adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f31db6f83fc2b455c19a3b6ef63c1710e606050c
cti/ATTACK
T
History
Michael Kouremetis f31db6f83f Update README.md
2017-06-28 14:45:18 -04:00
..
attack-pattern
proper directory structure
2017-06-05 14:02:34 -04:00
course-of-action
proper directory structure
2017-06-05 14:02:34 -04:00
identity
proper directory structure
2017-06-05 14:02:34 -04:00
intrusion-set
proper directory structure
2017-06-05 14:02:34 -04:00
malware
proper directory structure
2017-06-05 14:02:34 -04:00
marking-definition
proper directory structure
2017-06-05 14:02:34 -04:00
relationship
proper directory structure
2017-06-05 14:02:34 -04:00
tool
proper directory structure
2017-06-05 14:02:34 -04:00
mitre-attack.json
proper directory structure
2017-06-05 14:02:34 -04:00
README.md
Update README.md
2017-06-28 14:45:18 -04:00

README.md

ATT&CK - STIX Content

The STIX content found here is the unabridged conversion of the MITRE ATT&CK catalog in its entirety. All of the converted STIX Objects can be found individually in all the subdirectories enumerated here (i.e. organized by STIX object type) OR compiled in a single json file (mitre-attack.json). The STIX 2.0 content is in the json format.

ATT&CK -> STIX 2.0 Mapping (High-Level)

  • ATT&CK Technique -> STIX Attack-Pattern
  • ATT&CK Tactic -> STIX Attack-Pattern.Kill-Chain-Phase, STIX Tool.Kill-Chain-Phase, STIX Malware.Kill-Chain-Phase
  • ATT&CK Group -> STIX Intrusion-Set
  • ATT&CK Software -> STIX Malware (OR) STIX Tool
  • ATT&CK Mitigation -> STIX Course-of-Action

ATT&CK -> STIX 2.0 Mapping (Detailed)

Bold signifies data pulled from ATT&CK model objects

(Custom) signifies STIX object properties that are not apart of the standard STIX 2.0 data model but were added for further fidelity in the mapping from ATT&CK.

ATT&CK Technique -> STIX Attack-Pattern

Attack-Pattern.type = "attack-pattern"
Attack-Pattern.id = "attack-pattern-uuid"
Attack-Pattern.created = [date created]
Attack-Pattern.modified = [date modified]
Attack-Pattern.name = Name of ATT&CK software
Attack-Pattern.labels = (Hand selected)
Attack-Pattern.description = Taken from ATT&CK page entry - also includes ATT&CK fields for effective permissions, data sources, requires network, supports remote, and detection
Attack-Pattern.external_references = References from ATT&CK
Attack-Pattern.kill_chain_phases = ATT&CK Tactic
Attack-Pattern.x_mitre_contributors (Custom) = ATT&CK Technique.Contributors
Attack-Pattern.x_mitre_data_sources (Custom) = ATT&CK Technique.Data Sources
Attack-Pattern.x-mitre_platforms (Custom) = ATT&CK Technique.Platforms

ATT&CK Tactic -> STIX Attack-Pattern.Kill-Chain-Phase, STIX Tool.Kill-Chain-Phase, STIX Malware.Kill-Chain-Phase

Attack-Pattern.kill_chain_phases = ATT&CK Tactic

Malware.kill_chain_phases = ATT&CK Tactic

Tool.kill_chain_phases = ATT&CK Tactic

ATT&CK Group -> STIX Intrusion-Set

Intrusion-Set.type = "intrusion-set"
Intrusion-Set.id = "intrusion-set-uuid"
Intrusion-Set.created = [date created]
Intrusion-Set.modified = [date modified]
Intrusion-Set.name = Name of ATT&CK Group
Intrusion-Set.aliases = List of ATT&CK Group.aliases
Intrusion-Set.description = Taken from ATT&CK page entry
Intrusion-Set.external_references = References from ATT&CK

ATT&CK Software -> STIX Malware (OR) STIX Tool

Malware.type = "malware"
Malware.id = "malware-uuid"
Malware.created = [date created]
Malware.modified = [date modified]
Malware.name = Name of ATT&CK software
Malware.labels = (hand selected)
Malware.description = Taken from ATT&CK page entry
Malware.external_references = References from ATT&CK
Malware.kill_chain_phases = Taken from ATT&CK page entry: backtracked from technique to tactic
Malware.x_mitre-aliases (custom) = ATT&CK Software.aliases

Tool.type = "tool"
Tool.id = "tool-uuid"
Tool.created = [date created]
Tool.modified = [date modified]
Tool.name = Name of ATT&CK software
Tool.labels = (hand selected)
Tool.description = Taken from ATT&CK page entry
Tool.external_references = References from ATT&CK
Tool.kill_chain_phases = Taken from ATT&CK page entry: backtracked from technique to tactic Tool.x_mitre_aliases (custom) = ATT&CK Software.aliases

ATT&CK Mitigation -> STIX Course-of-Action

Course-of-Action.type = "course-of-action"
Course-of-Action.id = "course-of-action-uuid"
Course-of-Action.created = [date created]
Course-of-Action.modified = [date modified]
Course-of-Action.name = Name of ATT&CK software
Course-of-Action.description = Taken from ATT&CK page entry
Course-of-Action.external_references = References from ATT&CK

External References

All translated ATT&CK - STIX objects are tagged with an external reference linking to the corresponding ATT&CK object (Tactic, Technique, Software, Group) and webpage that it stems from. For example:


{  
     "id": "bundle--b72f49c0-cd74-42df-bbcd-3ef053685cd7",  
     "objects": [  
         {  
             "created": "2017-05-31T21:32:13.051026Z",  
             "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",  
             "description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",  
             "external_references": [  
                 ``` **{  
                     "external_id": "S0006",  
                     "source_name": "mitre-attack",  
                     "url": "https://attack.mitre.org/wiki/Software/S0006"  
                 }** ```
             ],  
             "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700",  
             "labels": [  
                 "tool"  
             ],  
            "modified": "2017-05-31T21:32:13.051026Z",  
            "name": "pwdump",  
            "type": "tool"  
         }  
     ],  
    "spec_version": "2.0",  
    "type": "bundle"  
}

Life Cycle

As the MITRE ATT&CK catalog - to include Tactics, Techniques, Groups, Software, and Mitigations - is further developed and expanded, so to will this repository of translated STIX content. Any modification to the ATT&CK catalog triggers an immediate process to assess and update the existing STIX content found here.

Explicit concern is paid to the maintenance of the STIX Object versions. All converted ATT&CK content follows the STIX versioning policy (read the docs: https://oasis-open.github.io/cti-documentation/).

Reference in New Issue View Git Blame Copy Permalink