
Add attack-version marking definition #66

Closed
isaisabel opened this issue Nov 1, 2019 · 6 comments

Comments

@isaisabel (Member)

As a user of the MITRE/CTI repository, I want to be able to check the version number of the overall ATT&CK content in the STIX data itself.

We should implement a new marking-definition object describing the current ATT&CK version and the date of the most recent update. This object, like our copyright statement, would be referenced from the object_marking_refs of every object in our repository.

The object marking definition would be formatted something like the following:

{
   "type": "marking-definition",
   "spec_version": "2.0",
   "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
   "created": "2019-10-30T00:00:00.000Z",
   "definition_type": "attack-version",
   "definition": {
       "version": "6.1",
       "release_date": "2019-10-30T00:00:00.000Z"
   }
}
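The proposal above gives consumers a way to read the catalogue version straight out of the STIX data, but it also creates something worth checking: every content object is supposed to carry the marking in its object_marking_refs. The following script is an added example, not code from the issue or from the mitre/cti repository. It builds a small constructed STIX 2.0 bundle containing the proposed marking-definition (with the created_by_ref property suggested later in the thread) and two content objects, reads the version and release date from the marking, and lists any object that fails to reference it. It accepts both the original definition_type "attack-version" and the alternative "catalog-version" floated further down; the object ids other than the marking and identity ids quoted in the thread are placeholders.

```python
"""Read and verify the proposed ATT&CK version marking in a STIX 2.0 bundle.

Added example, not mitre/cti code. The bundle below is constructed; only the
marking-definition id and the identity id come from the issue thread.
"""
import json

ATTACK_VERSION_MARKING_ID = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
COPYRIGHT_MARKING_ID = "marking-definition--00000000-0000-4000-8000-000000000001"  # placeholder

# Constructed sample bundle, stored as text to mirror reading a bundle file.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000b0",  # placeholder
    "spec_version": "2.0",
    "objects": [
        {
            "type": "marking-definition",
            "spec_version": "2.0",
            "id": ATTACK_VERSION_MARKING_ID,
            "created": "2019-10-30T00:00:00.000Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "definition_type": "attack-version",
            "definition": {"version": "6.1", "release_date": "2019-10-30T00:00:00.000Z"},
        },
        {
            "type": "marking-definition",
            "spec_version": "2.0",
            "id": COPYRIGHT_MARKING_ID,
            "created": "2017-06-01T00:00:00.000Z",
            "definition_type": "statement",
            "definition": {"statement": "Copyright statement placeholder"},
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",  # placeholder
            "name": "Constructed technique",
            "object_marking_refs": [COPYRIGHT_MARKING_ID, ATTACK_VERSION_MARKING_ID],
        },
        {
            "type": "intrusion-set",
            "id": "intrusion-set--00000000-0000-4000-8000-0000000000a2",  # placeholder
            "name": "Constructed group",
            "object_marking_refs": [COPYRIGHT_MARKING_ID],  # version marking missing
        },
    ],
})

# Assumption: either of the names discussed in the thread may be used.
VERSION_DEFINITION_TYPES = ("attack-version", "catalog-version")


def load_sample():
    """Parse the constructed bundle the way a consumer would parse a bundle file."""
    return json.loads(SAMPLE_BUNDLE)


def find_version_marking(bundle):
    """Return the marking-definition that carries the catalogue version, or None."""
    for obj in bundle.get("objects", []):
        if obj.get("type") == "marking-definition" and \
                obj.get("definition_type") in VERSION_DEFINITION_TYPES:
            return obj
    return None


def catalogue_version(bundle):
    """Return (version, release_date) from the bundle's version marking.

    Raises ValueError if the marking is absent or malformed so that a consumer
    never silently treats an unversioned bundle as current.
    """
    marking = find_version_marking(bundle)
    if marking is None:
        raise ValueError("bundle carries no attack-version/catalog-version marking")
    definition = marking.get("definition", {})
    try:
        return definition["version"], definition["release_date"]
    except KeyError as exc:
        raise ValueError(f"version marking lacks property {exc}") from None


def objects_missing_version_ref(bundle):
    """Return ids of content objects whose object_marking_refs omit the version marking.

    Marking-definitions are exempt: STIX does not apply markings to markings.
    Without a version marking at all, every content object is reported.
    """
    marking = find_version_marking(bundle)
    missing = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "marking-definition":
            continue
        if marking is None or marking["id"] not in obj.get("object_marking_refs", []):
            missing.append(obj["id"])
    return missing


if __name__ == "__main__":
    bundle = load_sample()
    version, released = catalogue_version(bundle)
    print(f"catalogue version {version}, released {released}")
    for obj_id in objects_missing_version_ref(bundle):
        print(f"object lacks the version marking: {obj_id}")
```

Run against a real bundle, `objects_missing_version_ref` is the check a maintainer would wire into CI before publishing, and `catalogue_version` is what a downstream tool would call before deciding whether a cached copy is stale.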
@isaisabel (Member, Author)

Once this has been implemented, we should create additional documentation on the ATT&CK Website (https://attack.mitre.org, mitre-attack/attack-website) describing how versioning is tracked for individual objects and the overall ATT&CK catalogue.

@emmanvg (Contributor) commented Nov 26, 2019

Based on the example shared above I would add another property:

"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"

@isaisabel (Member, Author)

Right, yes we'd definitely add the created_by_ref as we do on all content in our catalogue. I had simply forgotten to add it in the example I posted.

@isaisabel (Member, Author)

We should consider calling this the catalog-version instead of attack-version so that the design can be extended to other datasets.

@isaisabel (Member, Author) commented Feb 1, 2021

Hi all,

I wanted to follow up to mention that versioning information will be improved with the release of the ATT&CK Workbench project mentioned in the January ATT&CKcon Power Hour. I can't give a ton of details at this time, but the rough representation will be as follows:

  • A STIX object will be included in each domain STIX bundle describing the "collection" of objects, e.g. describing enterprise ATT&CK. This object will track:
    • Name (e.g. "enterprise ATT&CK"), description information
    • The version of the data
    • The release date for the corresponding version
  • A separate non-STIX JSON object available on GitHub will track all of ATT&CK's datasets and versions, and will be updated whenever a release is published. This can be polled to determine when a release has been published without having to pull the entire dataset and parse for the aforementioned STIX object.

The ATT&CK Workbench project will include the ability to "subscribe" to updates, and have your local infrastructure automatically pull down releases when they occur. You could also use the design patterns implemented by the workbench to inspire your own auto-update systems if you didn't need the whole workbench in your local infrastructure.

Sorry for the radio silence on this, we've been planning this change for a long time but we hadn't publicly announced the Workbench project until the January ATT&CKcon and therefore couldn't go into detail until now.

@isaisabel (Member, Author)

The collection and collection index types mentioned above are now available on our attack-stix-data GitHub repository. They will not be added to the contents of this repository due to maintenance requirements.

https://github.com/mitre-attack/attack-stix-data
