ThreatActors believed responsible for the Campaign, other Campaigns believed related to the Campaign, confidence in the assertion of aggregated intent and characterization of the Campaign, activity taken in response to the Campaign, source of the Campaign information, handling guidance, etc. Recognizing a lack of current standardized approaches, STIX leverages community knowledge and best practices to define a new Campaign structure for representing Campaign information.

9.6 ThreatActors

ThreatActors are characterizations of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behavior. In a structured sense, ThreatActors consist of a characterization of identity, suspected motivation, suspected intended effect, historically observed TTP used by the ThreatActor, historical Campaigns believed associated with the ThreatActor, other ThreatActors believed associated with the ThreatActor, handling guidance, confidence in the asserted characterization of the ThreatActor, source of the ThreatActor information, etc. Recognizing a lack of current standardized approaches, STIX leverages community knowledge and best practices to define a new ThreatActor structure for representing ThreatActor information.

9.7 ExploitTargets

ExploitTargets are vulnerabilities or weaknesses in software, systems, networks or configurations that are targeted for exploitation by the TTP of a ThreatActor. In a structured sense, ExploitTargets consist of vulnerability identifications or characterizations, weakness identifications or characterizations, configuration identifications or characterizations, potential Courses of Action, source of the ExploitTarget information, handling guidance, etc. Recognizing a lack of current standardized approaches for generalized characterizations, STIX leverages community knowledge and best practices to define a new ExploitTarget structure for representing ExploitTarget information.

However, portions of the ExploitTarget structure utilize defined extension points to enable leveraging of other existing standardized approaches for characterizing things like vulnerabilities, weaknesses, and configurations. The identifier constructs from the Common Vulnerabilities and Exposures (CVE®) and the Open Source Vulnerability Database (OSVDB) are utilized for identification of publicly disclosed vulnerabilities. The Common Vulnerability Reporting Framework (CVRF) format may be utilized for detailed structured characterization of vulnerabilities not identified in CVE or OSVDB including the potential for characterizing 0-day vulnerabilities. The identifier construct from the Common Weakness Enumeration (CWE™) is utilized for identification of weaknesses.
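
The identifier constructs named above can be checked when an ExploitTarget is ingested. The following is an added example, not part of the original paper: it assumes the XML element names and namespace of the later published STIX 1.x ExploitTarget schema (the page gives no serialization), and the sample document and its ids are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the STIX 1.x ExploitTarget schema (assumption: not stated on the page).
ET_NS = {"et": "http://stix.mitre.org/ExploitTarget-1"}

# Identifier constructs named in the text. CVE ids are CVE-YYYY-NNNN with four or
# more sequence digits; CWE ids are CWE-<number>; OSVDB ids are positive integers.
PATTERNS = {
    "CVE_ID": re.compile(r"CVE-\d{4}-\d{4,}"),
    "CWE_ID": re.compile(r"CWE-\d+"),
    "OSVDB_ID": re.compile(r"[1-9]\d*"),
}

# Constructed sample document; the ids are placeholders, not real entries.
SAMPLE = """
<et:Exploit_Target xmlns:et="http://stix.mitre.org/ExploitTarget-1">
  <et:Title>Constructed example target</et:Title>
  <et:Vulnerability>
    <et:CVE_ID>CVE-0000-0001</et:CVE_ID>
    <et:OSVDB_ID>12345</et:OSVDB_ID>
  </et:Vulnerability>
  <et:Vulnerability>
    <et:CVE_ID>cve 0000 0002</et:CVE_ID>
  </et:Vulnerability>
  <et:Weakness>
    <et:CWE_ID>CWE-0</et:CWE_ID>
  </et:Weakness>
</et:Exploit_Target>
"""

def extract_identifiers(xml_text):
    """Return (valid, rejected) lists of (kind, value) found in an ExploitTarget."""
    # For feeds from untrusted sources, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    valid, rejected = [], []
    for kind, pattern in PATTERNS.items():
        for node in root.iterfind(f".//et:{kind}", ET_NS):
            value = (node.text or "").strip()
            # Malformed ids are kept separately so they can be reported, not dropped.
            bucket = valid if pattern.fullmatch(value) else rejected
            bucket.append((kind, value))
    return valid, rejected

if __name__ == "__main__":
    ok, bad = extract_identifiers(SAMPLE)
    print("valid:", ok)
    print("rejected:", bad)
```

Rejecting malformed identifiers at ingest keeps later correlation against CVE, OSVDB or CWE data from silently missing entries.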