
TTP-Tagging and Extension Ignore Versions and Assume ATT&CK Not Loaded #11

Open
brettforbes opened this issue May 8, 2023 · 3 comments

Comments

@brettforbes

brettforbes commented May 8, 2023

Hi,
In general the Kestrel extensions appear straightforward.

However, there are some issues with the TTP-Tagging and Extension.

Firstly, there is no version on the TTP, and yet MITRE releases new versions every 6 months.

Secondly, the definition assumes that MITRE ATT&CK is not loaded. This seems a poor assumption. Surely it would be better to have two scenarios, one where ATT&CK is not loaded, one where it is. Assuming I have ATT&CK loaded as well as Kestrel, how should I connect the specific TTP object to the TTP-Tagging object, and handle the version?

There needs to be, as a minimum, an embedded link, or do I just remove the extension and actually connect in the ATT&CK object? How to?

Please advise, thanks

@subbyte
Member

subbyte commented May 9, 2023

Thanks for the comments, @brettforbes!

The versioning is a good point. We are happy to include that. Feel free to do a PR and @aviv1ron1 will review it.

Regarding the second point, could you say a little more about "loaded"? By "MITRE ATT&CK is not loaded", do you mean whether the "MITRE ATT&CK extension" is not loaded/used?

@brettforbes
Author

brettforbes commented May 10, 2023

There are two scenarios for storage of Kestrel objects:

  1. They are in a datastore by themselves, in which case your data model is fine.
  2. They are in a datastore with other standard STIX objects, ATT&CK objects and CACAO objects, in which case we want to do different things.

Firstly, with regard to this issue we want to directly link (through an embedded relation) to the actual ATT&CK object being referenced. Currently, your TTP Extension describes the TTP; it doesn't link to the actual MITRE ATT&CK object, as one assumes you were not anticipating it would be in the same database.

A description is fine, but it is doubling up on the data if I have the MITRE ATT&CK object already loaded in the same datastore. Instead I should just link to it through an embedded relation, or an SRO if needed (probably an embedded relation is better).

In short, by loaded, I mean the ATT&CK objects are in the same datastore as the Kestrel objects, in their STIX form, and therefore a description of the TTP seems to be violating normalisation rules. It would seem better to link directly to the object.

Finally, ATT&CK objects are versioned, and apportioned to domains (Enterprise, Mobile, ICS). It would be best to carry this information, and find a way to integrate with the latest versions (e.g. https://github.com/mitre-attack/attack-stix-data).
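The "ATT&CK is loaded" scenario described in the comment above, as an added example that is not code from the Kestrel project or from either participant: a tagging object that, instead of re-describing the technique, carries an embedded reference to the `attack-pattern` object already in the same STIX store, plus the ATT&CK version and domain it was tagged against, and a validator that checks every reference resolves and agrees on version and domain. The property names `attack_pattern_ref`, `attack_version` and `attack_domain`, the technique name and external id, and all object ids are constructed assumptions, not the project's schema or real ATT&CK content; only `x_mitre_version` and `x_mitre_domains` are the custom properties ATT&CK itself uses on its STIX 2.1 objects.

```python
"""Added example (not the Kestrel project's code): link a TTP-tagging SCO to an
ATT&CK attack-pattern stored in the same STIX datastore and validate the link.

Property names on the tagging object, ids, and the sample technique are
constructed placeholders / assumptions, not the project's actual schema."""
import json
import uuid

# The three ATT&CK domains as they appear in x_mitre_domains on attack-stix-data objects.
ATTACK_DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}


def make_attack_pattern(external_id, name, version, domain):
    """Constructed stand-in for a technique object as shipped in attack-stix-data."""
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}",
        "name": name,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": external_id}
        ],
        "x_mitre_version": version,
        "x_mitre_domains": [domain],
    }


def make_ttp_tagging(attack_pattern, attack_version, attack_domain):
    """Assumed shape of the tagging SCO when ATT&CK is loaded: an embedded
    reference plus the ATT&CK version/domain, no duplicated description.
    The three property names are assumptions, not the project's schema."""
    return {
        "type": "x-ibm-ttp-tagging",
        "spec_version": "2.1",
        "id": f"x-ibm-ttp-tagging--{uuid.uuid4()}",
        "attack_pattern_ref": attack_pattern["id"],
        "attack_version": attack_version,
        "attack_domain": attack_domain,
    }


def index_bundle(bundle):
    """Map object id -> object for every object in a STIX bundle dict."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def validate_tags(bundle):
    """Check every tagging object against the ATT&CK objects in the same store.

    Returns a list of (tag_id, problem) tuples; an empty list means every
    embedded reference resolves and the version and domain agree."""
    index = index_bundle(bundle)
    findings = []
    for obj in bundle["objects"]:
        if obj["type"] != "x-ibm-ttp-tagging":
            continue
        ref = obj.get("attack_pattern_ref")
        target = index.get(ref)
        if target is None:
            # The technique was never loaded: the tag is dangling.
            findings.append((obj["id"], f"dangling reference {ref}"))
            continue
        if target["type"] != "attack-pattern":
            findings.append((obj["id"], f"reference is a {target['type']}, not an attack-pattern"))
            continue
        domain = obj.get("attack_domain")
        if domain not in ATTACK_DOMAINS:
            findings.append((obj["id"], f"unknown domain {domain}"))
        elif domain not in target.get("x_mitre_domains", []):
            findings.append((obj["id"], "domain does not match referenced technique"))
        if obj.get("attack_version") != target.get("x_mitre_version"):
            # A stale tag: ATT&CK moved on since the tag was created.
            findings.append((obj["id"], f"tagged against version {obj.get('attack_version')}, "
                                        f"store has {target.get('x_mitre_version')}"))
    return findings


def build_demo_bundle():
    """Constructed sample store: one technique, one consistent tag, one stale
    tag, and one tag whose target was never loaded."""
    technique = make_attack_pattern("T0000-placeholder", "Example Technique", "1.2", "enterprise-attack")
    good = make_ttp_tagging(technique, "1.2", "enterprise-attack")
    stale = make_ttp_tagging(technique, "1.0", "enterprise-attack")
    missing = {"id": "attack-pattern--00000000-0000-4000-8000-000000000000"}  # placeholder id
    dangling = make_ttp_tagging(missing, "1.2", "enterprise-attack")
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
              "objects": [technique, good, stale, dangling]}
    return bundle, good, stale, dangling


if __name__ == "__main__":
    bundle, *_ = build_demo_bundle()
    print(json.dumps(bundle, indent=2))
    for tag_id, problem in validate_tags(bundle):
        print(f"{tag_id}: {problem}")
```

Running the script prints the constructed bundle and then two findings: the stale tag (version 1.0 against a 1.2 technique) and the dangling tag; the consistent tag produces none. The version and domain checks are what the embedded-reference design buys over a free-text description: when a new ATT&CK release is loaded, the same validator flags every tag that was made against the previous version.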

@subbyte
Member

subbyte commented May 10, 2023

I see. I think we need to distinguish between the following items:

  • STIX objects/bundles
    • This repo defines additional/custom STIX SCOs/properties to better capture information in such objects
  • Kestrel huntflow (just like a Python/Perl script)
  • Exported instances of Kestrel variables
    • This is the return of the Investigate command in OpenC2
    • It can be encoded in dataframe or JSON
  • MITRE ATT&CK objects
  • CACAO objects

When we started defining the custom STIX SCO: x-ibm-ttp-tagging, we may not be comprehensive enough to cover all pieces of information. Versioning you mentioned is a good point we missed. We are happy to add it (feel free to make a PR or we can add it).

Regarding the requirement of putting x-ibm-ttp-tagging into a store with CACAO objects, could you provide the requirements for it? And do standard STIX SCOs/SDOs meet the requirements?
