From 5d46e2d40fe28210e46034d67c630280339d32d0 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 02:06:45 +0100 Subject: [PATCH 1/7] add d3fend --- backend/library/libraries/d3fend.yaml | 2220 +++++++++++++++++++++++++ tools/convert_library.py | 25 +- tools/mitre/d3fend.csv | 219 +++ tools/mitre/d3fend.py | 79 + tools/mitre/d3fend.xlsx | Bin 0 -> 21210 bytes 5 files changed, 2534 insertions(+), 9 deletions(-) create mode 100644 backend/library/libraries/d3fend.yaml create mode 100644 tools/mitre/d3fend.csv create mode 100644 tools/mitre/d3fend.py create mode 100644 tools/mitre/d3fend.xlsx diff --git a/backend/library/libraries/d3fend.yaml b/backend/library/libraries/d3fend.yaml new file mode 100644 index 000000000..ced32e1db --- /dev/null +++ b/backend/library/libraries/d3fend.yaml @@ -0,0 +1,2220 @@ +urn: urn:intuitem:risk:library:mitre-d3fend +locale: en +ref_id: d3fend +name: Mitre D3FEND +description: A cybersecurity ontology designed to standardize vocabulary for employing + techniques to counter malicious cyber threats. +copyright: "Terms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you\ + \ a non-exclusive, royalty-free license to use D3FEND for research, development,\ + \ and commercial purposes. Any copy you make for such purposes is authorized provided\ + \ that you reproduce MITRE\u2019s copyright designation and this license in any\ + \ such copy.\nDISCLAIMERS\nALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE\ + \ PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS\ + \ OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS,\ + \ AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING\ + \ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT\ + \ INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR\ + \ A PARTICULAR PURPOSE.\n" +version: 1 +publication_date: '2025-01-22' +provider: Mitre D3FEND +packager: intuitem +objects: + reference_controls: + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-om + ref_id: D3-OM + name: Organization Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Organization Mapping + + definition: Organization mapping identifies and models the people, roles, and + groups with an organization and the relations between them.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ora + ref_id: D3-ORA + name: Operational Risk Assessment + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Operational Risk Assessment + + definition: Operational risk assessment identifies and models the vulnerabilities + of, and risks to, an organization''s activities individually and as a whole.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-odm + ref_id: D3-ODM + name: Operational Dependency Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Operational Dependency Mapping + + definition: Operational dependency mapping identifies and models the dependencies + of the organization''s activities on each other and on the organization''s performers + (people, systems, and services.) This may include modeling the higher- and + lower-level activities of an organization forming a hierarchy, or layering, + of the dependencies in an organization''s activities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-am + ref_id: D3-AM + name: Access Modeling + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Access Modeling + + definition: Access modeling identifies and records the access permissions granted + to administrators, users, groups, and systems.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-plm + ref_id: D3-PLM + name: Physical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Physical Link Mapping + + definition: Physical link mapping identifies and models the link connectivity + of the network devices within a physical network.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dplm + ref_id: D3-DPLM + name: Direct Physical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Physical Link Mapping + + technique level 2: Direct Physical Link Mapping + + definition: Direct physical link mapping creates a physical link map by direct + observation and recording of the physical network links.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-aplm + ref_id: D3-APLM + name: Active Physical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Physical Link Mapping + + technique level 2: Active Physical Link Mapping + + definition: Active physical link mapping sends and receives network traffic + as a means to map the physical layer.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-nva + ref_id: D3-NVA + name: Network Vulnerability Assessment + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Network Vulnerability Assessment + + definition: Network vulnerability assessment relates all the vulnerabilities + of a network''s components in the context of their configuration and interdependencies + and can also include assessing risk emerging from the network''s design as a + whole, not just the sum of individual network node or network segment vulnerabilities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ntpm + ref_id: D3-NTPM + name: Network Traffic Policy Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Network Traffic Policy Mapping + + definition: Network traffic policy mapping identifies and models the allowed + pathways of data at the network, tranport, and/or application levels.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-llm + ref_id: D3-LLM + name: Logical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Logical Link Mapping + + definition: Logical link mapping creates a model of existing or previous node-to-node + connections using network-layer data or metadata.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pllm + ref_id: D3-PLLM + name: Passive Logical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Logical Link Mapping + + technique level 2: Passive Logical Link Mapping + + definition: Passive logical link mapping only listens to network traffic as + a means to map the the whole data link layer, where the links represent logical + data flows rather than physical connections.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-allm + ref_id: D3-ALLM + name: Active Logical Link Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Logical Link Mapping + + technique level 2: Active Logical Link Mapping + + definition: Active logical link mapping sends and receives network traffic as + a means to map the whole data link layer, where the links represent logical + data flows rather than physical connection' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-swi + ref_id: D3-SWI + name: Software Inventory + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Software Inventory + + definition: Software inventorying identifies and records the software items + in the organization''s architecture.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-nni + ref_id: D3-NNI + name: Network Node Inventory + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Network Node Inventory + + definition: Network node inventorying identifies and records all the network + nodes (hosts, routers, switches, firewalls, etc.) in the organization''s architecture.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hci + ref_id: D3-HCI + name: Hardware Component Inventory + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Hardware Component Inventory + + definition: Hardware component inventorying identifies and records the hardware + items in the organization''s architecture.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-di + ref_id: D3-DI + name: Data Inventory + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Data Inventory + + definition: Data inventorying identifies and records the schemas, formats, volumes, + and locations of data stored and used on the organization''s architecture.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ci + ref_id: D3-CI + name: Configuration Inventory + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Configuration Inventory + + definition: Configuration inventory identifies and records the configuration + of software and hardware and their components throughout the organization.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ave + ref_id: D3-AVE + name: Asset Vulnerability Enumeration + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Asset Vulnerability Enumeration + + definition: Asset vulnerability enumeration enriches inventory items with knowledge + identifying their vulnerabilities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cia + ref_id: D3-CIA + name: Container Image Analysis + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Asset Vulnerability Enumeration + + technique level 2: Container Image Analysis + + definition: Analyzing a Container Image with respect to a set of policies.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sysva + ref_id: D3-SYSVA + name: System Vulnerability Assessment + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: System Vulnerability Assessment + + definition: System vulnerability assessment relates all the vulnerabilities + of a system''s components in the context of their configuration and internal + dependencies and can also include assessing risk emerging from the system''s + design as a whole, not just the sum of individual component vulnerabilities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sysdm + ref_id: D3-SYSDM + name: System Dependency Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: System Dependency Mapping + + definition: System dependency mapping identifies and models the dependencies + of system components on each other to carry out their function.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-svcdm + ref_id: D3-SVCDM + name: Service Dependency Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Service Dependency Mapping + + definition: Service dependency mapping determines the services on which each + given service relies.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dem + ref_id: D3-DEM + name: Data Exchange Mapping + category: technical + csf_function: identify + description: 'tactic: Model + + technique level 1: Data Exchange Mapping + + definition: Data exchange mapping identifies and models the organization''s + intended design for the flows of the data types, formats, and volumes between + systems at the application layer.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-vtv + ref_id: D3-VTV + name: Variable Type Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Variable Type Validation + + definition: Ensuring that a variable has the correct type.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-vi + ref_id: D3-VI + name: Variable Initialization + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Variable Initialization + + definition: Setting variables to a known value before use.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-tl + ref_id: D3-TL + name: Trusted Library + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Trusted Library + + definition: A trusted library is a collection of pre-verified and secure code + modules or components that are used within software applications to perform + specific functions. These libraries are considered reliable and have been vetted + for security vulnerabilities, ensuring they do not introduce risks into the + application.