Group Hierarchy and Association Directionality
  • 27 Mar 2024


Important
When contributing a Group to a Community or Source in ThreatConnect version 7.5 or newer, you can use the Ignore Hierarchy option to specify whether to ignore the Group hierarchy rules discussed in this article when copying the contributed Group's associated Groups to the target Community or Source. See Contributing a Group to a Community or Source for more information.

Group Hierarchy Rules

Groups in ThreatConnect are related to each other according to the hierarchy in Figure 1, where the topmost Group (Report) is a superset that can contain all of the Groups “below” it, the next Group down (Threat) is a superset that can contain all of the Groups “below” it (i.e., all of the Groups except itself and Report), and so on. Or, starting from the bottom of the list, a Document can contain only itself; a Course of Action can contain a Document; a Tool can contain a Course of Action and a Document; a Tactic can contain a Tool, a Course of Action, and a Document; and so on. The hierarchy is like a Russian nesting doll, where Document is the smallest doll and fits inside the Course of Action doll, which fits inside the Tool doll, which fits inside the Tactic doll, and so on.

Note
The Task Group is not listed in the hierarchy as it cannot be copied as an associated Group because this Group type may contain sensitive information and is specific to users in a given Organization.

Figure 1: Group Hierarchy and Association Directionality (7.5.0)

This hierarchy is based on the definition of each Group and the way each Group can contain or be contained by other Groups. For example, a Document can be included in a Course of Action, but a Course of Action cannot be included inside a Document. An Adversary can be a component of an Intrusion Set, but an Intrusion Set is a “greater” structure and thus cannot be part of an Adversary. A Campaign is a collection of Incidents, and therefore it can contain Incidents, but an Incident cannot contain a Campaign. An Email can contain a Signature and a Document inside of it, but neither a Signature nor a Document could have an Email as a component. An Email can be one of the components that are grouped together into an Event, but it would not make sense to say that an Event is a part of an Email.

Association Directionality

When contributing a Group to a Community or Source, Groups that are associated directly to that Group (i.e., one degree of association from the original Group) are also contributed if you selected Yes for the Copy Associated Groups option and if you selected the checkbox for the type of Group in the Group Types dropdown. However, Groups that are associated to the associated Groups (i.e., two or more degrees of association from the original Group) are contributed only if the association traverses up or down the hierarchy in the same direction as the association between the original Group and the associated Group. Also, a horizontal traversal (i.e., from one kind of Group to the same kind of Group, such as a Signature associated to another Signature) would be contributed regardless of the prior direction of traversal.

Important
If you select Yes for the Copy Associated Groups option during the Group contribution process, you can use the Limit Depth and Max Depth options to set a limit for the number of association levels to copy during the contribute operation. In addition, if you select Yes for the Limit Depth option during the Group contribution process, you can use the Ignore Hierarchy option to specify whether to ignore the Group hierarchy rules discussed in this article when associated Groups are copied during the contribute operation.

Examples

Note
The examples in this section assume that No was selected for the Limit Depth and Ignore Hierarchy options during the Group contribution process.

If a Group being contributed is an Event that is associated to an Incident, the Incident will be contributed along with the Event because it is directly associated to the Event (one degree). If the Incident is associated to an Adversary, the Adversary will also be contributed, because the chain of association began by traveling “up” the hierarchy (i.e., from Event to Incident) and continued “up” the hierarchy (i.e., from Incident to Adversary). However, if the Incident is also associated to a Signature, that Signature will not be contributed with the Event, because the initial association traveled “up” the hierarchy (i.e., from Event to Incident), but then traveled “down” the hierarchy (from Incident to Signature). This situation is illustrated in Figure 2, where the dashed gray line with the X over it indicates a contribution that will not happen.

Note
If, during the Group contribution process, you selected Yes for Limit Depth, set Max Depth to a value of 2 or greater, and selected Yes for Ignore Hierarchy, then the Signature Group would be contributed.

Figure 2

As another example, if the Group being contributed is a Campaign that is associated to an Adversary, a Threat that is associated to the Adversary will be contributed as well, because the chain of association from Campaign to Adversary to Threat is uniformly in the “up” direction. However, a different Campaign associated to the Adversary will not be contributed, because the chain of association from Campaign to Adversary to Campaign goes “up” and then “down.” Similarly, if a Signature is associated to the original Campaign, both the Signature and a Document associated to the Signature will be contributed with the Campaign, because the chain of association from Campaign to Signature to Document goes uniformly “down,” whereas an Email associated to the Signature will not be contributed, because the chain of association from Campaign to Signature to Email goes “down” and then “up.” This situation is illustrated in Figure 3.

Note
If, during the Group contribution process, you selected Yes for Limit Depth, set Max Depth to a value of 2 or greater, and selected Yes for Ignore Hierarchy, then the Campaign and Email Groups would be contributed.

Figure 3

As a final example, consider a Signature that is associated to a Campaign. If the Campaign (“Campaign 1”) is associated to another Campaign (“Campaign 2”), which is associated to an Adversary and an Incident, then when the Signature is contributed to a Community or Source, Campaign 1, Campaign 2, and the Adversary will be contributed as well, because the directionality of association is universally “up” or, in the case of the two Campaigns, horizontal, but the Incident would not be contributed, because the directionality initially goes “up” (from the Signature to the first Campaign), horizontal (from Campaign 1 to Campaign 2), and then “down” (from Campaign 2 to the Incident). This situation is illustrated in Figure 4.

Note
If, during the Group contribution process, you selected Yes for Limit Depth, set Max Depth to a value of 3 or greater, and selected Yes for Ignore Hierarchy, then the Incident Group would be contributed.

Figure 4

Note
The reason for this methodology is that traversal along the hierarchy in one direction and then in the other direction means that you are likely to encounter a separate chain of association not related to the original Group. For example, consider the scenario in Figure 2. The Email is a part of the Incident, which in turn is a component of the Adversary. But the Signature associated to the Incident may have nothing to do with the Email. The Signature may be associated to an Email, but there is no evidence that it is associated to the Email being contributed, and so including it as part of the contribution would mean that extraneous, unrelated data are being passed with the contribution. In the Russian nesting doll analogy, it is as if the Incident doll has two separate dolls—Email and Signature—rattling around inside of it. The presence of both of them inside the Incident doll does not mean they are related to each other.
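The directionality rule, the Limit Depth/Max Depth options, and the Ignore Hierarchy option described above, modelled in Python as an added example (this is not ThreatConnect's code). The RANK ordering is an assumption consistent with the relationships this article states, not the full Figure 1 list, and the Group ids in the Figure 2 and Figure 4 graphs are constructed.

```python
from collections import deque
# Assumed ordering of Group types, bottom (0) to top, consistent with the
# relationships the article states; not the full official Figure 1 list.
RANK = {"Document": 0, "Course of Action": 1, "Tool": 2, "Tactic": 3,
        "Signature": 4, "Email": 5, "Event": 6, "Incident": 7, "Campaign": 8,
        "Adversary": 9, "Intrusion Set": 10, "Threat": 11, "Report": 12}

def step_direction(src_type, dst_type):
    """+1 = 'up' the hierarchy, -1 = 'down', 0 = horizontal (same type)."""
    delta = RANK[dst_type] - RANK[src_type]
    return (delta > 0) - (delta < 0)

def contributed_groups(groups, assocs, start, limit_depth=False,
                       max_depth=None, ignore_hierarchy=False):
    """Ids copied along with `start` when Copy Associated Groups is Yes.
    groups: {id: group_type}; assocs: undirected (id, id) pairs."""
    adj = {g: set() for g in groups}
    for a, b in assocs:
        adj[a].add(b); adj[b].add(a)
    # BFS over (group, committed direction): None until the first up/down
    # step; a horizontal step never changes the committed direction.
    seen, result = {(start, None)}, set()
    queue = deque([(start, None, 0)])
    while queue:
        node, direction, depth = queue.popleft()
        if limit_depth and depth >= max_depth:
            continue                       # Max Depth reached: stop expanding
        for nxt in adj[node]:
            if groups[nxt] == "Task":      # Task Groups are never copied
                continue
            step = step_direction(groups[node], groups[nxt])
            new_dir = direction
            if step != 0 and not ignore_hierarchy:
                if direction is not None and step != direction:
                    continue               # reversal (up then down, or vice versa)
                new_dir = step
            if (nxt, new_dir) not in seen:
                seen.add((nxt, new_dir))
                result.add(nxt)
                queue.append((nxt, new_dir, depth + 1))
    result.discard(start)
    return result

# Constructed graphs for the Figure 2 and Figure 4 scenarios (ids are made up).
FIG2_GROUPS = {"evt": "Event", "inc": "Incident", "adv": "Adversary", "sig": "Signature"}
FIG2_ASSOCS = [("evt", "inc"), ("inc", "adv"), ("inc", "sig")]
FIG4_GROUPS = {"sig": "Signature", "c1": "Campaign", "c2": "Campaign",
               "adv": "Adversary", "inc": "Incident"}
FIG4_ASSOCS = [("sig", "c1"), ("c1", "c2"), ("c2", "adv"), ("c2", "inc")]
```

Calling `contributed_groups(FIG2_GROUPS, FIG2_ASSOCS, "evt")` yields the Incident and Adversary but not the Signature, and adding `limit_depth=True, max_depth=2, ignore_hierarchy=True` brings the Signature in, matching the note under Figure 2.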

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20001-03 v.15.A
