Upload ae_ontology.ttl

docs/ae_ontology.ttl

@@ -0,0 +1,794 @@
+
+@prefix attack: <https://ontology.adversaryengagement.org/ae/attack/> .
+@prefix engagement: <https://ontology.adversaryengagement.org/ae/engagement/> . 
+@prefix identity: <https://ontology.adversaryengagement.org/ae/identity/> .
+@prefix objective: <https://ontology.adversaryengagement.org/ae/objective/> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix role: <https://ontology.adversaryengagement.org/ae/role/> .
+@prefix sh: <http://www.w3.org/ns/shacl#> .
+@prefix uco-action: <https://ontology.unifiedcyberontology.org/uco/action/> .
+@prefix uco-core: <https://ontology.unifiedcyberontology.org/uco/core/> . 
+@prefix uco-identity: <https://ontology.unifiedcyberontology.org/uco/identity/> .
+@prefix uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/> . 
+@prefix uco-role: <https://ontology.unifiedcyberontology.org/uco/role/> .
+@prefix uco-types: <https://ontology.unifiedcyberontology.org/uco/types/> . 
+@prefix vocabulary: <https://ontology.adversaryengagement.org/ae/vocabulary/> . 
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+
+
+
+
+attack:AttackPattern a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "AttackPattern"@en ;
+    rdfs:comment "An attack pattern is a common approach (set of actions) utilized by a person or organization to carry out malicious activity intended to achieve some particular objective (within a particular context) against a targeted victim."@en ;
+    rdfs:subClassOf uco-action:ActionPattern ;
+    sh:property
+      [
+        sh:class engagement:Objective ;
+	sh:nodeKind sh:IRI ;
+	sh:path objective:hasObjective
+      ] ;
+    sh:targetClass attack:AttackPattern .
+
+
+
+attack:CyberKillChain a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "CyberKillChain"@en ;
+    rdfs:comment "An cyber kill chain is an ordered sequence of actions or events describing a lifecycle from some framework."@en ;
+    rdfs:subClassOf uco-action:ActionLifecycle ;
+    sh:targetClass attack:CyberKillChain .
+
+
+
+
+attack:DefensePattern a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "AttackPattern"@en ;
+    rdfs:comment "A defense pattern is a common approach (set of actions) utilized by a person or organization to carry out defensive activity intended to achieve some particular objective (within a particular context) against malicious activity."@en ;
+    rdfs:subClassOf uco-action:ActionPattern ;
+    sh:property
+      [
+        sh:class engagement:Objective ;
+	sh:nodeKind sh:IRI ;
+	sh:path objective:hasObjective 
+      ] ;
+    sh:targetClass attack:DefensePattern .
+
+
+# Actions
+
+	#Release Version: 0.1.8
+engagement:Access a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Access"@en ; 
+    rdfs:comment "An Access action refers to an observed or deduced interaction between an entity and an object."@en ; 
+    rdfs:subClassOf uco-action:Action ; 
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Access" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Access . 
+
+engagement:Alert a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Alert"@en ; 
+    rdfs:comment "An Alert action involves notification to some entity that some condition or event of particular interest has occurred."@en ; 
+    rdfs:subClassOf uco-action:Action ; 
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Alert" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Alert . 
+
+
+	#Date Added: 2023-03-31
+	#Recent Date Modified: 2023-07-02
+	#Release Version: 0.2.0
+	#On-going Challenges: How to restrict the performer to be any UcoObject except Identity 
+engagement:Beacon a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Beacon"@en ; 
+    rdfs:comment "An Beacon action is refer to communication between two objects where the performer is an object and the object property is an object or dataTarqet. Beacon is designed to differentiate between actions performed by and onto objects and actions performed by and onto identities. "@en ; 
+    rdfs:subClassOf uco-action:Action ; 
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Beacon" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Beacon . 
+
+
+	#Release Version: 0.1.8
+engagement:Deploy a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Deploy"@en ;
+    rdfs:comment "A Deploy action involves instantiating some deception objects prior or during an operation."@en ;
+    rdfs:subClassOf uco-action:Action ; 
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Deploy" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Deploy .
+
+engagement:Obfuscate a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Obfuscate"@en ;
+    rdfs:comment "An Obfuscate action is a transformative action an entity or tool performs to some object to reduce available information associated with that object."@en ;
+    rdfs:subClassOf uco-action:Action ; 
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Obfuscate" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Obfuscate .
