Kill Chain (phase_name) may not match Tactic (x_mitre_shortname)

[aedenmurray]

In the 13.0 release, some techniques in the ICS bundle have kill_chain_phases.phase_name that don't match the x_mitre_shortname in any of the tactics in the bundle. Relevant documentation here.

For example, technique: attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a has a collection-ics kill_chain_phases.phase_name. However, there is no x-mitre-tactic with a collection-ics x_mitre_shortname.

[ElJocko]

Thanks for catching this. For ATT&CK v13.0 we modified the x_mitre_shortname for ICS tactics to fit the pattern used for other tactics. We also updated the ICS techniques to match. But we didn't update the deprecated and revoked techniques.

In this particular case, attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a (T0825) is deprecated. The x_mitre_shortname of the corresponding tactic was changed to 'collection', but the technique kill_chain_phases.phase_name was not updated to match.

We generally try to avoid updating deprecated and revoked techniques, but this may be a case where it's necessary to maintain data integrity. We'll put this on the list of issues to address with v13.1.

[edited to fix the ATT&CK ID of the technique]