newspaper-fold Blog

It's All in the Name: A Guide to STIX Naming Conventions

July 3, 2019

It's All in the Name: A Guide to STIX Naming Conventions

By Andrew Foster, Senior Threat Intelligence Analyst & Team Lead Academy

Generating quality titles for STIX objects isn’t as straightforward as it might seem. Titles should be short and meaningful. But not just to the author: We’re always interested in making STIX more useful and practical. To that end we’ve identified some guidelines on STIX naming conventions, which are outlined below, along with explanations and examples to illustrate our thinking.

1. Start by describing the object to an imaginary non-technical person who is in a hurry

The ‘five Ws’ (‘who’, ‘what’, ‘when’, ‘where’ and ‘why’) can serve as a useful checklist for naming objects but are often too verbose for STIX titles.

For example, answering the ‘when’ question is rarely necessary as there are several fields for capturing detailed time and date information in STIX objects. Answering the ‘who’ part in relation to  a threat actor is important, but this information is typically communicated using fields that describe relationships with other STIX objects.

2. Maximize insight and minimize words

Analysts must be able to quickly and accurately determine if an object is relevant to their investigation, without having to review the details of every object. Analysts aren’t Sherlock Holmes, so cryptic clues like “RACHE” won’t suffice.

Knowing your customers’ needs and ways of working helps. If you know how they use intelligence, it’s easier to convey the minimum information necessary to enable a relevancy determination.

3. Strive for reasonably unique titles across individual objects and object types

If every object has the same title, analysts will struggle to differentiate them. In the case of Indicators, if many share the same title, it might be worthwhile to consider merging them. For example:

Imagine a piece of malware code-named Kapsalon. Version 1 of Kapsalon comes hardcoded with five domains and five IP addresses used for C2. It is equally valid to create:

  • 10 Indicators titled ‘Kapsalon v1 C2 {IP address}’ and ‘Kapsalon v1 C2 {Domain}’
  • 2 Indicators titled ‘Kapsalon v1 C2 Domains’ and ‘Kapsalon v1 C2 IPs’
  • 1 Indicator titled ‘Kapsalon v1 C2’

The level of merging applied depends on the tools available and how the customers use the intelligence you create. The following titles might be unique at creation, but are unlikely to remain unique:

  • Any grouping of indicators all with the same title, e.g. ‘Malware C2’
  • Two indicators titled ‘Malicious Domains’ and ‘Malicious IPs’
  • One indicator titled ‘Kapsalon Malware IOCs’

Not only should titles be reasonably unique within the same object type, STIX objects of different types shouldn’t share the same title.

For example, while valid, it is confusing to create a TTP object titled ‘Kapsalon C2’, with relationships to 10 Indicators, also titled ‘Kapsalon C2’.

4. Use a repeatable titling convention and minimize ‘one-offs’

This might seem obvious given that most STIX objects are being created automatically. However, many STIX objects are being created manually by human analysts using a Threat Intelligence Platform, like ours.

This also might seem contradictory with the guidance to create reasonably unique titles, but the structure of the title is what should be repeatable, not the actual title. Consider the following example.

  • The indicator naming structure from above, ‘Kapsalon v1 C2 Domains’, breaks down into four chunks that can be programmatically filled across multiple samples:
    • Malware codename
    • Sample version number
    • Kill chain stage
    • Type of indicator
  • The title ‘Indicators for APT99 malware sample identified by client that lives in memory and is AV/Sandbox aware’, is certainly informative and unique, but it is also unstructured and difficult to generate programmatically.
  • Meanwhile, ‘BLOCK IMMEDATELY BAD!!!’ might catch an analyst’s attention; but within a very short space of time, this title will convey no useful information.
5. Avoid complex naming conventions and rules where possible 

Simplicity is your friend. EclecticIQ Fusion Center has used a few different complex naming conventions and rules over the years, but each of them came with a sound justification.

For example:

The STIX 1.2 ‘Threat Actor’ object will be split into 3 different STIX 2.x objects: ‘Intrusion Set’, ‘Threat Actor’ and ‘Identity’.

Today, a Fusion Center analyst creating a STIX object for ‘APT99’ will create a STIX 1.2 ‘Threat Actor’. In the future, they will create a STIX 2.x ‘Intrusion Set’.

Because this mapping is known, analysts prepend ‘Intrusion Set:’ to the title of STIX 1.2 ‘Threat Actor’ that will become STIX 2.x ‘Intrusion Set’ in the future.

Today, the correct title for an APT99 object is a STIX 1.2 ‘Threat Actor’ titled ‘Intrusion Set: APT99’. 

Similarly, a Fusion Center analyst creating a STIX object for ‘Ivan Sergeyevich Yermakov’ (a Russian intelligence official indicted by the FBI for interfering with the 2016 US Elections) would title the STIX 1.2 ‘Threat Actor’, ‘Threat Actor: Ivan Sergeyevich Yermakov’.

In the future, these labels will be dropped, as they won’t be necessary. 

Hopefully this short guide has been useful. As we’ve seen, it’s not always obvious how we can create meaningful and clear titles for STIX objects. But taking the time to do so makes it easier for other analysts to process intelligence more quickly and with greater confidence.

These are just five thoughts from the EclecticIQ analyst team. We’d love to hear your ideas and insights on object title naming.

We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.

3 more posts you might like