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rn + ref_id: D3-RN + name: Reference Nullification + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Reference Nullification + + definition: Invalidating all pointers that reference a specific memory block, + ensuring that the block cannot be accessed or modified after deallocation.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pv + ref_id: D3-PV + name: Pointer Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Pointer Validation + + definition: Ensuring that a pointer variable has the required properties for + use.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-npc + ref_id: D3-NPC + name: Null Pointer Checking + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Pointer Validation + + technique level 2: Null Pointer Checking + + definition: Checking if a pointer is NULL.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-mbsv + ref_id: D3-MBSV + name: Memory Block Start Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Pointer Validation + + technique level 2: Memory Block Start Validation + + definition: Ensuring that a pointer accurately references the beginning of a + designated memory block.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-irv + ref_id: D3-IRV + name: Integer Range Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Integer Range Validation + + definition: Ensuring that an integer is within a valid range.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cs + ref_id: D3-CS + name: Credential Scrubbing + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Credential Scrubbing + + definition: The systematic removal of hard-coded credentials from source code + to prevent accidental exposure and unauthorized access.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-tba + ref_id: D3-TBA + name: Token-based Authentication + category: technical + csf_function: protect + description: "tactic: Harden\ntechnique level 1: Token-based Authentication\n\ + definition: Token-based authentication is an authentication protocol where users\ + \ verify their identity in exchange for a\_unique access token. Users can then\ + \ access the website, application, or resource for the life of the token without\ + \ having to re-enter their credentials." + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pwa + ref_id: D3-PWA + name: Password Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Password Authentication + + definition: Password authentication is a security mechanism used to verify the + identity of a user or entity attempting to access a system or resource by requiring + the input of a secret string of characters, known as a password, that is associated + with the user or entity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-mfa + ref_id: D3-MFA + name: Multi-factor Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Multi-factor Authentication + + definition: Requiring proof of two or more pieces of evidence in order to authenticate + a user.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cban + ref_id: D3-CBAN + name: Certificate-based Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Certificate-based Authentication + + definition: Requiring a digital certificate in order to authenticate a user.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ban + ref_id: D3-BAN + name: Biometric Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Biometric Authentication + + definition: Using biological measures in order to authenticate a user.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-taan + ref_id: D3-TAAN + name: Transfer Agent Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Transfer Agent Authentication + + definition: Validating that server components of a messaging infrastructure + are authorized to send a particular message.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-mencr + ref_id: D3-MENCR + name: Message Encryption + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Message Encryption + + definition: Encrypting a message body using a cryptographic key.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-man + ref_id: D3-MAN + name: Message Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Message Authentication + + definition: Authenticating the sender of a message and ensuring message integrity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-tb + ref_id: D3-TB + name: Token Binding + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Token Binding + + definition: Token binding is a security mechanism used to enhance the protection + of tokens, such as cookies or OAuth tokens, by binding them to a specific connection.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-spp + ref_id: D3-SPP + name: Strong Password Policy + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Strong Password Policy + + definition: Modifying system configuration to increase password strength.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cro + ref_id: D3-CRO + name: Credential Rotation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Credential Rotation + + definition: Credential rotation is a security procedure in which authentication + credentials, such as passwords, API keys, or certificates, are regularly changed + or replaced to minimize the risk of unauthorized access.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pr + ref_id: D3-PR + name: Password Rotation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Credential Rotation + + technique level 2: Password Rotation + + definition: Password rotation is a security policy that mandates the periodic + change of user account passwords to mitigate the risk of unauthorized access + due to compromised credentials.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-otp + ref_id: D3-OTP + name: One-time Password + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Credential Rotation + + technique level 2: One-time Password + + definition: A one-time password is valid for only one user authentication.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cero + ref_id: D3-CERO + name: Certificate Rotation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Credential Rotation + + technique level 2: Certificate Rotation + + definition: Certificate rotation involves replacing digital certificates and + their private keys to maintain cryptographic integrity and trust, mitigating + key compromise risks and ensuring continuous secure communications.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cp + ref_id: D3-CP + name: Certificate Pinning + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Certificate Pinning + + definition: Persisting either a server''s X.509 certificate or their public + key and comparing that to server''s presented identity to allow for greater + client confidence in the remote server''s identity for SSL connections.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dencr + ref_id: D3-DENCR + name: Disk Encryption + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Disk Encryption + + definition: Encrypting a hard disk partition to prevent cleartext access to + a file system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-tbi + ref_id: D3-TBI + name: TPM Boot Integrity + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: TPM Boot Integrity + + definition: Assuring the integrity of a platform by demonstrating that the boot + process starts from a trusted combination of hardware and software and continues + until the operating system has fully booted and applications are running. Sometimes + called Static Root of Trust Measurement (STRM).' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rfs + ref_id: D3-RFS + name: RF Shielding + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: RF Shielding + + definition: Adding physical barriers to a platform to prevent undesired radio + interference.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ba + ref_id: D3-BA + name: Bootloader Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Bootloader Authentication + + definition: Cryptographically authenticating the bootloader software before + system boot.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-scp + ref_id: D3-SCP + name: System Configuration Permissions + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: System Configuration Permissions + + definition: Restricting system configuration modifications to a specific user + or group of users.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fe + ref_id: D3-FE + name: File Encryption + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: File Encryption + + definition: Encrypting a file using a cryptographic key.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-su + ref_id: D3-SU + name: Software Update + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Software Update + + definition: Replacing old software on a computer system component.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dlic + ref_id: D3-DLIC + name: Driver Load Integrity Checking + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Driver Load Integrity Checking + + definition: Ensuring the integrity of drivers loaded during initialization of + the operating system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sfcv + ref_id: D3-SFCV + name: Stack Frame Canary Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Stack Frame Canary Validation + + definition: Comparing a value stored in a stack frame with a known good value + in order to prevent or detect a memory segment overwrite.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-saor + ref_id: D3-SAOR + name: Segment Address Offset Randomization + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Segment Address Offset Randomization + + definition: Randomizing the base (start) address of one or more segments of + memory during the initialization of a process.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-psep + ref_id: D3-PSEP + name: Process Segment Execution Prevention + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Process Segment Execution Prevention + + definition: Preventing execution of any address in a memory region other than + the code segment.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pan + ref_id: D3-PAN + name: Pointer Authentication + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Pointer Authentication + + definition: Comparing the cryptographic hash or derivative of a pointer''s value + to an expected value.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ehpv + ref_id: D3-EHPV + name: Exception Handler Pointer Validation + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Exception Handler Pointer Validation + + definition: Validates that a referenced exception handler pointer is a valid + exception handler.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dce + ref_id: D3-DCE + name: Dead Code Elimination + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Dead Code Elimination + + definition: Removing unreachable or "dead code" from compiled source code.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ach + ref_id: D3-ACH + name: Application Configuration Hardening + category: technical + csf_function: protect + description: 'tactic: Harden + + technique level 1: Application Configuration Hardening + + definition: Modifying an application''s configuration to reduce its attack surface.