TA-35—Cyber Threat Data Model and Use Cases – Final Report


Author
Lemay, A.
Corporate Authors
Defence Research and Development Canada, Centre for Operational Research and Analysis, Ottawa ON (CAN); International Safety Research Inc, Ottawa ON (CAN)
This report documents the efforts related to the production of a data model based on the STIX 2.0 format to characterize cyber threats. The work produced four main outcomes:
- An analysis of the suitability of the STIX 2.0 standard to support the characterization of cyber threats;
- STIX 2.0 compliant data models to support automation or analysis;
- Profiles of Advanced Persistent Threat (APT) actor groups using the STIX 2.0 format; and
- Examples of exercise scenarios using the APT actor profiles to demonstrate use cases.

The main findings regarding the suitability of the STIX 2.0 standard are as follows:
- The standard is designed to represent threat information using graphs, with the various objects (threat actors, tools and malware, vulnerabilities, identities, etc.) modeled as nodes and the relationships between the objects represented as edges;
- The standard is designed around the concept of a minimum viable product, with a small number of rules and a large capacity for customization;
- The lack of enforced structure lends itself well to so-called “NoSQL” approaches, but makes automated processing more complex, as the same information can be expressed in multiple forms; and
- The standard, at the time of writing, lacks maturity, with continually evolving documentation and only partial software support.

In terms of presenting a model, the report proposes either to embrace the unstructured nature of the standard in a NoSQL approach, or to enforce a certain structure to faci
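
As an added example, not taken from the report and not part of any STIX tooling, the following Python script loads a STIX 2.0 bundle into the node-and-edge graph the abstract describes and queries it. The bundle, its identifiers, the actor, malware and target names, and the timestamps are all constructed for illustration, and the bundle is parsed with the standard library only (no `stix2` package). The script also shows two of the processing problems that follow from the standard's loose structure: the same relationship asserted twice under different ids, which keying edges on the (source, type, target) triple collapses, and a relationship whose endpoint object was never shipped with the bundle.

```python
"""Load a STIX 2.0 bundle into a directed graph and query it.

Added example (not from the report). STIX Domain Objects become nodes and
Relationship objects become edges keyed by (source_ref, relationship_type,
target_ref). Keying on the triple rather than on the relationship id collapses
the same assertion made twice, one of the "same information in multiple forms"
cases that complicates automated processing of STIX 2.0.
"""
import json
import re
from collections import deque
from dataclasses import dataclass, field

# STIX 2.0 ids are "<type>--<uuid>".
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS = "2017-11-01T00:00:00.000Z"

# Constructed identifiers for the sample; not real actors, malware or targets.
ACTOR = "threat-actor--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
MALWARE = "malware--b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e"
PATTERN = "attack-pattern--c3d4e5f6-a7b8-4c9d-8e0f-2a3b4c5d6e7f"
TARGET = "identity--d4e5f6a7-b8c9-4d0e-9f1a-3b4c5d6e7f80"
MISSING = "vulnerability--ffffffff-ffff-4fff-8fff-ffffffffffff"  # deliberately absent from the bundle


def _obj(obj_id, **props):
    """Minimal STIX 2.0 object: type derived from the id, plus the common timestamps."""
    return {"type": obj_id.split("--")[0], "id": obj_id, "created": TS, "modified": TS, **props}


def _rel(obj_id, src, rel_type, dst):
    return _obj(obj_id, relationship_type=rel_type, source_ref=src, target_ref=dst)


# Constructed sample bundle (hypothetical data, not drawn from the report's APT profiles).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6a3c2e4e-5f8b-4c4d-9a1e-2b7d8e9f0a11",
    "spec_version": "2.0",
    "objects": [
        _obj(ACTOR, name="APT-Example", labels=["nation-state"]),
        _obj(MALWARE, name="ExampleRAT", labels=["remote-access-trojan"]),
        _obj(PATTERN, name="Spearphishing Attachment"),
        _obj(TARGET, name="Example Ministry", identity_class="organization"),
        _rel("relationship--e5f6a7b8-c9d0-4e1f-8a2b-4c5d6e7f8091", ACTOR, "uses", MALWARE),
        # The same "uses" assertion again under a second id, as two producers would emit it.
        _rel("relationship--f6a7b8c9-d0e1-4f2a-9b3c-5d6e7f809102", ACTOR, "uses", MALWARE),
        _rel("relationship--0718293a-4b5c-4d6e-8f90-a1b2c3d4e5f6", MALWARE, "uses", PATTERN),
        _rel("relationship--1829304b-5c6d-4e7f-9a01-b2c3d4e5f607", ACTOR, "targets", TARGET),
        # Edge whose target object was never shipped with the bundle.
        _rel("relationship--293a4b5c-6d7e-4f80-8a12-c3d4e5f60718", MALWARE, "exploits", MISSING),
    ],
})


@dataclass
class ThreatGraph:
    nodes: dict = field(default_factory=dict)     # id -> STIX object
    edges: set = field(default_factory=set)       # (source_ref, relationship_type, target_ref)
    dangling: list = field(default_factory=list)  # relationship ids with an endpoint not in the bundle
    duplicate_relationships: int = 0              # relationship objects that restated an existing edge


def load_graph(bundle_json):
    """Parse a STIX 2.0 bundle string into a ThreatGraph, rejecting malformed ids."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("expected a STIX 2.0 bundle")
    graph = ThreatGraph()
    relationships = []
    for obj in bundle.get("objects", []):
        obj_id = obj.get("id", "")
        if not ID_RE.match(obj_id) or not obj_id.startswith(obj.get("type", "") + "--"):
            raise ValueError(f"malformed STIX id: {obj_id!r}")
        if obj["type"] == "relationship":
            relationships.append(obj)
        else:
            graph.nodes[obj_id] = obj
    # Resolve edges only after every node is known; a bundle imposes no object ordering.
    for rel in relationships:
        triple = (rel["source_ref"], rel["relationship_type"], rel["target_ref"])
        if triple[0] not in graph.nodes or triple[2] not in graph.nodes:
            graph.dangling.append(rel["id"])
        elif triple in graph.edges:
            graph.duplicate_relationships += 1
        else:
            graph.edges.add(triple)
    return graph


def neighbours(graph, source_id, relationship_type):
    """Names of objects reached from source_id by one outgoing edge of the given type."""
    return sorted(graph.nodes[dst]["name"]
                  for src, rel, dst in graph.edges
                  if src == source_id and rel == relationship_type)


def reachable(graph, start_id):
    """Ids reachable from start_id by following edges forward (start itself excluded)."""
    seen, queue = set(), deque([start_id])
    while queue:
        current = queue.popleft()
        for src, _, dst in graph.edges:
            if src == current and dst not in seen and dst != start_id:
                seen.add(dst)
                queue.append(dst)
    return seen


if __name__ == "__main__":
    g = load_graph(SAMPLE_BUNDLE)
    print(f"{len(g.nodes)} nodes, {len(g.edges)} edges, "
          f"{g.duplicate_relationships} duplicate relationship(s), {len(g.dangling)} dangling")
    print("APT-Example uses:", neighbours(g, ACTOR, "uses"))
    print("reachable from actor:", sorted(g.nodes[i]["name"] for i in reachable(g, ACTOR)))
```

The duplicate and dangling counts are the kind of check worth running before feeding a bundle to any automated process: neither condition violates the STIX 2.0 rules, so a conformant producer can emit both, and only a consumer that normalizes to its own structure will notice.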

A French summary is available here.

Keywords
threat; data model; threat model; cyber intelligence; Cyber Threat; Advanced Persistent Threat; Use Cases
Report Number
DRDC-RDDC-2017-C290 — Contract Report
Date of publication
01 Nov 2017
Number of Pages
