Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to select and annotate a single instance of a technique spanning multiple tactics #8

Closed
jburns12 opened this issue Mar 5, 2018 · 4 comments
Closed

Ability to select and annotate a single instance of a technique spanning multiple tactics #8

jburns12 opened this issue Mar 5, 2018 · 4 comments
Labels
enhancement New feature or request priority/high High priority Issue
Milestone
Version 2.0

Comments

@jburns12
Copy link
Contributor

jburns12 commented Mar 5, 2018

As a user I would like the ability to select a technique that spans multiple tactic categories but only have the selection be for a specific tactic and then be able to annotate just that instance of the technique.

For example, I want to be able to select "Exploitation of Vulnerability" under "Persistence" but not the other three tactics it falls under and give that one score/color/comment and then select "Exploitation of Vulnerability" under "Credential Access" and give it a completely different set of annotations, with the other two instances of the technique unaffected.

This requires discussion with the ATT&CK team as it may imply a need to uniquely identify tactics by ID or techniques within a specific tactic by ID.
@jburns12 jburns12 added enhancement New feature or request priority/high High priority Issue labels Mar 5, 2018
@isaisabel
Copy link
Contributor

@CollinFingar and I think that there are two possible ways to go about implementing this. Neither would require significantly more effort from an implementation standpoint, however there is a large difference in how the layer file format would be formatted. There is also a difference in how the techniques in the layer might be understood with regards to multi-tactic techniques, possibly biasing users to understand instances of techniques across multiple tactics as inherently similar or different.

Currently, the ATT&CK Navigator Layer file's techniques array has a single technique object for each technique, and techniques in multiple tactics refer to the same object. The changes to the layer file format are necessitated by the need to track annotations (score, comment, etc) by both technique and tactic.

For reference, this is how the technique objects in layer files are currently formatted:

{
    "techniqueID": "T####",
    "score": 32,
    "color": "",
    "comment": "some comment",
    "enabled": true
}

Method 1

In this method, the techniques array would be changed to contain an instances of a technique for each tactic the technique is contained in, and add a tactic field to track which tactic the instance of the technique is contained within.

For example, if the technique with the ID "T0001" were in tactics "tactic_a" and "tactic_b", you would have the following objects in the technique array:

"techniques": [
   {
      "techniqueID": "T0001",
      "tactic": "tactic_a",
      "score": 23,
      "color": "",
      "comment": "this technique is in tactic_a",
      "enabled": true,
   },
   {
      "techniqueID": "T0001",
      "tactic": "tactic_b",
      "score": 23,
      "color": "",
      "comment": "this technique is in tactic_b",
      "enabled": true,
   }
]

We feel that this method logically separates multi-tactic techniques because they would have different objects in the array. Multi-tactic techniques might be understood as inherently dissimilar since they do not share the same object.

Advantages

The major advantage of this method is that it is not a major change from the current layer format on a per-technique basis. Some programs or scripts may have an easier time adapting to this method if they are able to adapt to the duplication of techniques in the techniques array.

Disadvantages

A technique array which contains essentially duplicative objects may be unintuitive, especially if the user does not edit instances of techniques. Techniques in the array could no longer be uniquely identified by their techniqueID field, rather, the joining of their techniqueID and tactic would be the new UID. This could mean major changes are required for some programs or scripts which generate or parse layer files.

Backwards compatibility

Uploading a technique without the tactic field would copy the annotations to all instances of that technique (all techniques in the array with the same techniqueID).

Method 2

In this method, the techniques array would still have unique technique objects. The techniqueID field could still be used as a unique identifier. Each technique object would contain annotations for each tactic in which it is contained.

For example, if the technique with the ID "T0001" were in tactics "tactic_a" and "tactic_b", you would have the following technique object in the technique array:

{
   "techniqueID": "T0001",
   "annotations": {
      "tactic_a": {
         "score": 23,
         "color": "",
         "comment": "this technique is in tactic_a",
         "enabled": true
      },
      "tactic_b": {
         "score": 23,
         "color": "",
         "comment": "this technique is in tactic_b",
         "enabled": true
      }
   }
}

We feel that this method promotes the understanding that multi-tactic techniques are inherently similar since they would share the same base object, and that their annotations are the main difference in how they should be understood to behave between tactics.

Advantages

In this method, the techniques array would have a single object for each technique, and thus the techniqueID field could still be used as a unique identifier. Some programs or scripts may have an easier time adapting to this method if they are more adaptable to how they parse technique annotations.

Disadvantages

This is a major change to how techniques are formatted in the array. Programs or scripts which are inflexible in how they parse technique annotations could major changes to account for the new annotations format.

Backwards compatibility

Uploading a layer file with the old style of annotations (not annotations by tactic) would copy those annotations to every tactic of the technique.

@johnwunder
Copy link
Collaborator

Method 1 seems much more intuitive to me and how I've been programmatically generating layer files.

Would it be possible to allow users to omit the tactic property, even if they're generating v2 layer files, and have it implicitly apply that technique to all tactics similar to how it works for backwards compatibility? That way people who don't care about the tactic distinctions can still generate layers as they do now (no cost to upgrade), and those who need the extra functionality can just add that property.

@isaisabel
Copy link
Contributor

isaisabel commented Apr 25, 2018
edited

@johnwunder Yes, as noted in the backwards compatibility section of method 1,

Uploading a technique without the tactic field would copy the annotations to all instances of that technique (all techniques in the array with the same techniqueID).

@CollinFingar CollinFingar self-assigned this Apr 26, 2018
@isaisabel isaisabel added this to the Version 2.0 milestone May 10, 2018
@CollinFingar
Copy link

Pushed to develop along with documentation on selecting single instances.

gitbook-com bot referenced this issue in FuNianTongXue/attack-navigator Dec 15, 2021
@FuNianTongXue @gitbook-bot
GitBook: [#8] No subject
3a1147c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request priority/high High priority Issue
Projects
None yet
Milestone
Version 2.0
Development

No branches or pull requests
4 participants
@johnwunder @CollinFingar @jburns12 @isaisabel