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rta + ref_id: D3-RTA + name: RPC Traffic Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: RPC Traffic Analysis + + definition: Monitoring the activity of remote procedure calls in communication + traffic to establish standard protocol operations and potential attacker activities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ipcta + ref_id: D3-IPCTA + name: IPC Traffic Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: IPC Traffic Analysis + + definition: Analyzing standard inter process communication (IPC) protocols to + detect deviations from normal protocol activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rtsd + ref_id: D3-RTSD + name: Remote Terminal Session Detection + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Remote Terminal Session Detection + + definition: Detection of an unauthorized remote live terminal console session + by examining network traffic to a network host.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rpa + ref_id: D3-RPA + name: Relay Pattern Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Relay Pattern Analysis + + definition: The detection of an internal host relaying traffic between the internal + network and the external network.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pmad + ref_id: D3-PMAD + name: Protocol Metadata Anomaly Detection + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Protocol Metadata Anomaly Detection + + definition: Collecting network communication protocol metadata and identifying + statistical outliers.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-phdura + ref_id: D3-PHDURA + name: Per Host Download-Upload Ratio Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Per Host Download-Upload Ratio Analysis + + definition: Detecting anomalies that indicate malicious activity by comparing + the amount of data downloaded versus data uploaded by a host.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnsta + ref_id: D3-DNSTA + name: DNS Traffic Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: DNS Traffic Analysis + + definition: Analysis of domain name metadata, including name and DNS records, + to determine whether the domain is likely to resolve to an undesirable host.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fc + ref_id: D3-FC + name: File Carving + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Carving + + definition: Identifying and extracting files from network application protocols + through the use of network stream reassembly software.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-isva + ref_id: D3-ISVA + name: Inbound Session Volume Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Inbound Session Volume Analysis + + definition: Analyzing inbound network session or connection attempt volume.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ntcd + ref_id: D3-NTCD + name: Network Traffic Community Deviation + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Network Traffic Community Deviation + + definition: Establishing baseline communities of network hosts and identifying + statistically divergent inter-community communication.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cspp + ref_id: D3-CSPP + name: Client-server Payload Profiling + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Client-server Payload Profiling + + definition: Comparing client-server request and response payloads to a baseline + profile to identify outliers.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-anaa + ref_id: D3-ANAA + name: Administrative Network Activity Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Administrative Network Activity Analysis + + definition: Detection of unauthorized use of administrative network protocols + by analyzing network activity against a baseline.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-caa + ref_id: D3-CAA + name: Connection Attempt Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Connection Attempt Analysis + + definition: Analyzing failed connections in a network to detect unauthorized + activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ntsa + ref_id: D3-NTSA + name: Network Traffic Signature Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Network Traffic Signature Analysis + + definition: Analyzing network traffic and compares it to known signatures' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-bse + ref_id: D3-BSE + name: Byte Sequence Emulation + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Byte Sequence Emulation + + definition: Analyzing sequences of bytes and determining if they likely represent + malicious shellcode.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ca + ref_id: D3-CA + name: Certificate Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Certificate Analysis + + definition: Analyzing Public Key Infrastructure certificates to detect if they + have been misconfigured or spoofed using both network traffic, certificate fields + and third-party logs.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pca + ref_id: D3-PCA + name: Passive Certificate Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Certificate Analysis + + technique level 2: Passive Certificate Analysis + + definition: Collecting host certificates from network traffic or other passive + sources like a certificate transparency log and analyzing them for unauthorized + activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-aca + ref_id: D3-ACA + name: Active Certificate Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Certificate Analysis + + technique level 2: Active Certificate Analysis + + definition: Actively collecting PKI certificates by connecting to the server + and downloading its server certificates for analysis.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sra + ref_id: D3-SRA + name: Sender Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Sender Reputation Analysis + + definition: Ascertaining sender reputation based on information associated with + a message (e.g. email/instant messaging).' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-smra + ref_id: D3-SMRA + name: Sender MTA Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Sender MTA Reputation Analysis + + definition: Characterizing the reputation of mail transfer agents (MTA) to determine + the security risk in emails.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fapa + ref_id: D3-FAPA + name: File Access Pattern Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Access Pattern Analysis + + definition: Analyzing the files accessed by a process to identify unauthorized + activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dqsa + ref_id: D3-DQSA + name: Database Query String Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Database Query String Analysis + + definition: Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ssc + ref_id: D3-SSC + name: Shadow Stack Comparisons + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Shadow Stack Comparisons + + definition: Comparing a call stack in system memory with a shadow call stack + maintained by the processor to determine unauthorized shellcode activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sea + ref_id: D3-SEA + name: Script Execution Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Script Execution Analysis + + definition: Analyzing the execution of a script to detect unauthorized user + activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-psa + ref_id: D3-PSA + name: Process Spawn Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Process Spawn Analysis + + definition: Analyzing spawn arguments or attributes of a process to detect processes + that are unauthorized.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pla + ref_id: D3-PLA + name: Process Lineage Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Process Spawn Analysis + + technique level 2: Process Lineage Analysis + + definition: Identification of suspicious processes executing on an end-point + device by examining the ancestry and siblings of a process, and the associated + metadata of each node on the tree, such as process execution, duration, and + order relative to siblings and ancestors.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ibca + ref_id: D3-IBCA + name: Indirect Branch Call Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Indirect Branch Call Analysis + + definition: Analyzing vendor specific branch call recording in order to detect + ROP style attacks.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sca + ref_id: D3-SCA + name: System Call Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: System Call Analysis + + definition: Analyzing system calls to determine whether a process is exhibiting + unauthorized behavior.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fca + ref_id: D3-FCA + name: File Creation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: System Call Analysis + + technique level 2: File Creation Analysis + + definition: Analyzing the properties of file create system call invocations.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-psmd + ref_id: D3-PSMD + name: Process Self-Modification Detection + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Process Self-Modification Detection + + definition: Detects processes that modify, change, or replace their own code + at runtime.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pcsv + ref_id: D3-PCSV + name: Process Code Segment Verification + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Process Code Segment Verification + + definition: Comparing the "text" or "code" memory segments to a source of truth.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fh + ref_id: D3-FH + name: File Hashing + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Hashing + + definition: Employing file hash comparisons to detect known malware.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fcoa + ref_id: D3-FCOA + name: File Content Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Content Analysis + + definition: Employing a pattern matching algorithm to statically analyze the + content of files.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fcr + ref_id: D3-FCR + name: File Content Rules + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Content Analysis + + technique level 2: File Content Rules + + definition: Employing a pattern matching rule language to analyze the content + of files.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-efa + ref_id: D3-EFA + name: Emulated File Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Emulated File Analysis + + definition: Emulating instructions in a file looking for specific patterns.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-da + ref_id: D3-DA + name: Dynamic Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Dynamic Analysis + + definition: Executing or opening a file in a synthetic "sandbox" environment + to determine if the file is a malicious program or if the file exploits another + program such as a document reader.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dam + ref_id: D3-DAM + name: Domain Account Monitoring + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Domain Account Monitoring + + definition: Monitoring the existence of or changes to Domain User Accounts.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sda + ref_id: D3-SDA + name: Session Duration Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Session Duration Analysis + + definition: Analyzing the duration of user sessions in order to detect unauthorized activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-uglpa + ref_id: D3-UGLPA + name: User Geolocation Logon Pattern Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: User Geolocation Logon Pattern Analysis + + definition: Monitoring geolocation data of user logon attempts and comparing + it to a baseline user behavior profile to identify anomalies in logon location.