mitre-attack / attack-website

MITRE ATT&CK Website
https://attack.mitre.org
Apache License 2.0

Broken citations can bypass our citation tests #21

Closed isaisabel closed 1 year ago

isaisabel commented 5 years ago

Because of how citations work, in some places broken citations will show up as an empty reference in the external references table without leaving `(Citation:` on the built page. This means our citation tests never detect an issue.

To reproduce, replace APT18 in the STIX data with this intentionally broken object:

        {
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "APT18",
            "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movemente)",
            "type": "intrusion-set",
            "aliases": [
                "APT18",
                "TG-0416",
                "Dynamite Panda",
                "Threat Group-0416"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648",
            "external_references": [
                {
                    "external_id": "G0026",
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/groups/G0026"
                },
                {
                    "source_name": "APT18",
                    "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
                },
                {
                    "source_name": "TG-0416",
                    "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
                },
                {
                    "source_name": "Dynamite Panda",
                    "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
                },
                {
                    "source_name": "Threat Group-0416",
                    "description": "(Citation: ThreatStream Evasion Analysis)"
                },
                {
                    "source_name": "Dell Lateral Movement",
                    "description": "Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.",
                    "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
                },
                {
                    "source_name": "ThreatStream Evasion Analysis",
                    "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.",
                    "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
                },
                {
                    "source_name": "Anomali Evasive Maneuvers July 2015",
                    "description": "Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.",
                    "url": "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
                }
            ],
            "modified": "2019-05-30T18:05:32.461Z",
            "x_mitre_version": "2.0",
            "created": "2017-05-31T21:31:57.733Z"
        },

Example of how this is represented:

image

image-1
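An added example, not part of the original issue or the attack-website code: one way to catch this class of error at the data level is to compare every `(Citation: ...)` name against the `source_name` values in `external_references`. The function names and the trimmed `SAMPLE` object are assumptions made for illustration, as is the choice to scan only the `description` fields.

```python
import re

# "(Citation: Source Name)" markers as they appear in the STIX text above.
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")


def cited_names(stix_object):
    """Collect every citation name used in the object's description fields."""
    texts = [stix_object.get("description") or ""]
    # Alias entries in external_references also carry citation markers.
    texts += [ref.get("description") or ""
              for ref in stix_object.get("external_references", [])]
    return {name.strip() for text in texts for name in CITATION_RE.findall(text)}


def broken_citations(stix_object):
    """Return cited names with no matching external_references source_name."""
    defined = {ref.get("source_name")
               for ref in stix_object.get("external_references", [])}
    return sorted(cited_names(stix_object) - defined)


# Constructed sample: a trimmed copy of the broken APT18 object from the issue.
SAMPLE = {
    "type": "intrusion-set",
    "name": "APT18",
    "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat "
                   "group. (Citation: Dell Lateral Movemente)",
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0026"},
        {"source_name": "APT18",
         "description": "(Citation: ThreatStream Evasion Analysis)"},
        {"source_name": "Dell Lateral Movement",
         "description": "Carvey, H.. (2014, September 2). Where you AT?"},
        {"source_name": "ThreatStream Evasion Analysis",
         "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers."},
    ],
}

if __name__ == "__main__":
    for name in broken_citations(SAMPLE):
        print(f"{SAMPLE['name']}: citation {name!r} has no external reference")
```

Because the check runs on the STIX input rather than the rendered HTML, it does not depend on a leftover `(Citation:` string surviving into the built page.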

jondricek commented 1 year ago

This has been addressed in ATT&CK Workbench 1.2.0, so the website code doesn't need to check for this anymore.