Class: ActiveStix::ThreatActor

Inherits: ApplicationRecord
Defined in:
app/models/active_stix/threat_actor.rb


Class Method Details

.find_or_create_attribution(organization) ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 39

# Returns the threat actor attributed to +organization+, creating one named
# after the organization when it has no threat group yet.
#
# +attribute_to+ is invoked on every call, including when an actor already
# existed — whether Relationship.relate de-duplicates is not visible here.
# +create+ (not +create!+) is used, so a validation failure yields an
# unsaved actor rather than an exception.
#
# @param organization [ActiveStix::Identity] the organisation being attributed
# @return [Object] whatever +attribute_to+ returns
def self.find_or_create_attribution(organization)
  actor = organization.threat_groups.first ||
          ActiveStix::ThreatActor.create(name: organization.name)
  actor.attribute_to(organization)
end

Instance Method Details

#as_stix ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 120

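# Serialises this actor as a STIX +threat-actor+ object hash.
#
# Only +name+ is taken from the record; +created+/+modified+ are emitted as
# millisecond-precision UTC ISO 8601 timestamps; +id+ comes from +stix_id+;
# +labels+ is fixed to +competitor+.
#
# +x_ased_dialogue_flags+ is taken from +@flags+ when a caller has assigned
# it through +flags=+. When it has not, the original hard-coded placeholder
# entry is emitted so existing output is unchanged — but that placeholder's
# discovery date, message id and browser are fabricated constants (the
# original marked them "todo move this") and must not be exported as real
# intelligence.
#
# NOTE(review): +spec_version+ is written on the object while the value says
# "2.0"; in STIX 2.0 +spec_version+ belongs to the bundle, STIX 2.1 puts it
# on objects — confirm which version consumers expect.
#
# @return [Hash] string-keyed top-level hash ready for JSON encoding (the
#   placeholder entry keeps its symbol keys for compatibility)
def as_stix
  as_json(only: [:name]).tap do |hash|
    hash["type"] = type
    hash["created"] = created_at.utc.iso8601(3)
    hash["modified"] = updated_at.utc.iso8601(3)
    hash["id"] = stix_id
    hash["labels"] = ['competitor']
    # Caller-supplied flags win; otherwise fall back to the placeholder.
    hash["x_ased_dialogue_flags"] = @flags || [
        {
            "x_ased_date_discovered": "2019-10-03T12:02:26.216Z",
            "x_ased_message_id": "a9b91592-73c7-463c-89a1-e57136406728",
            "x_ased_browser": {
                "value": "chrome",
                "version": "11.2.1"
            }
        }
    ] # TODO: fabricated placeholder — replace with real data (see above)
    hash["spec_version"] = "2.0"
  end
end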

#attribute_to(identity) ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 143

# Links this actor to +identity+ with an "attributed-to" relationship
# (this actor as source, +identity+ as target).
#
# @param identity [ActiveStix::Identity] relationship target
# @return [Object] whatever Relationship.relate returns
def attribute_to(identity)
  relationship_type = "attributed-to"
  ActiveStix::Relationship.relate(self, identity, relationship_type)
end

#campaigns ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 108

# Campaigns that are "attributed-to" this actor, i.e. the source side of
# every Campaign→ThreatActor "attributed-to" relationship targeting self.
#
# @return [Array<ActiveStix::Campaign>] one query, then one +source+ load per row
def campaigns
  ActiveStix::Relationship
    .where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::Campaign")
    .map(&:source)
end

#classifications ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 52

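# Collects every motive-bearing email classification reachable from this
# actor: classifications on mail of employees of the identities this actor
# is "attributed-to", followed by mail of identities it "impersonates".
# Only classifications whose +motive+ is truthy are kept; the result is
# flattened into a single Array, in traversal order.
#
# The original used +collect+ purely for side effects (building and
# discarding an array of nils); plain +each+ is used here and the two
# identical inner loops share one helper.
#
# NOTE(review): this issues one query per relationship/employee (N+1), and
# +includes(:classifications)+ eager-loads +email_messages.classifications+
# while the loop reads +em.eml.classifications+ — confirm that is the
# intended association.
#
# @return [Array] classification records with a motive
def classifications
  batch = []
  # Appends every motive-bearing classification found on +messages+.
  harvest = lambda do |messages|
    messages.includes(:classifications).each do |em|
      em.eml.classifications.each { |c| batch << c if c.motive }
    end
  end

  source_relationships
    .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
    .each do |rel|
      next unless rel.target
      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
        harvest.call(employee_rel.target.email_messages)
      end
    end

  source_relationships
    .where(target_type: "ActiveStix::Identity", relationship_type: "impersonates")
    .each do |rel|
      next unless rel.target
      harvest.call(rel.target.email_messages)
    end

  batch.flatten
end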

#first_seen_date ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 78

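# Earliest email +date+ among messages of employees of the identities this
# actor is "attributed-to".
#
# Falls back to +6.months.ago+ when no message exists — the original flagged
# this as a hacky workaround; callers cannot tell "no data" from a real
# sighting, so consider returning nil once callers can cope.
#
# The original used +collect+ purely for side effects and +or+ in a boolean
# expression; this uses +each+ and +||+. Behaviour is otherwise unchanged.
#
# @return [Object] the earliest message's +date+, or the fallback
def first_seen_date
  earliest = nil
  source_relationships
    .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
    .each do |rel|
      next unless rel.target
      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
        # One query per employee; the first row is that employee's oldest message.
        candidate = employee_rel.target.email_messages.order("date ASC").limit(1).first
        next unless candidate
        earliest = candidate if earliest.nil? || candidate.date < earliest.date
      end
    end
  earliest ? earliest.date : 6.months.ago # TODO: fabricated fallback, see above
end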

#flags=(f) ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 48

# Attaches caller-supplied flags to this instance in +@flags+. This is an
# in-memory attribute only — nothing here persists it — so check what
# consumes it before relying on the value surviving a reload.
#
# @param value [Object] flags to keep on the instance
# @return [Object] +value+ (assignment semantics)
def flags=(value)
  @flags = value
end

#intrusion_set! ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 15

# Ensures this actor has at least one IntrusionSet "attributed-to" it,
# creating one with the actor's name when none exists.
#
# Returns nil when a set already existed; otherwise the created
# Relationship. Uses +create+ (not +create!+), so a failed IntrusionSet
# validation still produces a relationship pointing at an unsaved record.
#
# @return [ActiveStix::Relationship, nil]
def intrusion_set!
  already_linked = ActiveStix::Relationship.where(
    target: self, source_type: 'ActiveStix::IntrusionSet', relationship_type: "attributed-to"
  ).any?
  return if already_linked

  new_set = ActiveStix::IntrusionSet.create(name: name)
  ActiveStix::Relationship.create(source: new_set, target: self, relationship_type: "attributed-to")
end

#intrusion_sets ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 23

# Intrusion sets "attributed-to" this actor: the source side of every
# IntrusionSet→ThreatActor "attributed-to" relationship targeting self.
#
# @return [Array<ActiveStix::IntrusionSet>] a fresh Array on every call
def intrusion_sets
  ActiveStix::Relationship
    .where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::IntrusionSet")
    .map(&:source)
end

#last_seen_date ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 93

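# Latest email +date+ among messages of employees of the identities this
# actor is "attributed-to".
#
# Falls back to +2.months.ago+ when no message exists — the original flagged
# this as a hacky workaround; callers cannot tell "no data" from a real
# sighting, so consider returning nil once callers can cope.
#
# The original used +collect+ purely for side effects and +or+ in a boolean
# expression; this uses +each+ and +||+. Behaviour is otherwise unchanged.
#
# @return [Object] the latest message's +date+, or the fallback
def last_seen_date
  latest = nil
  source_relationships
    .where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
    .each do |rel|
      next unless rel.target
      rel.target.source_relationships.where(relationship_type: "employs").each do |employee_rel|
        # One query per employee; the first row is that employee's newest message.
        candidate = employee_rel.target.email_messages.order("date DESC").limit(1).first
        next unless candidate
        latest = candidate if latest.nil? || candidate.date > latest.date
      end
    end
  latest ? latest.date : 2.months.ago # TODO: fabricated fallback, see above
end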

#mail_server ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 116

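# Mail server recorded on the first ObservedDatum this actor is
# "related-to", or nil when no such relationship, observable or observable
# object exists.
#
# The original query never filtered on the source id: it matched the first
# ThreatActor→ObservedDatum relationship of *any* actor (and used SQL LIKE
# without wildcards, i.e. plain equality), so every actor reported the same
# server, and it raised NoMethodError when nothing matched. The lookup is
# now scoped to this record via hash conditions (values bound, not
# interpolated) and each step is nil-safe.
#
# @return [Object, nil] the +mail_server+ of the first observable object
def mail_server
  rel = ActiveStix::Relationship.where(
    source: self,
    target_type: "ActiveStix::ObservedDatum",
    relationship_type: "related-to"
  ).first
  # Deliberately tolerant: missing data yields nil rather than an exception.
  rel&.target&.cyber_observables&.first&.cyber_observable_object&.mail_server
end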

#malwares ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 31

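# Malware objects "attributed-to" this actor: the source side of every
# Malware→ThreatActor "attributed-to" relationship targeting self.
#
# The original declared +m = []+ but appended to +intrusion_sets+ — a
# method call returning a fresh array each time, so the appends were lost —
# and then returned the actor's intrusion sets instead of its malware.
#
# @return [Array<ActiveStix::Malware>]
def malwares
  ActiveStix::Relationship
    .where(target: self, relationship_type: "attributed-to", source_type: "ActiveStix::Malware")
    .map(&:source)
end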

#type ⇒ Object



# File 'app/models/active_stix/threat_actor.rb', line 11

# STIX object type identifier emitted by +as_stix+.
#
# NOTE(review): ActiveRecord uses a +type+ column for single-table
# inheritance; if this table has such a column, this method shadows it —
# confirm +inheritance_column+ is set to something else.
#
# @return [String] always "threat-actor"
def type
  "threat-actor"
end