Malware Behavior Visualization

We investigated the STIX Visualizer (STIXviz) and the Attack Flow Builder (AFB) for visualizing malware behaviors as defined by the Malware Behavior Catalog (MBC) and ATT&CK. We assume the reader is familiar with Structured Threat Information Expression (STIX), a language and serialization format used to exchange cyber threat intelligence, and with Attack Flow, a language for describing how adversaries combine and sequence offensive techniques to achieve their goals.

Choosing between STIXviz and AFB

The STIXviz user interface is more advanced than AFB's, so when STIX content is already available or easy to generate, STIXviz is likely the better option. When no STIX representation exists, building a behavior graph is much easier in AFB.

Other considerations:

  • Each tool has its own strengths, and the two may be best used in combination.
  • Capturing temporal flow (chronology) is easy in AFB, which was designed for "flows".
  • AFB relationships are very basic compared to STIX Relationship Objects (SROs).
  • For someone familiar with STIX, building a graph in AFB may take more time than writing the STIX directly.
  • AFB can be used as a tool for generating STIX. The AFB "Publish Attack Flow" option produces a STIX bundle. The resulting JSON is not fully aligned with STIX (for example, STIX Relationship Objects are missing), but it is a good starting point and can be displayed in STIXviz.

Example Behavior Graphs

IcedID

Latrodectus

STIX Visualizer

The STIX Visualizer (STIXviz) displays STIX content that conforms to the schemas it is configured with. Malware analysis information should be captured in STIX using the Malware Behavior Extension; the extension's details and its schema are available in the OASIS Common Object Repository (COR).

Resources

Usage Notes

  • For a node to be visible in STIXviz, the object's STIX JSON must be included in the STIX Bundle; a bare reference to an object that is not in the bundle is not drawn. The required JSON objects can be found in the STIX 2 representations of MBC and ATT&CK.
  • A custom STIXviz configuration file is needed to display MBC content.
  • A custom set of MBC icons is available for displaying MBC content in STIXviz. Without it, STIXviz uses a generic marker for every object type it does not recognize.

Best Practices

  • Use STIX Relationship Objects (SROs) to capture chronology between behaviors.
    • For example, Behavior "leads-to" Behavior.
    • Relationship types are not defined in the Malware Behavior Extension, but the relationship_type property can be any string.
    • Explicit relationships between Behavior objects may be defined in a future version of the extension.
    • The created and modified common properties could also capture chronology, but STIXviz does not display them in the graph, so SROs are preferred.
  • Use SROs to capture relationships between Behavior and Malware objects.
    • For example, Behavior "delivers" Malware.
  • Use SROs to capture relationships between Malware objects.
    • For example, Malware "drops" Malware.
  • Use Grouping objects to specify AND and OR operations.
    • Set the context property to "and" or "or".
    • The objects listed in the Grouping's object_refs property are the ones being and-ed or or-ed.
    • Connect the Grouping with an SRO, for example Behavior "chooses-from" Grouping.
  • Use Grouping objects to capture the components of modular malware or a set of C2 commands.
    • Set the context property to "chooses-from".
  • Use SROs to capture conditional operations.
    • For example, Behavior "if-true" Behavior and Behavior "if-false" Behavior.
  • Use an Incident object (and its associated Event and Impact objects) when capturing objects such as Threat Actors and Indicators.
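
The following script is an added example, not code from the MBC project or the page above. It builds a STIX 2.1 bundle the way the best-practice list recommends (Behavior objects chained with free-text relationship types, a Grouping with context "or" attached through a "chooses-from" SRO, Behavior-to-Malware and Malware-to-Malware SROs) and then applies the usage note that every referenced object must itself be in the bundle. The Behavior object type name `x-mbc-behavior`, the extension-definition id, the timestamp and the malware names are placeholders and constructed data; take the real type name and extension id from the Malware Behavior Extension schema in the OASIS COR. Only the standard library is used.

```python
"""Author a STIX 2.1 bundle of malware behaviors following the best-practice
list above, then verify every *_ref / *_refs target is present in the bundle
(STIXviz only draws nodes whose JSON it has)."""
import json
import uuid

# ASSUMPTIONS (placeholders, not values from the MBC extension schema): the
# Behavior object type name and the extension-definition id. Replace both with
# the values published in the OASIS Common Object Repository.
BEHAVIOR_TYPE = "x-mbc-behavior"
MBC_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000000"
CREATED = "2024-01-01T00:00:00.000Z"  # constructed fixed timestamp


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_object(obj_type, **props):
    """A STIX object with the required common properties plus the given ones."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj


def behavior(name):
    # STIX 2.1 custom objects declare their extension in the 'extensions'
    # property with extension_type 'new-sdo'.
    return stix_object(BEHAVIOR_TYPE, name=name,
                       extensions={MBC_EXT_ID: {"extension_type": "new-sdo"}})


def relationship(source, relationship_type, target):
    # relationship_type is free text, so "leads-to", "if-true", ... are valid.
    return stix_object("relationship", relationship_type=relationship_type,
                       source_ref=source["id"], target_ref=target["id"])


def grouping(context, members):
    return stix_object("grouping", context=context,
                       object_refs=[m["id"] for m in members])


def build_bundle():
    """Constructed chain: loader unpacks, checks for a sandbox, beacons over
    HTTP or DNS, then downloads a second malware object."""
    loader = stix_object("malware", name="Loader (constructed)", is_family=False)
    payload = stix_object("malware", name="Payload (constructed)", is_family=False)
    unpack = behavior("Unpack second stage")
    sandbox = behavior("Check for sandbox")
    bail = behavior("Exit without payload")
    c2 = behavior("Contact C2")
    http, dns = behavior("HTTP beacon"), behavior("DNS beacon")
    fetch = behavior("Download payload")
    channels = grouping("or", [http, dns])           # OR: either channel is used
    objects = [loader, payload, unpack, sandbox, bail, c2, http, dns, fetch, channels,
               relationship(unpack, "leads-to", sandbox),      # chronology
               relationship(sandbox, "if-true", bail),         # conditional branch
               relationship(sandbox, "if-false", c2),
               relationship(c2, "chooses-from", channels),     # Behavior -> Grouping
               relationship(c2, "leads-to", fetch),
               relationship(fetch, "delivers", payload),       # Behavior -> Malware
               relationship(loader, "drops", payload)]         # Malware -> Malware
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def dangling_refs(bundle):
    """Ids referenced by any *_ref/*_refs property but absent from the bundle.
    A non-empty result means STIXviz will not draw those nodes or edges."""
    present = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, value in obj.items():
            if key.endswith("_ref") and value not in present:
                missing.append(value)
            elif key.endswith("_refs"):
                missing.extend(v for v in value if v not in present)
    return missing


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("dangling references:", dangling_refs(bundle))
```

Run the script and load the printed JSON into STIXviz with the MBC configuration file and icons; the `dangling_refs` check is the one to run before loading any hand-written bundle, because STIXviz does not report a missing target, it simply omits the edge.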

Attack Flow Builder

The Attack Flow Builder allows a user to build a graph by inserting nodes and edges. Nodes can be Attack Flow objects (Action, Asset, AND/OR operators, and a Conditional object), STIX Domain Objects (SDOs), or STIX Cyber Observables (SCOs). The Attack Flow team defined a STIX Extension Definition so that an AFB diagram can be saved as a STIX Bundle.

Resources

Usage Notes

  • ATT&CK Tactics and Techniques are available in property drop-down menus.
  • MBC Behaviors, Methods, and Objectives must be entered manually.
  • Any Action node without an incoming edge is treated as a start_ref of the Flow.
  • AFB relationships are all generic "related-to" relationships (i.e., relationships have no properties).
  • In the STIX output, relationships are only created between Attack Flow objects (Actions, Assets).
  • The STIXviz configuration file would need to be modified to fully display Attack Flow objects.
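
The following script is an added example, not code from the Attack Flow project or from the page above. It post-processes a bundle of the shape AFB's "Publish Attack Flow" option produces: it derives the Flow's start_refs from the Actions that have no incoming edge (the rule in the usage notes) and emits one STIX Relationship Object per edge, since the published output carries none and STIXviz needs SROs to draw edges. It assumes that Attack Flow's `attack-action` objects point forward through an `effect_refs` list and that the `attack-flow` object lists its entry points in `start_refs` and carries a `scope` property; the extension-definition id and the timestamp are placeholders, and the four-action flow is constructed data (the ATT&CK technique ids are real). Only the standard library is used.

```python
"""Post-process an AFB-style bundle: compute start_refs from Actions with no
incoming edge and synthesize one SRO per effect_refs edge for STIXviz."""
import uuid

# ASSUMPTIONS: 'attack-action' links forward via 'effect_refs'; 'attack-flow'
# has 'start_refs' and 'scope'; the extension id below is a placeholder.
AF_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000000"
CREATED = "2024-01-01T00:00:00.000Z"  # constructed fixed timestamp


def stix_object(obj_type, **props):
    """A STIX 2.1 object with the required common properties plus the given ones."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj


def af_object(obj_type, **props):
    """An Attack Flow extension object (declares the extension on itself)."""
    return stix_object(obj_type, extensions={AF_EXT_ID: {"extension_type": "new-sdo"}},
                       **props)


def action(name, technique_id, effects=()):
    """One AFB Action node; technique_id is the ATT&CK technique it maps to."""
    return af_object("attack-action", name=name, technique_id=technique_id,
                     effect_refs=[e["id"] for e in effects])


def sample_flow():
    """Constructed flow: two entry points (phishing, removable media) converge
    on user execution; only the phishing path has a download step."""
    execute = action("User Execution", "T1204")
    download = action("Ingress Tool Transfer", "T1105", effects=[execute])
    phish = action("Phishing", "T1566", effects=[download])
    usb = action("Replication Through Removable Media", "T1091", effects=[execute])
    return [phish, usb, download, execute]


def edges(objects):
    """(source id, target id) for every effect_refs entry in bundle order."""
    return [(o["id"], t) for o in objects for t in o.get("effect_refs", [])]


def start_refs(objects):
    """Actions that are the target of no effect_refs edge, in bundle order."""
    targets = {t for _, t in edges(objects)}
    return [o["id"] for o in objects
            if o["type"] == "attack-action" and o["id"] not in targets]


def publish(objects, relationship_type="leads-to"):
    """Wrap the nodes in an attack-flow object and add the SROs AFB omits, so
    STIXviz draws edges instead of disconnected nodes."""
    flow = af_object("attack-flow", name="Constructed flow", scope="malware",
                     start_refs=start_refs(objects))
    sros = [stix_object("relationship", relationship_type=relationship_type,
                        source_ref=s, target_ref=t) for s, t in edges(objects)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, *objects, *sros]}


if __name__ == "__main__":
    nodes = sample_flow()
    names = {o["id"]: o["name"] for o in nodes}
    print("start_refs:", [names[i] for i in start_refs(nodes)])
    for s, t in edges(nodes):
        print(f"{names[s]} -> {names[t]}")
    print("objects in published bundle:", len(publish(nodes)["objects"]))
```

In a real AFB export the effect_refs may also point at AND/OR operators or a Conditional object; the same loop applies, since the SRO is keyed only on ids, but the STIXviz configuration file still has to know those object types for the nodes to render.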

Best Practices

  • Use the description field for details that will help the viewer's understanding.
  • When capturing ATT&CK content, Action objects are better than generic STIX objects because they offer drop-down menus of ATT&CK Tactics and Techniques.
  • MBC content should also be captured with Action objects, for consistency with the ATT&CK content.
  • STIX Observables should be used instead of AFB Assets because they have more properties for capturing details.
  • An AFB graph may be disconnected (a collection of subgraphs) when it captures individual execution paths.