+
+engagement:Respond a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Respond"@en ;
+    rdfs:comment "A Respond action is a reactive, defensive action to some adversarial detection or alert."@en ;
+    rdfs:subClassOf uco-action:Action ;
+	sh:property 
+		[
+			sh:datatype xsd:string ;
+			sh:hasValue "Respond" ;
+			sh:maxCount "1"^^xsd:integer ;
+			sh:minCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:path uco-core:name ;
+		] ;
+    sh:targetClass engagement:Respond .
+ 
+
+# Objects
+
+	#Date Added: 2023-03-31
+	#Recent Date Modified: 2023-03-31
+	#Release Version: 0.1.9
+engagement:Breadcrumb a owl:Class,
+        sh:NodeShape ;
+	rdfs:label "Breadcrumb"@en ;
+	rdfs:comment "A Breadcrumb is a set of objects placed to be at least partially, sequentially interacted by an adversary to ellicit an explicit response, often in the context of lateral movement."@en ;
+	rdfs:subClassOf engagement:LureObject ;
+	sh:property
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:breadcrumbTargetObject
+		],
+		[
+			sh:class uco-core:UcoObject ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasCharacterization
+		] ;
+	sh:targetClass engagement:Breadcrumb .
+
+
+	#Date Added: 2023-03-31
+	#Recent Date Modified: 2023-03-31
+	#Release Version: 0.1.9
+engagement:BreadcrumbTrail a owl:Class,
+        sh:NodeShape ;
+	rdfs:label "BreadcrumbTrail"@en ;
+	rdfs:comment "A breadcrumb trail is a sequence of observed breadcrumbs where partial order of observation of breadcrumbs matter."@en ;
+	rdfs:subClassOf uco-core:UcoObject ;
+	sh:property
+		[
+			sh:class objective:Objective ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasObjective
+		],
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:breadcrumbTargetObject
+		],
+		[
+			sh:class uco-types:Thread ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasBreadcrumb
+		] ;
+	sh:targetClass engagement:BreadcrumbTrail .
+
+
+	#Release Version: 0.1.8
+engagement:DataSource a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "DataSource"@en ; 
+    rdfs:comment "A datasource is a grouping of characteristics unique to a specific source of data (e.g. a tool that generates event logs)."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:targetClass engagement:DataSource . 
+
+
+	#Release Version: 0.1.9
+engagement:DataTarget a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "DataTarget"@en ; 
+    rdfs:comment "A datatarget is a grouping of characteristics unique to a specific target/listener that receives data (e.g. a listening port)."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:targetClass engagement:DataTarget . 
+
+	#Release Version: 0.1.8
+engagement:Decoy a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Decoy"@en ; 
+    rdfs:comment " A decoy is a placed object that has the perception of enough value to an adversary to pursue but contains no real value."@en ; 
+    rdfs:subClassOf engagement:LureObject ; 
+    sh:targetClass engagement:Decoy . 
+
+engagement:HoneyObject a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "HoneyObject"@en ; 
+    rdfs:comment " An domain object that is created to be percieved by an adversary to have high value to pursue in an adversary engagement operation that has no value out of scope of the operation's intended perception."@en ; 
+    rdfs:subClassOf engagement:LureObject ; 
+    sh:targetClass engagement:HoneyObject . 
+
+engagement:Honeypot a owl:Class,
+        sh:NodeShape ;
+	rdfs:label "Honeypot"@en ;
+	rdfs:comment " A controlled environment intended to be probed, compromised or attacked by adversaries or malware."@en ;
+	rdfs:subClassOf engagement:HoneyObject ;
+	sh:property
+		[
+			sh:datatype vocabulary:HoneypotInteractionTypeVocab ;
+			sh:message "Value is outside the default vocabulary HoneypotInteractionTypeVocab." ;
+			sh:path engagement:honeypotInteractionType ;
+			sh:severity sh:Info ;
+		] ,
+		[
+			sh:maxCount "1"^^xsd:integer ;
+			sh:nodeKind sh:Literal ;
+			sh:or ([ sh:datatype vocabulary:HoneypotInteractionTypeVocab ;] [ sh:datatype xsd:string ;]) ;
+			sh:path engagement:honeypotInteractionType ;
+		] ,
+		[
+			sh:message "Value is not member of the vocabulary HoneypotInteractionTypeVocab." ;
+			  sh:or ([ sh:datatype vocabulary:HoneypotInteractionTypeVocab ;
+					sh:in (
+						"High"^^vocabulary:HoneypotTypeVocab
+						"Low"^^vocabulary:HoneypotTypeVocab
+						"Dynamic"^^vocabulary:HoneypotTypeVocab
+					) ;
+					] [ sh:datatype xsd:string ;]) ;
+			  sh:path engagement:honeypotInteractionType ;
+		] ;
+    sh:targetClass engagement:Honeypot .
