## 1 Semantic data model MRS-001
The data model of SATRAP-DL SHALL build upon knowledge representation formalisms that natively capture the semantics of information.
Rationale: Flexible storage and management of contextualized CTI and support for automated reasoning.
Child links: SRS-001 Data modelling language

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 2 CTI knowledge base MRS-002
SATRAP-DL SHALL host a native semantic CTI repository (a.k.a. CTI semantic knowledge base or CTI SKB) to enable by design the storage, management, and retrieval of information by means of semantic technologies.
Rationale: The main goal of the project is to enrich the automation capabilities of current approaches by working with semantically enriched data and automated reasoning on such data.
Child links: SRS-002 Database paradigm, SRS-003 Semantic search

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 3 CTI SKB extensibility MRS-003
The CTI SKB SHALL support the integration of new concepts (e.g., facts, entities, or relationships) while maintaining the existing core data model.
Rationale: Extensibility of the data model allows for gradual enrichment of the CTI SKB by combining multiple threat frameworks, as CTI might not be expressible in a single one.
Child links: SRS-004 Extensibility of the data model

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 4 SKB data model flexibility MRS-004
The CTI SKB SHALL rely on a database solution supporting structural modifications to the data model without requiring a data schema migration, as would be needed, e.g., in a relational DBMS with a schema migration tool.
Rationale: CTI relationships are complex and often uncertain, and thus subject to frequent changes. A flexible data model accommodates those evolving requirements.
Child links: SRS-005 NoSQL data model

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R,T |
release | Alpha |
## 5 Default CTI content MRS-005
The CTI SKB SHALL contain some cyber threat intelligence (CTI) content by default, such as cyber attack campaigns and intrusion sets (including TTPs), e.g., the ATT&CK data sets published by MITRE.
Rationale: Provides the ground knowledge (terminological axioms in DL) of the knowledge base.
Child links: SRS-006 Integration of common CTI

Attribute | Value |
---|---|
type | Q |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 6 Domain-specific CTI MRS-006
The CTI SKB SHOULD contain publicly available domain-specific CTI content about less commonly documented threats, such as those dealing with PQC schemes.
Rationale: To enrich the CTI SKB ground knowledge and enlarge the scope of coverage.

Attribute | Value |
---|---|
type | Q |
importance | 3 |
urgency | 3 |
vm | R,I |
release | FID (First Industrial Deployment) |
## 7 Semantic CTI and MITRE D3FEND MRS-007
The CTI SKB SHOULD contain data from existing open-source semantic CTI repositories, including at least MITRE D3FEND.
Rationale: To incorporate other efforts dealing with semantic CTI.

Attribute | Value |
---|---|
type | Q |
importance | 3 |
urgency | 3 |
vm | R,I |
release | Beta |
## 8 CTI SKB data integrity MRS-008
The CTI SKB technology choice SHALL enforce data integrity by design.
Rationale: To ensure consistency, stability, accuracy and reliability of data, preventing, among other things, contradictory and duplicate data from being stored.
Child links: SRS-007 Semantic data integrity

Attribute | Value |
---|---|
type | Q |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 9 Policy-driven automated SKB update MRS-009
SATRAP-DL SHALL provide an automated process to keep the CTI SKB up to date according to a defined update policy.
Rationale: To automatically address one of the major challenges related to keeping up with the fast-evolving nature of CTI.

Attribute | Value |
---|---|
type | F |
importance | 4 |
urgency | 4 |
vm | R |
release | Beta |
## 10 Removal of expired intelligence MRS-010
SATRAP-DL MAY provide an automated process for identifying and removing expired intelligence from the CTI SKB.
Rationale: To maintain an up-to-date CTI SKB.