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-wsaa + ref_id: D3-WSAA + name: Web Session Activity Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Web Session Activity Analysis + + definition: Monitoring changes in user web session behavior by comparing current + web session activity to a baseline behavior profile or a catalog of predetermined + malicious behavior.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-jfapa + ref_id: D3-JFAPA + name: Job Function Access Pattern Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Job Function Access Pattern Analysis + + definition: Detecting anomalies in user access patterns by comparing user access + activity to behavioral profiles that categorize users by role such as job title, + function, department.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ccsa + ref_id: D3-CCSA + name: Credential Compromise Scope Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Credential Compromise Scope Analysis + + definition: Determining which credentials may have been compromised by analyzing + the user logon history of a particular system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-azet + ref_id: D3-AZET + name: Authorization Event Thresholding + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Authorization Event Thresholding + + definition: Collecting authorization events, creating a baseline user profile, + and determining whether authorization events are consistent with the baseline + profile.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-anet + ref_id: D3-ANET + name: Authentication Event Thresholding + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Authentication Event Thresholding + + definition: Collecting authentication events, creating a baseline user profile, + and determining whether authentication events are consistent with the baseline + profile.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rapa + ref_id: D3-RAPA + name: Resource Access Pattern Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Resource Access Pattern Analysis + + definition: Analyzing the resources accessed by a user to identify unauthorized + activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-lam + ref_id: D3-LAM + name: Local Account Monitoring + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Local Account Monitoring + + definition: Analyzing local user accounts to detect unauthorized activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-udta + ref_id: D3-UDTA + name: User Data Transfer Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: User Data Transfer Analysis + + definition: Analyzing the amount of data transferred by a user.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ua + ref_id: D3-UA + name: URL Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: URL Analysis + + definition: Determining if a URL is benign or malicious by analyzing the URL + or its components.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ira + ref_id: D3-IRA + name: Identifier Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Reputation Analysis + + definition: Analyzing the reputation of an identifier.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ura + ref_id: D3-URA + name: URL Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Reputation Analysis + + technique level 2: URL Reputation Analysis + + definition: Analyzing the reputation of a URL.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ipra + ref_id: D3-IPRA + name: IP Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Reputation Analysis + + technique level 2: IP Reputation Analysis + + definition: Analyzing the reputation of an IP address.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fhra + ref_id: D3-FHRA + name: File Hash Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Reputation Analysis + + technique level 2: File Hash Reputation Analysis + + definition: Analyzing the reputation of a file hash.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnra + ref_id: D3-DNRA + name: Domain Name Reputation Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Reputation Analysis + + technique level 2: Domain Name Reputation Analysis + + definition: Analyzing the reputation of a domain name.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-iaa + ref_id: D3-IAA + name: Identifier Activity Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Identifier Activity Analysis + + definition: Taking known malicious identifiers and determining if they are present + in a system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hd + ref_id: D3-HD + name: Homoglyph Detection + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Homoglyph Detection + + definition: Comparing strings using a variety of techniques to determine if + a deceptive or malicious string is being presented to a user.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-osm + ref_id: D3-OSM + name: Operating System Monitoring + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + definition: The operating system software, for D3FEND''s purposes, includes + the kernel and its process management functions, hardware drivers, initialization + or boot logic. It also includes and other key system daemons and their configuration. + The monitoring or analysis of these components for unauthorized activity constitute + **Operating System Monitoring**.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-usica + ref_id: D3-USICA + name: User Session Init Config Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: User Session Init Config Analysis + + definition: Analyzing modifications to user session config files such as .bashrc + or .bash_profile.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sica + ref_id: D3-SICA + name: System Init Config Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: System Init Config Analysis + + definition: Analysis of any system process startup configuration.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sfa + ref_id: D3-SFA + name: System File Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: System File Analysis + + definition: Monitoring system files such as authentication databases, configuration + files, system logs, and system executables for modification or tampering.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sbv + ref_id: D3-SBV + name: Service Binary Verification + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: Service Binary Verification + + definition: Analyzing changes in service binary files by comparing to a source + of truth.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sdm + ref_id: D3-SDM + name: System Daemon Monitoring + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: System Daemon Monitoring + + definition: Tracking changes to the state or configuration of critical system + level processes.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sja + ref_id: D3-SJA + name: Scheduled Job Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: Scheduled Job Analysis + + definition: Analysis of source files, processes, destination files, or destination + servers associated with a scheduled job to detect unauthorized use of job scheduling.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-mbt + ref_id: D3-MBT + name: Memory Boundary Tracking + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: Memory Boundary Tracking + + definition: Analyzing a call stack for return addresses which point to unexpected memory + locations.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ida + ref_id: D3-IDA + name: Input Device Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: Input Device Analysis + + definition: Operating system level mechanisms to prevent abusive input device + exploitation.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ehb + ref_id: D3-EHB + name: Endpoint Health Beacon + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Operating System Monitoring + + technique level 2: Endpoint Health Beacon + + definition: Monitoring the security status of an endpoint by sending periodic + messages with health status, where absence of a response may indicate that the + endpoint has been compromised.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fv + ref_id: D3-FV + name: Firmware Verification + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Firmware Verification + + definition: Cryptographically verifying firmware integrity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-sfv + ref_id: D3-SFV + name: System Firmware Verification + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Firmware Verification + + technique level 2: System Firmware Verification + + definition: Cryptographically verifying installed system firmware integrity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pfv + ref_id: D3-PFV + name: Peripheral Firmware Verification + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Firmware Verification + + technique level 2: Peripheral Firmware Verification + + definition: Cryptographically verifying peripheral firmware integrity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-femc + ref_id: D3-FEMC + name: Firmware Embedded Monitoring Code + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Firmware Embedded Monitoring Code + + definition: Monitoring code is injected into firmware for integrity monitoring + of firmware and firmware data.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fba + ref_id: D3-FBA + name: Firmware Behavior Analysis + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: Firmware Behavior Analysis + + definition: Analyzing the behavior of embedded code in firmware and looking + for anomalous behavior and suspicious activity.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fim + ref_id: D3-FIM + name: File Integrity Monitoring + category: technical + csf_function: detect + description: 'tactic: Detect + + technique level 1: File Integrity Monitoring + + definition: Detecting any suspicious changes to files in a computer system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-scf + ref_id: D3-SCF + name: System Call Filtering + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: System Call Filtering + + definition: Controlling access to local computer system resources with kernel-level + capabilities.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-lfam + ref_id: D3-LFAM + name: Local File Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: System Call Filtering + + technique level 2: Local File Access Mediation + + definition: Restricting access to a local file by configuring operating system + functionality.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pam + ref_id: D3-PAM + name: Physical Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Physical Access Mediation + + definition: Physical access mediation is the process of granting or denying + specific requests to enter specific physical facilities (e.g., Federal buildings, + military establishments, border crossing entrances.)' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-nram + ref_id: D3-NRAM + name: Network Resource Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Resource Access Mediation + + definition: Control of access to organizational systems and services by users + or processes over a network.