Closed MaurizioCasciano closed 1 year ago
Equal to what was found for the STIX 2.0 dataset repository: https://github.com/mitre/cti/issues/223
@MaurizioCasciano the reason for this is that the ICS domain had been using the `x_mitre_platforms` field as a placeholder for what ultimately was the Asset STIX object, which was introduced in the v14 release on Oct. 31 this year. More information about Assets can be found in the ATT&CK v14 blog post. At that time, the Assets were removed from the `x_mitre_platforms` field and intentionally replaced with `[ "None" ]` because the STIX specification doesn't allow empty arrays, and at present we want to keep that field in every Technique object even if there is no value, to make parsing more straightforward, even though the value of `"None"` might be confusing.
This is the same answer to https://github.com/mitre/cti/issues/223
Hi @jondricek, thanks for the response. My doubt is: why are we not using the platforms as a connection point between assets and techniques? How are they linked instead? Do we have new relationships in the bundle to define the connections between assets and techniques?
I was thinking of modeling other assets based on the platforms in order to filter the possible techniques. However, if the platforms of the techniques are left as None, then there is no way for me to logically link the possible techniques for a particular asset/platform.
Am I missing something else about the logical relationship between assets and techniques? Thanks in advance.
You actually got it right with your comment about new Relationships between Assets and Techniques. For instance (see the `relationship_type` field). So while the Techniques themselves don't directly identify the Asset they target, there are STIX Relationships with `"relationship_type": "targets"` in the bundle for every targeted Asset you see on the website.
Does that help?
It partially helps. Thanks.
I see that the relationships `<Technique.ID> ---targets---> <Asset.ID>` are being explicitly defined.
However, considering that the A0012 Jump Host Asset STIX Object (website) has Platforms: `Embedded, Linux, Windows`, I would also expect the technique T0890 (STIX object, website) Exploitation for Privilege Escalation to have at least one of these platforms. Maybe the `Windows, Embedded` platforms, based on the Procedure Examples and the other Targeted Assets.
What is missing for me is the logical rationale behind these relationships. This would be covered by having common platforms between the technique and the targeted assets. Moreover, it would also make it easy to model new (external or internal) assets without having to explicitly define the `targets` relationships.
Something like this:
```
IF {Technique.platforms} ∩ {Asset.platforms} != ∅
THEN
    <Technique.ID> ---targets---> <Asset.ID>
FI
```
What do you think? Hope it makes sense.
Moreover, it has to be aligned across the different domains (Enterprise, Mobile, ICS). Indeed, the same technique Exploitation for Privilege Escalation appears in all domains, but it only has the platforms filled in for Enterprise and Mobile.
Enterprise https://attack.mitre.org/techniques/T1068/
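As an added example (this is not code from the mitre/cti project or from anyone in this thread), the following Python script walks a constructed miniature STIX bundle and derives technique-to-asset links both ways: via the explicit `targets` relationship objects jondricek describes, and via the platform-intersection rule proposed in the comment above. The bundle, its STIX UUIDs and the "Sample Historian" asset (A9999) are made up; A0012 Jump Host and T0890 mirror the objects discussed in the thread, and `x-mitre-asset` is the object type ATT&CK v14 uses for Assets. The script also shows why the intersection rule yields nothing while the technique carries `"x_mitre_platforms": ["None"]`, and what it would yield if the platforms were populated.

```python
import json
from typing import Dict, Iterable, Set

# Constructed miniature bundle (not real mitre/cti data). UUIDs are made up and
# objects are trimmed to the fields used here. A0012/T0890 follow the thread;
# "Sample Historian" (A9999) is invented.
T0890_ID = "attack-pattern--11111111-1111-4111-8111-111111111111"
A0012_ID = "x-mitre-asset--22222222-2222-4222-8222-222222222222"
A9999_ID = "x-mitre-asset--33333333-3333-4333-8333-333333333333"

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0c3b3b2c-4a34-4d0c-9a4e-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": T0890_ID,
         "name": "Exploitation for Privilege Escalation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0890"}],
         "x_mitre_platforms": ["None"]},          # the placeholder discussed above
        {"type": "x-mitre-asset", "id": A0012_ID, "name": "Jump Host",
         "external_references": [{"source_name": "mitre-attack", "external_id": "A0012"}],
         "x_mitre_platforms": ["Embedded", "Linux", "Windows"]},
        {"type": "x-mitre-asset", "id": A9999_ID, "name": "Sample Historian",  # invented
         "external_references": [{"source_name": "mitre-attack", "external_id": "A9999"}],
         "x_mitre_platforms": ["Linux"]},
        {"type": "relationship",
         "id": "relationship--44444444-4444-4444-8444-444444444444",
         "relationship_type": "targets",
         "source_ref": T0890_ID, "target_ref": A0012_ID},
    ],
})


def load_objects(bundle_json: str) -> Dict[str, dict]:
    """Index every STIX object in a bundle by its STIX id."""
    return {obj["id"]: obj for obj in json.loads(bundle_json)["objects"]}


def attack_id(obj: dict) -> str:
    """Return the ATT&CK ID (T0890, A0012, ...) from the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError(f"{obj['id']} has no mitre-attack external reference")


def platforms(obj: dict) -> Set[str]:
    """x_mitre_platforms as a set, treating the ["None"] placeholder as empty."""
    return {p for p in obj.get("x_mitre_platforms", []) if p != "None"}


def targets_via_relationships(objects: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Technique -> Assets using the explicit 'targets' relationship objects,
    which is how the ATT&CK bundle actually expresses the link."""
    result: Dict[str, Set[str]] = {}
    for obj in objects.values():
        if obj["type"] != "relationship" or obj.get("relationship_type") != "targets":
            continue
        src, dst = objects[obj["source_ref"]], objects[obj["target_ref"]]
        if src["type"] == "attack-pattern" and dst["type"] == "x-mitre-asset":
            result.setdefault(attack_id(src), set()).add(attack_id(dst))
    return result


def targets_via_platforms(objects: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Technique -> Assets using the proposed rule:
    IF platforms(T) ∩ platforms(A) != ∅ THEN T targets A."""
    techniques = [o for o in objects.values() if o["type"] == "attack-pattern"]
    assets = [o for o in objects.values() if o["type"] == "x-mitre-asset"]
    result: Dict[str, Set[str]] = {}
    for t in techniques:
        for a in assets:
            if platforms(t) & platforms(a):
                result.setdefault(attack_id(t), set()).add(attack_id(a))
    return result


def with_platforms(bundle_json: str, technique_id: str, new_platforms: Iterable[str]) -> str:
    """Copy of the bundle with one technique's platforms filled in, to show what the
    intersection rule would produce if ICS techniques had real platform values."""
    bundle = json.loads(bundle_json)
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern" and attack_id(obj) == technique_id:
            obj["x_mitre_platforms"] = list(new_platforms)
    return json.dumps(bundle)


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    print("explicit targets:", targets_via_relationships(objs))  # {'T0890': {'A0012'}}
    print("platform rule:   ", targets_via_platforms(objs))      # {} because T0890 has ["None"]
    filled = load_objects(with_platforms(SAMPLE_BUNDLE, "T0890", ["Windows", "Embedded"]))
    print("platform rule, platforms filled:", targets_via_platforms(filled))  # {'T0890': {'A0012'}}
```

The relationship-based path is the only one that works against the current ICS bundle; the platform-based path only starts producing links once a technique's `x_mitre_platforms` holds real values, which is the crux of the request in this thread.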
Hi @jondricek @ElJocko, can you consider reopening this issue based on my above comments? I'm willing to contribute if you can explain to me how to proceed for generating the bundles. Thanks.
Hi @ElJocko, I have found that the platforms of all MITRE ATT&CK ICS Techniques have not been added. All ICS Techniques have `"x_mitre_platforms": [ "None" ]`
E.g.
The same also happens on the website https://attack.mitre.org/techniques/T0889/, where the associated assets have the Embedded platform: