Data

Accessing EMB3D Data

EMB3D in STIX

The Structured Threat Information Expression (STIX) language is a machine-readable JSON format used for capturing and sharing cyber threat information. The EMB3D dataset is available in STIX 2.1 format.

EMB3D STIX v2.0

Data representation

The EMB3D data is represented using primarily standard STIX data objects (SDOs) with some custom extensions:

  • EMB3D Threats are expressed as vulnerability objects
  • EMB3D Mitigations are expressed as course-of-action objects
  • EMB3D Properties do not map well to any standard STIX data type and are instead expressed as custom objects with the type x-mitre-emb3d-property

Links between objects are represented as STIX relationship types:

  • Property to Threat mappings use the relationship type relates-to with the Property SDO as the source_ref and corresponding Threat SDO as the target_ref.
  • Threat to Mitigation mappings use the relationship type mitigates with the Mitigation SDO as the source_ref and the Threat SDO as the target_ref.
  • The hierarchy of Properties and sub-Properties is captured in relationship objects with the custom relationship type subproperty-of, the child sub-property SDO as the source_ref, and the parent property SDO as the target_ref.

Threat and Mitigation description text is contained in the description field of each object. The content of this field is the Markdown-format text of the corresponding section on each TID and MID web page.

Evidence and reference text for Threats and Mitigations is similarly encoded as Markdown text (see the Limitations below).

Threat object property fields:

  • x_mitre_emb3d_threat_evidence: Contents of the ‘Threat Maturity and Evidence’ section of each TID page.
  • x_mitre_emb3d_threat_CWEs: Contents of the ‘CWE’ section of each TID page as a Markdown bullet list.
  • x_mitre_emb3d_threat_CVEs: Contents of the ‘CVE’ section of each TID page as a Markdown bullet list.

Mitigation object property fields:

  • x_mitre_emb3d_mitigation_references: Contents of the ‘References’ section of each MID page. Each reference is a numbered paragraph.
  • x_mitre_emb3d_mitigation_IEC_62443_mappings: Contents of the ‘IEC 62443 4-2 Mappings’ section of each MID page as a Markdown bullet list.
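The mapping above can be walked with nothing more than a JSON parser. The following is an added example, not code from the EMB3D project: it resolves a Property (and its sub-Properties) to Threats, their Mitigations and their CWE bullet items. The sample bundle, its shortened ids, the name field on Property objects and the helper names are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict

def _rel(n, kind, src, dst):
    return {"type": "relationship", "id": f"relationship--{n}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

# Constructed sample: ids (shortened, not real UUIDs), names and CWE text are placeholders.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--0", "objects": [
    {"type": "x-mitre-emb3d-property", "id": "x-mitre-emb3d-property--p1", "name": "Parent property"},
    {"type": "x-mitre-emb3d-property", "id": "x-mitre-emb3d-property--p2", "name": "Child property"},
    {"type": "vulnerability", "id": "vulnerability--t1", "name": "Threat A",
     "x_mitre_emb3d_threat_CWEs": "- CWE-000: placeholder one\n- CWE-001: placeholder two"},
    {"type": "vulnerability", "id": "vulnerability--t2", "name": "Threat B"},
    {"type": "course-of-action", "id": "course-of-action--m1", "name": "Mitigation X"},
    _rel(1, "subproperty-of", "x-mitre-emb3d-property--p2", "x-mitre-emb3d-property--p1"),
    _rel(2, "relates-to", "x-mitre-emb3d-property--p1", "vulnerability--t1"),
    _rel(3, "relates-to", "x-mitre-emb3d-property--p2", "vulnerability--t2"),
    _rel(4, "mitigates", "course-of-action--m1", "vulnerability--t1"),
]})

def load_index(bundle_text):
    """Index objects by id and group relationship edges by relationship_type."""
    objs, edges = {}, defaultdict(list)
    for o in json.loads(bundle_text)["objects"]:
        if o["type"] == "relationship":
            edges[o["relationship_type"]].append((o["source_ref"], o["target_ref"]))
        else:
            objs[o["id"]] = o
    return objs, edges

def threats_for_property(objs, edges, prop_id, include_subproperties=True):
    """Return {threat name: {"mitigations": [...], "cwes": [...]}} for a property."""
    props, frontier = {prop_id}, [prop_id]
    while include_subproperties and frontier:  # follow subproperty-of edges parent -> child
        parent = frontier.pop()
        for child, target in edges["subproperty-of"]:
            if target == parent and child not in props:
                props.add(child)
                frontier.append(child)
    result = {}
    for src, threat_id in edges["relates-to"]:  # Property is source_ref, Threat is target_ref
        if src in props and objs.get(threat_id, {}).get("type") == "vulnerability":
            threat = objs[threat_id]
            mits = sorted(objs[m]["name"] for m, t in edges["mitigates"] if t == threat_id and m in objs)
            cwes = re.findall(r"^\s*[-*]\s+(.+)$", threat.get("x_mitre_emb3d_threat_CWEs", ""), re.M)
            result[threat["name"]] = {"mitigations": mits, "cwes": cwes}
    return result
```

A Threat that comes back with an empty mitigations list has no mitigates relationship pointing at it in the bundle, which is worth flagging when the output feeds a coverage review.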

Encoding

The EMB3D data is generated using the OASIS CTI TC’s Python STIX2 library in UTF-8 text encoding.

Limitations of the current version

The EMB3D 2.0 release contains the initial release of the STIX data representation. All of the model data is contained within the STIX JSON file; however, not all of it is represented using the full extent of the STIX feature set. In particular, the evidence and reference link material associated with Threats and Mitigations is represented as free-form Markdown text. In a future EMB3D release these will be encoded as objects using the STIX external-reference data type mechanism.