Actor Describes malicious actors (or adversaries) related to a cyber attack
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | A description of object, which may be detailed. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
short_description | MedStringString | A single line, short summary of the object. | ✓ |
source | MedStringString | | ✓ |
title | ShortStringString | A short title for this object, used as primary display and reference value | ✓ |
type | ActorTypeIdentifierString | | ✓ |
valid_time | ValidTime Object | | ✓ |
actor_types | ThreatActorTypeString List | | |
aliases | ShortStringString List | A list of other names that this Threat Actor is believed to use. | |
confidence | HighMedLowString | | |
external_ids | String List | | |
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
identity | Identity Object | | |
intended_effect | IntendedEffectString | | |
language | ShortStringString | The human language this object is specified in. | |
motivation | MotivationString | | |
planning_and_operational_support | LongStringString | | |
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
sophistication | SophisticationString | | |
source_uri | String | | |
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
tlp | TLPString | Specification for how, and to whom, this object can be shared. | |
- Reference: ThreatActorType

Property actor_types (ThreatActorTypeString List)
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Allowed Values:
  - Cyber Espionage Operations
  - Disgruntled Customer / User
  - Hacker
  - Hacker - Black hat
  - Hacker - Gray hat
  - Hacker - White hat
  - Hacktivist
  - Insider Threat
  - State Actor / Agency
  - eCrime Actor - Credential Theft Botnet Operator
  - eCrime Actor - Credential Theft Botnet Service
  - eCrime Actor - Malware Developer
  - eCrime Actor - Money Laundering Network
  - eCrime Actor - Organized Crime Actor
  - eCrime Actor - Spam Service
  - eCrime Actor - Traffic Service
  - eCrime Actor - Underground Call Service

Property aliases (ShortStringString List)
A list of other names that this Threat Actor is believed to use.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ShortString: String with at most 1024 characters

Property confidence (HighMedLowString)
- This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property description (MarkdownString)
A description of object, which may be detailed.
- This entry is required
- Markdown: Markdown string with at most 5000 characters

Property external_ids (String List)
- This entry is optional
- This entry's type is sequential (allows zero or more values)

Property external_references (ExternalReference Object List)
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ExternalReference Object Value
- Details: ExternalReference Object

Property id (String)
Globally unique URI identifying this object.
- This entry is required
- IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property identity (Identity Object)
- This entry is optional
- Identity Object Value
- Details: Identity Object

Property intended_effect (IntendedEffectString)
- This entry is optional
- Allowed Values:
  - Account Takeover
  - Advantage
  - Advantage - Economic
  - Advantage - Military
  - Advantage - Political
  - Brand Damage
  - Competitive Advantage
  - Degradation of Service
  - Denial and Deception
  - Destruction
  - Disruption
  - Embarrassment
  - Exposure
  - Extortion
  - Fraud
  - Harassment
  - ICS Control
  - Theft
  - Theft - Credential Theft
  - Theft - Identity Theft
  - Theft - Intellectual Property
  - Theft - Theft of Proprietary Information
  - Traffic Diversion
  - Unauthorized Access

Property language (ShortStringString)
The human language this object is specified in.
- This entry is optional
- ShortString: String with at most 1024 characters

Property motivation (MotivationString)
- This entry is optional
- Allowed Values:
  - Ego
  - Financial or Economic
  - Ideological
  - Ideological - Anti-Corruption
  - Ideological - Anti-Establishment
  - Ideological - Environmental
  - Ideological - Ethnic / Nationalist
  - Ideological - Human Rights
  - Ideological - Information Freedom
  - Ideological - Religious
  - Ideological - Security Awareness
  - Military
  - Opportunistic
  - Political

Property planning_and_operational_support (LongStringString)
- This entry is optional
- LongString: String with at most 5000 characters

Property revision (Integer)
A monotonically increasing revision, incremented each time the object is changed.
- This entry is optional
- Zero, or a positive integer

Property schema_version (String)
CTIM schema version for this entity
- This entry is required
- A semantic version matching the CTIM version against which this object should be valid.

Property short_description (MedStringString)
A single line, short summary of the object.
- This entry is required
- MedString: String with at most 2048 characters

Property sophistication (SophisticationString)
- This entry is optional
- Allowed Values:
  - Aspirant
  - Expert
  - Innovator
  - Novice
  - Practitioner

Property source (MedStringString)
- This entry is required
- MedString: String with at most 2048 characters

Property source_uri (String)
- This entry is optional
- A URI

Property timestamp (Inst (Date))
The time this object was created at, or last modified.
- This entry is optional
- ISO8601 Timestamp: Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title (ShortStringString)
A short title for this object, used as primary display and reference value
- This entry is required
- ShortString: String with at most 1024 characters

Property tlp (TLPString)
Specification for how, and to whom, this object can be shared.
- This entry is optional
- TLP: TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
- Default: green
- Allowed Values:
  - amber
  - green
  - red
  - white

Property type (ActorTypeIdentifierString)
- This entry is required
- Must equal: "actor"

Property valid_time (ValidTime Object)
- This entry is required
- ValidTime Object Value
- Details: ValidTime Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database, or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | MarkdownString | | |
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource | |
- Reference: External Reference

Property description (MarkdownString)
- This entry is optional
- Markdown: Markdown string with at most 5000 characters

Property external_id (String)
An identifier for the external reference content.
- This entry is optional

Property hashes (String List)
Specifies a dictionary of hashes for the contents of the url.
- This entry is optional
- This entry's type is sequential (allows zero or more values)

Property source_name (MedStringString)
The source within which the external-reference is defined (system, registry, organization, etc.)
- This entry is required
- MedString: String with at most 2048 characters

Property url (String)
A URL reference to an external resource
- This entry is optional
- A URI
ValidTime Period of time when a cyber observation is valid.
Property | Type | Description | Required? |
---|---|---|---|
end_time | Inst (Date) | If end_time is not present, then the valid time position of the object does not have an upper bound. | |
start_time | Inst (Date) | If not present, the valid time position of the indicator does not have an upper bound | |
- Reference: ValidTimeType

Property end_time (Inst (Date))
If end_time is not present, then the valid time position of the object does not have an upper bound.
- This entry is optional
- ISO8601 Timestamp: Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time (Inst (Date))
If not present, the valid time position of the indicator does not have an upper bound
- This entry is optional
- ISO8601 Timestamp: Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Identity Describes a person or an organization
Property | Type | Description | Required? |
---|---|---|---|
description | MarkdownString | | ✓ |
related_identities | RelatedIdentity Object List | Identifies other entity Identities related to this Identity | ✓ |
- Reference: IdentityType

Property description (MarkdownString)
- This entry is required
- Markdown: Markdown string with at most 5000 characters

Property related_identities (RelatedIdentity Object List)
Identifies other entity Identities related to this Identity
- This entry is required
- This entry's type is sequential (allows zero or more values)
- RelatedIdentity Object Value
- Details: RelatedIdentity Object
RelatedIdentity Describes a related Identity
Property | Type | Description | Required? |
---|---|---|---|
identity | String | The reference (URI) of the related Identity object | ✓ |
confidence | HighMedLowString | Specifies the level of confidence in the assertion of the relationship between the two objects | |
information_source | String | Specifies the source of the information about the relationship between the two components | |
relationship | String | | |
- Reference: RelatedIdentityType

Property confidence (HighMedLowString)
Specifies the level of confidence in the assertion of the relationship between the two objects
- This entry is optional
- Allowed Values:
  - High
  - Info
  - Low
  - Medium
  - None
  - Unknown
- Reference: HighMedLowVocab

Property identity (String)
The reference (URI) of the related Identity object
- This entry is required
- A URI

Property information_source (String)
Specifies the source of the information about the relationship between the two components
- This entry is optional

Property relationship (String)
- This entry is optional
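
A minimal validator for the Actor rules listed on this page, as an added example that is not part of the CTIM project's code: it checks the required properties, the string limits, the confidence, sophistication and tlp vocabularies, the fixed type value and the revision range. The sample documents are constructed, the function names are hypothetical, and treating a URI as URL-shaped (scheme plus host) is an assumption taken from the page's example ID.

```python
from urllib.parse import urlparse

# Requirements, limits and vocabularies copied from the Actor tables on this page.
REQUIRED = ("description", "id", "schema_version", "short_description",
            "source", "title", "type", "valid_time")
MAX_LEN = {"description": 5000, "short_description": 2048, "source": 2048,
           "title": 1024, "language": 1024,
           "planning_and_operational_support": 5000}
VOCAB = {"confidence": {"High", "Info", "Low", "Medium", "None", "Unknown"},
         "sophistication": {"Aspirant", "Expert", "Innovator", "Novice", "Practitioner"},
         "tlp": {"amber", "green", "red", "white"}}


def validate_actor(actor):
    """Return a list of problems; an empty list means every check passed."""
    errors = [f"{k}: required" for k in REQUIRED if k not in actor]
    for key, limit in MAX_LEN.items():
        value = actor.get(key)
        if value is not None and (not isinstance(value, str) or len(value) > limit):
            errors.append(f"{key}: string of at most {limit} characters expected")
    for key, allowed in VOCAB.items():
        if key in actor and not (isinstance(actor[key], str) and actor[key] in allowed):
            errors.append(f"{key}: value not in allowed list")
    if "type" in actor and actor["type"] != "actor":
        errors.append('type: must equal "actor"')
    for key in ("id", "source_uri"):
        # Assumption: a URI here is URL-shaped, like the page's example ID.
        parts = urlparse(str(actor[key])) if key in actor else None
        if parts is not None and not (parts.scheme and parts.netloc):
            errors.append(f"{key}: URI expected")
    rev = actor.get("revision")
    if rev is not None and (type(rev) is not int or rev < 0):
        errors.append("revision: zero or a positive integer expected")
    return errors


def effective_tlp(actor):
    """tlp is optional and defaults to green, so absence still means shareable."""
    return actor.get("tlp", "green")


# Constructed sample documents, not real intelligence.
GOOD = {"description": "Constructed actor used for testing.",
        "id": "https://ctia.example/ctia/actor/actor-00000000-0000-0000-0000-000000000000",
        "schema_version": "1.0.0", "short_description": "Test actor",
        "source": "unit-test", "title": "Example Actor", "type": "actor",
        "valid_time": {"start_time": "2020-01-01T00:00:00Z"}}
BAD = {**GOOD, "type": "campaign", "tlp": "purple", "revision": -1,
       "id": "actor-1"}
```

Run the validator before applying the tlp default: an object that omits tlp is treated as green, so a document that fails validation should not reach the sharing decision.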