Attribute | Value |
---|---|
type | F |
importance | 3 |
urgency | 1 |
vm | T |
release | FID (First Industrial Deployment) |
## 11 Ingestion of standardized CTI MRS-011
The data integration module SHALL allow for the import of threat data expressed in a standard CTI representation format, such as STIX.
Rationale: To enable the ingestion of data observed in a specific system, thereby making it possible to tailor the CTI knowledge obtained from the world to the protection of that system.
Child links: SRS-008 ETL orchestrator, SRS-009 ETL Transformer, SRS-010 Database manager

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 12 CyFORT CTI repository MRS-012
The SATRAP-DL system SHALL implement a mechanism for raw (i.e., prior to SATRAP inference) CTI storage in a CTI repository maintained using at least one open-source TIP with sharing capabilities (e.g., MISP or OpenCTI). This upstream SATRAP CTI repository maintained by one or more open-source TIPs will be referred to as the CyFORT CTI repository.
Rationale: To leverage the mature and robust data collection, storage and sharing capabilities of existing TIPs, and because many CSIRT/CERT and SOC teams already maintain their repositories in such platforms.
Child links: SRS-011 Ingestion of internal and external CTI, SRS-044 Open-source TIP integration

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 4 |
vm | R |
release | Alpha |
## 13 OSINT ingestion MRS-013
The CyFORT CTI repository SHOULD ingest open-source threat intelligence (OSINT), e.g., government feeds, according to predefined parameters, such as sources and frequency.
Rationale: To integrate relevant and up-to-date publicly available data about threats around the world.

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 4 |
vm | I |
release | Beta |
## 14 Automated CTI enrichment MRS-014
The data integration module SHOULD automatically enrich the information imported from external systems with CTI available in the CyFORT CTI repository.
Rationale: To address one of the major challenges for incident responders, namely, manual data correlation and contextualization of collected IoCs.
Child links: SRS-012 Inference rules

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 4 |
vm | T |
release | Alpha |
## 15 Semantic relations preservation MRS-015
The data integration module SHALL store imported threat data in the CTI SKB by maintaining the semantic relations defined in the input data.
Rationale: To ensure integrity of imported threat data.
Child links: SRS-013 STIX 2.1 data model

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 16 Configuration management MRS-016
The data integration module SHALL provide a configuration management mechanism with a set of predefined values for the user to adjust settings related to the data ingestion process.
Rationale: To allow tuning the system performance.
Child links: SRS-041 Configuration management mechanism

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 3 |
vm | T |
release | Alpha |
## 17 Conformance with user settings MRS-017
The data integration module SHALL execute its data import function according to settings defined by the user.
Rationale: To ensure enforcement of user-defined settings.
Child links: SRS-041 Configuration management mechanism

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 18 Automated reasoning MRS-018
SATRAP-DL SHALL provide native automated reasoning capabilities over the information in the CTI SKB to infer new relations and provide insights to the CTI analyst.
Rationale: Automated reasoning capabilities are expected not only to simplify analysis tasks over large amounts of data, but also to efficiently infer relations that would otherwise require dedicated time and effort from a CTI analyst.
Child links: SRS-014 Native reasoning engine

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 19 CTI sharing MRS-019
SATRAP-DL SHOULD facilitate sharing of CTI stored in the CTI SKB by exporting it to a machine-readable format expressing standardized CTI.
Rationale: Providing tools that simplify CTI sharing potentially encourages this activity, which is one of the factors that contributes to faster detection and response times.

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 3 |
vm | T |
release | Beta |
## 20 Interactive frontend MRS-020
SATRAP-DL SHALL provide and/or incorporate at least one frontend to enable interactive analysis of CTI, e.g., a command line interface (CLI), a web interface, a Jupyter Notebook or a desktop GUI application.
Rationale: To enhance and extend the toolset for CTI analysts.
Child links: SRS-015 Jupyter Notebook frontend, SRS-042 Command line interface (CLI), SRS-043 TypeDB Studio