+
+engagement:HoneyToken a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "HoneyToken"@en ; 
+    rdfs:comment "A honey token gives an adversary direct access to a honeypot."@en ; 
+    rdfs:subClassOf engagement:HoneyObject ;
+    sh:targetClass engagement:HoneyToken . 
+
+engagement:LureObject a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "LureObject"@en ; 
+    rdfs:comment " An object or set of objects used to attract an adversary that has the perception of high value regardless if it actually has high value."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ;
+    sh:property 
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasCharacterization 
+		] ,
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasPerceptionCharacterization 
+		] ,
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasAttackSurface 
+		] ;
+    sh:targetClass engagement:LureObject . 
+
+engagement:Malware a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Malware"@en ;
+    rdfs:comment "Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms are usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially."@en ;
+    rdfs:subClassOf uco-core:UcoObject ;
+    sh:targetClass engagement:Malware .
+
+ 
+# Planning & Narrative Concepts
+
+	#Release Version: 0.1.8
+engagement:Event a owl:Class,
+        sh:NodeShape ;
+	rdfs:label "Event"@en ;
+	rdfs:comment "An Event characterizes some occurence."@en ;
+	rdfs:subClassOf uco-core:UcoObject ;
+	sh:property
+		[
+		  sh:datatype xsd:string ;
+		  sh:nodeKind sh:Literal ;
+		  sh:path engagement:eventType ;
+		],
+		[
+		sh:nodeKind sh:IRI ;
+			sh:class uco-core:UcoObject ;
+		sh:path engagement:eventContext ;
+		],
+		[
+		sh:datatype xsd:string ;
+		sh:nodeKind sh:Literal ;
+		sh:path uco-core:startTime ;
+		],
+		[
+		sh:datatype xsd:string ;
+		sh:nodeKind sh:Literal ;
+		sh:path uco-core:endTime ;
+		],
+		[
+		sh:nodeKind sh:IRI ;
+			sh:class uco-types:Dictionary ;
+		sh:path engagement:eventAttribute ;
+		] ;
+	sh:targetClass engagement:Event .
+
+engagement:Narrative a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Narrative"@en ; 
+    rdfs:comment "A narrative is a script of all expected sequence of actions, events, entities and their interactions."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:property 
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasStoryline 
+		] ,
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasObjective 
+		] ;
+    sh:targetClass engagement:Narrative . 
+
+engagement:PlannedEvent a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "PlannedEvent"@en ; 
+    rdfs:comment "A PlannedEvent is a collection of actions, entities, interactions designated to be performed at some sequentially indexed time in a Storyline or Narrative"@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:property 
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:eventContext 
+		] ,
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasObjective 
+		] ;
+    sh:targetClass engagement:PlannedEvent . 
+
+engagement:PocketLitter a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "PocketLitter"@en ; 
+    rdfs:comment "Pocket litter describes objects placed prior or during an adversary engagement operation for the purpose of realism."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:property 
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasCharacterization 
+		] ;
+    sh:targetClass engagement:PocketLitter . 
+
+engagement:Resource a owl:Class, 
+        sh:NodeShape ; 
+    rdfs:label "Resource"@en ; 
+    rdfs:comment " A resource can be a tool, location or object which requires some operational cost to enable availability."@en ; 
+    rdfs:subClassOf uco-core:UcoObject ; 
+    sh:targetClass engagement:Resource . 
+
+engagement:Sandbox a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Sandbox"@en ;
+    rdfs:comment " A controlled environment intended for malware detonation and malware analysis."@en ;
+    rdfs:subClassOf uco-core:UcoObject ;
+    sh:property
+		[
+			sh:class uco-core:UcoObject ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasCharacterization
+		] ;
+    sh:targetClass engagement:Sandbox .
+
+
+engagement:Storyline a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Storyline"@en ;
+    rdfs:comment "A Storyline is a sequence of semi-ordered planned events as an expected trajectory for a narrative."@en ;
+    rdfs:subClassOf uco-core:UcoObject ;
+    sh:property
+		[
+			sh:class uco-types:Thread ;
+			sh:minCount 1 ;
+			sh:nodeKind sh:IRI ;
+			sh:path engagement:hasEvent ;
+		] ;
+    sh:targetClass engagement:Storyline .
+	
+
+
+# Properties
+
+	#Release Version: 0.1.8
+engagement:alertContext a owl:ObjectProperty;
+    rdfs:label "alertContext"@en ; 
+    rdfs:comment "An alert context describes the association of actions and objects relating to an alert."@en ; 
+    rdfs:range uco-core:UcoObject .
