mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

Bug: All MITRE ATT&CK ICS Techniques have "x_mitre_platforms": [ "None" ] #46

Closed MaurizioCasciano closed 8 months ago

MaurizioCasciano commented 8 months ago

Hi @ElJocko, I have found that the platforms of all MITRE ATT&CK ICS Techniques have not been added. All ICS Techniques have "x_mitre_platforms": [ "None" ]

E.g. [image]

The same also happens on the website https://attack.mitre.org/techniques/T0889/, where the associated assets have the Embedded platform: [images]

MaurizioCasciano commented 8 months ago

Same as what was found for the STIX 2.0 dataset repository: https://github.com/mitre/cti/issues/223

jondricek commented 8 months ago

@MaurizioCasciano the reason for this is that the ICS domain had been using the x_mitre_platforms field as a placeholder for what ultimately was the Asset STIX object which was introduced in the v14 release on Oct. 31 this year. More information about Assets can be found in the ATT&CK v14 blog post. At that time, the Assets were removed from the x_mitre_platforms field and intentionally replaced with [ "None" ] because the STIX specification doesn't allow empty arrays and at present we want to keep that field in every Technique object even if there is no value to make parsing more straightforward, even though the value of "None" might be confusing.

This is the same answer to https://github.com/mitre/cti/issues/223

MaurizioCasciano commented 8 months ago

Hi @jondricek thanks for the response. My doubt is why we are not using the platforms as a connection point between assets and techniques? How are they linked instead? Do we have new relationships in the bundle to define the connections between assets and techniques?

I was thinking of modelling other assets based on the platforms in order to filter the possible techniques. However, if the platforms of the techniques are left as None, then there is no way for me to logically link the possible techniques to a particular asset/platform.

Am I missing something else about the logical relationship among assets and techniques? Thanks in advance.

jondricek commented 8 months ago

You actually got it right with your comment about new Relationships between Assets and Techniques. For instance:

So while the Techniques themselves don't directly identify the Asset they target, there are STIX Relationships with "relationship_type": "targets" in the bundle for every targeted Asset you see on the website.

Does that help?

MaurizioCasciano commented 8 months ago

It partially helps. Thanks.

I see that the relationships <Technique.ID> ---targets---> <Asset.ID> are being explicitly defined.

However, considering that the A0012 Jump Host Asset STIX Object (website) has Platforms: Embedded, Linux, Windows, I would also expect the technique T0890 (STIX object, website) Exploitation for Privilege Escalation to have at least one of these platforms. Maybe the Windows and Embedded platforms, based on the Procedure Examples and the other Targeted Assets.

What is missing for me is the logical rationale behind these relationships. This would be covered by having common platforms between the technique and the targeted assets. Moreover, it would also make it easy to model new (external or internal) assets without having to explicitly define the targets relationships.

Something like this:

IF {Technique.platforms} ∩ {Asset.platforms} != ∅
THEN
    <Technique.ID> ---targets---> <Asset.ID>
FI

What do you think? Hope it makes sense.
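As an added illustration (not code from attack-stix-data or from either commenter), the script below runs over a constructed ATT&CK-style STIX bundle and resolves Technique-to-Asset links both ways: through the explicit `targets` relationships @jondricek describes, and through the platform-intersection rule proposed in this comment, which shows why `["None"]` on T0890 can never produce a match. Object ids are placeholders, and the Asset type name `x-mitre-asset` is assumed.

```python
import json
from itertools import product

# Constructed ATT&CK-style STIX 2.1 bundle; object ids are placeholders, not real ATT&CK ids.
BUNDLE = json.loads("""{
 "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
 "objects": [
  {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
   "name": "Exploitation for Privilege Escalation", "x_mitre_platforms": ["None"],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T0890"}]},
  {"type": "x-mitre-asset", "id": "x-mitre-asset--00000000-0000-4000-8000-0000000000b1",
   "name": "Jump Host", "x_mitre_platforms": ["Embedded", "Linux", "Windows"],
   "external_references": [{"source_name": "mitre-attack", "external_id": "A0012"}]},
  {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000c1",
   "relationship_type": "targets",
   "source_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
   "target_ref": "x-mitre-asset--00000000-0000-4000-8000-0000000000b1"}
 ]}""")

def attack_id(obj):
    """ATT&CK external id (T0890, A0012) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def explicit_targets(bundle):
    """(technique, asset) pairs stated by 'targets' relationships: how the bundle links them."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    pairs = set()
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "targets":
            src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
            if src and dst and src["type"] == "attack-pattern" and dst["type"] == "x-mitre-asset":
                pairs.add((attack_id(src), attack_id(dst)))
    return pairs

def derived_targets(bundle):
    """(technique, asset) pairs inferred from shared platforms: the rule proposed above.
    The "None" placeholder (an empty array is not valid STIX) is dropped first."""
    techniques = [o for o in bundle["objects"] if o["type"] == "attack-pattern"]
    assets = [o for o in bundle["objects"] if o["type"] == "x-mitre-asset"]
    pairs = set()
    for t, a in product(techniques, assets):
        shared = (set(t.get("x_mitre_platforms", [])) - {"None"}) & set(a.get("x_mitre_platforms", []))
        if shared:
            pairs.add((attack_id(t), attack_id(a)))
    return pairs
```

With the technique's platforms set to `["None"]`, `derived_targets` returns nothing even though the explicit relationship links T0890 to A0012; filling in a real platform on the technique is what makes the inferred link appear.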

MaurizioCasciano commented 8 months ago

Moreover, it has to be aligned among the different domains (Enterprise, Mobile, ICS). Indeed, the same technique Exploitation for Privilege Escalation appears in all domains but it only has the platforms filled in for Enterprise and Mobile.

Enterprise https://attack.mitre.org/techniques/T1068/ [image]

Mobile https://attack.mitre.org/techniques/T1404/ [image]

ICS https://attack.mitre.org/techniques/T0890/ [image]

MaurizioCasciano commented 7 months ago

Hi @jondricek @ElJocko, can you consider reopening this issue based on my comments above? I'm willing to contribute if you can explain to me how to proceed with generating the bundles. Thanks.