Add MITRE ATT&CK subtechniques #867

Closed
rw-access opened this issue Jun 10, 2020 · 2 comments · Fixed by #951
Labels: discuss, enhancement

Comments


rw-access commented Jun 10, 2020

Summary
MITRE is adding subtechniques to ATT&CK soon. It's in beta and soon will be in the major release. We should have integrations and update threat.* to add room for subtechniques.

Example of a subtechnique
https://attack.mitre.org/beta/techniques/T1548/003

Motivation:
Include any context around the suggestion and motivation for opening an issue.

Detailed Design:

Provide additional details around the design of the proposed changes.

  • Field names: threat.subtechnique.{id, name, ref}
  • Example values for the fields 003
  • Suggested appropriate datatypes: same as the other threat fields
  • Any example events that map to the proposed use case(s)
    No events yet, but here's a link
    https://attack.mitre.org/techniques/T1548/003/
@rw-access

In elastic/kibana#75771, and with the relevant changes in elastic/detection-rules, we've thought about ways to structure this.

Right now, ECS does not define a strict schema for how threat.tactic and threat.technique relate to each other. Every field is basically a multi-valued field if you have any arrays. I think this is a really good thing and gives us flexibility in structure.

Since you can't have a subtechnique without a technique (unlike techniques and tactics, which could be defined independently), I think it makes the most sense to define the {id, name, ref} fields for subtechnique at threat.technique.subtechnique. I'll get a PR this week that has these recommended changes.
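The nesting proposed above, worked through as an added example that is not part of the issue or of the ECS project's code: it builds a threat object with the subtechnique nested under `threat.technique`, derives the attack.mitre.org reference URL from the ATT&CK id (the page's `T1548/003` form), and validates that a subtechnique actually belongs to the technique it sits under. The field key `reference` is assumed to be what the comment's `ref` abbreviates, `framework` is ECS's existing `threat.framework`, and the tactic/technique names are illustrative values typed in by hand rather than fetched from ATT&CK.

```python
"""Build and validate ECS-style threat objects with nested ATT&CK subtechniques.

Added example, not ECS project code. Assumed layout (from the issue comment):
threat.tactic.{id,name,reference}, threat.technique.{id,name,reference} and
threat.technique.subtechnique.{id,name,reference}.
"""
from __future__ import annotations

import re
from typing import Optional, Tuple

ATTACK_BASE = "https://attack.mitre.org"

# ATT&CK ids as written in detection rules: "T1548" or "T1548.003".
TECHNIQUE_ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def split_attack_id(attack_id: str) -> Tuple[str, Optional[str]]:
    """'T1548.003' -> ('T1548', 'T1548.003'); 'T1548' -> ('T1548', None)."""
    m = TECHNIQUE_ID_RE.match(attack_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {attack_id!r}")
    technique = f"T{m.group(1)}"
    sub = f"{technique}.{m.group(2)}" if m.group(2) else None
    return technique, sub


def technique_reference(attack_id: str) -> str:
    """Map an id to its ATT&CK page, e.g. T1548.003 -> .../techniques/T1548/003/."""
    technique, sub = split_attack_id(attack_id)
    path = technique if sub is None else f"{technique}/{sub.split('.')[1]}"
    return f"{ATTACK_BASE}/techniques/{path}/"


def build_threat(tactic: Tuple[str, str], technique: Tuple[str, str],
                 subtechnique: Optional[Tuple[str, str]] = None) -> dict:
    """Return one threat object; the subtechnique, if given, nests under technique.

    Keeping the subtechnique inside its technique preserves the pairing even when
    a document carries several threat objects in an array.
    """
    tactic_id, tactic_name = tactic
    technique_id, technique_name = technique
    obj = {
        "framework": "MITRE ATT&CK",
        "tactic": {"id": tactic_id, "name": tactic_name,
                   "reference": f"{ATTACK_BASE}/tactics/{tactic_id}/"},
        "technique": {"id": technique_id, "name": technique_name,
                      "reference": technique_reference(technique_id)},
    }
    if subtechnique is not None:
        sub_id, sub_name = subtechnique
        obj["technique"]["subtechnique"] = {
            "id": sub_id, "name": sub_name, "reference": technique_reference(sub_id)}
    return obj


def validate_threat(obj: dict) -> list:
    """Return a list of problems; an empty list means the object is consistent."""
    problems = []
    tech = obj.get("technique", {})
    tech_id = tech.get("id", "")
    try:
        parent, sub_part = split_attack_id(tech_id)
    except ValueError as exc:
        return [str(exc)]
    if sub_part is not None:
        problems.append(f"technique.id {tech_id!r} is a subtechnique id; "
                        "put it under technique.subtechnique")
    if "subtechnique" in obj:
        # The issue places subtechnique under technique, not beside it.
        problems.append("subtechnique must nest under technique, not at threat.subtechnique")
    sub = tech.get("subtechnique")
    if sub is not None:
        sub_id = sub.get("id", "")
        try:
            sub_parent, sub_suffix = split_attack_id(sub_id)
        except ValueError as exc:
            return problems + [str(exc)]
        if sub_suffix is None:
            problems.append(f"subtechnique.id {sub_id!r} has no .NNN suffix")
        elif sub_parent != parent:
            problems.append(f"subtechnique {sub_id!r} does not belong to technique {parent!r}")
    return problems


if __name__ == "__main__":
    # Illustrative values for the page's example, T1548/003.
    threat = build_threat(("TA0004", "Privilege Escalation"),
                          ("T1548", "Abuse Elevation Control Mechanism"),
                          ("T1548.003", "Sudo and Sudo Caching"))
    print(threat["technique"]["subtechnique"]["reference"])
    print(validate_threat(threat))
```

A document with several mapped techniques carries a list of such objects under `threat`; each entry keeps its own technique/subtechnique pairing, which is the property a flat multi-valued `threat.subtechnique.id` field would lose.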

@rw-access

PR #951