+
+	#Date Added: 2023-07-23
+	#Release Version: 0.2.0
+engagement:hasAttackSurface a owl:ObjectProperty, 
+        sh:NodeShape ; 
+    rdfs:label "hasAttackSurface"@en ; 
+    rdfs:comment "hasAttackSurface is an object property which describes the UcoObjects which compose the attack surface which is expected to interacted with by an adversary."@en ; 
+    rdfs:range uco-core:UcoObject .
+
+	#Release Version: 0.1.8
+engagement:eventContext a owl:ObjectProperty; 
+    rdfs:label "eventContext"@en ; 
+    rdfs:comment "An event context describes the association of actions and objects relating to an event."@en ; 
+    rdfs:range uco-core:UcoObject .
+	
+engagement:eventAttribute a owl:ObjectProperty;
+    rdfs:label "eventAttribute"@en ;
+    rdfs:comment "An event attribute specifies an ad-hoc attribute/value for an event."@en ;
+    rdfs:range uco-types:Dictionary .
+ 
+engagement:eventType a owl:DatatypeProperty;
+    rdfs:label "eventType"@en ;
+    rdfs:comment "An event type specifies a classification type for the event."@en ;
+    rdfs:range xsd:string .
+
+	#Date Added: 2023-03-31
+	#Recent Date Modified: 2023-03-31
+	#Release Version: 0.1.9
+engagement:breadcrumbTargetObject a owl:ObjectProperty;
+    rdfs:label "breadcrumbTargetObject"@en ;
+    rdfs:comment "breadcrumbTargetObject specifies the target object or resource which the breadcrumb is luring an adversary to."@en ;
+    rdfs:range uco-core:UcoObject .
+
+	#Release Version: 0.1.8
+engagement:hasCharacterization a owl:ObjectProperty, 
+        sh:NodeShape ; 
+    rdfs:label "hasCharacterization"@en ; 
+    rdfs:comment "hasCharacterization is an object property which describes the UcoObjects which compose a deception object or adversary engagement concept."@en ; 
+    rdfs:range uco-core:UcoObject .
+
+	#Date Added: 2023-07-23
+	#Release Version: 0.2.0
+engagement:hasPerceptionCharacterization a owl:ObjectProperty, 
+        sh:NodeShape ; 
+    rdfs:label "hasPerceptionCharacterization"@en ; 
+    rdfs:comment "hasPerceptionCharacterization is an object property which describes the UcoObjects which compose the perception object which an adversary perceives."@en ; 
+    rdfs:range uco-core:UcoObject .
+	
+
+engagement:hasEvent a owl:ObjectProperty;
+    rdfs:label "hasEvent"@en ;
+    rdfs:comment "hasEvent specifies an ordered list of associated Events."@en ;
+    rdfs:range uco-types:Thread .
+ 
+engagement:hasBreadcrumb a owl:ObjectProperty;
+    rdfs:label "hasBreadcrumb"@en ;
+    rdfs:comment "hasBreadcrumb specifies an ordered list of associated Breadcrumbs."@en ;
+    rdfs:range uco-types:Thread .
+
+engagement:hasStoryline a owl:ObjectProperty;
+    rdfs:label "hasStoryline"@en ;
+    rdfs:comment "hasStoryline identifies a Storyline that is part of a Narrative."@en ;
+    rdfs:range engagement:Storyline .
+
+engagement:honeypotInteractionType a owl:DatatypeProperty ;
+    rdfs:label "honeypotInteractionType"@en ;
+    rdfs:comment "The interaction class intended for a honeypot."@en ;
+    rdfs:range [ a rdfs:Datatype ;
+            owl:unionOf ( vocabulary:HoneypotInteractionTypeVocab xsd:string ) ] .
+				
+
+
+
+
+ 
+
+identity:Persona a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Persona"@en ;
+    rdfs:comment " An persona is a facticious entity created to serve a purpose in a deception operation."@en ;
+    rdfs:subClassOf uco-identity:Identity ;
+    sh:targetClass identity:Persona .
+
+
+identity:Team a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Team"@en ;
+    rdfs:comment "The conventional reference to group of identities that are associated with some unified identity with a team objective"@en ;
+    rdfs:subClassOf uco-identity:Organization ;
+    sh:property
+      [
+        sh:class objective:Objective ;
+        sh:nodeKind sh:IRI ;
+        sh:path objective:hasObjective
+      ] ;
+    sh:targetClass identity:Team .
+
+
+# Classes
+
+objective:Objective a owl:Class,
+        sh:NodeShape ;
+    rdfs:label "Objective"@en ;
+    rdfs:comment "An objective is some particular condition or state that is desired to be achieved and toward which effort is directed: an aim, goal, or end of action."@en ;
+    rdfs:subClassOf uco-core:UcoObject ;
+    sh:targetClass objective:Objective .
