.0, Release 5.8.0 Apr 3, 2023
@Kedae Kedae modified the milestones: Release 5.8.0, Release 5.9.0 May 22, 2023
@Jipegien Jipegien modified the milestones: Release 5.11.0, Long-term candidates Jul 27, 2023

d1zanv commented Oct 4, 2023

I have a project similar to this issue, so I was wondering if someone had started working on it?

@zerodayace

@Jipegien concerning the marking of exploited vulnerabilities the entity seems to be the way to go. Any ETA?

@Jipegien (Member)

Hello @iFrozenPhoenix! Currently we are using Malware entity and the malware_type open vocab to identify "Exploits". We do not plan to develop a specific Exploit entity anytime soon. Is it not enough to cover your use case?

@Jipegien Jipegien removed this from the Long-term candidates milestone Apr 23, 2024
10 participants