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 21 Self-defined CTI queries MRS-021
The SATRAP-DL frontend SHALL allow the user to run self-defined CTI queries using a high-level language/representation, e.g., Python code encapsulating TypeQL.
Rationale: To provide enhanced capabilities accessible to end users for performing CTI analysis according to their investigative needs and objectives.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 22 Saved queries MRS-022
The frontend SHALL allow the user to save self-defined CTI queries using a high-level language/representation.
Rationale: To provide enhanced capabilities accessible to end users for performing CTI analysis according to their investigative needs and objectives.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 23 Query parameterization MRS-023
The frontend SHALL allow the user to customize parametrized pre-defined CTI queries in a high-level language/representation.
Rationale: For usability and adoption, by removing the need for end users to know the native CTI SKB query language.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 24 Frontend and CTI SKB mediator MRS-024
SATRAP-DL SHALL have a control module (a.k.a. the controller) in charge of the CTI analysis operational logic, i.e., orchestrating the interaction between the frontend and the CTI SKB.
Rationale: For separation of duties in SATRAP-DL.
Child links: SRS-008 ETL orchestrator

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Beta |
## 25 Reasoning engine controller MRS-025
The controller SHALL process CTI queries provided via the frontend, relay them to the reasoning engine and return a response based on the engine output.
Rationale: Instead of navigating the data space, CTI analysts can directly ask what they want to learn about the CTI data and obtain answers automatically.
Child links: SRS-008 ETL orchestrator, SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 26 Query result viewer MRS-026
The SATRAP-DL frontend SHALL display the data set resulting from a user query to the user.
Rationale: For providing a natural user experience (UX): users expect to get an answer in the interface where they asked the question.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 27 Frontend query status MRS-027
The frontend SHALL inform the user about the status of their queries, e.g., when the result is ready, a set wait time is exceeded, or errors have occurred.
Rationale: For supporting a good user experience (UX).
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 28 Native query execution MRS-028
The SATRAP-DL frontend SHALL provide the means to execute queries in the native query language of the CTI SKB.
Rationale: For convenience of advanced users.
Child links: SRS-043 TypeDB Studio

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 29 Frontend design MRS-029
The frontend design SHALL adhere to well-established guidelines for UI design.
Rationale: To facilitate ease of use, intuitiveness, and efficiency in completing tasks.
Child links: SRS-015 Jupyter Notebook frontend, SRS-043 TypeDB Studio

Attribute | Value |
---|---|
type | C |
importance | 5 |
urgency | 5 |
vm | I |
release | Alpha |
## 30 Frontend terminology MRS-030
Wherever applicable, the frontend SHALL use terms specified in relevant standards to refer to CTI concepts.
Rationale: Among other features, usage of a common vocabulary is essential for the adoption of tools in a given application domain.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | I |
importance | 5 |
urgency | 5 |
vm | I |
release | Alpha |
## 31 Frontend STIX compliance MRS-031
When terms coming from different CTI sources are used to refer to the same CTI concept, the frontend SHOULD provide a mapping to the equivalent concept in STIX.
Rationale: Among other features, usage of a common vocabulary is essential for the adoption of tools in a given application domain.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | C |
importance | 5 |
urgency | 5 |
vm | I |
release | Alpha |
## 32 User-controlled CTI curation MRS-032
The frontend SHOULD allow the user to update the information stored in the CTI SKB.
Rationale: To enable CTI curation by the users themselves.
Child links: SRS-043 TypeDB Studio

Attribute | Value |
---|---|
type | F |
importance | 3 |
urgency | 2 |
vm | T |
release | Alpha |
## 33 File-based SKB update MRS-033
The frontend MAY allow the user to update the SKB by loading CTI content from files encoded using a predefined format (e.g., JSON) and according to a well-defined specification (e.g., STIX).
Rationale: To keep the CTI updated by the users themselves.
Child links: SRS-042 Command line interface (CLI)

