Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
Currently the "reference" data type says:
"A reference for the action. May be a URL to an ATT&CK technique."
Because this is a "MAY", there is currently no way to know in code if it is actually a technique ID or not.
I would suggest that reference should always point at the ATT&CK technique if it is present. Otherwise, a new field should be added to this object to convey that information. Code that consumes this object needs a consistent way to know which technique ID is being referred to.
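An added example, not part of the original issue or the Attack Flow project's code: the heuristic a consumer has to write while `reference` only "may" be an ATT&CK technique URL. The `name` field and the sample actions are constructed for illustration; the URL shape `https://attack.mitre.org/techniques/T<4 digits>[/<3 digits>]/` is the public ATT&CK site layout.

```python
import re
from urllib.parse import urlparse

# ATT&CK technique pages look like /techniques/T1566/ or /techniques/T1566/001/
_TECHNIQUE_PATH = re.compile(r"^/techniques/(T\d{4})(?:/(\d{3}))?/?$")


def technique_id_from_reference(reference):
    """Return 'T1566' or 'T1566.001' if reference is an ATT&CK technique URL, else None."""
    if not isinstance(reference, str):
        return None
    url = urlparse(reference.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or host != "attack.mitre.org":
        return None
    match = _TECHNIQUE_PATH.match(url.path)
    if match is None:
        return None  # e.g. a tactic page or some other ATT&CK URL
    technique, sub = match.groups()
    return f"{technique}.{sub}" if sub else technique


def classify_actions(actions):
    """Split actions into {name: technique_id} and a list of names with no technique."""
    mapped, unmapped = {}, []
    for action in actions:
        tid = technique_id_from_reference(action.get("reference"))
        if tid is None:
            unmapped.append(action["name"])  # "name" is an assumed field
        else:
            mapped[action["name"]] = tid
    return mapped, unmapped


# Constructed sample actions; only "reference" comes from the schema text quoted above.
SAMPLE_ACTIONS = [
    {"name": "Spearphishing Attachment",
     "reference": "https://attack.mitre.org/techniques/T1566/001/"},
    {"name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078"},
    {"name": "Vendor write-up", "reference": "https://example.com/blog/incident-report"},
    {"name": "Tactic link", "reference": "https://attack.mitre.org/tactics/TA0001/"},
    {"name": "No reference"},
]

if __name__ == "__main__":
    print(classify_actions(SAMPLE_ACTIONS))
```

The unmapped list cannot distinguish "this action has no ATT&CK technique" from "the author put something else in `reference`", which is the ambiguity a dedicated technique field would remove.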