OASIS mailing list archive: cti-users message
Subject: Re: [cti-users] Product capability mapping in STIX with Mitre ?


Hi,

Sounds like you could look at:
https://attackevals.mitre.org/methodology/
for EDR, SOC/Detection, IDS/IPS [1], SOAR kinds of products, with a focus on https://attack.mitre.org/ from a technique/attack-(sub)pattern (TIDs/CAPEC)/TTP (use case) point of view.

==> From a SOC/Detection (Blue Team) perspective, I would recommend focusing on logging capabilities (data sources) and settings for the mappings.
Note here that work would have to be done on mapping between MITRE (ATT&CK) data source categories and real-world classes of products (e.g. Firewall, Antivirus, Proxy, CASB, Sysmon, EDR...), and then product names/versions (CPE/SWID) with their specific capabilities/settings (i.e. CCE).
DeTT&CT approach
While direct 1-for-1 mappings are not always possible/effective, I recommend mappings (with vendor-specific categories of alerts/threats/malware, etc.).

For malware analysis, that would focus on MAEC support (e.g. Cuckoo).

So a schema-based approach/mappings is also interesting (but effort is needed).

[1] https://github.com/mitre-attack/bzar

My 2c
/JA




On Mon, Oct 7, 2019 at 8:01 AM Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

Hello Team,

What would be your recommendation to use STIX for product capability mapping to present the coverage against malware + intrusion sets/campaigns?

I would like to use Mitre techniques + Mitre and LM kill-chains to map those techniques (attack-patterns) to the right kill-chain phase.

Also indicators, to map those to attack-patterns positioned in the right phase of the kill-chain.

And now provide additional information about product coverage for each attack-pattern and correlated indicator.

Obviously product coverage for attack-patterns will be generic: product_class + maybe a bit more specific vendor_product

(some of those shared by Mitre).

But product coverage for a specific indicator might be very specific: vendor_product + vendor_product_features (list of features which need to be enabled on the product to detect or block).

Are there any similar works within the STIX community?

Any recommendations / hints?

Thanks,

Michal

----

Michal Garcarz | Managed Security Services Architect |
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH |
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com |
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51 |
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com |
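As an added illustration of the mapping Michal asks about (technique positioned in both the ATT&CK and Lockheed Martin kill chains, an indicator tied to it, and product coverage stated at two levels of specificity), the following Python script builds a STIX 2.1 bundle using only the standard library and then derives a coverage report from it. It is example code written for this archive page, not code from either poster, from MITRE or from OASIS. The modelling choices are assumptions: a `course-of-action` object carrying custom `x_product_class`, `x_vendor_product` and `x_required_features` properties stands in for a product coverage statement, `mitigates` links class-level coverage to the attack-pattern, and a custom `detects` relationship type links feature-level coverage to the indicator. T1059 is a real ATT&CK technique ID used only for illustration; the indicator pattern, vendor name and feature names are constructed.

```python
"""Constructed STIX 2.1 bundle: ATT&CK technique + kill-chain phases +
indicator + product-coverage statements, and a coverage report over it.
Example code for illustration; stdlib only."""
import json
import uuid
from datetime import datetime, timezone

NOW = datetime(2019, 10, 7, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
# Constructed namespace so object ids are deterministic across runs
NS = uuid.UUID("00000000-0000-0000-0000-000000000001")


def sid(obj_type, key):
    """Deterministic STIX id of the form 'type--uuid'."""
    return f"{obj_type}--{uuid.uuid5(NS, key)}"


def base(obj_type, key, name):
    return {"type": obj_type, "spec_version": "2.1", "id": sid(obj_type, key),
            "created": NOW, "modified": NOW, "name": name}


def attack_pattern(name, tid, attack_phase, lm_phase):
    """ATT&CK technique positioned in both kill chains the question mentions."""
    obj = base("attack-pattern", tid, name)
    obj["external_references"] = [{"source_name": "mitre-attack", "external_id": tid,
                                   "url": f"https://attack.mitre.org/techniques/{tid}/"}]
    obj["kill_chain_phases"] = [
        {"kill_chain_name": "mitre-attack", "phase_name": attack_phase},
        {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": lm_phase},
    ]
    return obj


def indicator(name, pattern):
    obj = base("indicator", pattern, name)
    obj.update({"pattern": pattern, "pattern_type": "stix", "valid_from": NOW})
    return obj


def product_coverage(product_class, vendor_product, features):
    """Assumption: a course-of-action with custom x_ properties models coverage.
    An empty feature list means generic, product-class-level coverage."""
    obj = base("course-of-action", vendor_product + ",".join(features),
               f"{vendor_product} detection coverage")
    obj.update({"x_product_class": product_class, "x_vendor_product": vendor_product,
                "x_required_features": features})
    return obj


def rel(rtype, src, dst):
    obj = base("relationship", rtype + src["id"] + dst["id"], rtype)
    del obj["name"]  # relationships carry no name property
    obj.update({"relationship_type": rtype, "source_ref": src["id"], "target_ref": dst["id"]})
    return obj


def build_bundle():
    ap = attack_pattern("Command and Scripting Interpreter", "T1059", "execution", "exploitation")
    # Constructed detection indicator (STIX pattern syntax)
    ind = indicator("Encoded PowerShell launch",
                    "[process:command_line MATCHES '(?i)powershell.* -enc']")
    generic = product_coverage("EDR", "ExampleVendor EDR", [])
    specific = product_coverage("EDR", "ExampleVendor EDR",
                                ["script-block-logging", "command-line-capture"])
    objs = [ap, ind, generic, specific,
            rel("indicates", ind, ap),        # indicator -> technique (standard)
            rel("mitigates", generic, ap),    # class-level coverage of the technique
            rel("detects", specific, ind)]    # custom type (assumption): feature-level coverage
    return {"type": "bundle", "id": sid("bundle", "coverage"), "objects": objs}


def coverage_report(bundle):
    """Per technique: kill-chain phases, products covering it generically, and
    (indicator, product, required features) tuples for indicator-level coverage."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    report = {}
    for ap in (o for o in bundle["objects"] if o["type"] == "attack-pattern"):
        tid = ap["external_references"][0]["external_id"]
        entry = {"phases": [f'{p["kill_chain_name"]}:{p["phase_name"]}'
                            for p in ap["kill_chain_phases"]],
                 "products": [], "indicator_coverage": []}
        for r in rels:
            if r["target_ref"] != ap["id"]:
                continue
            if r["relationship_type"] == "mitigates":
                entry["products"].append(by_id[r["source_ref"]]["x_vendor_product"])
            elif r["relationship_type"] == "indicates":
                for d in rels:
                    if d["relationship_type"] == "detects" and d["target_ref"] == r["source_ref"]:
                        coa = by_id[d["source_ref"]]
                        entry["indicator_coverage"].append(
                            (by_id[r["source_ref"]]["name"], coa["x_vendor_product"],
                             coa["x_required_features"]))
        report[tid] = entry
    return report


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
    print(coverage_report(build_bundle()))
```

The split between `mitigates` on the attack-pattern and `detects` on the indicator is what lets the generic product_class statement and the very specific feature list coexist without one overwriting the other; a consumer that only understands standard STIX relationship types still sees the technique-level coverage and simply ignores the custom edge.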


