cti
Missing Attack Groups in ics-attack
Hi, why are there so few records in the intrusion-set folder? https://github.com/mitre/cti/tree/master/ics-attack/intrusion-set It causes a partial creation db of groups in ics.
@chrisante7 may have a more thorough answer, but I think the reason is that ICS simply doesn't track a lot of groups at present: https://collaborate.mitre.org/attackics/index.php/Groups
@isaisabel is correct. There are not many dedicated groups targeting the ICS space and many of the groups overlap with what's in Enterprise.
@lironbenbenishti I'm curious what you mean though by "It causes a partial creation db of groups in ics"?
It causes the script to produce very small ics groups.csv with few techniques. How can I create full technique csv ("groups.csv") such as the enterprise?
On Mon, May 24, 2021 at 3:42 PM chrisante7 wrote:
> @isaisabel is correct. There are not many dedicated groups targeting the ICS space and many of the groups overlap with what's in Enterprise.
> @lironbenbenishti I'm curious what you mean though by "It causes a partial creation db of groups in ics"?
@lironbenbenishti what script are you referring to? The Excel representation of the knowledge base hosted on our Working with ATT&CK page doesn't limit output techniques to those mapped to groups, so I'm guessing you must be referring to a 3rd party script ingesting the knowledge base?
Right, I'm referring to the following script I've used that generates 3 csvs (groups, mitigations, software) and the "groups.csv" maps TID to groups.
https://github.com/mitre-attack/attack-scripts/blob/master/scripts/technique_mappings_to_csv.py
On Mon, May 24, 2021 at 6:11 PM Isabel Tuson wrote:
> @lironbenbenishti what script are you referring to? The Excel representation of the knowledge base hosted on our Working with ATT&CK page (https://attack.mitre.org/resources/working-with-attack/) doesn't limit output techniques to those mapped to groups, so I'm guessing you must be referring to a 3rd party script ingesting the knowledge base?
Ah yes that is actually our script -- we maintain that repo as well as all the other ones in the mitre-attack organization.
That script actually generates a list of relationships (mappings). Since there are only a few groups in ICS, and they don't altogether have very many mappings, the output for that domain is quite small. So the small list of techniques is expected since it's only showing the mappings to techniques and not the techniques themselves.
If you wanted a spreadsheet list of techniques for that (or any) domain I recommend checking out the aforementioned ATT&CK in Excel project (source code in mitreattack-python) which includes a full spreadsheet representing techniques. That project also includes spreadsheets for mappings which can be used instead of the technique_mappings_to_csv script.
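The distinction drawn in the reply above, as an added example that is not part of the thread and is not the attack-scripts code: a mappings CSV gets one row per group-to-technique `uses` relationship, so techniques with no group relationship never appear in it. The bundle, its IDs and names, and the CSV column names are constructed for illustration.

```python
import csv
import io

# Constructed STIX 2.0 bundle (not real ATT&CK data): three techniques, one
# group, one malware object, and two "uses" relationships.
def _obj(stix_type, suffix, name, ext_id):
    return {"type": stix_type, "id": f"{stix_type}--{suffix}", "name": name,
            "external_references": [{"source_name": "mitre-ics-attack",
                                     "external_id": ext_id}]}

def _uses(suffix, source_ref, target_ref):
    return {"type": "relationship", "id": f"relationship--{suffix}",
            "relationship_type": "uses",
            "source_ref": source_ref, "target_ref": target_ref}

BUNDLE = {"type": "bundle", "objects": [
    _obj("attack-pattern", "a1", "Technique One", "T9001"),
    _obj("attack-pattern", "a2", "Technique Two", "T9002"),
    _obj("attack-pattern", "a3", "Technique Three", "T9003"),
    _obj("intrusion-set", "g1", "Example Group", "G9001"),
    _obj("malware", "m1", "Example Malware", "S9001"),
    _uses("r1", "intrusion-set--g1", "attack-pattern--a1"),
    _uses("r2", "malware--m1", "attack-pattern--a2"),  # software, not a group
]}

def attack_id(obj):
    """Return the first external_id found on a STIX object, or ''."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if "external_id" in r), "")

def group_mappings(bundle):
    """One (group, technique ID, technique name) row per group->technique 'uses'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rows = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel.get("revoked"):  # skip relationships marked revoked
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if src and dst and src["type"] == "intrusion-set" and dst["type"] == "attack-pattern":
            rows.append((src["name"], attack_id(dst), dst["name"]))
    return rows

def unmapped_techniques(bundle):
    """Technique IDs in the bundle that no group relationship points at."""
    mapped = {tid for _, tid, _ in group_mappings(bundle)}
    return sorted(attack_id(o) for o in bundle["objects"]
                  if o["type"] == "attack-pattern" and attack_id(o) not in mapped)

def to_csv(rows):
    """Render mapping rows as CSV text (column names are assumptions)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group", "technique_id", "technique_name"])
    writer.writerows(rows)
    return buf.getvalue()
```

Running `unmapped_techniques` against a real domain bundle lists the techniques that a group mappings CSV omits, which is a quick check that a short output reflects the data rather than a parsing failure.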