From 2ef38ce931db25ef6e027a6c41a3ed0af29e0292 Mon Sep 17 00:00:00 2001
From: Ben Schmoker <g@d-str.cc>
Date: Mon, 18 May 2015 15:29:21 +0000
Subject: [PATCH 1/2]  add deception schema and sample file

---
 extensions/deception/deception.xsd | 77 +++++++++++++++++++++++++
 extensions/deception/sample.xml    | 90 ++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 extensions/deception/deception.xsd
 create mode 100644 extensions/deception/sample.xml

diff --git a/extensions/deception/deception.xsd b/extensions/deception/deception.xsd
new file mode 100644
index 0000000..4d28cc5
--- /dev/null
+++ b/extensions/deception/deception.xsd
@@ -0,0 +1,77 @@
+<!-- Deception  Vocabulary -->
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:stixCommon="http://stix.mitre.org/common-1" targetNamespace="http://stix.mitre.org/default_vocabularies-1" elementFormDefault="qualified" version="1.2.0" xml:lang="en">
+
+	<xs:complexType name="DeceptionVocab-1.0">
+		<xs:annotation>
+			<xs:documentation>Capture the ways that defenders can use deception</xs:documentation>
+		</xs:annotation>
+		<xs:simpleContent>
+			<xs:restriction base="stixCommon:ControlledVocabularyStringType">
+				<xs:simpleType>
+					<xs:union memberTypes="stixVocabs:DeceptionEnum-1.0"/>
+				</xs:simpleType>
+				<xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Deception Vocabulary"/>
+				<xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DeceptionVocab-1.0"/>
+			</xs:restriction>
+		</xs:simpleContent>
+	</xs:complexType>
+	<xs:simpleType name="DeceptionEnum-1.0">
+		<xs:annotation>
+			<xs:documentation>Sneaky methods that defenders can use to detect intrusions</xs:documentation>
+			<xs:appinfo>
+				<version>1.0</version>
+			</xs:appinfo>
+		</xs:annotation>
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="Purpose">
+				<xs:annotation>
+					<xs:documentation>Deciding why you are taking the deceptive action</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			<xs:enumeration value="Collect Intelligence">
+				<xs:annotation>
+					<xs:documentation>Understanding what the intruders are doing</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			<xs:enumeration value="Design Cover Story">
+				<xs:annotation>
+					<xs:documentation>Writing a plausible story for your deception</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			<xs:enumeration value="Plan">
+				<xs:annotation>
+					<xs:documentation>Implementing cover story via technical methods</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			<xs:enumeration value="Prepare">
+				<xs:annotation>
+					<xs:documentation>Seeding the environment with false information</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			<xs:enumeration value="Execute">
+				<xs:annotation>
+					<xs:documentation>Placing the environment in an intruder-visible spot</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+				<xs:enumeration value="Monitor">
+				<xs:annotation>
+					<xs:documentation>Watching for intruders to fall for it</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+				<xs:enumeration value="Reinforce">
+				<xs:annotation>
+					<xs:documentation>Building a plausible reason for the deception</xs:documentation>
+				</xs:annotation>
+			</xs:enumeration>
+			
+			
+		</xs:restriction>
+	</xs:simpleType>
+</xs:schema>	
\ No newline at end of file
diff --git a/extensions/deception/sample.xml b/extensions/deception/sample.xml
new file mode 100644
index 0000000..d3f427e
--- /dev/null
+++ b/extensions/deception/sample.xml
@@ -0,0 +1,90 @@
+
+
+<stix:STIX_Package 
+
+    xmlns:incident="http://stix.mitre.org/Incident-1"
+
+	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
+
+	xmlns:cybox="http://cybox.mitre.org/cybox-2"
+
+	xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
+
+	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
+
+	xmlns:example="http://example.com"
+
+	xmlns:coa="http://stix.mitre.org/CourseOfAction-1"
+
+	xmlns:stixCommon="http://stix.mitre.org/common-1"
+
+	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
+
+	xmlns:stix="http://stix.mitre.org/stix-1"
+
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
+	xsi:schemaLocation="
+
+    http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
+
+	http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
+
+	http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
+
+	http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
+
+	http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
+
+	http://stix.mitre.org/CourseOfAction-1 http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd
+
+	http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
+
+	http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
+
+	http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" 
+
+	id="example:Package-495c4c04-b5d8-11e3-b7bb-000c29789dba" 
+
+	version="1.2">
+
+<stix:Incidents>
+        <stix:Incident id="example:incident-8236b4a2-abe0-4b56-9347-288005c4bb92" timestamp="2014-11-18T23:40:08.061362+00:00" xsi:type='incident:IncidentType' version="1.2">
+            <incident:Title>Breach of Cyber Tech Dynamics</incident:Title>
+            
+            <incident:COA_Requested > 
+            <incident:Course_Of_Action id="example:coa-495c9b28-b5d8-11e3-b7bb-000c29789dbf" xsi:type='coa:CourseOfActionType' version="1.2">
+
+                <coa:Title>Monitor activity related to known compromised accounts</coa:Title>
+    
+                <coa:Stage xsi:type="stixVocabs:DeceptionVocab-1.0">Monitor</coa:Stage>
+    
+                <coa:Type xsi:type="stixVocabs:CourseOfActionTypeVocab-1.0">Redirection (Honey Pot)</coa:Type>
+
+                <coa:Description>Allow login with credentials at this domain, with intensified monitoring and dis-allowing any destructive actions. 
+                                </coa:Description>
+                    <coa:Objective>
+                        This will further our investigation into the intruders who are re-using compromised accounts.
+                    </coa:Objective>
+                    
+                <coa:Parameter_Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0">
+                <cybox:Observable id="example:Observable-356e3258-0979-48f6-9bcf-6823eecf9a7f">
+                    <cybox:Object id="example:Address-df3c710c-f05c-4edb-a753-de486204895f">
+                        <cybox:Properties xsi:type="AccountObj:AccountObjectType" >
+                            <AddressObj:Domain>cybertech.biz</AddressObj:Domain>
+                        </cybox:Properties>
+                    </cybox:Object>
+                </cybox:Observable>
+            </coa:Parameter_Observables>    
+                    
+            </incident:Course_Of_Action>
+
+            </incident:COA_Requested>
+
+            </stix:Incident>
+    </stix:Incidents>
+</stix:STIX_Package>
+
+
+
+

