
Improve Ransomware Live connector #2351

Closed
yassine-ouaamou opened this issue Jul 15, 2024 · 10 comments

Comments

@yassine-ouaamou
Member

Description

Following some tests, here are some behaviours to fix in the ransomware.live connector:

  • The connector creates Intrusion Sets as Threat Actors
  • The connector adds "related-to" relationships between reports and entities/observables instead of embedding them in the report
@yassine-ouaamou yassine-ouaamou added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Jul 15, 2024
@Jipegien Jipegien added community support use to identify an issue related to feature developed & maintained by community. feature use for describing a new feature to develop and removed bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Jul 15, 2024
@Lhorus6
Contributor

Lhorus6 commented Jul 24, 2024

Further information:
The connector creates Reports, Organizations, and Threat actors. From what I understand, its purpose is to reference ransomware attacks. The reports it creates seem completely useless as is. It should:

  • Either put information in the reports, choose an interesting name, etc. (if such information is available).
  • Or maybe not create any reports at all. Simply create Threat -> Target -> Victim (Organization) relationships.

From my point of view, we need to:

  • Evaluate how to make reports useful (add information). We have only external ref at this moment.
  • If you keep the reports, don't create any more “related to” relationships with the reports.
  • Create Intrusion sets rather than Threat actors.
  • Study the possibility of creating and linking malware.
  • No longer create an “attributed to” relationship with a victim Organization.

"targets" and "attributed to" relation with the same Organization?!


"related to" relation with Report


Threat actor that might be Intrusion set


@yassine-ouaamou
Member Author

Hey @sudesh0sudesh,

First, I wanted to thank you for your contribution. Your work is greatly appreciated within our community.
Could you consider adding the improvements highlighted in this issue so it meets the necessary standards for a production use?

Thanks!

@sudesh0sudesh
Contributor

@yassine-ouaamou I will make changes from threat actors to intrusion sets.

@sudesh0sudesh
Contributor

sudesh0sudesh commented Jul 24, 2024

@Lhorus6 Thank you for the recommendations.
I will consider ways to limit the relationships.

We create reports because we don't always have information about the organization and we use reports to track victims. We could include the information that the organization was compromised within the organization itself, but at that point, it wouldn't be useful to anyone.

I'm not sure how to link it to malware because only the organization that was attacked knows what malware was used.

@Lhorus6
Contributor

Lhorus6 commented Jul 24, 2024

Hi @sudesh0sudesh,

I see. Perhaps create Incidents rather than Reports in this case. 🤔 It’s debatable, both would be possible in reality.

But if we stay with the Reports, to improve them a little:

  • Putting a title based on a pattern would be interesting. For example, instead of just putting the victim's name in the title, we could think about using a pattern like "Ransomware activity tracking - [victim name] victim of [ransomware group name]".
  • Same idea for the description, something like: “On [today's date], the ransomware group [group name] mentioned [victim name] as one of its victims.”
  • Put TLP:CLEAR marking.
  • Add “Ransomware Live” as “Author”.

These are small things that would make a Report cleaner.
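
As an added example (not the connector's own code), the modelling asked for in both comments above, written as plain STIX 2.1 dictionaries with only the Python standard library: an Intrusion Set that targets the victim Organization, a Report that embeds them through object_refs rather than "related-to" relationships, the suggested name and description patterns, a TLP:CLEAR marking and a "Ransomware Live" author, plus a small audit that flags the anti-patterns listed in the issue. The namespace UUID, the marking object and the sample values are constructed; a real OpenCTI connector would reuse the platform's existing TLP:CLEAR marking.

```python
import uuid

NS = uuid.UUID("9a7b1c4e-2d3f-4a5b-8c6d-7e8f9a0b1c2d")  # constructed namespace for deterministic ids


def sid(stix_type, key):
    """Deterministic STIX id: re-importing the same victim updates the object instead of duplicating it."""
    return f"{stix_type}--{uuid.uuid5(NS, key)}"


def build_victim_bundle(group, victim, url, seen):
    """One ransomware.live victim entry (seen = 'YYYY-MM-DD') modelled as the issue asks, as STIX 2.1 dicts."""
    ts = f"{seen}T00:00:00.000Z"
    base = {"spec_version": "2.1", "created": ts, "modified": ts}
    author = {**base, "type": "identity", "id": sid("identity", "Ransomware Live"),
              "name": "Ransomware Live", "identity_class": "organization"}
    # Constructed TLP:CLEAR marking object; a real connector reuses the platform's existing one.
    tlp = {"type": "marking-definition", "spec_version": "2.1", "created": ts, "name": "TLP:CLEAR",
           "id": sid("marking-definition", "TLP:CLEAR"), "definition_type": "tlp", "definition": {"tlp": "clear"}}
    common = {**base, "created_by_ref": author["id"], "object_marking_refs": [tlp["id"]]}
    # The ransomware group is an Intrusion Set, not a Threat Actor.
    group_obj = {**common, "type": "intrusion-set", "id": sid("intrusion-set", group), "name": group}
    victim_obj = {**common, "type": "identity", "id": sid("identity", victim), "name": victim, "identity_class": "organization"}
    # The only relationship: group targets victim. No "attributed-to" to the victim, no "related-to".
    targets = {**common, "type": "relationship", "relationship_type": "targets",
               "id": sid("relationship", f"{group}|targets|{victim}"),
               "source_ref": group_obj["id"], "target_ref": victim_obj["id"]}
    # The report embeds everything through object_refs instead of extra relationships.
    report = {**common, "type": "report", "id": sid("report", f"{group}|{victim}|{seen}"),
              "name": f"Ransomware activity tracking - {victim} victim of {group}",
              "description": f"On {seen}, the ransomware group {group} mentioned {victim} as one of its victims.",
              "published": ts, "report_types": ["threat-report"],
              "external_references": [{"source_name": "ransomware.live", "url": url}],
              "object_refs": [group_obj["id"], victim_obj["id"], targets["id"]]}
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [author, tlp, group_obj, victim_obj, targets, report]}


def audit(bundle):
    """List the anti-patterns from the issue found in a bundle; an empty list means it is clean."""
    objs = bundle["objects"]
    problems = [f"threat-actor '{o['name']}' should be an intrusion-set" for o in objs if o["type"] == "threat-actor"]
    for r in (o for o in objs if o["type"] == "relationship"):
        if r["relationship_type"] == "related-to" and any(x.startswith("report--") for x in (r["source_ref"], r["target_ref"])):
            problems.append("related-to relationship involving a report (use object_refs instead)")
        if r["relationship_type"] == "attributed-to" and r["target_ref"].startswith("identity--"):
            problems.append("attributed-to relationship with a victim organization")
    for rep in (o for o in objs if o["type"] == "report"):
        if not rep.get("object_marking_refs") or not rep.get("created_by_ref"):
            problems.append(f"report '{rep['name']}' lacks a marking or an author")
    return problems
```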

@screencoffee
Contributor

I just tested the newest version; it seems to be broken due to missing dependencies.
While I got an error for the missing tldextract, I fear the validators library might also be missing.

opencti-connector-ransomware-1  | Traceback (most recent call last):
opencti-connector-ransomware-1  |   File "/opt/connector/main.py", line 5, in <module>
opencti-connector-ransomware-1  |     from lib.ransomConn import RansomwareAPIConnector
opencti-connector-ransomware-1  |   File "/opt/connector/lib/ransomConn.py", line 8, in <module>
opencti-connector-ransomware-1  |     import tldextract
opencti-connector-ransomware-1  | ModuleNotFoundError: No module named 'tldextract'

Great work on the connector nonetheless! @sudesh0sudesh

@sudesh0sudesh
Contributor

sudesh0sudesh commented Aug 15, 2024

@screencoffee Sorry for that, just created a new pull request.

@screencoffee
Contributor

Happy to say that it works!
And these improvements are amazing!

@helene-nguyen helene-nguyen self-assigned this Sep 16, 2024
@helene-nguyen
Member

Solved by #2474

@helene-nguyen helene-nguyen added the solved use to identify issue that has been solved (must be linked to the solving PR) label Sep 16, 2024
@yassine-ouaamou
Member Author

Hi @sudesh0sudesh,
Great Job! Thanks for your contribution.
I just tested the connector. I see two tiny improvements that I noted in this new issue: #2665
