Create an exploit target
An exploit target represents a vulnerability or a weakness in a software or hardware product or system, in a network, or in a configuration that enables a threat actor to use it as an entry point to access your assets and resources, and eventually to take control over them. Like a window that is left open upon leaving the house, it is a security hole in your ecosystem or infrastructure that malicious actors can leverage to get in and pursue their objectives.
In the context of a broader cyber threat scenario, a threat actor implements Tactics, Techniques, and Procedures (TTP) to hit an exploit target, and to attack a targeted victim.
A distinct occurrence is an incident. A series of structured attacks sharing similar characteristics — for example, they are carried out by the same threat actor and they hit the same exploit target — over a period of time is a campaign.
Any footprints or signatures the intruder leaves behind are indicators.
Create an exploit target
Required fields are marked with an asterisk ( * ).
There are two ways of creating an exploit target :
In the top navigation bar of a graph, click the create icon, and then Exploit target.
In the side navigation bar of the Dashboard, click the create icon, and then Exploit target.
If you create an exploit target from a graph, double-click its icon to access its details page.
If you create an exploit target from the Dashboard, its details page is displayed automatically.
Fill in the exploit target's details as follows:
Step 1 - Define the general options
In the Title field, assign the new exploit target entity a clear and descriptive name.
The name appears also on the entity detail pane header section.
In the Analysis field, you can include non-structured information such as additional context, references, links, and so on.
Step 2 - Define the characteristics
This section breaks down the main components of the exploit target in a structured, standardized, and consistent way.
In the Characteristics section, click Characteristic, and select one of the following options: Vulnerability, Weakness, or Configuration.
Vulnerabilities are referenced by CVE identifier, weaknesses follow the taxonomy and categorization of the Common Weakness Enumeration (CWE) list, and configurations are referenced by CCE identifier.
To add details about the vulnerability the threat actor exploits to attack the exploit target:
From the Characteristic drop-down menu, select Vulnerability.
In the Title field, enter a name to define the vulnerability.
Select the Is known checkbox to indicate that the vulnerability is already known to exist.
If you leave the checkbox deselected, you are describing a zero-day vulnerability.
Select the Is publicly acknowledged checkbox to indicate that the affected product vendor has officially acknowledged the vulnerability.
In the Description field, describe the vulnerability and its effects — for example, whether it causes a denial of service, whether it allows arbitrary code execution, whether it is a flavor of XSS, and so on.
In the Source field, enter the origin of the acquired information about the vulnerability — for example:
Use the Discovered date/time drop-down calendar, to select a date and time marking the discovery of the vulnerability.
From the Discovered date/time precision drop-down menu, select an option to provide an estimation of how accurate the vulnerability discovery time is: from second (accurate) to year (inaccurate).
Use the Published date/time drop-down calendar to select a date and time marking the publication of the information about the vulnerability.
From the Published date/time precision drop-down menu, select an option to provide an estimation of how accurate the vulnerability publication time is: from second (accurate) to year (inaccurate).
In the CVE-ID field, enter the unique CVE identifier to reference the vulnerability.
Example: CVE-2017-6394, as listed on CVE or on NVD.
In the OSVDB-ID field, enter the unique Open Source Vulnerability Database (OSVDB) identifier to reference the vulnerability.
OSVDB was shut down in April 2016; the OSVDB blog is still active.
In the CVSS score section, enter the Common Vulnerability Scoring System (CVSS) value to assess the severity of the vulnerability.
You can use an online calculator to calculate the CVSS score of the vulnerability.
In the Overall score field, enter the global score assessing the severity of the vulnerability.
In the Base score field, enter the partial score resulting from the analysis and calculation of the Base Score factors.
In the Base vector field, enter the CVSS base vector string, which records the base metrics behind the base score: how the threat actor reaches the vulnerability (attack vector), how hard the attack is, which privileges and user interaction it needs, and the confidentiality, integrity, and availability impact.
A vulnerability reachable remotely over the network gets a higher attack vector value than one that requires local or physical access, but the base score depends on all base metrics together, not on the attack vector alone.
In the Temporal score field, enter the partial score resulting from the analysis and calculation of the Temporal Score factors.
In the Temporal vector field, enter the temporal vector string: the temporal metrics that adjust the base score as the situation around the vulnerability evolves.
They take into account aspects such as the maturity of available exploit code, the availability of a fix to patch the vulnerability, and the confidence level in the existence of the vulnerability.
In the Environmental score field, enter the partial score resulting from the analysis and calculation of the Environmental Score factors.
In the Environmental vector field, enter the environmental vector string: the environmental metrics that adjust the score to the specific context of the target environment and its assets.
They take into account aspects such as the confidentiality, integrity, and availability requirements of the affected assets, that is, how much a data breach, a loss of privacy, or reduced performance and availability would matter in that environment.
In the Affected software section, you can enter details about the software product affected by the vulnerability.
In the Product field, enter the standard/commercial name of the software product.
Example: Prez-o-matic-fantastic
In the Edition field, enter the flavor of the software product.
Example: PE, Home, Pro.
In the Language field, enter the locale of the software product.
Example: English (US), Portuguese (BR)
In the Update field, enter any updates or service packs applied to the software product.
Example: SP1
In the Vendor field, enter the vendor name of the software product.
Example: Ecorp
In the Version field, enter the version name of the software product.
Example: 4.2.1
In the Device manufacturer field, enter the name of the manufacturer, if the vulnerability affects a hardware device.
Example: Omni Consumer Products
In the Device model field, enter the model of the device.
Example: ED-209
In the Device serial number field, enter the serial number of the device.
Example: OCP-ED-209-PK1580FF20SEC
In the Device firmware version field, enter the version number of the device firmware.
Example: 1.0.2
In the Device system OS field, enter the name of the operating system the device is equipped with.
Example: TempleOS
In the References field, enter a URL pointing to relevant reference information on the exploit target, if available.
The field takes only URLs as input. Enter one URL per field.
To confirm the current input and to display a new input field, press Enter.
To remove an entry from this section, click the cross icon corresponding to the item you want to remove.
To add details about the specific weakness or flaw causing a vulnerability in the software product or the hardware device:
From the Characteristic drop-down menu, select Weakness.
In the Description field, describe the weakness and its effects — for example, Use of Non-Canonical URL Paths for Authorization Decisions.
In the CWE-ID field, enter the CWE identifier to reference the weakness.
The CWE ID format is CWE-${int}.
Example: CWE-647
To add details about the specific configuration of the software product or hardware device that causes a vulnerability:
From the Characteristic drop-down menu, select Configuration.
In the Description field, describe the affected configuration — for example, The Java Security Manager (JSM) should be enabled or disabled as appropriate.
In the CCE-ID field, enter the CCE identifier to reference the configuration.
The CCE ID format is CCE-${random_integer}-${Luhn_algorithm_check_digit}.
Example: CCE-26789-8
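An added Python example, not part of the platform or of this page, that checks the three identifier formats described above before they go into the CVE-ID, CWE-ID and CCE-ID fields: the CVE-YYYY-NNNN syntax, the CWE-${int} syntax, and the CCE-${random_integer}-${Luhn_algorithm_check_digit} syntax, whose last digit is recomputed with the Luhn algorithm. The function names are the example's own; the identifiers it is exercised with are the ones quoted on this page.

```python
import re

# Identifier syntaxes as the page describes them:
# CVE-YYYY-NNNN, CWE-<int>, CCE-<digits>-<Luhn check digit>.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CWE_RE = re.compile(r"^CWE-(\d+)$")
CCE_RE = re.compile(r"^CCE-(\d+)-(\d)$")


def luhn_check_digit(digits: str) -> int:
    """Luhn mod-10 check digit for a string of decimal digits.
    Starting from the rightmost payload digit, every second digit is doubled
    (minus 9 when the doubled value exceeds 9); the check digit brings the sum to a multiple of 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def classify(identifier: str) -> tuple:
    """Return (characteristic, is_valid) for a CVE, CWE or CCE identifier.
    characteristic is the exploit-target characteristic the identifier belongs to
    (vulnerability, weakness, configuration); unknown prefixes give ('unknown', False)."""
    ident = identifier.strip().upper()
    m = CVE_RE.match(ident)
    if m:
        # CVE started in 1999; the sequence part has at least four digits (more allowed since 2014).
        return "vulnerability", int(m.group(1)) >= 1999
    m = CWE_RE.match(ident)
    if m:
        return "weakness", int(m.group(1)) > 0
    m = CCE_RE.match(ident)
    if m:
        payload, check = m.groups()
        # A mistyped CCE digit almost always breaks the Luhn check, so catch it before saving.
        return "configuration", luhn_check_digit(payload) == int(check)
    return "unknown", False


if __name__ == "__main__":
    for ident in ("CVE-2017-6394", "CWE-647", "CCE-26789-8", "CCE-26789-9", "OSVDB-12345"):
        print(ident, classify(ident))
```

Validating at entry time matters because these identifiers are what downstream consumers key on: an exploit target stored with a typo in its CVE-ID will never match the NVD record or the sightings that reference the correct identifier.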
Step 3 - Add observables
If you manually create an entity in the entity editor, and add observables with a type or value that matches the criteria of an existing observable ignore rule, these observables may not be accessible after saving the entity.
Observables are discrete pieces of information that represent properties, attributes, actions, and events.
They record a distinct piece of information, such as: an IP address, a hash, name of a country, name of a city, name of an organization, or the name of an individual; or an event such as the creation of a registry value, or a file deletion or modification.
They are atomic: the information they hold is complete and meaningful, but it cannot be split into smaller components without losing meaning and intelligence value.
They are factual: they record facts with no additional context or background.
You can relate observables with entities to provide context.
If observables are detected in a specific context, or if they are sighted within the organization, they become indicators and sightings, respectively.
To manually add an observable, do one of the following:
In a graph, click the create icon in the top navigation bar.
In the entity detail pane, click the menu icon, and from the drop-down menu select Edit.
In the entity editor, under Observables, click Observables.
In the side navigation bar, click the create icon > Observable.
In the top navigation bar, click Intelligence > All intelligence > Browse, Production, Discovery, or Exposure, click the Observables tab, and then Create observable.
When you are in the Add observables view:
From the Type drop-down menu, select the type of observable you are creating.
From the Link name drop-down menu, select the appropriate value to correctly describe the type of relationship between the parent entity and the embedded observable.
In the Value(s) field, enter the values of the observable.
If you enter multiple values, separate them with a comma (,).
From the Maliciousness drop-down menu, select the maliciousness level.
From the Source drop-down menu, select the data source associated with the observable.
To store your changes, click Save; to discard them, click Cancel.
The observable editor opens, and you can start describing the new observable in the Add observable view:
From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.
From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.
Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.
Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.
Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
These are the supported entity-observable relationship link names for the exploit target entity:
Affected: describes an affected, impacted asset or resource.
Configuration: enter the Common Configuration Enumeration (CCE) code defining a specific security system configuration issue, as well as the related configuration guidance statement containing preferred or required settings or policies for the system configuration it refers to.
Example: CCE-5770-3
Vulnerability: enter the Common Vulnerabilities and Exposures (CVE) identifier to reference the security threat.
Example: CVE-2017-6394, as listed on CVE or on NVD.
Weakness: enter the Common Weakness Enumeration (CWE) identifier to reference the software security weakness.
Example: CWE-319, CWE-642
After specifying the link name, you can move on to setting the observable value and its maliciousness confidence level.
You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:
In the entity edit view, browse to the Observables section.
If the section is populated with observables, each of them has a Link name column.
Click the Link name drop-down menu for the observable whose relationship link name you want to update, and then select one of the available options.
If the Link name drop-down menu has no options, the selected entity-observable relationship is undefined.
In the Value(s) field, enter the value of the observable.
The value and its format should match the specified observable type (kind).
If you specify multiple values, enter one value per line.
If you enter multiple values on one line, use a comma (,) as a separator.
Example: 75.23.125.231, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.
From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood that the potential threat may damage the organization.
This option corresponds to the value that is set under Confidence in observable rules.
When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.
You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.
For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.
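An added Python example, not platform code and not part of this page, of handling observable values the way the Value(s) field accepts them: split one per line or comma separated, checked against the observable type, reduced to the sender-domain blocklist of the email scenario above, plus a maliciousness update that enforces the rule that a flagged observable can only move to a higher level. The type names ipv4, domain and email, the ordered maliciousness labels, the function names and the sample addresses on honestpaul-superdeals.com are all the example's own assumptions.

```python
import ipaddress
import re

# Assumed maliciousness scale, ordered from lowest to highest; the platform's own labels may differ.
MALICIOUSNESS = ["unknown", "safe", "low", "medium", "high"]

# Hostname labels: 1-63 chars, no leading/trailing hyphen, at least one dot, 253 chars overall.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def parse_values(field_text: str) -> list:
    """Split the Value(s) field: one value per line, or several values per line separated by commas."""
    values = []
    for line in field_text.splitlines():
        for raw in line.split(","):
            v = raw.strip()
            if v:
                values.append(v)
    return values


def is_valid(kind: str, value: str) -> bool:
    """Check that a value has the shape its observable type requires."""
    if kind == "ipv4":
        try:
            return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
        except ValueError:
            return False
    if kind == "domain":
        return bool(_DOMAIN_RE.match(value.lower()))
    if kind == "email":
        m = _EMAIL_RE.match(value)
        return bool(m) and bool(_DOMAIN_RE.match(m.group(1).lower()))
    # Free-text kinds (city, person name, ...) have no checkable syntax beyond being non-empty.
    return bool(value)


def sender_domains(email_values: list) -> set:
    """Reduce a list of email observables to the sender domains a mail gateway rule would block."""
    domains = set()
    for v in email_values:
        m = _EMAIL_RE.match(v)
        if m:
            domains.add(m.group(1).lower())
    return domains


def raise_maliciousness(current: str, proposed: str) -> str:
    """Apply the rule that maliciousness only moves upward: a proposed downgrade leaves the level unchanged."""
    if MALICIOUSNESS.index(proposed) > MALICIOUSNESS.index(current):
        return proposed
    return current


# Constructed sample input (not from the page): three sender addresses on one domain,
# entered as one value on the first line and two comma-separated values on the second.
SAMPLE_EMAILS = (
    "paul@honestpaul-superdeals.com\n"
    "sales@honestpaul-superdeals.com, deals@honestpaul-superdeals.com"
)


if __name__ == "__main__":
    emails = [v for v in parse_values(SAMPLE_EMAILS) if is_valid("email", v)]
    print("block sender domains:", sender_domains(emails))
    print("medium -> safe stays:", raise_maliciousness("medium", "safe"))
```

Blocking on the derived domain rather than on the three addresses is the right granularity for the mail gateway rule in the scenario above, but note the trade-off: a domain-level rule also drops mail from any legitimate mailbox on that domain, so the rule should be reviewed when the exploit target's half-life expires.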
Step 4 - Add relationships
In the Relationships view, click Relationship.
From the drop-down menu select the option corresponding to the relationship you want to create.
The following options are available:
Option | Incoming/Outgoing | Description
Potential courses of action | Outgoing relationship | Relates the exploit target to the selected potential course(s) of action on the Search an entity dialog.
Related exploit targets | Outgoing relationship | Relates the exploit target to the selected exploit target(s) on the Search an entity dialog.
Course of action Related exploit targets | Incoming relationship | Relates the selected course(s) of action on the Search an entity dialog to the exploit target.
Report Exploit targets | Incoming relationship | Relates the selected report(s) on the Search an entity dialog to the exploit target.
TTP Exploit targets | Incoming relationship | Relates the selected TTP(s) on the Search an entity dialog to the exploit target.
Sighting Exploit target | Incoming relationship | Relates the selected sighting(s) on the Search an entity dialog to the exploit target.
In the Search an entity dialog, click the checkbox(es) to select one or more entities that you can relate to the current one.
You can refine search results by specifying a search string in the filter input field.
Alternatively, select one or more quick filter options such as Entity, Source, TLP, Date, and Datasets.
Click Select.
From the Relationship type drop-down menu, you can select the name of the entity relationship you added.
You can also type in your own relationship name in the empty input field.
When you assign a relationship a predefined or a custom name, it is visible in the graph view.
The arrow orientation indicates whether the relationship is incoming — from the related entity to the current one — or outgoing — from the current entity to the related one.
To remove a relationship type name, go to the relationship type you want to remove, and click the remove icon.
The relationship type name is removed.
To remove a relationship, go to the row of the relationship you want to remove, and click the remove icon.
The row and the corresponding relationship are removed.
You cannot undo these actions. They are irreversible.
Step 5 - Add metadata information
In the Estimated observed time field, enter the date when the entity was first observed/detected.
It corresponds to the date and time when the threat was detected, recorded, and reported for the first time.
Usually, Estimated observed time is either the same as Estimated threat start time, or it marks a point in time after Estimated threat start time. It can also be after the Estimated threat end time if the threat ended before it was observed.
In the Estimated threat start time field, enter the estimated date the threat activity started, based on observation, reports, and other intelligence.
It corresponds to the date and time when the threat was detected, recorded, and reported for the first time as an active/in-progress event.
The Estimated threat start time can be either the same as Estimated observed time, or it can mark a point in time before Estimated observed time.
If the threat is no longer active, go to the Estimated threat end time field, and enter the estimated end time of the threat activity, based on observation, reports, and other intelligence.
Go to the Half life section.
Half-life represents the amount of time it takes for a threat to lose half its intelligence value.
It corresponds to the number of days it takes for the malicious potential of a threat to decay by 50%.
Select the Use default value option to assign the entity the predefined half-life value.
You can assign default half-life values to each entity type in the /etc/eclecticiq/platform_settings.py file.
Integer values represent the number of days.
Default values, from eiq/platform/settings.py in the EIQ platform-backend:
# Default values
HALF_LIFE = {
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "incident": 182,
    "indicator": 30,
    "report": 182,
    "threat-actor": 1000,
    "ttp": 720,
}
Select the Override value option to override the default half-life value for the entity, and to set a custom one.
Enter an integer to represent the number of days it takes the entity to lose half its intelligence value.
In the Tags section, click Add tags to associate one or more tags with the entity.
Tags enable structuring and categorizing entities based on criteria such as confidence and attack stage.
Tags improve findability, and they offer quick reference pointers to place entities in a broader cyber threat context.
Click Source, and select the source of the threat information you are using to create the new entity.
The options available are the names of existing assigned user groups in the Intelligence Center.
Go to the Source reliability section.
Use this option to flag the entity with a predefined reliability value to help other users assess how trustworthy the entity data source is.
Select the Inherit from source option to assign the entity the same reliability value as the corresponding original data source.
Select the Custom override option to override the default source reliability value for the entity, and to set a custom one.
From the drop-down menu, select an option to flag the entity data source reliability level.
Values in this menu have the same meaning as the first character in the two-character Admiralty System code.
Example: B - Usually reliable
Step 6 - Add information source details
In the Description field, provide context and details to qualify the information source.
For example, enter a job role, or the function of an institution.
In the Identity field, enter the name of the information source.
For example, an individual's name or the official name of an entity such as an organization or government agency.
From the Roles drop-down menu, select one or more options to define how the information source contributed to the information in the report.
In the References field, enter a URL pointing to relevant reference information on the report, if available.
The field takes only URLs as input. Enter one URL per field.
To confirm the current input and to display a new input field, press ENTER.
To remove an input field from this section, click the corresponding cross icon.
Define sharing and usage
From the TLP drop-down menu, select the TLP color code to apply to the entity.
You can choose to override the TLP color by selecting Not set in the Override TLP drop-down menu.
TLP provides an intuitive reference to assess how sensitive information is, focusing in particular on how serious it is, and whom it should or should not be shared with.
In the Terms of use field, enter any legal notes about fair use of the information about the entity.
Define a workflow
Select the Add to dataset checkbox to include the exploit target in one or more existing datasets.
From the drop-down menu, select the target datasets you want to add the entity to.
Select the Manually enrich checkbox to manually enrich the entity with the enricher sources you select from the Enrichers to apply drop-down menu.
Step 7 - Save and publish
To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:
Click Save draft to store your changes without publishing the entity.
Click Publish to release the new version of the entity that includes your changes.
Click Cancel to discard the changes.
Save a draft
Drafts are available in the entity editor under Draft entities.
Two additional options are available when saving an entity as a draft:
Click Save draft and new if you are creating a new entity and have not saved it before. This option saves the current populated form as a draft without publishing it to the Intelligence Center, and creates and opens a new draft form in the editor.
Click Save draft and duplicate to save the current populated form as a draft without publishing it to the Intelligence Center, and to create and open a prepopulated copy of the draft entity in the editor to speed up the creation of a new entity of the same type.
Publish an entity
Published entities are saved to the Intelligence Center.
When the new entity is indexed, it is available in the Intelligence Center, in the entity editor under Published.
Published entities associated with a workspace or included in a dataset are available also through the corresponding workspace and dataset.
Two additional options are available when publishing an entity:
Click Publish and new if you are creating a new entity and you have not published it before. This option saves the current populated form, publishes it to the Intelligence Center, and creates and opens a new form in the editor.
Click Publish and duplicate to save the current populated form, publish it to the Intelligence Center, and create and open a prepopulated copy of the newly published entity in the editor to speed up the creation of a new entity of the same type.