[FR] Implement possibility to map TTPs to MITRE ATT&CK
**Is your feature request related to a problem? Please describe.** It's hard to track which methods and TTPs an attacker used in an incident. Defenders need to have a clear understanding of the used TTPs in order to choose proper remediation techniques.
**Describe the solution you'd like** I'd like to see a MITRE ATT&CK implementation for the case, where analysts can note all used TTPs according to the matrix. An editor should show the analyst all possible TTPs, the analyst should be able to click on the used ones, and the case page should show only the selected TTPs.
**Describe alternatives you've considered** Another possibility would be that the analysts could select a TTP for every timeline event and IRIS could render a matrix for the whole case instead of the "free editor" described above.
**Additional context** I suspect that this feature needs huge implementation effort. Not sure, but it could be possible to leverage https://github.com/mitre-attack/attack-navigator/ or the Python lib https://github.com/mitre-attack/attack-scripts/. I'd love to see an offline version which would not be dependent on an internet API of MITRE.
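As an added illustration of the "TTP per timeline event" alternative described above (example code written for this discussion, not part of DFIR-IRIS or the MITRE projects linked), the script below tags constructed timeline events with ATT&CK technique IDs, validates them against a small offline technique table, aggregates them into a per-tactic matrix for the whole case, and emits a layer dictionary modelled on the ATT&CK Navigator layer file format. The technique IDs and tactic names are real ATT&CK Enterprise values, but the embedded table is a hand-picked subset standing in for a full offline copy of the ATT&CK data; the timeline events, case name and field names (`ts`, `title`, `ttps`) are constructed for the example.

```python
"""Aggregate per-event ATT&CK technique tags into a case-level matrix (offline)."""
import json
import re
from collections import Counter, defaultdict

# Constructed offline subset of ATT&CK Enterprise: ID -> (name, tactic shortname).
# A real deployment would load the full STIX bundle from disk instead of this table.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1204": ("User Execution", "execution"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
}

# Technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample case timeline; each event carries the TTPs the analyst selected.
TIMELINE = [
    {"ts": "2023-03-01T08:12:00Z", "title": "Malicious attachment opened", "ttps": ["T1566", "T1204"]},
    {"ts": "2023-03-01T08:13:30Z", "title": "Encoded PowerShell spawned", "ttps": ["T1059.001"]},
    {"ts": "2023-03-01T09:40:00Z", "title": "LSASS memory accessed", "ttps": ["T1003"]},
    {"ts": "2023-03-02T01:05:00Z", "title": "RDP to file server", "ttps": ["T1021"]},
    # T9999 is not an ATT&CK technique and "t1059" is malformed: both must be rejected, not dropped silently.
    {"ts": "2023-03-02T01:10:00Z", "title": "Second encoded PowerShell", "ttps": ["T1059.001", "T9999", "t1059"]},
]


def resolve(tid, catalog=TECHNIQUES):
    """Return the catalog entry for a technique ID, falling back to the parent for sub-techniques."""
    if not TECHNIQUE_ID.match(tid):
        return None
    if tid in catalog:
        return catalog[tid]
    return catalog.get(tid.split(".")[0])


def validate_ttps(ttps, catalog=TECHNIQUES):
    """Split a list of IDs into (valid, rejected) so typos never vanish from the case record."""
    valid, rejected = [], []
    for tid in ttps:
        (valid if resolve(tid, catalog) else rejected).append(tid)
    return valid, rejected


def build_matrix(timeline, catalog=TECHNIQUES):
    """Return ({tactic: {technique_id: event_count}}, [(event_title, bad_id), ...])."""
    matrix = defaultdict(Counter)
    rejected = []
    for event in timeline:
        valid, bad = validate_ttps(event.get("ttps", []), catalog)
        for tid in valid:
            tactic = resolve(tid, catalog)[1]
            matrix[tactic][tid] += 1
        rejected.extend((event["title"], tid) for tid in bad)
    return {tactic: dict(counts) for tactic, counts in matrix.items()}, rejected


def to_navigator_layer(matrix, case_name):
    """Render the matrix as a Navigator-style layer dict; score = number of supporting events."""
    techniques = []
    for tactic, counts in sorted(matrix.items()):
        for tid, n in sorted(counts.items()):
            techniques.append({"techniqueID": tid, "tactic": tactic, "score": n,
                               "comment": f"{n} timeline event(s)"})
    return {"name": case_name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    matrix, rejected = build_matrix(TIMELINE)
    for tactic, counts in sorted(matrix.items()):
        print(tactic, counts)
    for title, tid in rejected:
        print(f"rejected {tid!r} on event {title!r}")
    print(json.dumps(to_navigator_layer(matrix, "CASE-EXAMPLE"), indent=2))
```

Only techniques an analyst actually selected appear in the output, which matches the "case page should show only the selected TTPs" requirement; the rejected list gives the reviewer a place to catch mistyped IDs before the matrix is presented as the case record.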
Hi @m-terlinde !
Thanks for the feature request and your ideas. This is something we planned, as you can see on our roadmap.
This is indeed quite a big bit and we don't have any ETA yet on it. We'll create a new branch referencing this issue when we start implementing it.
Ohh, I was not aware of the roadmap, thanks for pointing out!
Maybe you could add the roadmap to the FR template, so I will remember for sure? :D
No worries we know the roadmap isn't very visible. We might include it directly in the DFIR-IRIS project here. It will be easier to track and for us to update :)
Good point for the FR template 👍
Any update on when ATT&CK TTPs might be added to IRIS?