+ 
+
+# Properties
+
+objective:hasObjective a owl:ObjectProperty,
+        sh:NodeShape ;
+    uco-core:name "hasObjective"@en ;
+    uco-core:description "An object which can be associated with an objective."@en ;
+    rdfs:range objective:Objective .
+
+# Individuals
+
+    # ATT&CK Objectives
+
+
+objective:CommandAndControl a objective:Objective ;
+    uco-core:name "Command and Control"@en ;
+    uco-core:description "A Command and Control objective is defined by MITRE ATT&CK Tactic TA0011 (Command and Control) and involves an adversary's capability to communicate with compromised systems to control them."@en ;
+	.
+
+ 
+
+objective:CredentialAccess a objective:Objective ;
+    uco-core:name "Access Credentials"@en ;
+    uco-core:description "An Access Credentials (Credential Access) objective is defined by MITRE ATT&CK Tactic TA0006 (Credential Access) and involves an adversary's capability to steal account names and passwords."@en ;
+	.
+ 
+
+objective:DevelopResource a objective:Objective ;
+    uco-core:name "Develop Resource"@en ;
+    uco-core:description "A Develop Resource (Resource Development) objective is defined by MITRE ATT&CK Tactic TA0042 (Resource Development) and involves an adversary's capability to establish resources they can use to support operations."@en ;
+	.
+	
+ 
+
+objective:Discover a objective:Objective ;
+    uco-core:name "Discover"@en ;
+    uco-core:description "A Discover (Discovery) objective is defined by MITRE ATT&CK Tactic TA0007 (Discovery) and involves an adversary's capability to learn about and understand details of a targeted environment."@en ;
+	.
+ 
+
+objective:EscalatePrivilege a objective:Objective ;
+    uco-core:name "Escalate Privilege"@en ;
+    uco-core:description "An Escalate Privilege (PrivilegeEscalation) objective is defined by MITRE ATT&CK Tactic TA0004 (Privilege Escalation) and involves an adversary's capability to gain higher-level permissions within a targeted environment."@en ;
+	.
+ 
+
+objective:Evade a objective:Objective ;
+    uco-core:name "Evade"@en ;
+    uco-core:description "An Evade (Defense Evasion) objective is defined by MITRE ATT&CK Tactic TA0005 (Defense Evasion) and involves an adversary's capability to avoid detection from some defense or entity."@en ;
+	.
+ 
+
+objective:Execute a objective:Objective ;
+    uco-core:name "Execute"@en ;
+    uco-core:description "An Execute (Execution) objective is defined by MITRE ATT&CK Tactic TA0002 (Execution) and involves an adversary's capability to run malicious code within a targeted environment."@en ;
+	.
+ 
+
+objective:Exfilitrate a objective:Objective ;
+    uco-core:name "Exfilitrate"@en ;
+    uco-core:description "An Exfilitrate (Exfiltration) is defined by MITRE ATT&CK Tactic TA0010 (Exfiltration) and involves an adversary's capability to remove stolen data from targeted environments."@en ;
+	.
+ 
+
+objective:GainInitialAccess a objective:Objective ;
+    uco-core:name "Gain Initial Access"@en ;
+    uco-core:description "A Gain Initial Access (InitialAccess) objective is defined by MITRE ATT&CK Tactic TA0001 (Initial Access) and involves an adversary's capability to penetrate and gain illicit access to a targeted environment."@en ;
+	.
+ 
+
+objective:Impact a objective:Objective ;
+    uco-core:name "Impact"@en ;
+    uco-core:description "An Impact objective is defined by MITRE ATT&CK Tactic TA0040 (Impact) and involves an adversary's capability to manipulate, interrupt, or destroy targeted systems and data."@en ;
+	.
+ 
+
+objective:MoveLaterally a objective:Objective ;
+    uco-core:name "MoveLaterally"@en ;
+    uco-core:description "A Move Laterally (Lateral Movement) objective is defined by MITRE ATT&CK Tactic TA0008 (Lateral Movement) and involves an adversary's capability to move through a targeted environment."@en ;
+	.
+
+
+objective:Persist a objective:Objective ;
+    uco-core:name "Persist"@en ;
+    uco-core:description "A Persist (Persistence) objective is defined by MITRE ATT&CK Tactic TA0003 (Persistence) and involves an adversary's capability to maintain their access foothold within a changing targeted environment."@en ;
+	.
+ 
+
+objective:Reconnaissance a objective:Objective ;
+    uco-core:name "Reconnaissance"@en ;
+    uco-core:description "A Reconnaissance objective is defined by MITRE ATT&CK Tactic TA0043 (Reconnaissance) and involves an adversary's capability to gather information they can use to plan future operations."@en ;
+	.
