
Add tactics, techniques, and mitigations from MITRE ATLAS

Open aamedina opened this issue 9 months ago • 5 comments

Addresses #245

  • added new external threat model thing (ATLASThing) and subclasses ATLASTactic, ATLASTechnique, and ATLASMitigation, as well as a new datatype property atlas-id
  • added make update-atlas command to generate mappings following example of make update-attack
  • maps tactics, techniques and mitigations from the ATLAS STIX data into D3FEND using the new classes

Please help me review and correct any mistakes in this mapping, especially in the Python code I could use another pair of eyes. Thank you.

aamedina avatar May 09 '24 17:05 aamedina

needs a few minor tweaks

  • [ ] rename tactics to Credential Access - ATLAS, add a prefLabel for Credential Access

currently: Credential Access (ATLAS Tactic)

  • [ ] we're missing "Credential Access - ATLAS - Technique" classes to group their techniques.

netfl0 avatar May 10 '24 15:05 netfl0

needs a few minor tweaks

* [ ]  rename tactics to `Credential Access - ATLAS`, add a prefLabel for `Credential Access`

currently: Credential Access (ATLAS Tactic)

* [ ]  we're missing "Credential Access - ATLAS - Technique" classes to group their techniques.

First point makes sense. Can you clarify the second point concretely with an example?

aamedina avatar May 10 '24 15:05 aamedina

  • [ ] we're missing "Credential Access - ATLAS - Technique" classes to group their techniques.

Like we do here:

[image]

netfl0 avatar May 14 '24 18:05 netfl0

Can you revert the actual ontology changes in this pull so it's just the generative code. Also, were there any other additions necessary? I think you added the convenience classes I requested.

netfl0 avatar Sep 16 '24 14:09 netfl0

Can you revert the actual ontology changes in this pull so it's just the generative code. Also, were there any other additions necessary? I think you added the convenience classes I requested.

Which ontology changes? Do you mean d3f:atlas-id, d3f:ATLASTactic, d3f:ATLASTechnique, etc? We need the Tactics, Techniques, and Mitigations to have superclasses, as they aren't ATT&CK Enterprise tactics and techniques.

Keep this to group them? But remove ATLASTechnique and Tactic? What should the replacement superclasses be? I kind of want technique classes, like d3f:ReconnaissanceTechnique, to be ideally decoupled from ATT&CK Enterprise so we can reuse it as a superclass to organize techniques across all ATT&CK frameworks.

:ATLASReconnaissanceTechnique a owl:Class ;
    rdfs:label "Reconnaissance - ATLAS - Technique" ;
    rdfs:subClassOf :ATLASTechnique,
        :OffensiveTechnique,
        [ a owl:Restriction ;
            owl:onProperty :enables ;
            owl:someValuesFrom :AML.TA0002 ] .

aamedina avatar Sep 16 '24 14:09 aamedina
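The mapping this pull describes (ATLAS STIX tactics and techniques into D3FEND classes under ATLASTactic/ATLASTechnique, with the per-tactic "<Tactic> - ATLAS - Technique" grouping classes netfl0 asked for), as an added example that is not the d3fend-ontology project's own code. The STIX objects are constructed, AML.T0000 is a placeholder id, and the skos:prefLabel and :atlas-id usage follow the thread rather than the merged ontology.

```python
"""Emit D3FEND Turtle for ATLAS tactics, techniques and the per-tactic grouping
classes ("<Tactic> - ATLAS - Technique"). Added example, not project code:
the STIX objects are constructed; class/property names follow the PR thread."""
import re

# Constructed sample shaped like ATLAS STIX 2.1 data. AML.TA0002 is the
# Reconnaissance tactic quoted in the thread; AML.T0000 is a placeholder id.
STIX_OBJECTS = [
    {"type": "x-mitre-tactic", "name": "Reconnaissance",
     "x_mitre_shortname": "reconnaissance",
     "external_references": [{"source_name": "mitre-atlas", "external_id": "AML.TA0002"}]},
    {"type": "attack-pattern", "name": "Search Open Technical Databases",
     "kill_chain_phases": [{"kill_chain_name": "mitre-atlas", "phase_name": "reconnaissance"}],
     "external_references": [{"source_name": "mitre-atlas", "external_id": "AML.T0000"}]},
]

def atlas_id(obj):
    """Return the object's ATLAS external id, e.g. AML.TA0002 (None if absent)."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-atlas"), None)

def camel(name):
    """'Credential Access' -> 'CredentialAccess' for use inside a class IRI."""
    return "".join(w.capitalize() for w in re.findall(r"[A-Za-z0-9]+", name))

def to_turtle(objects):
    # Tactics first; a technique whose kill-chain phase names no known tactic is
    # rejected so nothing lands in the ontology without a superclass.
    tactics = {t["x_mitre_shortname"]: t for t in objects if t["type"] == "x-mitre-tactic"}
    out = ["@prefix : <http://d3fend.mitre.org/ontologies/d3fend.owl#> .",
           "@prefix owl: <http://www.w3.org/2002/07/owl#> .",
           "@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .",
           "@prefix skos: <http://www.w3.org/2004/02/skos/core#> .", ""]
    for t in tactics.values():
        tid, name = atlas_id(t), t["name"]
        out += [f':{tid} a owl:Class ;', f'    rdfs:label "{name} - ATLAS" ;',
                f'    skos:prefLabel "{name}" ;', f'    :atlas-id "{tid}" ;',
                '    rdfs:subClassOf :ATLASTactic .', '',
                f':ATLAS{camel(name)}Technique a owl:Class ;',
                f'    rdfs:label "{name} - ATLAS - Technique" ;',
                '    rdfs:subClassOf :ATLASTechnique, :OffensiveTechnique,',
                '        [ a owl:Restriction ; owl:onProperty :enables ;',
                f'          owl:someValuesFrom :{tid} ] .', '']
    for a in (o for o in objects if o["type"] == "attack-pattern"):
        for phase in a.get("kill_chain_phases", []):
            if phase["phase_name"] not in tactics:
                raise ValueError(f'{atlas_id(a)}: unknown tactic {phase["phase_name"]!r}')
        groups = ", ".join(f':ATLAS{camel(tactics[p["phase_name"]]["name"])}Technique'
                           for p in a["kill_chain_phases"])
        out += [f':{atlas_id(a)} a owl:Class ;', f'    rdfs:label "{a["name"]}" ;',
                f'    :atlas-id "{atlas_id(a)}" ;', f'    rdfs:subClassOf {groups} .', '']
    return "\n".join(out)
```

Running to_turtle(STIX_OBJECTS) yields the same :ATLASReconnaissanceTechnique block quoted in the thread plus the tactic and technique classes that hang off it.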