Update USAGE.md
clemiller authored Oct 30, 2023
1 parent b95e977 commit 5e31610
Showing 1 changed file with 26 additions and 2 deletions.
28 changes: 26 additions & 2 deletions USAGE.md
Expand Up @@ -36,6 +36,7 @@ We also recommend reading the [ATT&CK Design and Philosophy Paper](https://attac
- [Software](#software)
- [Data Sources and Data Components](#data-sources-and-data-components)
- [Campaigns](#campaigns)
- [Assets](#assets)
- [Relationships](#relationships)
- [Collections](#collections)
- [Accessing ATT&CK data in python](#accessing-attck-data-in-python)
Expand Down Expand Up @@ -96,8 +97,9 @@ ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK conc
| [Group](#groups) | [intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941) | no |
| [Software](#software) | [malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) or [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961) | no |
| [Collection](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md)<sup>1</sup> | `x-mitre-collection` | yes |
| [Data Source](#data-source) | `x-mitre-data-source` | yes |
| [Data Source](#data-sources) | `x-mitre-data-source` | yes |
| [Campaign](#campaigns) | [campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925) | no |
| [Asset](#assets) | `x-mitre-asset` | yes |

<sup>1</sup> This type was added in the upgrade to STIX 2.1 and is not available in [the STIX 2.0 dataset](https://github.com/mitre/cti).
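Review bot: the new `x-mitre-asset` row has no availability footnote, while the other custom type in this table that post-dates the base dataset (`x-mitre-collection`) carries `<sup>1</sup>` to say it is absent from the STIX 2.0 dataset; if assets are likewise missing from that dataset, add the same marker so readers working from `mitre/cti` know not to expect them. Separately, the `#data-source` to `#data-sources` anchor correction is welcome, but please confirm that a heading rendering as `#data-sources` exists, since the table of contents hunk above links the section as `#data-sources-and-data-components`.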

Expand Down Expand Up @@ -157,8 +159,9 @@ The most commonly used ID format is what is referred to as the ATT&CK ID or simp
| [Mitigation](#mitigations) | `Mxxxx` |
| [Group](#groups) | `Gxxxx` |
| [Software](#software) | `Sxxxx` |
| [Data Source](#data-source) | `DSxxxx` |
| [Data Source](#data-sources) | `DSxxxx` |
| [Campaign](#campaigns) | `Cxxxx` |
| [Asset](#assets) | `Axxxx` |

ATT&CK IDs are typically, but not always, unique. See [Collisions with Technique ATT&CK IDs](#collisions-with-technique-attck-ids) for an edge case involving ID collisions between mitigations and techniques. Matrices that exist within the same domain will have the same ATT&CK ID.
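Review bot: the `Axxxx` row follows the existing prefix pattern, and the `#data-sources` anchor fix matches the one made in the STIX type table above (same check applies: confirm the anchor resolves). The paragraph below documents mitigation/technique ID collisions as the known exception to uniqueness; if the new `A` prefix introduces no further collision, no change is needed, otherwise extend that note in the same change.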

Expand Down Expand Up @@ -321,6 +324,26 @@ Campaigns extend the generic SDO format with the following fields:
| `x_mitre_first_seen_citation` | string | One to many citations for when the Campaign was first reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references. |
| `x_mitre_last_seen_citation` | string | One to many citations for when the Campaign was last reported in the form “(Citation: \<citation name>)” where \<citation name> can be found as one of the source_name of one of the external_references.

### Assets

An Asset in ATT&CK is defined by an `x-mitre-asset` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920).

Assets extend the generic SDO format with the following fields:

| Field | Type | Description |
|:------|:-----|-------------|
| `x_mitre_sectors` | string[] | List of industry sector(s) an asset may be commonly observed in. |
| `x_mitre_related_assets` | related_asset[] | Related assets describe sector specific device names or alias that may be commonly associated with the primary asset page name or functional description. Related asset objects include a description of how the related asset is associated with the page definition. |

#### Extended Subtypes
The `related_asset` subtype is an object with the properties:

| Field | Type |
|-------------|---------|
| `name` | string |
| `related_asset_sectors` | string[] |
| `description` | string |

### Relationships

Objects in ATT&CK are related to each other via STIX [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) objects. These relationships convey concepts like groups using techniques (also called "procedure examples" on the technique pages), the hierarchy of techniques and sub-techniques, and so on.
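Review bot: a few wording and layout points in the new Assets section. "An Asset in ATT&CK is defined by ... As a custom STIX type they follow" mixes singular and plural; suggest "As a custom STIX type it follows only the generic ..." (or start the paragraph with "Assets"). In the `x_mitre_related_assets` description, "device names or alias" should read "device names or aliases", and "primary asset page name" / "page definition" describe the website rather than the STIX object; phrasing it in terms of the asset object's `name` and description would keep this file self-contained. Insert a blank line after `#### Extended Subtypes` to match the spacing used after every other heading in this file. Finally, `x_mitre_sectors` is typed `string[]` with no indication of whether values are free text or drawn from a fixed vocabulary; stating which would help consumers that filter on sector.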
Expand All @@ -338,6 +361,7 @@ Relationships oftentimes have descriptions which contextualize the relationship
| `course-of-action` | `mitigates` | `attack-pattern` | No | Mitigation mitigating technique. |
| `attack-pattern` | `subtechnique-of` | `attack-pattern` | Yes | Sub-technique of a technique, where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. |
| `x-mitre-data-component` | `detects` | `attack-pattern` | Yes | Data component detecting a technique. |
| `attack-pattern` | `targets` | `x-mitre-asset` | Yes | Technique targets an asset. |
| any type | `revoked-by` | any type | Yes | The target object is a replacement for the source object. Only occurs where the objects are of the same type, and the source object will have the property `revoked = true`. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects. |

Note that because groups use software and software uses techniques, groups can be considered indirect users of techniques used by their software. See [Getting techniques used by a group's software](#Getting-techniques-used-by-a-groups-software).
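Review bot: the new `targets` row is flagged `Yes` in the fourth column, alongside `detects` and `subtechnique-of`, while `mitigates` is `No`. `targets` is a relationship type defined by the STIX 2.0 specification for `attack-pattern` sources (to identity and vulnerability objects), so if that column marks custom relationship types, `targets` belongs with `mitigates`; the custom part of this row is the `x-mitre-asset` target type, not the relationship name. Please confirm the column's intent and adjust the flag or the column heading accordingly. Minor style point: the description "Technique targets an asset." breaks the participle form used by the neighbouring rows ("Mitigation mitigating technique", "Data component detecting a technique"); "Technique targeting an asset." would be consistent.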