Attribute | Value |
---|---|
type | F |
importance | 3 |
urgency | 2 |
vm | T |
release | Alpha |
## 34 Frontend cross-platform support MRS-034
The frontend SHALL be cross-platform compatible, either by providing dedicated platform-dependent deployment artifacts (e.g., build binaries for GNU/Linux and macOS) or by relying on technology enabling cross-platform support by design, e.g., web-based stacks or containerization solutions.
Rationale: For portability and compatibility with prevailing operating systems.
Child links: SRS-015 Jupyter Notebook frontend, SRS-042 Command line interface (CLI)

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 35 SATRAP as software library MRS-037
SATRAP-DL SHALL include a native library grouping together a set of low-level algorithms to provide high-level CTI analysis services (functionality) and to facilitate the use of SATRAP as a software library for developing other applications.
Rationale: For interoperability with the ecosystem, to enable the automation of the CTI lifecycle through the integration of multiple complementary solutions.
Child links: SRS-015 Jupyter Notebook frontend

Attribute | Value |
---|---|
type | A |
importance | 4 |
urgency | 3 |
vm | I |
release | Alpha |
## 36 Platform-independent API MRS-038
SATRAP-DL SHALL provide a platform-independent API (e.g., a web-based one such as a REST API) enabling programmatic access to the data and services provided by the SATRAP-DL system.
Rationale: To enable automatic generation of documentation and automated API testing and validation, by providing a language-agnostic, human- and machine-readable specification.
Child links: SRS-016 API based on OAS

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 2 |
vm | T |
release | Beta |
## 37 CTI ingestion from IDPS-ESCAPE MRS-039
SATRAP-DL, through its CyFORT CTI repository handled by an open-source TIP (e.g., MISP), SHALL ingest CTI from the monitoring subsystem of IDPS-ESCAPE using a standard CTI representation format, following a pre-defined integration policy.
Rationale: To provide integration between the different components in the CyFORT stack.
Child links: SRS-017 Integration of behavioral data, SRS-018 IDPS-ESCAPE ingestion policy, SRS-044 Open-source TIP integration

Attribute | Value |
---|---|
type | F |
importance | 4 |
urgency | 4 |
vm | T |
release | Alpha |
## 38 Automated CTI ingestion MRS-040
The SATRAP-DL system SHOULD automatically ingest monitoring events (e.g., alerts, notifications) from the IDPS-ESCAPE central server using a standard CTI representation format and according to a pre-defined integration policy.
Rationale: To provide integration between the different components in the CyFORT stack.

Attribute | Value |
---|---|
type | F |
importance | 4 |
urgency | 4 |
vm | T |
release | Beta |
## 39 Inferred CTI export MRS-041
The SATRAP-DL system SHALL provide the means to export inferred CTI to at least one CTI representation standard, e.g., STIX.
Rationale: For interoperability with tools in the ecosystem.
Child links: SRS-019 CTI export to STIX

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 4 |
vm | T |
release | Beta |
## 40 TIP inference connector MRS-042
The SATRAP-DL system SHALL provide an enrichment mechanism to automatically run inference rules on newly ingested CTI entering the SATRAP TIP (maintaining the CyFORT CTI repository), according to an integration policy.
Rationale: For persistence of the analysis results in a standard human-readable format, useful for sharing the findings.
Child links: SRS-011 Ingestion of internal and external CTI

Attribute | Value |
---|---|
type | F |
importance | 5 |
urgency | 2 |
vm | T |
release | Beta |
## 41 TIP enrichment connector MRS-043
The SATRAP-DL system SHALL provide an enrichment mechanism to automatically repopulate the SATRAP TIP (maintaining the CyFORT CTI repository) with new inferred CTI derived using the SATRAP TIP inference connector, according to an integration policy.
Rationale: For sharing CTI findings into the central repositories of an organization, from where they could be further shared with external communities.
Child links: SRS-011 Ingestion of internal and external CTI

