package stix2
import (
"github.com/pkg/errors"
)
// Campaign is a grouping of adversarial behaviors that describes a set of
// malicious activities or attacks (sometimes called waves) that occur over a
// period of time against a specific set of targets. Campaigns usually have
// well defined objectives and may be part of an Intrusion Set. Campaigns are
// often attributed to an intrusion set and threat actors. The threat actors
// may reuse known infrastructure from the intrusion set or may set up new
// infrastructure specific for conducting that campaign. Campaigns can be
// characterized by their objectives and the incidents they cause, people or
// resources they target, and the resources (infrastructure, intelligence,
// Malware, Tools, etc.) they use. For example, a Campaign could be used to
// describe a crime syndicate's attack using a specific variant of malware and
// new C2 servers against the executives of ACME Bank during the summer of 2016
// in order to gain secret information about an upcoming merger with another
// bank.
type Campaign struct {
	// STIXDomainObject is embedded, so its fields and methods are promoted
	// onto Campaign.
	STIXDomainObject
	// Name used to identify the Campaign.
	Name string `json:"name"`
	// Description provides more details and context about the Campaign,
	// potentially including its purpose and its key characteristics.
	Description string `json:"description,omitempty"`
	// Aliases are alternative names used to identify this Campaign.
	Aliases []string `json:"aliases,omitempty"`
	// FirstSeen is the time that this Campaign was first seen.
	// NewCampaign rejects a FirstSeen that is after LastSeen.
	// NOTE(review): the field is exported, so a value assigned after
	// construction is presumably not re-validated — confirm before trusting
	// the ordering on objects that were mutated or decoded elsewhere.
	FirstSeen *Timestamp `json:"first_seen,omitempty"`
	// LastSeen is the time that this Campaign was last seen.
	LastSeen *Timestamp `json:"last_seen,omitempty"`
	// Objective defines the Campaign’s primary goal, objective, desired
	// outcome, or intended effect — what the Threat Actor or Intrusion Set
	// hopes to accomplish with this Campaign.
	Objective string `json:"objective,omitempty"`
}
// MarshalJSON serializes the Campaign to JSON by delegating to
// marshalToJSONHelper.
func (c *Campaign) MarshalJSON() ([]byte, error) {
	encoded, err := marshalToJSONHelper(c)
	return encoded, err
}
// AddTargets creates a targets relationship from this campaign to an
// identity, location, or vulnerability.
//
// ErrInvalidParameter is returned when id is not a valid identifier or does
// not refer to one of those three object types.
func (c *Campaign) AddTargets(id Identifier, opts ...STIXOption) (*Relationship, error) {
	if !IsValidIdentifier(id) {
		return nil, ErrInvalidParameter
	}
	// Only accept the target types allowed here; anything else is rejected so
	// a malformed relationship never reaches the graph.
	switch {
	case id.ForType(TypeLocation), id.ForType(TypeIdentity), id.ForType(TypeVulnerability):
		return NewRelationship(RelationshipTypeTargets, c.ID, id, opts...)
	default:
		return nil, ErrInvalidParameter
	}
}
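// AddUses creates a uses relationship from this campaign to an attack
// pattern, infrastructure, malware, or tool that the campaign uses.
//
// ErrInvalidParameter is returned when id is not a valid identifier or does
// not refer to one of those four object types.
func (c *Campaign) AddUses(id Identifier, opts ...STIXOption) (*Relationship, error) {
	if !IsValidIdentifier(id) || (!id.ForType(TypeAttackPattern) && !id.ForType(TypeInfrastructure) &&
		!id.ForType(TypeMalware) && !id.ForType(TypeTool)) {
		return nil, ErrInvalidParameter
	}
	// The relationship type must match the method: recording this link as
	// "targets" would mislabel the campaign's own tooling as its victims in
	// any consumer of the resulting intelligence.
	return NewRelationship(RelationshipTypeUses, c.ID, id, opts...)
}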
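// AddAttributedTo creates an attributed-to relationship from this campaign to
// the intrusion set or threat actor it is attributed to.
//
// ErrInvalidParameter is returned when id is not a valid identifier or does
// not refer to an intrusion set or a threat actor.
func (c *Campaign) AddAttributedTo(id Identifier, opts ...STIXOption) (*Relationship, error) {
	if !IsValidIdentifier(id) || (!id.ForType(TypeIntrusionSet) && !id.ForType(TypeThreatActor)) {
		return nil, ErrInvalidParameter
	}
	// Use the attribution relationship type; emitting "targets" here would
	// make the attributed actor look like a victim of the campaign.
	return NewRelationship(RelationshipTypeAttributedTo, c.ID, id, opts...)
}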
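// AddCompromises creates a compromises relationship from this campaign to an
// infrastructure that is compromised as part of the campaign.
//
// ErrInvalidParameter is returned when id is not a valid identifier or does
// not refer to an infrastructure object.
func (c *Campaign) AddCompromises(id Identifier, opts ...STIXOption) (*Relationship, error) {
	if !IsValidIdentifier(id) || !id.ForType(TypeInfrastructure) {
		return nil, ErrInvalidParameter
	}
	// The relationship type must be "compromises", not "targets", so that
	// consumers can tell compromised infrastructure apart from targets.
	return NewRelationship(RelationshipTypeCompromises, c.ID, id, opts...)
}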
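// AddOriginatesFrom creates an originates-from relationship from this campaign
// to the location the campaign originates from.
//
// ErrInvalidParameter is returned when id is not a valid identifier or does
// not refer to a location.
func (c *Campaign) AddOriginatesFrom(id Identifier, opts ...STIXOption) (*Relationship, error) {
	if !IsValidIdentifier(id) || !id.ForType(TypeLocation) {
		return nil, ErrInvalidParameter
	}
	// The relationship type must be "originates-from"; "targets" would record
	// the origin location as a targeted location instead.
	return NewRelationship(RelationshipTypeOriginatesFrom, c.ID, id, opts...)
}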
// NewCampaign builds a Campaign with the given name and applies opts to it.
//
// It returns ErrPropertyMissing when name is empty, and an error wrapping
// ErrInvalidProperty when both FirstSeen and LastSeen are set and FirstSeen is
// after LastSeen. Otherwise the campaign is returned together with whatever
// error applyOptions produced, so callers must check the error before using
// the returned object.
func NewCampaign(name string, opts ...STIXOption) (*Campaign, error) {
	if name == "" {
		return nil, ErrPropertyMissing
	}

	campaign := &Campaign{
		STIXDomainObject: newSTIXDomainObject(TypeCampaign),
		Name:             name,
	}
	optErr := applyOptions(campaign, opts)

	// The time window is validated after the options ran, since the options
	// are what may set FirstSeen and LastSeen.
	first, last := campaign.FirstSeen, campaign.LastSeen
	if first != nil && last != nil && first.After(last.Time) {
		return nil, errors.Wrapf(ErrInvalidProperty, "Last seen (%s) is before first seen (%s)", last, first)
	}
	return campaign, optErr
}