+ 
+
+   # ENGAGE Objectives
+
+objective:Affect a objective:Objective ;
+    uco-core:name "Affect"@en ;
+    uco-core:description "An Affect objective is defined by MITRE ENGAGE EGO0002 (Affect) and involves the capability to negatively impact an adversary's operations. Affect is ultimately about changing the cost-value proposition in cyber operations for the adversary. The defender may want to increase the adversary’s cost to operate or drive down the value they derive from their operations. For example, the defender can negatively impact the adversary’s on-network operations to drive up the resource cost of doing operations by slowing down or selectively resetting connections to impact exfiltration. This type of activity increases the adversary’s time on target and wastes their resources. To drive down the value of stolen data, a defender could provide an adversary deliberately conflicting information. Providing such information requires an adversary to either choose to believe one piece of data over another, disregard both, collect more data, or continue with uncertainty."@en ;
+	.
+
+objective:Collect a objective:Objective ;
+    uco-core:name "Collect"@en ;
+    uco-core:description "A Collect (Collection) objective is defined by MITRE ATT&CK Tactic TA0009 (Collection) and by MITRE ENGAGE EAP0001 (Collect) and involves the capability to gather data of interest to a particular goal. MITRE ATT&CK defines this within the context of an adversary's goal to gather data from a targeted environment. MITRE ENGAGE defines this within the context of a defender's goal to gather data about an adversary's tools, tactics, or other raw intelligence about the adversary’s activity."@en ;
+	.
+
+objective:Detect a objective:Objective ;
+    uco-core:name "Detect"@en ;
+    uco-core:description "A Detect objective is defined by MITRE ENGAGE EAP0002 (Detect) and involves the capability to establish or maintain awareness regarding adversary activity. Detection activities focus on the defender’s ability to monitor adversary activity throughout an environment, often by creating high-fidelity detections. These detections can be produced in several ways. For example, a defender can deploy lures as tripwires in the environment. The defender may create custom alerts based on TTPs or IOCs observed during a malware detonation operation. Finally, the defender may write customer decoders to analyze and alert on malicious traffic. In all these cases, detection activities allow the defender to produce a high-fidelity alert to monitor adversary activities. Often Detection activities are also good cybersecurity practices. However, in Engage, these activities will focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Expose the adversary."@en ;
+	.
+
+objective:Direct a objective:Objective ;
+    uco-core:name "Direct"@en ;
+    uco-core:description "A Direct objective is defined by MITRE ENGAGE EAP0004 (Direct) and involves the capability to encourage or discourage an adversary from conducting their operation as intended. Direction activities focus on moving the adversary towards or away from an intended path. This forced direction can be accomplished by removing or disabling some resources, while adding or enabling others. The defender can add lures or otherwise manipulate the environment to attempt to elicit specific responses from the adversary. Additionally, the defender can tighten some security controls while leaving others overly permissive or weakened. Finally, the defender can physically move the adversary by moving threats from their intended environment and into a safe engagement environment. For example, a suspicious email attachment can be moved from the intended target to an engagement environment for analysis. No matter how the direction is achieved, the defender hopes to force the adversary to take unintended actions or stop intended actions."@en ;
+	.
+
+objective:Disrupt a objective:Objective ;
+    uco-core:name "Disrupt"@en ;
+    uco-core:description "A Disrupt objective is defined by MITRE ENGAGE EAP0005 (Disrupt) and involves the capability to impair an adversary’s ability to conduct their operation as intended. Disruption activities are used to stop or discourage an adversary from conducting part or all of their mission. This disruption may increase the time, skills, or resources needed for the adversary to accomplish a specific task. For example, a defender may degrade network speeds as the adversary attempts to exfiltrate large blocks of data. As a second example, the defender may manipulate the output of commonly used discovery commands to show targets that do not exist or to hide real targets. In either case, the adversary may waste resources acting on partial or falsified data. Disruptions may also include planting misinformation designed to influence the adversary’s decision-makers to make the wrong decisions or to waste resources."@en ;
+	.
+
+objective:Elicit a objective:Objective ;
+    uco-core:name "Elicit"@en ;
+    uco-core:description "An Elicit objective is defined by MITRE ENGAGE EGO0003 (Elicit) and involves the capability to learn about an adversary's tactics, techniques, and procedures (TTPs). Elicit encourages adversaries to reveal additional or more advanced TTPs and goals while operating in defender-controlled engagement environments. These high-fidelity, synthetic engagement environments are uniquely tailored to engage with specific adversaries. They may contain a combination of documents, browser artifacts, etc. to reassure an adversary and reduce suspicion. Further, they may offer enticing data and exploitable vulnerabilities to motivate an adversary to operate in the defender’s environment. These environments can either be left as a dangle, i.e., honeypot. Other times, the defender may self-infect with malware. In either case, observing an adversary as they operate can provide organizations with actionable cyber threat intelligence and potential understanding of the adversary’s goals."@en ;
+	.
