Missing Attack Groups in ics-attack #163
Comments
@chrisante7 may have a more thorough answer, but I think the reason is that ICS simply doesn't track a lot of groups at present: https://collaborate.mitre.org/attackics/index.php/Groups |
@isaisabel is correct. There are not many dedicated groups targeting the ICS space and many of the groups overlap with what's in Enterprise. @lironbenbenishti I'm curious what you mean though by "It causes a partial creation db of groups in ics"? |
It causes the script to produce a very small ICS groups.csv with few techniques.
How can I create a full technique CSV ("groups.csv") such as the Enterprise one?
@lironbenbenishti what script are you referring to? The Excel representation of the knowledge base hosted on our Working with ATT&CK page doesn't limit output techniques to those mapped to groups, so I'm guessing you must be referring to a 3rd party script ingesting the knowledge base? |
right, I'm referring to the following script I've used that generates 3
csvs (groups, mitigations, software) and the "groups.csv" maps TID to
groups.
https://github.com/mitre-attack/attack-scripts/blob/master/scripts/technique_mappings_to_csv.py
Ah yes that is actually our script -- we maintain that repo as well as all the other ones in the mitre-attack organization. That script actually generates a list of relationships (mappings). Since there are only a few groups in ICS, and they don't altogether have very many mappings, the output for that domain is quite small. So the small list of techniques is expected since it's only showing the mappings to techniques and not the techniques themselves. If you wanted a spreadsheet list of techniques for that (or any) domain I recommend checking out the aforementioned ATT&CK in Excel project (source code in mitreattack-python) which includes a full spreadsheet representing techniques. That project also includes spreadsheets for mappings which can be used instead of the |
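The distinction drawn in the comment above, between group-to-technique mappings and the techniques themselves, as an added example that is not from this thread or from the attack-scripts repository. The bundle, its IDs and names, and all function names are constructed for illustration; only the STIX field names and object types are real.

```python
ATTACK_SOURCES = {"mitre-attack", "mitre-ics-attack", "mitre-mobile-attack"}

def _obj(stix_type, uid, name, ext_id):
    # Helper that builds a constructed STIX 2.0 object (not real ATT&CK data).
    return {"type": stix_type, "id": f"{stix_type}--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-ics-attack",
                                     "external_id": ext_id}]}

def _uses(uid, source_ref, target_ref):
    return {"type": "relationship", "id": f"relationship--{uid}",
            "relationship_type": "uses",
            "source_ref": source_ref, "target_ref": target_ref}

# Constructed bundle: three techniques, one group, one software entry.
BUNDLE = {"type": "bundle", "objects": [
    _obj("attack-pattern", "a1", "Constructed Technique A", "T9001"),
    _obj("attack-pattern", "a2", "Constructed Technique B", "T9002"),
    _obj("attack-pattern", "a3", "Constructed Technique C", "T9003"),
    _obj("intrusion-set", "g1", "Constructed Group", "G9001"),
    _obj("malware", "m1", "Constructed Software", "S9001"),
    _uses("r1", "intrusion-set--g1", "attack-pattern--a2"),  # group mapping
    _uses("r2", "malware--m1", "attack-pattern--a1"),        # software mapping
]}

def attack_id(obj):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None

def is_active(obj):
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def all_techniques(bundle):
    return sorted(attack_id(o) for o in bundle["objects"]
                  if o["type"] == "attack-pattern" and is_active(o))

def group_technique_rows(bundle):
    # One row per active group -> technique "uses" relationship.
    by_id = {o["id"]: o for o in bundle["objects"]}
    rows = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if (src and dst and src["type"] == "intrusion-set"
                and dst["type"] == "attack-pattern"
                and all(is_active(o) for o in (rel, src, dst))):
            rows.append((attack_id(dst), dst["name"], attack_id(src), src["name"]))
    return sorted(rows)

def unmapped_techniques(bundle):
    mapped = {row[0] for row in group_technique_rows(bundle)}
    return [t for t in all_techniques(bundle) if t not in mapped]
```

Techniques with no group relationship never appear in a mapping export, so a coverage check built on that file alone misses them.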
Hi,
Why are there so few records in the intrusion-set folder?
https://github.com/mitre/cti/tree/master/ics-attack/intrusion-set
It causes a partial creation db of groups in ics.