Informing the End User When Technique Numbers Change #216

Closed
ghost opened this issue Aug 12, 2020 · 6 comments
Labels
question Further information is requested

Comments

@ghost

ghost commented Aug 12, 2020

Is there an efficient way to cross reference, or to be updated in some way, when Technique numbers change?

For example, T1196 changed to T1218.002. Now no one would have known that unless someone, luckily, just happened to look at the old MITRE website.

Is this really how end users are expected to keep track of Technique number changes?

When a new version of the Navigator is released, the release notes don't even list the Technique number changes.

Really?

@isaisabel isaisabel added the question Further information is requested label Aug 12, 2020
@isaisabel
Contributor

Hi @AppGuard,

These are tracked in our source data on our MITRE/CTI repo as revocations. Techniques which are removed (but not replaced) are tracked as deprecations. There are several ways to detect this:

  • Reading the release notes for the update.
  • Using our diff_stix script (which is what generates the release notes) to detect changes. diff_stix can be used in larger systems to detect and categorize changes between releases in an automated way in addition to simply generating release notes.
  • Parse the data on MITRE/CTI (which is basically just what diff_stix is doing). I recommend reading the Working with deprecated and revoked objects section of our USAGE document for more information about how you might do this.

We also have plans to better track ATT&CK versions in the Navigator to help users upgrade layers built with previous versions of the data. See #181 for our plans around this. A short term solution has been implemented with our layer update script.

Hope that helps. Generally the release notes are the easiest way to figure out what changed.
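The revocation and deprecation tracking described in the comment above, as an added example that is not the project's own code (it is neither diff_stix nor part of the Navigator): a small parser over a constructed STIX bundle in the shape of the MITRE/CTI data, using the `revoked`, `x_mitre_deprecated` and `revoked-by` conventions that data uses. The STIX ids and the technique names are placeholders; the T1196 to T1218.002 change is the one from this thread.

```python
import json

# Constructed sample bundle shaped like MITRE/CTI STIX data. STIX ids are
# placeholders; only the fields needed to track ID changes are included.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-old",
         "name": "Old technique (sample)", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1196"}]},
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-new",
         "name": "Replacement sub-technique (sample)",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1218.002"}]},
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-dep",
         "name": "Removed technique (sample)", "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        # A revoked object points at its replacement through a revoked-by relationship.
        {"type": "relationship", "relationship_type": "revoked-by",
         "source_ref": "attack-pattern--placeholder-old",
         "target_ref": "attack-pattern--placeholder-new"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1196) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def technique_changes(bundle):
    """Return ({old_id: new_id} for revoked techniques, sorted [ids] of deprecated ones)."""
    techniques = {o["id"]: o for o in bundle["objects"] if o.get("type") == "attack-pattern"}
    revoked, deprecated = {}, []
    for o in bundle["objects"]:
        if o.get("type") == "relationship" and o.get("relationship_type") == "revoked-by":
            old, new = techniques.get(o["source_ref"]), techniques.get(o["target_ref"])
            if old and new and old.get("revoked"):
                revoked[attack_id(old)] = attack_id(new)
    for o in techniques.values():
        # Deprecated means removed with no replacement, so there is no revoked-by edge.
        if o.get("x_mitre_deprecated") and not o.get("revoked"):
            deprecated.append(attack_id(o))
    return revoked, sorted(deprecated)


def load_changes(path):
    """Same report for a bundle file such as enterprise-attack.json from MITRE/CTI."""
    with open(path, encoding="utf-8") as f:
        return technique_changes(json.load(f))
```

Run `technique_changes(SAMPLE_BUNDLE)` to get `({"T1196": "T1218.002"}, ["T9999"])`; pointing `load_changes` at a real MITRE/CTI bundle gives the full old-to-new map for a release.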

@ghost
Author

ghost commented Aug 12, 2020

The Release Notes do not list the Technique Number re-assignments.

And nobody wants to make a local install and run scripts; they just want to look on the website where MITRE provides the number re-assignments.

@isaisabel
Contributor

isaisabel commented Aug 12, 2020

You may be able to get the ATT&CK IDs from the sub-technique crosswalks (see our medium post here for more details: https://medium.com/mitre-attack/attack-subs-what-you-need-to-know-99bce414ae0b)

We don't generally do a lot of revocations and deprecations in the ATT&CK knowledge base. This recent update was somewhat of an outlier since the introduction of sub-techniques required a good deal of restructuring.

@ghost
Author

ghost commented Aug 12, 2020

This is a ridiculous usability issue. As if people have the time to sort out changes. It doesn't matter how few there are. Y'all do realize this, right?

I looked at the Release Notes repeatedly, and not all Technique # changes are listed. Some are definitely unclear. And your suggestion is for me to spend probably an hour going on a fishing expedition across multiple methods for information that should be accurately reported clearly by MITRE in the first place.

Just sayin'.

Thank you.

@jcwilliamsATmitre

@AppGuard yeah as @isaisabel said you can see the TID changes here - https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json

For example, here's the change you referenced:

We do recognize and acknowledge that this was a major change, but one that was necessary to accommodate the growth of ATT&CK. This level of change is not the new normal though, as we will continue to grow ATT&CK upon the new sub-techniques structure so future updates will be closer to what you are used to.

It is also worth mentioning that previous versions of ATT&CK are still accessible (ex: https://attack.mitre.org/versions/v6/) in the meantime during your transition.