+
+objective:Expose a objective:Objective ;
+    uco-core:name "Expose"@en ;
+    uco-core:description "An Expose objective is defined by MITRE ENGAGE EGO0001 (Expose) and involves the capability to reveal the presence of ongoing adversary operations. Expose is about discovering previously undetected adversaries engaging in one of two behaviors. First, the adversary may be attempting to gain access to the networks. Second, the adversary may be currently operating on the networks. Both categories of adversary behavior contain vulnerabilities that can be advantageous for a defender seeking to expose the adversary. As an example of such a vulnerability, when an adversary interacts with network or system resources, they are vulnerable to trigger tripwires. The defender can make and leak fake credentials both inside and outside of the network. The defender can then monitor for the use of these credentials. Then, when an adversary uses a fake credential, the defender will receive a high-fidelity alert. In addition, if the credentials are unique, a defender may be able to detect how and when an adversary collected the credentials. Whenever a defender seeks to engage with an adversary, operational safety is paramount. To maintain this safety, it is a best practice to monitor adversaries as they operate in an engagement environment. Additionally, the defender must be able to observe the adversary. Therefore, collection and detection activities can often be utilized even when a defender may have other strategic goals in mind."@en ;
+	.
+
+objective:Motivate a objective:Objective ;
+    uco-core:name "Motivate"@en ;
+    uco-core:description "A Motivate objective is defined by MITRE ENGAGE EAP0007 (Motivate) and involves the capability to encourage an adversary to conduct part or all of their mission. Motivating activities is used to encourage an adversary to conduct part or all of their mission by providing a target-rich environment. To do this, the defender can use unpatched versions of operating systems and software, remove end-point detection software, and use weak passwords. Additionally, the defender can open firewall ports, add proxy capabilities, or introduce elements that an adversary can easily leverage to bypass an obstacle in their operations. Finally, the defender can include enticing data to the environment to encourage the adversary to steal the data."@en ;
+	.
+
+objective:Plan a objective:Objective ;
+    uco-core:name "Plan"@en ;
+    uco-core:description "A Plan objective is defined by MITRE ENGAGE SAP0001 (Plan) and involves the capability to identify and align an operation with a desired end-state. Planning is used to identify and align an operation within the context of strategic goals. By helping the defender to first identify their goals, Planning ensures that all engagement activities are focused and driving forward progress. Additionally, planning ensures that the defender can integrate the inputs of the various stakeholders at the beginning of an operation to ensure that the operation is efficient, effective, and safe. Finally, Planning activities ensure that each operation is informed by the successes and learns from the failures of past operations."@en ;
+	.
+
+objective:Prepare a objective:Objective ;
+    uco-core:name "Prepare"@en ;
+    uco-core:description "A Prepare objective is defined by MITRE ENGAGE SGO0001 (Prepare) and involves the capability to help a defender think about what they want to accomplish with operations. Prepare is used to ensure the defender drives progress during adversary engagement operations towards a desired end-state or Strategic Goal. To support this aim, the defender must first generate a clear picture of their organization and the threat landscape. This understanding should include their current security posture, including known strengths and weaknesses, and an inventory of priority cyber assets, including key intellectual property. The defender should then examine and update the threat models for any identified adversaries. These various assessments and models should enable the defender to identify their strategic goal. At this point, all activities should be aligned with this goal. Once a goal has been selected, the defender must work to plan for the operation by identifying a target adversary, creating the necessary Personas, generating an operational storyboard, etc. Finally, the key stakeholders should be called on to establish rules for operational safety and acceptable risk. At each step in the planning process, the defender should incorporate intelligence gained from previous operations to ensure that future operations can run more effectively and efficiently. Engage seeks to highlight that denial, deception, and adversary engagement activities cannot be viewed as `fire and forget`. Unlike many defensive technologies, these activities must be viewed only in context of how they inform and drive progress towards larger strategic goals. To this end, Prepare is essential to ensure that every action taken in an engagement operation drives progress towards a unified goal."@en ;
+	.