Attribute | Value |
---|---|
type | F |
importance | 4 |
urgency | 4 |
vm | T |
release | Beta |
## 42 Modular architecture MRS-044
The design of SATRAP-DL SHALL follow a modular architecture according to software design criteria specified, e.g., in the SWEBOK.
Rationale: As an open-source project, extensions by the community are expected, e.g., for supporting standards and tool interoperability. This requirement aims to facilitate smooth code integration.
Child links: SRS-020 System configuration file, SRS-021 Centralized logging, SRS-022 Centralized exception handling, SRS-024 Design and implementation principles

Attribute | Value |
---|---|
type | A |
importance | 5 |
urgency | 5 |
vm | R |
release | Alpha |
## 43 STIX compliance MRS-045
The SATRAP-DL system SHALL use the STIX (Structured Threat Information eXpression) language and serialization format for structured CTI representation.
Rationale: For interoperability.
Child links: SRS-023 CTI representation in STIX 2.1

Attribute | Value |
---|---|
type | C |
importance | 5 |
urgency | 5 |
vm | T |
release | Alpha |
## 44 C5-DEC compliance MRS-046
The development of SATRAP-DL SHALL conform to the C5-DEC SSDLC method.
Rationale: To enforce security by design and a rigorous development process.
Child links: SRS-024 Design and implementation principles, SRS-025 Code readability

Attribute | Value |
---|---|
type | C |
importance | 5 |
urgency | 5 |
vm | I |
release | Alpha |
## 45 Open-source releases MRS-051
The source code, API specifications and technical documentation of SATRAP-DL SHALL be made available under open and permissive licenses to entities with legitimate interest in the cybersecurity dataspace.
Rationale: An open-source release allows contributions and usage by the community, which in turn fosters adoption and exchange of feedback.
Child links: SRS-026 Public release, SRS-027 Open-source licensing

Attribute | Value |
---|---|
type | Q |
importance | 5 |
urgency | 5 |
vm | I |
release | Alpha |
## 46 Secure programming compliance MRS-053
Software components of SATRAP-DL SHALL be implemented in agreement with secure coding best practices, such as those specified in the C5-DEC SSDLC.
Rationale: To enforce security by design as per the CyFORT SSDLC.
Child links: SRS-028 Input validation, SRS-029 Input sanitization, SRS-030 Resource management, SRS-031 Code static analysis, SRS-032 Dependencies management, SRS-033 Functional ETL events logging, SRS-034 Detailed event logging, SRS-035 Consistent logging format, SRS-036 Log validation, SRS-037 Sensitive information, SRS-038 Software identification

Attribute | Value |
---|---|
type | C |
importance | 5 |
urgency | 5 |
vm | I, R |
release | Alpha |
## 47 Access control MRS-056
The SATRAP-DL connectors (for ingestion and enrichment) SHALL rely on the built-in functionality of the integrated open-source TIP (i.e., the SATRAP TIP maintaining the CyFORT CTI repository) to enforce access control and role-based access management.
Rationale: Separation of roles should be implemented to address security concerns, and to provide information and relevant functionalities according to the type of user.
Child links: SRS-040 Authentication and authorization

Attribute | Value |
---|---|
type | S |
importance | 4 |
urgency | 4 |
vm | T |
release | Beta |
## 48 Secure channel to TIP MRS-057
The communication between separate components of SATRAP-DL that crosses trust boundaries SHALL occur over confidential and authenticated channels.
Rationale: The data to be queried is likely to include not only OSINT but also information collected from internal tools that might be available only to authorized users.

Attribute | Value |
---|---|
type | S |
importance | 5 |
urgency | 5 |
vm | T |
release | Beta |
## 49 Secure channel to IDPS-ESCAPE MRS-058
The communication between IDPS-ESCAPE and SATRAP-DL SHALL occur over confidential and authenticated channels whenever the two systems are not located within the same trust boundary.
Rationale: As this integration is likely to exchange internal information, the communication channel should be protected from external parties by default.

Attribute | Value |
---|---|
type | S |
importance | 4 |
urgency | 4 |
vm | T |
release | Beta |