Open MoD01 opened 1 year ago
I am able to reproduce the problem, but unsure what the root cause is. I noticed that if I open the layer without upgrading to v12 then the data is captured fine, so I suspect this is an issue/limitation with the way Navigator upgrades layers. Azure is v8 → v12 and GCP is v10 → v12. @clemiller can you weigh in on this?
Ideally we will get the mappings updated to v12 this year, but no firm timeline on that.
@MoD01 I talked with @clemiller (who knows the Navigator tool much better than I do) and I think the solution is to use the Navigator upgrade wizard to copy annotations over from the old versions to new. This document explains how to handle annotations: https://github.com/mitre-attack/attack-navigator/blob/master/USAGE.md#upgrading-a-layer-to-the-current-version
Here's a screenshot showing the process e.g. for T1189 Drive-by Compromise. You can click the "Show annotated techniques only" checkbox to make this process faster.
Hi,
I tried to upload the Azure and GCP json from your official website to the ATT&CK Navigator:
Then I hit the Export button in the Navigator and re-imported. When prompted, I chose "yes, upgrade to ATT&CK Navigator v12" for both of the files. I need a common version because otherwise I cannot run a comparison with the ATT&CK Navigator between the two (Azure and GCP).
The GUI (ATT&CK Navigator) represents the content correctly, but when I hit export in the Navigator and then directly re-import that export, some entries in the matrix disappear (e.g. in Azure the Phishing in the third row is completely empty). I verified that this issue is not present after exporting/importing when I choose "no" to not upgrade to ATT&CK Navigator v12.
But by not upgrading to a common version I cannot use the MITRE ATT&CK Navigator comparison feature.
PS: I need the export because I wrote a Python script that deleted everything but the features in the "protect" category, so I can compare the two cloud providers. That's why I am dependent on the export/import feature.
PPS: Before I wrote the Python script, I studied your GitHub Tool section. You have a nice option in your Python script to filter on --category Protect, but unfortunately this is only for direct console output. It is not possible to have the Navigator JSON exported with a filter for "only category=protect". Would be nice if this is possible - so I would not need my own Python script.
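A check for the symptom reported in this thread, as an added example that is not part of the original posts or the project's tooling: it compares a layer before and after the export/upgrade/re-import round trip and lists the techniques whose annotations were dropped. The two sample layers are constructed for illustration; the field names follow the Navigator layer format, and the function names are hypothetical.

```python
import json

# Per-technique fields the Navigator layer format uses for annotations.
ANNOTATION_FIELDS = ("score", "color", "comment", "metadata", "links")


def load_layer(path):
    """Read a Navigator layer JSON file exported from the GUI."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def annotated(layer):
    """Map techniqueID -> annotation fields for every annotated technique."""
    result = {}
    for tech in layer.get("techniques", []):
        # A score of 0 is a real annotation; None, "" and [] are not.
        notes = {f: tech[f] for f in ANNOTATION_FIELDS
                 if tech.get(f) not in (None, "", [])}
        if notes:
            result.setdefault(tech["techniqueID"], {}).update(notes)
    return result


def lost_annotations(before, after):
    """Technique IDs annotated in `before` but bare or missing in `after`."""
    return sorted(set(annotated(before)) - set(annotated(after)))


# Constructed sample: the layer as downloaded, and the same layer after an
# export / upgrade / re-import round trip that emptied the Phishing entry.
SAMPLE_BEFORE = {"techniques": [
    {"techniqueID": "T1566", "score": 1,
     "metadata": [{"name": "category", "value": "Protect"}]},
    {"techniqueID": "T1189", "comment": "constructed note"},
]}
SAMPLE_AFTER = {"techniques": [
    {"techniqueID": "T1566", "comment": "", "metadata": []},
    {"techniqueID": "T1189", "comment": "constructed note"},
]}

if __name__ == "__main__":
    for technique_id in lost_annotations(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("annotation lost:", technique_id)
```

To run it on real files, pass the results of `load_layer()` for the original and the re-imported export to `lost_annotations()`.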