As MITRE ATTACK v10 dropped on October 21, we are busy exploring its ramifications for Elemendar and the wider CTI ecosystem. Also, our CTO Syra Marshall has given us her initial thoughts here.

‘As a company that focuses on STIX as an output, we’re excited to see MITRE create custom objects to represent their Data Source and Data Component entities in the ATT&CK v10 release. These relatively new additions to the ATT&CK framework will, as they start to be used more widely, really enable defenders to more easily understand how to best watch their systems for adversarial attacks.

My only minor quibble, from a deeper dive into the many custom fields Mitre include on their STIX representations, is why there isn’t a custom field that gives the ATT&CK ID (such as Txxxx for techniques, or Sxxxx for software) for an object rather than needing to get it from one of the objects within the external_references array; this would make mapping between the two more straightforward than having to check through the array. Not a big problem given that the data is there, but a low-hanging fruit which would make mapping from STIX IDs to ATT&CK IDs that little bit easier for all of us.

All in all, the Data Source and Data Component concepts will be useful to help close the circle of connecting defensive data and mitigations to adversarial techniques, especially as D3FEND matures through its beta. I would love to see these become part of the STIX standard in v2.2 and, as a question to MITRE and OASIS-TC, I’d love to know if this is something that’s already being proposed or even planned.’