0xtf / nsm-attack

Mapping NSM rules to MITRE ATT&CK
68 stars 24 forks

Technique data sources #1

Open hxnoyd opened 5 years ago

hxnoyd commented 5 years ago

Hi! First of all, kudos for the initiative, and reminding us that ATT&CK is not EDR only.

Many (if not all) of the techniques you have mapped don't have the 'Network intrusion detection system' data source. Depending on how you are using ATT&CK, this might be an issue if you are planning to perform gap/coverage analysis. Are you planning to request the ATT&CK team to add the NIDS data source as you map the techniques?

Thanks! RD

0xtf commented 4 years ago

Hi @hxnoyd,

Not exactly sure what happened but I completely missed this! Apologies.

That's a very fair point. I would assume that MITRE is defining their data sources in an ideal situation or using sources with the best return of coverage.

One of the reasons I started adding the payload was exactly to have evidence of the coverage, as some ATT&CK coverage mappings can quickly become, well ... creative.

There is still a lot that needs to be done in this project but I will definitely keep this open as a reminder that we should provide MITRE with information of coverage EVEN if NIDS, or more generally speaking, NSM, isn't listed as a source for the techniques present in this project.

Another change that also needs to happen in this project is the inclusion of NSM parsing capabilities, ideally with examples, even if there are no IDS rules in the rulesets.

Thank you for your comment and suggestion.

If anyone ends up here and feels like working on this, we're hiring. :sunglasses:
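The gap analysis hxnoyd asks about, and the rule-parsing capability 0xtf mentions, can be tied together in a small script. The following is an added example, not code from the nsm-attack project: it parses Suricata-style rules whose `metadata` keyword carries `mitre_technique_id` entries (the key name is assumed here; the rule lines are constructed for this example), builds a technique-to-SID coverage map, and then lists mapped techniques whose ATT&CK data sources do not include "Network intrusion detection system". The data-source table is constructed placeholder data standing in for what one would pull from the ATT&CK STIX bundle, not MITRE's actual entries.

```python
import re
from collections import defaultdict

NIDS_SOURCE = "Network intrusion detection system"

# Constructed sample rules in Suricata syntax (not from the nsm-attack rulesets).
# Each rule is on one line; a comment line shows that parsing skips it.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE HTTP beacon"; flow:established,to_server; content:"/beacon"; http_uri; sid:9000001; rev:1; metadata:mitre_tactic_id TA0011, mitre_technique_id T1071;)
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE long DNS label"; dns.query; pcre:"/^[a-z0-9]{40,}\\./"; sid:9000002; rev:2; metadata:mitre_technique_id T1071, mitre_technique_id T1048;)
# comment line, skipped by the parser
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE SMB lateral"; sid:9000003; rev:1; metadata:mitre_technique_id T1021;)
alert tcp any any -> any any (msg:"EXAMPLE no mapping"; sid:9000004; rev:1;)
"""

# Constructed data-source table: illustrative values only, not MITRE's data.
# In practice this would be built from the ATT&CK STIX bundle's x_mitre_data_sources.
TECHNIQUE_DATA_SOURCES = {
    "T1071": ["Packet capture", "Netflow/Enclave netflow", "Process use of network"],
    "T1048": ["Network intrusion detection system", "Packet capture"],
    "T1021": ["Authentication logs", "Process monitoring"],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")


def parse_rules(text):
    """Yield (sid, set_of_technique_ids) for every rule line in `text`.

    Rules without a metadata technique mapping yield an empty set so that
    unmapped rules can be reported as well.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # not a complete rule line
        techniques = set()
        for meta in METADATA_RE.findall(line):
            # Suricata metadata is a comma-separated list of "key value" pairs.
            for item in meta.split(","):
                parts = item.split()
                if len(parts) == 2 and parts[0] == "mitre_technique_id":
                    techniques.add(parts[1])
        yield int(sid_match.group(1)), techniques


def coverage_by_technique(text):
    """Map each technique ID to the set of rule SIDs that claim to detect it."""
    coverage = defaultdict(set)
    for sid, techniques in parse_rules(text):
        for technique in techniques:
            coverage[technique].add(sid)
    return dict(coverage)


def unmapped_sids(text):
    """SIDs of rules that carry no ATT&CK technique mapping at all."""
    return sorted(sid for sid, techniques in parse_rules(text) if not techniques)


def techniques_missing_nids(coverage, data_sources):
    """Techniques covered by NSM rules but whose ATT&CK data sources omit NIDS."""
    return sorted(
        technique for technique in coverage
        if NIDS_SOURCE not in data_sources.get(technique, [])
    )


if __name__ == "__main__":
    coverage = coverage_by_technique(SAMPLE_RULES)
    for technique, sids in sorted(coverage.items()):
        print(f"{technique}: covered by SIDs {sorted(sids)}")
    print("rules without a technique mapping:", unmapped_sids(SAMPLE_RULES))
    print("mapped techniques lacking the NIDS data source:",
          techniques_missing_nids(coverage, TECHNIQUE_DATA_SOURCES))
```

The list returned by `techniques_missing_nids` is the evidence one would attach when asking the ATT&CK team to add the NIDS data source to a technique: each entry is a technique the ruleset claims to detect from network traffic even though the technique's published data sources do not mention a network sensor. Unmapped SIDs are reported separately because a rule with no `mitre_technique_id` contributes nothing to coverage and is the first thing to fix on the ruleset side.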