Add Mitre vs Thales RosettaStone #720

Merged
merged 4 commits into from
Jun 11, 2022
Conversation

Th4nat0s
Contributor

Hi,

Since the release of https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf and the ATK nomenclature...

I definitely need a new Rosetta Stone!...

I am personally convinced that ATT&CK Group IDs should be the pivot :)

@adulau
Member

adulau commented Jun 11, 2022

Thanks a lot for the work! Do you think Thales will maintain it or will provide a machine-parseable document in the future?

I tend to agree with you for the pivot but the main issues are the following:

  • Many threat actor names start with a vendor deciding on the name;
  • ATT&CK Group IDs are set late, and some are often skipped because they have no relevance for MITRE;

Maybe something we could do for the future is to create a unique meta for each threat-actor name with the ATT&CK Group IDs. This would allow us to keep the flexibility and even allow other users of the galaxy to decide from which point to pivot. I think we could do it automatically if a Group ID exists and update the JSON accordingly.
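
Added example (not code from this PR or from the MISP galaxy project): one way to do the automatic step adulau describes above. It indexes every name and synonym of an ATT&CK-style intrusion-set cluster by its Group ID, then walks a threat-actor cluster and writes a single ATT&CK ID into a new meta field when exactly one group matches. The meta key name `attack-group-id`, the `external_id` field on the MITRE entries and the two cluster contents are assumptions constructed for this illustration; actors matching two Group IDs (the split/merge case) are reported rather than silently mapped, and actors with no match are listed so they can be handled by hand.

```python
import json
import re
from collections import defaultdict

# ATT&CK group identifiers: "G" followed by four digits, as a bare ID or inside a refs URL.
ATTACK_ID_RE = re.compile(r"^G\d{4}$")
ATTACK_URL_RE = re.compile(r"https?://attack\.mitre\.org/groups/(G\d{4})")

# Constructed sample in the shape of a "mitre-intrusion-set" galaxy cluster.
# Assumption: the ATT&CK ID is in meta.external_id, a refs URL, or the value suffix.
MITRE_CLUSTER = {
    "type": "mitre-intrusion-set",
    "values": [
        {"value": "Lazarus Group - G0032",
         "meta": {"external_id": "G0032",
                  "synonyms": ["HIDDEN COBRA", "Guardians of Peace"],
                  "refs": ["https://attack.mitre.org/groups/G0032"]}},
        {"value": "APT38 - G0082",
         "meta": {"synonyms": ["Bluenoroff", "Stardust Chollima"],
                  "refs": ["https://attack.mitre.org/groups/G0082"]}},
        {"value": "APT28 - G0007",
         "meta": {"external_id": "G0007",
                  "synonyms": ["Sofacy", "Fancy Bear"]}},
    ],
}

# Constructed sample in the shape of the "threat-actor" cluster (vendor-chosen main names).
THREAT_ACTOR_CLUSTER = {
    "type": "threat-actor",
    "values": [
        {"value": "Sofacy", "meta": {"synonyms": ["APT 28", "Fancy Bear", "Pawn Storm"]}},
        {"value": "Lazarus Group", "meta": {"synonyms": ["HIDDEN COBRA", "Bluenoroff"]}},
        {"value": "Animal Farm", "meta": {"synonyms": ["Snowglobe"]}},
    ],
}


def normalize(name):
    """Case-fold and strip punctuation/whitespace so 'APT 28', 'APT28' and 'apt-28' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def attack_group_id(entry):
    """Return the Gxxxx ID of an intrusion-set entry, trying external_id, refs, then the value suffix."""
    meta = entry.get("meta", {})
    ext = meta.get("external_id", "")
    if ATTACK_ID_RE.match(ext):
        return ext
    for ref in meta.get("refs", []):
        m = ATTACK_URL_RE.search(ref)
        if m:
            return m.group(1)
    m = re.search(r"\b(G\d{4})$", entry.get("value", ""))
    return m.group(1) if m else None


def build_name_index(mitre_cluster):
    """Map every normalized name and synonym in the ATT&CK cluster to the set of Group IDs using it."""
    index = defaultdict(set)
    for entry in mitre_cluster["values"]:
        gid = attack_group_id(entry)
        if gid is None:
            continue
        main = re.sub(r"\s+-\s+G\d{4}$", "", entry["value"])  # "APT28 - G0007" -> "APT28"
        for name in [main, *entry.get("meta", {}).get("synonyms", [])]:
            index[normalize(name)].add(gid)
    return index


def annotate(threat_actor_cluster, index, key="attack-group-id"):
    """Add meta[key] where exactly one ATT&CK group matches the actor or its synonyms.

    Returns (annotated_copy, ambiguous, unmapped). 'ambiguous' maps an actor to the sorted
    list of Group IDs it touches, so a human decides whether that is a split or a merge;
    'unmapped' lists actors with no ATT&CK counterpart at all. The input is not mutated.
    """
    cluster = json.loads(json.dumps(threat_actor_cluster))
    ambiguous, unmapped = {}, []
    for entry in cluster["values"]:
        meta = entry.setdefault("meta", {})
        gids = set()
        for name in [entry["value"], *meta.get("synonyms", [])]:
            gids |= index.get(normalize(name), set())
        if len(gids) == 1:
            meta[key] = sorted(gids)
        elif gids:
            ambiguous[entry["value"]] = sorted(gids)
        else:
            unmapped.append(entry["value"])
    return cluster, ambiguous, unmapped


if __name__ == "__main__":
    idx = build_name_index(MITRE_CLUSTER)
    annotated, amb, un = annotate(THREAT_ACTOR_CLUSTER, idx)
    print(json.dumps(annotated, indent=2))
    print("ambiguous (split/merge, decide by hand):", amb)
    print("no ATT&CK counterpart:", un)
```

With the constructed data, "Sofacy" gets `["G0007"]`, "Lazarus Group" is flagged as ambiguous across G0032 and G0082 because one of its synonyms belongs to a different ATT&CK group, and "Animal Farm" is listed as unmapped; the ambiguous list is exactly the set of names where a one-ID pivot cannot be chosen automatically.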

@adulau
Member

adulau commented Jun 11, 2022

I was reading the PDF and I found there are a lot of potential relationships to add.

@Th4nat0s
Contributor Author

Hi @adulau

I dunno if Thales gives it in a parsable way... Maybe the future will tell us :)
I still have 12 groups in the report not present in ATT&CK (even old ones like Animal Farm (ATK8)).

Anyway, I do agree the main name should stay the discoverer's one. Some are nice :)

I also agree that MITRE is always a bit late, but on the other hand very complete, and more or less a new "standard" to me.
For librarians and firms that do not feed the threat intel group zoo by themselves, it is the best source to use.
I just don't know how to contribute efficiently to them.

The real problem for me is the split or merge...
For example, in threat-actor I see a fusion of APT38 and Corellite (G0032 & G0082).
I never saw their "work", so I'm not qualified to say whether it is the same or a different group.
And it could happen.

To conclude... It's a mess, and we rely on it :)