+
+objective:Prevent a objective:Objective ;
+    uco-core:name "Prevent"@en ;
+    uco-core:description "A Prevent objective is defined by MITRE ENGAGE EAP0003 (Prevent) and involves the capability to stop all or part of an adversary’s ability to conduct their operation as intended. Prevention activities focus on stopping the adversary’s ability to conduct their operations as intended. The defender can physically or virtually remove or disable resources, tighten security controls, or otherwise impair the adversary’s ability to operate. A defender might prevent an adversary from operating to force them to reveal different, possibly more advanced, capabilities. Additionally, a defender can use prevention activities to discourage the adversary from operating against a specific target. In this case, the defender may be attempting to encourage the adversary to focus elsewhere in the engagement environment. There are many more prevention activities that are also good cybersecurity practices. However, in Engage, we are focused on a subset of activities. Those are focused exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Affect the adversary."@en ;
+	.
+
+objective:Reassure a objective:Objective ;
+    uco-core:name "Reassure"@en ;
+    uco-core:description "A Reassure objective is defined by MITRE ENGAGE EAP0006 (Reassure) and involves the capability to add authenticity to deceptive components to convince an adversary that an environment is real. Reassurance activities are used to add authenticity to deceptive components to reduce adversary suspicion about the legitimacy of the environment. Activities include adding realistic user accounts, files, system activity, and any other content that an adversary might expect to find on the system. These activities may add new artifacts, such as peripherals and pocket litter, while concealing others, such as how recently an environment was stood up. If done correctly, reassuring an adversary may help to make them feel more comfortable upon landing in a new environment. This initial level of comfort can help anchor the adversary in the environment, increasing their tolerance to faults or weaknesses discovered later."@en ;
+	.
+
+
+# Adversary Engagement Ontology Native Objectives
+
+objective:Deny a objective:Objective ;
+    uco-core:name "Deny"@en ;
+    uco-core:description "A Deny (Denial) objective is to limit an adversary's capabilities or accessibility to a resource."@en ;
+	.
+
+objective:ElicitBehavior a objective:Objective ;
+    uco-core:name "Elicit Behavior"@en ;
+    uco-core:description "An Elicit Behavior objective is to have an adversary or target object to exhibit some expected behavior."@en ;
+	.
+
+objective:Lure a objective:Objective ;
+    uco-core:name "Lure"@en ;
+    uco-core:description "A Lure objective is to have an adversary laterally move or take actions to reach some target lure, usually performed through the deployment of breadcrumbs and honeypots."@en ;
+	.
+
+objective:TimeSink a objective:Objective ;
+    uco-core:name "Time Sink"@en ;
+    uco-core:description "A Time Sink objective is to increase an adversary's operation time cost by having them interact with objects in a network."@en ;
+	.
+
+objective:Track a objective:Objective ;
+    uco-core:name "Track"@en ;
+    uco-core:description "A Track objective is to be capable of identifying and tracing an adversary throughout a network."@en ;
+	.
+
+objective:Trap a objective:Objective ;
+    uco-core:name "Trap"@en ;
+    uco-core:description "A Trap objective is to limit an adversary's scope of reachability to a confined environment."@en ;
+	.
+
+ 
+	
+role:Adversary a uco-role:Role ;
+	uco-core:name "Adversary"@en;
+	uco-core:description "An adversary is an instance of a contextualized role that holds opposing interests to a defender role."@en;
+	.
+
+role:BlueTeam a uco-role:Role ;
+	uco-core:name "Blue Team"@en;
+	uco-core:description "An organizational role focused on ensuring the defensibility of targeted environments against attack."@en;
+	.
+	
+role:Defender a uco-role:Role ;
+	uco-core:name "Defender"@en;
+	uco-core:description "An defender is an instance of a contextualized role that defends some object or asset for some objective."@en;
+	.
+	
+role:PurpleTeam a uco-role:Role ;
+	uco-core:name "Purple Team"@en;
+	uco-core:description "An organizational role focused on evaluating and ensuring the defensibility of targeted environments against attack through a collaborative combination of BlueTeam (outward focused defense) and RedTeam (inward focused emulation of adversary attack) roles."@en;
+	.
+	
+role:RedTeam a uco-role:Role ;
+	uco-core:name "Red Team"@en;
+	uco-core:description "An organizational role focused on evaluating the defensibility of targeted environments against attack by actively emulating the persona, perspective, practices and actions of adversaries."@en;
+	.
+
+
+
+
+vocabulary:HoneypotInteractionTypeVocab a rdfs:Datatype ;
+    rdfs:label "Action Name Vocabulary"@en-US ;
+    rdfs:comment "Defines a vocabulary of honeypot interaction characteristics."@en ;
+    rdfs:subClassOf rdfs:Resource ;
+    owl:oneOf ( "High"^^vocabulary:HoneypotTypeVocab "Low"^^vocabulary:HoneypotTypeVocab "Dynamic"^^vocabulary:HoneypotTypeVocab ) .
+