STIX Output

Title	STIX Phishing Indicator Example
Package_Intent	Indicators - Phishing

example:Indicator-19e5d914-cc0e-478f-a523-b099a34383f7 ○ ○

Title

"US-China" Phishing Indicator

Description

This is a cyber threat indicator for instances of "US-China" phishing attempts.

Valid Time Position

(2012-12-01T09:30:47Z to 2013-02-01T09:30:47Z)

Suggested COAs

○ "example:COA-346075c3-f3a4-48db-8e71-31b053f7838a"

○ "example:COA-a157f596-e1bf-4599-9dad-748511d68c3a"

○ "example:COA-0ac78ae1-661d-4845-ace1-a460c6075080"

○ "example:COA-a09c17a4-d05e-48f3-b629-7de9a8c42162"

○ "example:COA-98cf40a2-e2be-448e-8474-c6e8c02628ef"

○ "example:COA-d470b8d7-3717-4a42-a3bc-3b57f1b2c300"

○ "example:COA-e46d2565-754e-4ac3-9f44-2de1bfb1e71d"

Observable

○ "example:Observable-Pattern-5f1dedd3-ece3-4007-94cd-7d52784c1474"

Indicated TTP

Behavior

Attack_Patterns

Attack_Pattern [capec_id=CAPEC-98] →

Description → Phishing

Kill Chain Phases

DEBUG kill chain phase w/ idref

[external] ○ "example:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d"

Confidence

Confidence [timestamp=2012-12-01T09:30:47Z] →

Value [vocab_reference=someURLtoConfidenceModelDescription.foo.com] → High

Source → MITRE

example:Observable-Pattern-5f1dedd3-ece3-4007-94cd-7d52784c1474 ○ ○

EmailMessageObjectType ○ "example:Object-3a7aa9db-d082-447c-a422-293b78e24238"

example:Object-3a7aa9db-d082-447c-a422-293b78e24238 ○ EmailMessageObjectType ○

NOT THERE

cybox properties (type: EmailMessageObjectType)

Header →

From [category=e-mail] →

Address Contains: @state.gov

Related Objects

Contains ○ FileObjectType ○ [No ID]

d5e56 ○ Contains ○ FileObjectType ○

NOT THERE

cybox properties (type: FileObjectType)

File_Extension → pdf

Size_In_Bytes → 87022

Hashes →

HashMD5 = cf2b3ad32a8a4cfb05e9dfc45875bd70

example:COA-346075c3-f3a4-48db-8e71-31b053f7838a ○ ○

course of action (type: CourseOfActionType)

Stage → Remedy

Type → Email Block

Description → Redirect and quarantine new matching email

Objective →

Description → Prevent future instances of similar phishing attempts from reaching targeted recipients in order to eliminate possibility of compromise from targeted recipient falling for phishing lure.

example:COA-a157f596-e1bf-4599-9dad-748511d68c3a ○ ○

course of action (type: CourseOfActionType)

Stage → Remedy

Type → Web Link Block

Description → Block malicous links on web proxies

Objective →

Description → Prevent execution/navigation to known malicious web URLs.

example:COA-0ac78ae1-661d-4845-ace1-a460c6075080 ○ ○

course of action (type: CourseOfActionType)

Stage → Remedy

Type → Domain Traffic Block

Description → Block traffic to/from malicous domains via firewalls and DNS servers.

Objective →

Description → Prevent any traffic (potentially containing malicious logic, data exfil, C2, etc.) to or from known malicious domains.

example:COA-a09c17a4-d05e-48f3-b629-7de9a8c42162 ○ ○

course of action (type: CourseOfActionType)

Stage → Response

Type → Malicous Email Cleanup

Description → Remove existing matching email from the mail servers

Objective →

Description → Cleanup any known malicious emails from mail servers (potentially in Inboxes, Sent folders, Deleted folders, etc.) to prevent any future exploitation from those particular emails.

example:COA-98cf40a2-e2be-448e-8474-c6e8c02628ef ○ ○

course of action (type: CourseOfActionType)

Stage → Response

Type → Phishing Target Identification

Description → Review mail logs to identify other targeted recipients

Objective →

Description →

Identify all targeted victims of a particular phishing campaign in order to enable notification and to support more strategic cyber threat intelligence activities (TTP characterization, Campaign analysis, ThreatActor attribution, etc.).

example:COA-d470b8d7-3717-4a42-a3bc-3b57f1b2c300 ○ ○

course of action (type: CourseOfActionType)

Stage → Response

Type → Phishing Target Notification

Description → Notify targeted recipients

Objective →

Description → Notify all targeted victims of a particular phishing campaign to ensure they are aware they have been targeted and to help them understand how to avoid falling for phishing attacks.

example:COA-e46d2565-754e-4ac3-9f44-2de1bfb1e71d ○ ○

course of action (type: CourseOfActionType)

Stage → Response

Type → Super Secret Proprietary Response

Description → Carry out some sensitive action that is applicable only within the environment of the affected organization.

Title	Observable Title	Type
"US-China" Phishing Indicator	[Observable, no Title]	Malicious E-mail
EXPANDABLE CONTENT HERE

STIX Report

Document Contents

STIX Header

Indicators