ATT&CK's STIX Property Extensions Use Deprecated Standard

[fffe0d0a]

Object property extensions are currently being implemented under the depreciated 2.0 standard. Where custom properties are inserted into the object's json, with 'x_' appended to the property name. This mode of extension was deprecated in the STIX 2.1 standard, making way for a new standard documented in section 7.3 of the current documentation.

To keep in line with the 2.1 standard, all Mitre implemented property extensions will need to be converted to the new format.

This will involve implementing an 'extension-definition' for each set of extended properties made to existing STIX objects, then referencing said 'extension-definition' under the 'extensions' property found in most STIX objects.

I have included an example of what is needed below. Section 7.3 of the current documentation has better examples.

Below defines an extension definition.

{
    "id": "extension-definition--12345678-GUID-GUID-0000",
    "type": "extension-definition",
...
    "extension_types": [ "toplevel-property-extension" ],
    "extension_properties": [
        "mitre_platforms",
        "mitre_domains"
    ]
}

Below defines an extended object.

{
    "id": "attack-pattern--12345678-GUID-GUID-1111",
    "type": "attack-pattern",
...
    "mitre_platforms": [
        "Windows"
     ],
    "mitre_domains": [
        "enterprise-attack"
    ],
    "extensions": {
        "extension-definition--12345678-GUID-GUID-0000" : {
            "extension_type": "toplevel-property-extension"
        }
    }
}

[Philipp-Eisermann]

Hi, are you familiar with other (recent) work that aims of integrating/defining STIX extensions for any of MITRE's standards (ATT&CK, D3FEND, or CPE, CAPEC, CVE, CWE etc...)?