CODEBOOK
CIA Posture
Cyber security involves safeguarding the Confidentiality, Integrity, and
Availability (CIA) of information systems. These three principles form the foundation of effective cyber
security:
- Confidentiality: Ensures that sensitive information is accessed only by authorised individuals, preventing data breaches and unauthorised disclosures.
- Integrity: Protects the accuracy and reliability of data by preventing unauthorised modifications or tampering, ensuring that the information remains trustworthy.
- Availability: Ensures that information systems and data are accessible when needed by authorised users, minimising downtime caused by cyber attacks or system failures.
STIX Motives
Below is the list of potential motives or motivations for cyber incidents, based on STIX 2.1.
Reference:
STIX Attack
Motivation Vocabulary
| Motive | Description |
|---|---|
| Accidental | A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization. |
| Coercion | Being forced to act on someone else's behalf. Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss. |
| Dominance | A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks. |
| Ideology | A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and
illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment. |
| Notoriety | Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience. |
| Organizational Gain | Seeking advantage over a competing organization, including a military
organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability. |
| Personal Gain | The desire to improve one’s own financial status. Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits. |
| Personal Satisfaction | A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement,
etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective. |
| Revenge | A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft,
fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm. |
| Unpredictable | Acting without identifiable reason or purpose and creating unpredictable
events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims. |
STIX Industry Sectors
Below is the list of STIX Industry Sectors, based on STIX 2.1. Reference:
STIX Industry Sector Vocabulary
| Type | Description |
|---|---|
| Agriculture | The production of food, crops, and livestock for human consumption. |
| Aerospace | The design, development, and manufacturing of aircraft and spacecraft. |
| Automotive | Manufacturing and design of vehicles for personal and commercial use. |
| Chemical | Production and distribution of chemicals, from industrial to consumer products. |
| Commercial | Retail, trade, and business sectors focused on selling goods and services. |
| Communications | Industries responsible for telephone, broadcasting, and internet communications. |
| Construction | Building infrastructure including roads, bridges, and buildings. |
| Defense | Government and military sectors involved in national security and defense technology. |
| Education | Institutions focused on academic learning and research. |
| Energy | The generation and distribution of power, including oil, gas, and renewable energy. |
| Entertainment | Industries related to media, film, music, and other forms of entertainment. |
| Financial Services | Institutions like banks, investment firms, and payment processors. |
| Government Emergency Services | Services related to law enforcement, fire departments, and emergency medical response. |
| Government Local | Local government agencies and services at the municipal or county level. |
| Government National | National-level government bodies and agencies. |
| Government Public Services | Public-facing government services including social services and welfare programs. |
| Government Regional | Regional or state-level government agencies and services. |
| Healthcare | Organizations and professionals involved in medical care and public health. |
| Hospitality & Leisure | Hotels, restaurants, and tourism-related services. |
| Infrastructure - Dams | Management and operation of dam systems for water control and power generation. |
| Infrastructure - Nuclear | Industries focused on the development and management of nuclear power plants. |
| Infrastructure - Water | Management of water systems for consumption and sanitation purposes. |
| Insurance | Companies providing risk management through insurance policies. |
| Manufacturing | Industries involved in the production of goods and materials. |
| Mining | Extraction of minerals, metals, and other natural resources. |
| Non-Profit | Organizations that provide services and operate without a profit motive. |
| Pharmaceuticals | Development, production, and marketing of drugs and medical treatments. |
| Retail | Businesses involved in the sale of goods directly to consumers. |
| Technology | Companies focused on software, hardware, and technology development. |
| Telecommunications | Industries involved in providing communication services, including mobile and internet. |
| Transportation | Industries focused on moving people and goods via air, land, and sea. |
| Utilities | Provision of essential services such as electricity, gas, and water. |
STIX Threat Actor Types
Below is the list of STIX Threat Actor Types, based on STIX 2.1. Reference:
STIX Threat Actor
Type Vocabulary
| Type | Description |
|---|---|
| Activist | Highly motivated supporter of a social or political cause, aiming to disrupt an organization’s business model or damage its image. This category includes anarchists, cyber vandals, and hacktivists. |
| Competitor | An organization aiming to gain an advantage over a rival by stealing intellectual property, trade secrets, or business data. |
| Crime Syndicate | An enterprise organized to conduct large-scale criminal activity for profit, often associated with organized crime. |
| Criminal | Individuals or small groups committing crimes, often for personal financial gain. Common activities include intellectual property theft and extortion. |
| Hacker | Individuals who break into networks for the thrill or challenge, using either advanced skills or pre-made attack scripts. |
| Insider-Accidental | Non-hostile insiders who unintentionally expose the organization to harm through human error or lack of training. |
| Insider-Disgruntled | Current or former insiders seeking revenge, potentially leveraging extensive internal knowledge to harm the organization. |
| Nation-State | Actors working for or on behalf of a government, often with sophisticated tools, resources, and training to conduct espionage or political attacks. |
| Sensationalist | Individuals or small groups seeking fame by exposing sensitive information to cause public relations crises, without political goals. |
| Spy | Actors collecting sensitive information for use, dissemination, or sale, typically part of a well-resourced intelligence organization. |
| Terrorist | Individuals or groups using violence or cyber techniques to promote political or ideological goals, often raising funds through criminal activity. |
| Unknown | Actors whose motivations or identities cannot yet be determined due to insufficient information. |
Tactics, Techniques & Procedures (TTPS)
Below is a list of tactics, techniques, and procedures (TTPs) definitions, aligned with those used in the CISSM Events database:
| Name | Description |
|---|---|
| Message Manipulation | Interfering with the target's ability to communicate accurately. Examples: Hijacking social media accounts, defacing websites with political messages. |
| External Denial of Service | Attacks from outside the network to disrupt communication. Examples: DDoS attacks like ICMP flood, SYN flood, BGP hijack. |
| Internal Denial of Service | Disruption from within the network. Examples: Resetting routers, installing disruptive malware on file servers. |
| Data Attack | Manipulation, destruction, or encryption of data. Examples: Wiper viruses, ransomware, altering data with stolen credentials. |
| Physical Attack | Using IT components to damage physical systems. Examples: Manipulating PLCs to cause grid shutdowns, overheating a blast furnace. |
| Exfiltration from Sensors | Theft of data from peripheral devices. Example: Compromising PoS devices to steal credit card data. |
| Exfiltration from End Host | Theft of data from user devices. Examples: Malicious links, using compromised credentials. |
| Exfiltration from Network Infrastructure | Theft via networking equipment. Example: VPNFilter malware compromising routers. |
| Exfiltration from Application Server | Exploiting server vulnerabilities to steal data. Examples: SQL injection, direct access to email servers. |
| Exfiltration from Data in Transit | Intercepting data in transit. Example: Unencrypted data stolen from PoS devices or unsecured Wi-Fi. |
