Automate mappings to data sources in attack_update script #238
Comments
Not sure why the commit didn't show up from the linked branch...
How can I help on this?
@ikiril01 is going to have something here shortly; I stubbed out the onto design pattern.
I added the remaining ATT&CK data source mappings here: feature/238-automate-mappings-to-data-sources-in-attack_update-script...ikiril01:d3fend-ontology:feature/238-automate-mappings-to-data-sources-in-attack_update-script Here are some comments on the data sources that didn't have exact mappings. EDIT - strikethrough for those that have been added as new digital artifacts or are deemed no longer necessary:
Added Malware/Malware Repository and related classes for having a more accurate mapping to DS0004: Added Malware/MalwareRepository classes
Added Disk Image for having a more accurate mapping to DS0007: Added DiskImage for use with VM images etc.; update DS0007 mapping ac…
In the DBPedia entry for Event Logging (https://dbpedia.org/page/Logging_(software)) they mention errors etc. as being events, so this actually lines up with the ATT&CK data source description for Sensor Health. Accordingly, I updated DS0013 as being an exact mapping to Event Log.
Struggling a bit on how to accurately model Kubernetes Pods (based on https://attack.mitre.org/datasources/DS0014/) in D3FEND. The problem is that pods are an abstraction (i.e., grouping containers that share namespaces and volumes and are typically designed for a single use case) on Containers, and therefore they don't inherently encapsulate Container Images or Container Runtimes. Kubernetes has their definition here: https://kubernetes.io/docs/concepts/workloads/pods/
Can you share a draft class for the Pod? My initial impression is that its basic semantics are
What you suggested is along the lines of what I was thinking of:
The way I interpret this is not that every individual pod is necessarily "running", but that semantically Pods "run" ContainerProcesses. Also I think this is where the some/all logical distinction comes into play with OWL, but I am not 100% on that...
Thanks - that is helpful. I agree, if we say
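As an added illustration (not taken from the issue thread and not the D3FEND project's own class definition), the following Turtle sketch shows the kind of Pod class draft being discussed and the some/all distinction raised above: an `owl:someValuesFrom` restriction says every Pod runs at least one ContainerProcess, while `owl:allValuesFrom` says that whatever a Pod runs must be a ContainerProcess, without requiring that a given Pod runs anything. The `d3f:` namespace IRI, the property name `d3f:runs`, and the `d3f:ContainerProcess rdfs:subClassOf d3f:Process` hierarchy are assumptions made for this example.

```turtle
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
# Assumed namespace for this example; check the ontology's actual base IRI.
@prefix d3f:  <http://d3fend.mitre.org/ontologies/d3fend.owl#> .

# Assumed object property linking a Pod to the processes it runs.
d3f:runs a owl:ObjectProperty ;
    rdfs:label "runs" .

# Assumed placement of ContainerProcess under Process.
d3f:ContainerProcess a owl:Class ;
    rdfs:label "Container Process" ;
    rdfs:subClassOf d3f:Process .

# Existential ("some") reading: a Pod runs at least one ContainerProcess.
# A reasoner will infer that every individual typed as a Pod has such a
# runs-link, even if none is asserted in the data.
d3f:Pod a owl:Class ;
    rdfs:label "Pod" ;
    rdfs:subClassOf d3f:DigitalArtifact ;
    rdfs:subClassOf [
        a owl:Restriction ;
        owl:onProperty d3f:runs ;
        owl:someValuesFrom d3f:ContainerProcess
    ] .

# Universal ("all") reading: anything a Pod runs must be a ContainerProcess.
# This does not require the Pod to run anything, so an idle or pending Pod
# still satisfies it; it only constrains the type of what is run.
d3f:Pod rdfs:subClassOf [
        a owl:Restriction ;
        owl:onProperty d3f:runs ;
        owl:allValuesFrom d3f:ContainerProcess
    ] .
```

The two restrictions can be kept together or used separately. Keeping only the universal one matches the interpretation in the comment above (Pods "run" ContainerProcesses semantically, without every individual Pod necessarily being running); adding the existential one makes "running at least one ContainerProcess" part of what it means to be a Pod, which is a stronger claim a mapping reviewer should consciously decide on.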
Added Pod and subsequently updated DS0014 mappings to "exactly".
Added NamePipe and subsequently updated DS0023 mapping to "exactly".
After reading the Wikipedia page on Secondary Storage more closely, I think it maps nearly exactly to ATT&CK's definition of "Drive", so I updated the mapping accordingly.
Added SoftwareTelemetryLog/EndpointSensorTelemetryLog for mapping to DS0013: Sensor Health.
Added Snapshot/VM Snapshot/Volume Snapshot.
Added User Profile for mapping to DS0021 (Persona).