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-wsam + ref_id: D3-WSAM + name: Web Session Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Resource Access Mediation + + technique level 2: Web Session Access Mediation + + definition: Web session access mediation secures user sessions in web applications + by employing robust authentication and integrity validation, along with adaptive + threat mitigation techniques, to ensure that access to web resources is authorized + and protected from session-related attacks.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pbwsam + ref_id: D3-PBWSAM + name: Proxy-based Web Server Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Resource Access Mediation + + technique level 2: Proxy-based Web Server Access Mediation + + definition: Proxy-based web server access mediation focuses on the regulation + of web server access through intermediary proxy servers.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ebwsam + ref_id: D3-EBWSAM + name: Endpoint-based Web Server Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Resource Access Mediation + + technique level 2: Endpoint-based Web Server Access Mediation + + definition: Endpoint-based web server access mediation regulates web server + access directly from user endpoints by implementing mechanisms such as client-side + certificates and endpoint security software to authenticate devices and ensure + compliant access.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rfam + ref_id: D3-RFAM + name: Remote File Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Resource Access Mediation + + technique level 2: Remote File Access Mediation + + definition: Remote file access mediation is the process of managing and securing + access to file systems over a network to ensure that only authorized users or + processes can interact with remote files.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-nam + ref_id: D3-NAM + name: Network Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Access Mediation + + definition: Network access mediation is the control method for authorizing access + to a system by a user (or a process acting on behalf of a user) communicating + through a network, including a local area network, a wide area network, and + the Internet.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ram + ref_id: D3-RAM + name: Routing Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Access Mediation + + technique level 2: Routing Access Mediation + + definition: Routing access mediation is a network security approach that manages + and controls access at the network layer using VPNs, tunneling protocols, firewall + rules, and traffic inspection to ensure secure and efficient data routing.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-lamed + ref_id: D3-LAMED + name: LAN Access Mediation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Access Mediation + + technique level 2: LAN Access Mediation + + definition: LAN access mediation encompasses the application of strict access + control policies, systematic verification of devices, and authentication mechanisms + to govern connectivity to a Local Area Network.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-iopr + ref_id: D3-IOPR + name: IO Port Restriction + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: IO Port Restriction + + definition: Limiting access to computer input/output (IO) ports to restrict + unauthorized devices.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cts + ref_id: D3-CTS + name: Credential Transmission Scoping + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Credential Transmission Scoping + + definition: Limiting the transmission of a credential to a scoped set of relying + parties.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-kbpi + ref_id: D3-KBPI + name: Kernel-based Process Isolation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Kernel-based Process Isolation + + definition: Using kernel-level capabilities to isolate processes.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hbpi + ref_id: D3-HBPI + name: Hardware-based Process Isolation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Hardware-based Process Isolation + + definition: Preventing one process from writing to the memory space of another + process through hardware based address manager implementations.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-edl + ref_id: D3-EDL + name: Executable Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Executable Denylisting + + definition: Blocking the execution of files on a host in accordance with defined + application policy rules.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-eal + ref_id: D3-EAL + name: Executable Allowlisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Executable Allowlisting + + definition: Using a digital signature to authenticate a file before opening.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-abpi + ref_id: D3-ABPI + name: Application-based Process Isolation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Application-based Process Isolation + + definition: Application code which prevents its own subroutines from accessing + intra-process / internal memory space.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-uap + ref_id: D3-UAP + name: User Account Permissions + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: User Account Permissions + + definition: Restricting a user account''s access to resources.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-lfp + ref_id: D3-LFP + name: Local File Permissions + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Local File Permissions + + definition: Restricting access to a local file by configuring operating system + functionality.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dtp + ref_id: D3-DTP + name: Domain Trust Policy + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Domain Trust Policy + + definition: Restricting inter-domain trust by modifying domain configuration.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ntf + ref_id: D3-NTF + name: Network Traffic Filtering + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Traffic Filtering + + definition: Restricting network traffic originating from any location.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-otf + ref_id: D3-OTF + name: Outbound Traffic Filtering + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Traffic Filtering + + technique level 2: Outbound Traffic Filtering + + definition: Restricting network traffic originating from a private host or enclave + destined towards untrusted networks.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-itf + ref_id: D3-ITF + name: Inbound Traffic Filtering + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Traffic Filtering + + technique level 2: Inbound Traffic Filtering + + definition: Restricting network traffic originating from untrusted networks + destined towards a private host or enclave.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ef + ref_id: D3-EF + name: Email Filtering + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Network Traffic Filtering + + technique level 2: Email Filtering + + definition: Filtering incoming email traffic based on specific criteria.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-et + ref_id: D3-ET + name: Encrypted Tunnels + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Encrypted Tunnels + + definition: Encrypted encapsulation of routable network traffic.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnsdl + ref_id: D3-DNSDL + name: DNS Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + definition: Blocking DNS Network Traffic based on criteria such as IP address, + domain name, or DNS query type.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rrid + ref_id: D3-RRID + name: Reverse Resolution IP Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + technique level 2: Reverse Resolution IP Denylisting + + definition: Blocking a reverse lookup based on the query''s IP address value.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fridl + ref_id: D3-FRIDL + name: Forward Resolution IP Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + technique level 2: Forward Resolution IP Denylisting + + definition: Blocking a DNS lookup''s answer''s IP address value.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-frddl + ref_id: D3-FRDDL + name: Forward Resolution Domain Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + technique level 2: Forward Resolution Domain Denylisting + + definition: Blocking a lookup based on the query''s domain name value.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hdl + ref_id: D3-HDL + name: Homoglyph Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + technique level 2: Homoglyph Denylisting + + definition: Blocking DNS queries that are deceptively similar to legitimate + domain names.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hddl + ref_id: D3-HDDL + name: Hierarchical Domain Denylisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Denylisting + + technique level 2: Hierarchical Domain Denylisting + + definition: Blocking the resolution of any subdomain of a specified domain name.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnsal + ref_id: D3-DNSAL + name: DNS Allowlisting + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: DNS Allowlisting + + definition: Permitting only approved domains and their subdomains to be resolved.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-bdi + ref_id: D3-BDI + name: Broadcast Domain Isolation + category: technical + csf_function: protect + description: 'tactic: Isolate + + technique level 1: Broadcast Domain Isolation + + definition: Broadcast isolation restricts the number of computers a host can + contact on their LAN.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-duc + ref_id: D3-DUC + name: Decoy User Credential + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy User Credential + + definition: A Credential created for the purpose of deceiving an adversary.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dst + ref_id: D3-DST + name: Decoy Session Token + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy Session Token + + definition: An authentication token created for the purposes of deceiving an + adversary.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dpr + ref_id: D3-DPR + name: Decoy Public Release + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy Public Release + + definition: Issuing publicly released media to deceive adversaries.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dp + ref_id: D3-DP + name: Decoy Persona + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy Persona + + definition: Establishing a fake online identity to misdirect, deceive, and or + interact with adversaries.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnr + ref_id: D3-DNR + name: Decoy Network Resource + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy Network Resource + + definition: Deploying a network resource for the purposes of deceiving an adversary.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-df + ref_id: D3-DF + name: Decoy File + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Decoy File + + definition: A file created for the purposes of deceiving an adversary.