
Attack-Defense trees modeling with Attack Flow #57

Open
banzo opened this issue Dec 14, 2022 · 4 comments

Comments

@banzo (Contributor)

banzo commented Dec 14, 2022

Hello, we are looking for a solution to build and model Attack Defense Trees.

We discovered Attack Flow at the EU MITRE ATT&CK® Community Workshop X. We are wondering if it would make sense to extend Attack Flow to include the Defense aspects.

@xtheorycrafter

xtheorycrafter commented Dec 14, 2022 via email

@banzo (Contributor, Author)

banzo commented Dec 14, 2022

Thank you for your response.

By defense aspects I mean mechanisms such as IDS, access control, etc. In MITRE ATT&CK, I guess it would be similar to the Mitigations.

Here is a sample ADT, where attack nodes are in red and defense nodes are in green (source).

[image: sample attack-defense tree]

@mticmtic

mticmtic commented Jan 3, 2023

We have had discussions about how to account for defensive actions, but haven't settled on anything yet. This area gets a bit tricky, however, because there is a large number of defensive actions that someone can take against one offensive action. This could quickly bloat the ontology. We will continue our discussions until we find an appropriate way to model defensive actions, along with ATT&CK.

@juancerezo

Hello everyone,

I hope this can help. Currently I am working to improve cybersecurity processes using Attack Flow Builder; to do what @banzo indicates, what I am using are STIX objects. To indicate how to perform searches and produce detections I suggest using Indicator, and for the actions in @banzo's diagram, Course of Action could be used.

STIX SDO Indicator spec: https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070633
STIX SDO Course of Action spec: https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070624

I think that could be the right approach.

Regards
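As an added illustration of the STIX mapping suggested above (example code, not part of the Attack Flow project or this thread), the snippet below encodes a constructed attack-defense tree fragment as plain STIX 2.1 dictionaries: attack nodes as attack-pattern, defense nodes as course-of-action linked with `mitigates`, detection nodes as indicator linked with `indicates`, and then answers the question an ADT exists for, which attack nodes no defense counters. The fixed namespace UUID, timestamp and node names are assumptions; the stix2 library would normally generate the IDs.

```python
import uuid

# Constructed fixed namespace/timestamp so the bundle is deterministic;
# real tooling (e.g. the stix2 library) uses random UUIDv4s and now().
_NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")
_TS = "2022-12-14T00:00:00.000Z"

def _obj(obj_type, key, **props):
    """STIX 2.1 object with the common required properties plus props."""
    oid = f"{obj_type}--{uuid.uuid5(_NS, obj_type + ':' + key)}"
    return {"type": obj_type, "spec_version": "2.1", "id": oid,
            "created": _TS, "modified": _TS, **props}

def _rel(rel_type, src, dst):
    """Relationship SRO, e.g. course-of-action --mitigates--> attack-pattern."""
    return _obj("relationship", f"{rel_type}:{src['id']}:{dst['id']}",
                relationship_type=rel_type, source_ref=src["id"], target_ref=dst["id"])

def build_adt_bundle():
    """Constructed three-leaf attack-defence fragment as a STIX 2.1 bundle:
    attack node -> attack-pattern, defence node -> course-of-action ('mitigates'),
    detection node -> indicator ('indicates')."""
    brute = _obj("attack-pattern", "brute", name="Brute-force SSH logins")
    phish = _obj("attack-pattern", "phish", name="Phish for credentials")
    stuff = _obj("attack-pattern", "stuff", name="Credential stuffing")
    lockout = _obj("course-of-action", "lockout", name="Lock account after repeated failures")
    mfa = _obj("course-of-action", "mfa", name="Require multi-factor authentication")
    burst = _obj("indicator", "burst", name="Burst of SSH connections", pattern_type="stix",
                 pattern="[network-traffic:dst_port = 22]", valid_from=_TS)
    objs = [brute, phish, stuff, lockout, mfa, burst,
            _rel("mitigates", lockout, brute), _rel("mitigates", mfa, brute),
            _rel("mitigates", mfa, stuff), _rel("indicates", burst, brute)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(_NS, 'adt')}", "objects": objs}

def coverage(bundle):
    """Map each attack node to the defence/detection nodes that counter it."""
    objs = bundle["objects"]
    name = {o["id"]: o["name"] for o in objs if "name" in o}
    out = {name[o["id"]]: {"mitigates": [], "indicates": []}
           for o in objs if o["type"] == "attack-pattern"}
    for r in (o for o in objs if o["type"] == "relationship"):
        if r["relationship_type"] in ("mitigates", "indicates"):
            out[name[r["target_ref"]]][r["relationship_type"]].append(name[r["source_ref"]])
    return out

def unmitigated(bundle):
    """Attack nodes no course-of-action counters: open branches of the tree."""
    return sorted(n for n, c in coverage(bundle).items() if not c["mitigates"])
```

The bundle is ordinary JSON-serialisable STIX, so it can be written out with `json.dumps` and loaded into any STIX 2.1 consumer.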
