[Security][Detections] Support many -> many threat techniques #69166

Closed
rw-access opened this issue Jun 15, 2020 · 3 comments
Labels: Feature:Detection Rules, Team:Detections and Resp, Team: SecuritySolution, Team:SIEM

Comments

@rw-access (Contributor)

Right now, tactics and techniques are related as a parent-child. For each tactic, list all of the techniques.

This doesn't exactly map to how MITRE ATT&CK approaches it, since a single technique can be used in multiple tactics. If we line up a little better, we can make the mappings more clear and more concise.

I&A would love to map this way. Also, there are use cases for linking to an ATT&CK tactic, without having any particular techniques. We don't have any practical cases for referencing a technique without a tactic, so it's not a full decoupling.

Ideally, we would be able to build a mapping like this (verbose example to cover many use cases):

  • Privilege Escalation, Persistence
    • New Service
    • Scheduled Task
  • Execution
    • Service Execution
  • Lateral Movement

This would correspond to a threat like this:

```json
"threat": [
  {
    "framework": "MITRE ATT&CK",
    "tactics": [
      {
        "id": "TAXXX",
        "name": "Privilege Escalation",
        "reference": "https://attack.mitre.org/..."
      },
      {
        "id": "TAXXX",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/..."
      }
    ],
    "techniques": [
      {
        "id": "TXXX",
        "name": "New Service",
        "reference": "https://attack.mitre.org/..."
      },
      {
        "id": "TXXX",
        "name": "Scheduled Task",
        "reference": "https://attack.mitre.org/..."
      }
    ]
  },
  {
    "framework": "MITRE ATT&CK",
    "tactics": [
      {
        "id": "TAXXX",
        "name": "Execution",
        "reference": "https://attack.mitre.org/..."
      }
    ],
    "techniques": [
      {
        "id": "TXXX",
        "name": "Service Execution",
        "reference": "https://attack.mitre.org/..."
      }
    ]
  },
  {
    "framework": "MITRE ATT&CK",
    "tactics": [
      {
        "id": "TAXXX",
        "name": "Lateral Movement",
        "reference": "https://attack.mitre.org/..."
      }
    ],
    "techniques": []
  }
]
```

cc @elastic/security-intelligence-analytics
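As an added example (not Kibana's own code), here is a small Python checker and flattener for the proposed structure: it enforces the one-directional decoupling described above (a tactic may have no techniques, but a technique must have at least one tactic), expands each entry into tactic/technique pairs, and regroups them into the current tactic -> techniques view. The `_item` helper and the sample data are constructed placeholders mirroring the issue's example.

```python
from itertools import product

# Constructed sample in the proposed format; the IDs are placeholders, as in the issue.
def _item(id_, name):
    return {"id": id_, "name": name, "reference": "https://attack.mitre.org/..."}
THREAT = [
    {"framework": "MITRE ATT&CK",
     "tactics": [_item("TAXXX", "Privilege Escalation"), _item("TAXXX", "Persistence")],
     "techniques": [_item("TXXX", "New Service"), _item("TXXX", "Scheduled Task")]},
    {"framework": "MITRE ATT&CK",
     "tactics": [_item("TAXXX", "Execution")],
     "techniques": [_item("TXXX", "Service Execution")]},
    {"framework": "MITRE ATT&CK",
     "tactics": [_item("TAXXX", "Lateral Movement")],
     "techniques": []},
]

def validate_threat(threat):
    """Return a list of problems (empty means OK). A tactic without techniques is
    allowed; a technique without any tactic is not (the decoupling is one-way)."""
    problems = []
    for i, entry in enumerate(threat):
        if entry.get("techniques") and not entry.get("tactics"):
            problems.append(f"entry {i}: techniques listed without any tactic")
        for coll in ("tactics", "techniques"):
            for obj in entry.get(coll, []):
                if not {"id", "name", "reference"}.issubset(obj):
                    problems.append(f"entry {i}: {coll} item missing id/name/reference")
    return problems

def flatten(threat):
    """Expand to (tactic, technique) name pairs: every technique in an entry applies
    to every tactic in that entry; tactic-only entries yield (tactic, None)."""
    pairs = []
    for entry in threat:
        tactics, techniques = entry.get("tactics", []), entry.get("techniques", [])
        if not techniques:
            pairs.extend((t["name"], None) for t in tactics)
        else:
            pairs.extend((ta["name"], te["name"]) for ta, te in product(tactics, techniques))
    return pairs

def by_tactic(threat):
    """Regroup into today's parent-child view (tactic -> list of techniques)."""
    grouped = {}
    for tactic, technique in flatten(threat):
        grouped.setdefault(tactic, [])
        if technique is not None:
            grouped[tactic].append(technique)
    return grouped
```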

@rw-access rw-access added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Detection Rules Anything related to Security Solution's Detection Rules labels Jun 15, 2020
@elasticmachine (Contributor)

Pinging @elastic/kibana-security (Team:Security)

@rw-access rw-access added Team:SIEM and removed Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jun 15, 2020
@elasticmachine (Contributor)

Pinging @elastic/siem (Team:SIEM)

@rw-access (Contributor, Author)

I'm going to close this issue. Since tactics are now optional, I think this gives good enough flexibility, so we can focus efforts elsewhere. We can always reopen later if this is pressing.