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-shn + ref_id: D3-SHN + name: Standalone Honeynet + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Standalone Honeynet + + definition: An environment created for the purpose of attracting attackers and + eliciting their behaviors that is not connected to any production enterprise + systems.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ihn + ref_id: D3-IHN + name: Integrated Honeynet + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Integrated Honeynet + + definition: The practice of setting decoys in a production environment to entice + interaction from attackers.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-chn + ref_id: D3-CHN + name: Connected Honeynet + category: technical + csf_function: protect + description: 'tactic: Deceive + + technique level 1: Connected Honeynet + + definition: A decoy service, system, or environment, that is connected to the + enterprise network, and simulates or emulates certain functionality to the network, + without exposing full access to a production system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-st + ref_id: D3-ST + name: Session Termination + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Session Termination + + definition: Forcefully end all active sessions associated with compromised accounts + or devices.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-pt + ref_id: D3-PT + name: Process Termination + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Process Termination + + definition: Terminating a running application process on a computer system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-ps + ref_id: D3-PS + name: Process Suspension + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Process Suspension + + definition: Suspending a running process on a computer system.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hs + ref_id: D3-HS + name: Host Shutdown + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Host Shutdown + + definition: Initiating a host''s shutdown sequence to terminate all running + processes.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-hr + ref_id: D3-HR + name: Host Reboot + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Host Shutdown + + technique level 2: Host Reboot + + definition: Initiating a host''s reboot sequence to terminate all running processes.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-rkd + ref_id: D3-RKD + name: Registry Key Deletion + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Registry Key Deletion + + definition: Delete a registry key.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-fev + ref_id: D3-FEV + name: File Eviction + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: File Eviction + + definition: File eviction techniques delete files from system storage.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-er + ref_id: D3-ER + name: Email Removal + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: File Eviction + + technique level 2: Email Removal + + definition: The email removal technique deletes email files from system storage.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-drt + ref_id: D3-DRT + name: Domain Registration Takedown + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Domain Registration Takedown + + definition: The process of performing a takedown of the attacker''s domain registration + infrastructure.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dkf + ref_id: D3-DKF + name: Disk Formatting + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Disk Formatting + + definition: Disk Formatting is the process of preparing a data storage device, + such as a hard drive, solid-state drive, or USB flash drive, for initial use.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dkp + ref_id: D3-DKP + name: Disk Partitioning + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Disk Formatting + + technique level 2: Disk Partitioning + + definition: Disk Partitioning is the process of dividing a disk into multiple + distinct sections, known as partitions.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dke + ref_id: D3-DKE + name: Disk Erasure + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Disk Formatting + + technique level 2: Disk Erasure + + definition: Disk Erasure is the process of securely deleting all data on a disk + to ensure that it cannot be recovered by any means.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-dnsce + ref_id: D3-DNSCE + name: DNS Cache Eviction + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: DNS Cache Eviction + + definition: Flushing DNS to clear any IP addresses or other DNS records from + the cache.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-cr + ref_id: D3-CR + name: Credential Revocation + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Credential Revocation + + definition: Deleting a set of credentials permanently to prevent them from being + used to authenticate.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-anci + ref_id: D3-ANCI + name: Authentication Cache Invalidation + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Authentication Cache Invalidation + + definition: Removing tokens or credentials from an authentication cache to prevent + further user associated account accesses.' + - urn: urn:intuitem:risk:reference-controls:mitre-d3fend:d3-al + ref_id: D3-AL + name: Account Locking + category: technical + csf_function: respond + description: 'tactic: Evict + + technique level 1: Account Locking + + definition: The process of temporarily disabling user accounts on a system or + domain.' diff --git a/tools/convert_library.py b/tools/convert_library.py index 7d26d35d8..b5e227230 100644 --- a/tools/convert_library.py +++ b/tools/convert_library.py @@ -11,7 +11,7 @@ The first tab shall be named "library_content" and contain the description of the library in the other tabs library_urn | library_version | - library_publication_date | + library_publication_date | (default value: now) library_locale | library_ref_id | library_name | @@ -112,7 +112,7 @@ import yaml from pprint import pprint from collections import defaultdict - +import datetime LIBRARY_VARS = ( "library_urn", @@ -160,7 +160,7 @@ description="convert an Excel file in a library for CISO Assistant", ) parser.add_argument("input_file_name") -parser.add_argument("--compat", action='store_true') +parser.add_argument("--compat", action="store_true") args = parser.parse_args() ref_name = re.sub(r"\.\w+$", "", args.input_file_name).lower() @@ -477,21 +477,21 @@ def build_ids_set(tab_name): ) if skip_count: counter_fix += 1 - ref_id_urn = f"node{counter-counter_fix}-{counter_fix}" + ref_id_urn = f"node{counter - counter_fix}-{counter_fix}" else: ref_id_urn = ( ref_id.lower().replace(" ", "-") if ref_id - else f"node{counter-counter_fix}" + else f"node{counter - counter_fix}" ) urn = f"{root_nodes_urn}:{ref_id_urn}" else: if ref_id: - urn = f"{root_nodes_urn}:{ref_id.lower().replace(' ', '-')}" + urn = f"{root_nodes_urn}:{ref_id.lower().replace(' ', '-')}" else: p = parent_for_depth[depth] c = count_for_depth[depth] - urn =f"{p}:{c}" + urn = f"{p}:{c}" count_for_depth[depth] += 1 if urn in urn_unicity_checker: print("URN duplicate:", urn) @@ -679,7 +679,11 @@ def build_ids_set(tab_name): score = row[header["score"]].value name = row[header["name"]].value description = row[header["description"]].value - description_doc = row[header["description_doc"]].value if "description_doc" in header else None + description_doc = ( + row[header["description_doc"]].value + if "description_doc" in header + else None + ) translations = get_translations(header, row) current_score = { "score": score, @@ -837,6 +841,9 @@ def build_ids_set(tab_name): library_vars_dict["tab"][x] for x in library_vars_dict["tab"] ] +lib_date = library_vars.get("library_publication_date", datetime.datetime.now()) +if type(lib_date) == datetime.datetime: + lib_date = lib_date.date() library = { "urn": library_vars["library_urn"], "locale": library_vars["library_locale"], @@ -845,7 +852,7 @@ def build_ids_set(tab_name): "description": library_vars["library_description"], "copyright": library_vars["library_copyright"], "version": library_vars["library_version"], - "publication_date": library_vars["library_publication_date"].date(), + "publication_date": lib_date, "provider": library_vars["library_provider"], "packager": library_vars["library_packager"], } diff --git a/tools/mitre/d3fend.csv b/tools/mitre/d3fend.csv new file mode 100644 index 000000000..f180cc52d --- /dev/null +++ b/tools/mitre/d3fend.csv @@ -0,0 +1,219 @@ +ID,D3FEND Tactic,D3FEND Technique,D3FEND Technique Level 0,D3FEND Technique Level 1,Definition +D3-OAM,Model,Operational Activity Mapping,,, +D3-OM,Model,,Organization Mapping,,"Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them." +D3-ORA,Model,,Operational Risk Assessment,,"Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole." +D3-ODM,Model,,Operational Dependency Mapping,,"Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities." +D3-AM,Model,,Access Modeling,,"Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems." +D3-NM,Model,Network Mapping,,, +D3-PLM,Model,,Physical Link Mapping,,Physical link mapping identifies and models the link connectivity of the network devices within a physical network. +D3-DPLM,Model,,,Direct Physical Link Mapping,Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links. +D3-APLM,Model,,,Active Physical Link Mapping,Active physical link mapping sends and receives network traffic as a means to map the physical layer. +D3-NVA,Model,,Network Vulnerability Assessment,,"Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities." +D3-NTPM,Model,,Network Traffic Policy Mapping,,"Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels." +D3-LLM,Model,,Logical Link Mapping,,Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata. +D3-PLLM,Model,,,Passive Logical Link Mapping,"Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections." +D3-ALLM,Model,,,Active Logical Link Mapping,"Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection" +D3-AI,Model,Asset Inventory,,, +D3-SWI,Model,,Software Inventory,,Software inventorying identifies and records the software items in the organization's architecture. +D3-NNI,Model,,Network Node Inventory,,"Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture." +D3-HCI,Model,,Hardware Component Inventory,,Hardware component inventorying identifies and records the hardware items in the organization's architecture. +D3-DI,Model,,Data Inventory,,"Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture." +D3-CI,Model,,Configuration Inventory,,Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization. +D3-AVE,Model,,Asset Vulnerability Enumeration,,Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities. +D3-CIA,Model,,,Container Image Analysis,Analyzing a Container Image with respect to a set of policies. +D3-SYSM,Model,System Mapping,,, +D3-SYSVA,Model,,System Vulnerability Assessment,,"System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities." +D3-SYSDM,Model,,System Dependency Mapping,,System dependency mapping identifies and models the dependencies of system components on each other to carry out their function. +D3-SVCDM,Model,,Service Dependency Mapping,,Service dependency mapping determines the services on which each given service relies. +D3-DEM,Model,,Data Exchange