CTIM, the data model of CTIA, is closely based on STIX with a few simplifications:
- The base types cannot be nested inside each other; it is as if you always had to use an idref. This is because we intend to build a hypermedia threat intel web that combines global and local threat intel.
- It is built on top of a "verdict service", so we simplify Observables into their most commonly observed properties. You no longer have to say "a file with a sha256 checksum equal to X"; you simply say "a sha256 checksum". We cross-index everything on these observables and distill the indicators down into verdicts, which allow a quick lookup to see whether an observable is of interest.
- We flatten some structured data to make it easier to deal with as JSON, and simpler, since we are dealing with specific cases in CTIA. We use default vocabularies whenever they are available.
- We assume specific string representations for descriptions and similar fields, instead of the more complex structured data that allows the specification of multiple formats. This is to enforce a more secure representation format suitable for embedding in web applications.
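As an added illustration of the first two simplifications (reference by idref rather than nesting, and observables flattened to a type plus a value that are cross-indexed into verdicts), the following Python is example code written for this page, not CTIA's own code. The field names (`observable.type`/`value`, `disposition`, `priority`, `valid_time`, `source_ref`/`target_ref`) follow my reading of the CTIM Judgement, Verdict and Relationship schemas; the disposition numbering and the rule for picking the winning judgement are assumptions made for this example, not CTIA's actual verdict algorithm.

```python
"""Added example, not code from CTIA/CTIM: a toy in-memory store showing
flattened observables (type + value), reference-by-id between entities,
and a simplified verdict lookup over the cross-indexed judgements.
Field names follow my reading of the CTIM Judgement, Verdict and Relationship
schemas; the disposition numbering and the winner-selection rule are
assumptions for this illustration, not CTIA's real algorithm."""
from collections import defaultdict
from datetime import datetime

# Assumed disposition vocabulary (an assumption, not taken from this page).
DISPOSITION_NAMES = {1: "Clean", 2: "Malicious", 3: "Suspicious", 4: "Common", 5: "Unknown"}


def parse_time(iso):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def observable_key(observable):
    """A flattened observable is just (type, value): "a sha256 checksum",
    not "a file whose sha256 equals X". Values are normalised so that
    upper- and lower-case hashes index to the same entry."""
    return (observable["type"], observable["value"].strip().lower())


# Constructed sample data. Each judgement carries its observable inline
# (the flattened form) and is linked to an indicator only via a
# relationship that holds id strings, never a nested object.
SAMPLE_JUDGEMENTS = [
    {"id": "judgement-1", "type": "judgement", "source": "feed-a",
     "observable": {"type": "sha256", "value": "a" * 64},
     "disposition": 2, "priority": 90,
     "valid_time": {"start_time": "2024-01-01T00:00:00Z",
                    "end_time": "2025-01-01T00:00:00Z"}},
    {"id": "judgement-2", "type": "judgement", "source": "feed-b",
     "observable": {"type": "sha256", "value": "A" * 64},   # same hash, different case
     "disposition": 1, "priority": 95,
     "valid_time": {"start_time": "2024-06-01T00:00:00Z",
                    "end_time": "2024-07-01T00:00:00Z"}},   # short-lived allow-listing
    {"id": "judgement-3", "type": "judgement", "source": "feed-a",
     "observable": {"type": "sha256", "value": "a" * 64},
     "disposition": 3, "priority": 80,
     "valid_time": {"start_time": "2024-03-01T00:00:00Z",
                    "end_time": "2025-01-01T00:00:00Z"}},
    {"id": "judgement-4", "type": "judgement", "source": "feed-a",
     "observable": {"type": "domain", "value": "example.test"},
     "disposition": 4, "priority": 50,
     "valid_time": {"start_time": "2024-01-01T00:00:00Z",
                    "end_time": "2025-01-01T00:00:00Z"}},
]

SAMPLE_RELATIONSHIPS = [
    {"id": "relationship-1", "type": "relationship", "relationship_type": "based-on",
     "source_ref": "judgement-1", "target_ref": "indicator-1"},
    {"id": "relationship-2", "type": "relationship", "relationship_type": "based-on",
     "source_ref": "judgement-3", "target_ref": "indicator-2"},
]


def index_by_observable(judgements):
    """Cross-index judgements on the flattened observable key."""
    index = defaultdict(list)
    for judgement in judgements:
        index[observable_key(judgement["observable"])].append(judgement)
    return index


def related_ids(relationships, entity_id, relationship_type=None):
    """Follow idrefs outward from an entity. Nothing is nested, so a client
    that wants the indicator itself fetches it by id in a second request."""
    return sorted(r["target_ref"] for r in relationships
                  if r["source_ref"] == entity_id
                  and (relationship_type is None or r["relationship_type"] == relationship_type))


def verdict_for(index, observable, now_iso):
    """Distil the judgements about one observable into a single verdict.
    Assumed rule: among judgements valid at `now`, take the highest priority,
    breaking ties by the most recent start_time; with none, answer Unknown."""
    now = parse_time(now_iso)
    candidates = [j for j in index.get(observable_key(observable), [])
                  if parse_time(j["valid_time"]["start_time"]) <= now
                  < parse_time(j["valid_time"]["end_time"])]
    if not candidates:
        return {"type": "verdict", "observable": observable,
                "disposition": 5, "disposition_name": "Unknown", "judgement_id": None}
    best = max(candidates, key=lambda j: (j["priority"],
                                          parse_time(j["valid_time"]["start_time"])))
    return {"type": "verdict", "observable": observable,
            "disposition": best["disposition"],
            "disposition_name": DISPOSITION_NAMES[best["disposition"]],
            "judgement_id": best["id"], "valid_time": best["valid_time"]}


INDEX = index_by_observable(SAMPLE_JUDGEMENTS)

if __name__ == "__main__":
    sha = {"type": "sha256", "value": "A" * 64}
    print(verdict_for(INDEX, sha, "2024-09-15T00:00:00Z"))   # Malicious via judgement-1
    print(verdict_for(INDEX, sha, "2024-06-15T00:00:00Z"))   # Clean via judgement-2 (allow-list window)
    print(related_ids(SAMPLE_RELATIONSHIPS, "judgement-1"))  # ['indicator-1']
```

The second lookup shows why `valid_time` matters for a verdict service: a higher-priority "Clean" judgement temporarily overrides the standing "Malicious" one only inside its window, and once it expires the verdict reverts without anyone having to retract it.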
- Actor
- Attack Pattern
- Campaign
- Course of Action
- Feedback
- Incident
- Indicator
- Judgement
- Malware
- Relationship
- Casebook
- Sighting
- IdentityAssertion
- Tool
- Verdict
- Weakness
- Actor JSON
- Attack Pattern JSON
- Campaign JSON
- Course of Action JSON
- Feedback JSON
- Incident JSON
- Indicator JSON
- Judgement JSON
- Malware JSON
- Relationship JSON
- Casebook JSON
- Sighting JSON
- IdentityAssertion JSON
- Tool JSON
- Verdict JSON
- Weakness JSON