From be9137c7b54ca11f4af8eadc32364ad7fcf4ab8a Mon Sep 17 00:00:00 2001
From: Ben Schmoker <bschmoker@users.noreply.github.com>
Date: Tue, 2 Jun 2015 17:11:01 -0400
Subject: [PATCH 2/2] move to extension namespace (out of default)

---
 extensions/deception/deception.xsd | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/extensions/deception/deception.xsd b/extensions/deception/deception.xsd
index 4d28cc5..9214afe 100644
--- a/extensions/deception/deception.xsd
+++ b/extensions/deception/deception.xsd
@@ -1,5 +1,5 @@
 <!-- Deception  Vocabulary -->
-<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:stixCommon="http://stix.mitre.org/common-1" targetNamespace="http://stix.mitre.org/default_vocabularies-1" elementFormDefault="qualified" version="1.2.0" xml:lang="en">
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:stixCommon="http://stix.mitre.org/common-1" targetNamespace="http://stix.mitre.org/extensions/deception-1" elementFormDefault="qualified" version="1.2.0" xml:lang="en">
 
 	<xs:complexType name="DeceptionVocab-1.0">
 		<xs:annotation>
@@ -11,7 +11,7 @@
 					<xs:union memberTypes="stixVocabs:DeceptionEnum-1.0"/>
 				</xs:simpleType>
 				<xs:attribute name="vocab_name" type="xs:string" use="optional" fixed="STIX Deception Vocabulary"/>
-				<xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd#DeceptionVocab-1.0"/>
+				<xs:attribute name="vocab_reference" type="xs:anyURI" use="optional" fixed="http://stix.mitre.org/XMLSchema/extensions/deception.xsd#DeceptionVocab-1.0"/>
 			</xs:restriction>
 		</xs:simpleContent>
 	</xs:complexType>
@@ -74,4 +74,4 @@
 			
 		</xs:restriction>
 	</xs:simpleType>
-</xs:schema>	
\ No newline at end of file
+</xs:schema>