Mapping,,"Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer." +D3-SCH,Harden,Source Code Hardening,,, +D3-VTV,Harden,,Variable Type Validation,,Ensuring that a variable has the correct type. +D3-VI,Harden,,Variable Initialization,,Setting variables to a known value before use. +D3-TL,Harden,,Trusted Library,,"A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific functions. These libraries are considered reliable and have been vetted for security vulnerabilities, ensuring they do not introduce risks into the application." +D3-RN,Harden,,Reference Nullification,,"Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation." +D3-PV,Harden,,Pointer Validation,,Ensuring that a pointer variable has the required properties for use. +D3-NPC,Harden,,,Null Pointer Checking,Checking if a pointer is NULL. +D3-MBSV,Harden,,,Memory Block Start Validation,Ensuring that a pointer accurately references the beginning of a designated memory block. +D3-IRV,Harden,,Integer Range Validation,,Ensuring that an integer is within a valid range. +D3-CS,Harden,,Credential Scrubbing,,The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access. +D3-AA,Harden,Agent Authentication,,, +D3-TBA,Harden,,Token-based Authentication,,"Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials." +D3-PWA,Harden,,Password Authentication,,"Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity." +D3-MFA,Harden,,Multi-factor Authentication,,Requiring proof of two or more pieces of evidence in order to authenticate a user. +D3-CBAN,Harden,,Certificate-based Authentication,,Requiring a digital certificate in order to authenticate a user. +D3-BAN,Harden,,Biometric Authentication,,Using biological measures in order to authenticate a user. +D3-MH,Harden,Message Hardening,,, +D3-TAAN,Harden,,Transfer Agent Authentication,,Validating that server components of a messaging infrastructure are authorized to send a particular message. +D3-MENCR,Harden,,Message Encryption,,Encrypting a message body using a cryptographic key. +D3-MAN,Harden,,Message Authentication,,Authenticating the sender of a message and ensuring message integrity. +D3-CH,Harden,Credential Hardening,,, +D3-TB,Harden,,Token Binding,,"Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection." +D3-SPP,Harden,,Strong Password Policy,,Modifying system configuration to increase password strength. +D3-CRO,Harden,,Credential Rotation,,"Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access." +D3-PR,Harden,,,Password Rotation,Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials. +D3-OTP,Harden,,,One-time Password,A one-time password is valid for only one user authentication. +D3-CERO,Harden,,,Certificate Rotation,"Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications." +D3-CP,Harden,,Certificate Pinning,,Persisting either a server's X.509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections. +D3-PH,Harden,Platform Hardening,,, +D3-DENCR,Harden,,Disk Encryption,,Encrypting a hard disk partition to prevent cleartext access to a file system. +D3-TBI,Harden,,TPM Boot Integrity,,Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM). +D3-RFS,Harden,,RF Shielding,,Adding physical barriers to a platform to prevent undesired radio interference. +D3-BA,Harden,,Bootloader Authentication,,Cryptographically authenticating the bootloader software before system boot. +D3-SCP,Harden,,System Configuration Permissions,,Restricting system configuration modifications to a specific user or group of users. +D3-FE,Harden,,File Encryption,,Encrypting a file using a cryptographic key. +D3-SU,Harden,,Software Update,,Replacing old software on a computer system component. +D3-DLIC,Harden,,Driver Load Integrity Checking,,Ensuring the integrity of drivers loaded during initialization of the operating system. +D3-AH,Harden,Application Hardening,,, +D3-SFCV,Harden,,Stack Frame Canary Validation,,Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. +D3-SAOR,Harden,,Segment Address Offset Randomization,,Randomizing the base (start) address of one or more segments of memory during the initialization of a process. +D3-PSEP,Harden,,Process Segment Execution Prevention,,Preventing execution of any address in a memory region other than the code segment. +D3-PAN,Harden,,Pointer Authentication,,Comparing the cryptographic hash or derivative of a pointer's value to an expected value. +D3-EHPV,Harden,,Exception Handler Pointer Validation,,Validates that a referenced exception handler pointer is a valid exception handler. +D3-DCE,Harden,,Dead Code Elimination,,"Removing unreachable or ""dead code"" from compiled source code." +D3-ACH,Harden,,Application Configuration Hardening,,Modifying an application's configuration to reduce its attack surface. +D3-NTA,Detect,Network Traffic Analysis,,, +D3-RTA,Detect,,RPC Traffic Analysis,,Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. +D3-IPCTA,Detect,,IPC Traffic Analysis,,Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity. +D3-RTSD,Detect,,Remote Terminal Session Detection,,Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. +D3-RPA,Detect,,Relay Pattern Analysis,,The detection of an internal host relaying traffic between the internal network and the external network. +D3-PMAD,Detect,,Protocol Metadata Anomaly Detection,,Collecting network communication protocol metadata and identifying statistical outliers. +D3-PHDURA,Detect,,Per Host Download-Upload Ratio Analysis,,Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. +D3-DNSTA,Detect,,DNS Traffic Analysis,,"Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host." +D3-FC,Detect,,File Carving,,Identifying and extracting files from network application protocols through the use of network stream reassembly software. +D3-ISVA,Detect,,Inbound Session Volume Analysis,,Analyzing inbound network session or connection attempt volume. +D3-NTCD,Detect,,Network Traffic Community Deviation,,Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. +D3-CSPP,Detect,,Client-server Payload Profiling,,Comparing client-server request and response payloads to a baseline profile to identify outliers. +D3-ANAA,Detect,,Administrative Network Activity Analysis,,Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. +D3-CAA,Detect,,Connection Attempt Analysis,,Analyzing failed connections in a network to detect unauthorized activity. +D3-NTSA,Detect,,Network Traffic Signature Analysis,,Analyzing network traffic and compares it to known signatures +D3-BSE,Detect,,Byte Sequence Emulation,,Analyzing sequences of bytes and determining if they likely represent malicious shellcode. +D3-CA,Detect,,Certificate Analysis,,"Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs." +D3-PCA,Detect,,,Passive Certificate Analysis,Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. +D3-ACA,Detect,,,Active Certificate Analysis,Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. +D3-MA,Detect,Message Analysis,,, +D3-SRA,Detect,,Sender Reputation Analysis,,Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging). +D3-SMRA,Detect,,Sender MTA Reputation Analysis,,Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails. +D3-PA,Detect,Process Analysis,,, +D3-FAPA,Detect,,File Access Pattern Analysis,,Analyzing the files accessed by a process to identify unauthorized activity. +D3-DQSA,Detect,,Database Query String Analysis,,Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). +D3-SSC,Detect,,Shadow Stack Comparisons,,Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. +D3-SEA,Detect,,Script Execution Analysis,,Analyzing the execution of a script to detect unauthorized user activity. +D3-PSA,Detect,,Process Spawn Analysis,,Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. +D3-PLA,Detect,,,Process Lineage Analysis,"Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors." +D3-IBCA,Detect,,Indirect Branch Call Analysis,,Analyzing vendor specific branch call recording in order to detect ROP style attacks. +D3-SCA,Detect,,System Call Analysis,,Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. +D3-FCA,Detect,,,File Creation Analysis,Analyzing the properties of file create system call invocations. +D3-PSMD,Detect,,Process Self-Modification Detection,,"Detects processes that modify, change, or replace their own code at runtime." +D3-PCSV,Detect,,Process Code Segment Verification,,"Comparing the ""text"" or ""code"" memory segments to a source of truth." +D3-FA,Detect,File Analysis,,, +D3-FH,Detect,,File Hashing,,Employing file hash comparisons to detect known malware. +D3-FCOA,Detect,,File Content Analysis,,Employing a pattern matching algorithm to statically analyze the content of files. +D3-FCR,Detect,,,File Content Rules,Employing a pattern matching rule language to analyze the content of files. +D3-EFA,Detect,,Emulated File Analysis,,Emulating instructions in a file looking for specific patterns. +D3-DA,Detect,,Dynamic Analysis,,"Executing or opening a file in a synthetic ""sandbox"" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader." +D3-UBA,Detect,User Behavior Analysis,,, +D3-DAM,Detect,,Domain Account Monitoring,,Monitoring the existence of or changes to Domain User Accounts. +D3-SDA,Detect,,Session Duration Analysis,,Analyzing the duration of user sessions in order to detect unauthorized activity. +D3-UGLPA,Detect,,User Geolocation Logon Pattern Analysis,,Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. +D3-WSAA,Detect,,Web Session Activity Analysis,,Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior. +D3-JFAPA,Detect,,Job Function Access Pattern Analysis,,"Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department." +D3-CCSA,Detect,,Credential Compromise Scope Analysis,,Determining which credentials may have been compromised by analyzing the user logon history of a particular system. +D3-AZET,Detect,,Authorization Event Thresholding,,"Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile." +D3-ANET,Detect,,Authentication Event Thresholding,,"Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile." +D3-RAPA,Detect,,Resource Access Pattern Analysis,,Analyzing the resources accessed by a user to identify unauthorized activity. +D3-LAM,Detect,,Local Account Monitoring,,Analyzing local user accounts to detect unauthorized activity. +D3-UDTA,Detect,,User Data Transfer Analysis,,Analyzing the amount of data transferred by a user. +D3-ID,Detect,Identifier Analysis,,, +D3-UA,Detect,,URL Analysis,,Determining if a URL is benign or malicious by analyzing the URL or its components. +D3-IRA,Detect,,Identifier Reputation Analysis,,Analyzing the reputation of an identifier. +D3-URA,Detect,,,URL Reputation Analysis,Analyzing the reputation of a URL. +D3-IPRA,Detect,,,IP Reputation Analysis,Analyzing the reputation of an IP address. +D3-FHRA,Detect,,,File Hash Reputation Analysis,Analyzing the reputation of a file hash. +D3-DNRA,Detect,,,Domain Name Reputation Analysis,Analyzing the reputation of a domain name. +D3-IAA,Detect,,Identifier Activity Analysis,,Taking known malicious identifiers and determining if they are present in a system. +D3-HD,Detect,,Homoglyph Detection,,Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user. +D3-PM,Detect,Platform Monitoring,,, +D3-OSM,Detect,,Operating System Monitoring,,"The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**." +D3-USICA,Detect,,,User Session Init Config Analysis,Analyzing modifications to user session config files such as .bashrc or .bash_profile. +D3-SICA,Detect,,,System Init Config Analysis,Analysis of any system process startup configuration. +D3-SFA,Detect,,,System File Analysis,"Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering." +D3-SBV,Detect,,,Service Binary Verification,Analyzing changes in service binary files by comparing to a source of truth. +D3-SDM,Detect,,,System Daemon Monitoring,Tracking changes to the state or configuration of critical system level processes. +D3-SJA,Detect,,,Scheduled Job Analysis,"Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling." +D3-MBT,Detect,,,Memory Boundary Tracking,Analyzing a call stack for return addresses which point to unexpected memory locations. +D3-IDA,Detect,,,Input Device Analysis,Operating system level mechanisms to prevent abusive input device exploitation. +D3-EHB,Detect,,,Endpoint Health Beacon,"Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised." +D3-FV,Detect,,Firmware Verification,,Cryptographically verifying firmware integrity. +D3-SFV,Detect,,,System Firmware Verification,Cryptographically verifying installed system firmware integrity. +D3-PFV,Detect,,,Peripheral Firmware Verification,Cryptographically verifying peripheral firmware integrity. +D3-FEMC,Detect,,Firmware Embedded Monitoring Code,,Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. +D3-FBA,Detect,,Firmware Behavior Analysis,,Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. +D3-FIM,Detect,,File Integrity Monitoring,,Detecting any suspicious changes to files in a computer system. +D3-AMED,Isolate,Access Mediation,,, +D3-SCF,Isolate,,System Call Filtering,,Controlling access to local computer system resources with kernel-level capabilities. +D3-LFAM,Isolate,,,Local File Access Mediation,Restricting access to a local file by configuring operating system functionality. +D3-PAM,Isolate,,Physical Access Mediation,,"Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)" +D3-NRAM,Isolate,,Network Resource Access Mediation,,Control of access to organizational systems and services by users or processes over a network. +D3-WSAM,Isolate,,,Web Session Access Mediation,"Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related attacks." +D3-PBWSAM,Isolate,,,Proxy-based Web Server Access Mediation,Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers. +D3-EBWSAM,Isolate,,,Endpoint-based Web Server Access Mediation,Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access. +D3-RFAM,Isolate,,,Remote File Access Mediation,Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files. +D3-NAM,Isolate,,Network Access Mediation,,"Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet." +D3-RAM,Isolate,,,Routing Access Mediation,"Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing." +D3-LAMED,Isolate,,,LAN Access Mediation,"LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network." +D3-IOPR,Isolate,,IO Port Restriction,,Limiting access to computer input/output (IO) ports to restrict unauthorized devices. +D3-CTS,Isolate,,Credential Transmission Scoping,,Limiting the transmission of a credential to a scoped set of relying parties. +D3-EI,Isolate,Execution Isolation,,, +D3-KBPI,Isolate,,Kernel-based Process Isolation,,Using kernel-level capabilities to isolate processes. +D3-HBPI,Isolate,,Hardware-based Process Isolation,,Preventing one process from writing to the memory space of another process through hardware based address manager implementations. +D3-EDL,Isolate,,Executable Denylisting,,Blocking the execution of files on a host in accordance with defined application policy rules. +D3-EAL,Isolate,,Executable Allowlisting,,Using a digital signature to authenticate a file before opening. +D3-ABPI,Isolate,,Application-based Process Isolation,,Application code which prevents its own subroutines from accessing intra-process / internal memory space. +D3-APA,Isolate,Access Policy Administration,,, +D3-UAP,Isolate,,User Account Permissions,,Restricting a user account's access to resources. +D3-LFP,Isolate,,Local File Permissions,,Restricting access to a local file by configuring operating system functionality. +D3-DTP,Isolate,,Domain Trust Policy,,Restricting inter-domain trust by modifying domain configuration. +D3-NI,Isolate,Network Isolation,,, +D3-NTF,Isolate,,Network Traffic Filtering,,Restricting network traffic originating from any location. +D3-OTF,Isolate,,,Outbound Traffic Filtering,Restricting network traffic originating from a private host or enclave destined towards untrusted networks. +D3-ITF,Isolate,,,Inbound Traffic Filtering,Restricting network traffic originating from untrusted networks destined towards a private host or enclave. +D3-EF,Isolate,,,Email Filtering,Filtering incoming email traffic based on specific criteria. +D3-ET,Isolate,,Encrypted Tunnels,,Encrypted encapsulation of routable network traffic. +D3-DNSDL,Isolate,,DNS Denylisting,,"Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type." +D3-RRID,Isolate,,,Reverse Resolution IP Denylisting,Blocking a reverse lookup based on the query's IP address value. +D3-FRIDL,Isolate,,,Forward Resolution IP Denylisting,Blocking a DNS lookup's answer's IP address value. +D3-FRDDL,Isolate,,,Forward Resolution Domain Denylisting,Blocking a lookup based on the query's domain name value. +D3-HDL,Isolate,,,Homoglyph Denylisting,Blocking DNS queries that are deceptively similar to legitimate domain names. +D3-HDDL,Isolate,,,Hierarchical Domain Denylisting,Blocking the resolution of any subdomain of a specified domain name. +D3-DNSAL,Isolate,,DNS Allowlisting,,Permitting only approved domains and their subdomains to be resolved. +D3-BDI,Isolate,,Broadcast Domain Isolation,,Broadcast isolation restricts the number of computers a host can contact on their LAN. +D3-DO,Deceive,Decoy Object,,, +D3-DUC,Deceive,,Decoy User Credential,,A Credential created for the purpose of deceiving an adversary. +D3-DST,Deceive,,Decoy Session Token,,An authentication token created for the purposes of deceiving an adversary. +D3-DPR,Deceive,,Decoy Public Release,,Issuing publicly released media to deceive adversaries. +D3-DP,Deceive,,Decoy Persona,,"Establishing a fake online identity to misdirect, deceive, and or interact with adversaries." +D3-DNR,Deceive,,Decoy Network Resource,,Deploying a network resource for the purposes of deceiving an adversary. +D3-DF,Deceive,,Decoy File,,A file created for the purposes of deceiving an adversary. +D3-DE,Deceive,Decoy Environment,,, +D3-SHN,Deceive,,Standalone Honeynet,,An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems. +D3-IHN,Deceive,,Integrated Honeynet,,The practice of setting decoys in a production environment to entice interaction from attackers. +D3-CHN,Deceive,,Connected Honeynet,,"A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system." +D3-PE,Evict,Process Eviction,,, +D3-ST,Evict,,Session Termination,,Forcefully end all active sessions associated with compromised accounts or devices. +D3-PT,Evict,,Process Termination,,Terminating a running application process on a computer system. +D3-PS,Evict,,Process Suspension,,Suspending a running process on a computer system. +D3-HS,Evict,,Host Shutdown,,Initiating a host's shutdown sequence to terminate all running processes. +D3-HR,Evict,,,Host Reboot,Initiating a host's reboot sequence to terminate all running processes. +D3-OE,Evict,Object Eviction,,, +D3-RKD,Evict,,Registry Key Deletion,,Delete a registry key. +D3-FEV,Evict,,File Eviction,,File eviction techniques delete files from system storage. +D3-ER,Evict,,,Email Removal,The email removal technique deletes email files from system storage. +D3-DRT,Evict,,Domain Registration Takedown,,The process of performing a takedown of the attacker's domain registration infrastructure. +D3-DKF,Evict,,Disk Formatting,,"Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use." +D3-DKP,Evict,,,Disk Partitioning,"Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions." +D3-DKE,Evict,,,Disk Erasure,Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means. +D3-DNSCE,Evict,,DNS Cache Eviction,,Flushing DNS to clear any IP addresses or other DNS records from the cache. +D3-CE,Evict,Credential Eviction,,, +D3-CR,Evict,,Credential Revocation,,Deleting a set of credentials permanently to prevent them from being used to authenticate. +D3-ANCI,Evict,,Authentication Cache Invalidation,,Removing tokens or credentials from an authentication cache to prevent further user associated account accesses. +D3-AL,Evict,,Account Locking,,The process of temporarily disabling user accounts on a system or domain. diff --git a/tools/mitre/d3fend.py b/tools/mitre/d3fend.py new file mode 100644 index 000000000..a2b735197 --- /dev/null +++ b/tools/mitre/d3fend.py @@ -0,0 +1,79 @@ +# d3fend library generator for CISO Assistant + +import csv +from openpyxl import Workbook + +tactic_to_csf_funtion = { + "Model": "identify", + "Harden": "protect", + "Detect": "detect", + "Isolate": "protect", + "Deceive": "protect", + "Evict": "respond", +} + +output_file_name = "d3fend.xlsx" +library_description = "A cybersecurity ontology designed to standardize vocabulary for employing techniques to counter malicious cyber threats." +library_copyright = """Terms of Use +LICENSE +The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use D3FEND for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy. +DISCLAIMERS +ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +""" +packager = "intuitem" + + +with open("d3fend.csv", newline="") as csvfile: + reader = csv.reader(csvfile, delimiter=",") + + n = 0 + current_technique = "" + current_technique_l1 = "" + + wb_output = Workbook() + ws = wb_output.active + print("generating", output_file_name) + ws.title = "library_content" + ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:mitre-d3fend"]) + ws.append(["library_version", 1]) + ws.append(["library_locale", "en"]) + ws.append(["library_publication_date", "2025-01-22"]) + ws.append(["library_ref_id", "d3fend"]) + ws.append(["library_name", "Mitre D3FEND"]) + ws.append(["library_description", library_description]) + ws.append(["library_copyright", library_copyright]) + ws.append(["library_provider", "Mitre D3FEND"]) + ws.append(["library_packager", packager]) + ws.append(["tab", "controls", "reference_controls"]) + ws.append( + [ + "reference_control_base_urn", + "urn:intuitem:risk:reference-controls:mitre-d3fend", + ] + ) + ws1 = wb_output.create_sheet("controls") + ws1.append(("ref_id", "name", "description", "category", "csf_function")) + + for row in reader: + n += 1 + if n == 1: + header = row + else: + id, tactic, technique, technique_l1, technique_l2, definition = row + if technique: + current_technique = technique + continue + if technique_l1: + current_technique_l1 = technique_l1 + ref_id = id + name = current_technique_l1 + description = f"tactic: {tactic}\ntechnique level 1: {current_technique_l1}\ndefinition: {definition}" + if technique_l2: + ref_id = id + name = technique_l2 + description = f"tactic: {tactic}\ntechnique level 1: {current_technique_l1}\ntechnique level 2: {technique_l2}\ndefinition: {definition}" + ws1.append( + (ref_id, name, description, "technical", tactic_to_csf_funtion[tactic]) + ) + + wb_output.save(output_file_name) diff --git a/tools/mitre/d3fend.xlsx b/tools/mitre/d3fend.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..49a7c5ce864a132e3e1ffb344981c3e5ff259583 GIT binary patch literal 21210 zcmZ^JQ@sQ z1_nU^004jhV25YZ64M%h3Hp6%_#Ftp!^GZL!O7mincmRBfzHF$MmA0sdXND@Q@fRSLicz?oMf}JhFMA$9#(?@wAev4<9A*K^`Qe&9doi%K@+z)X=9H13iY)E*i z5>uQM%TfbRVAeAldBc2|q#k<=*Z@_Ac{ckK_g@RwDNZ-*U&{09w$O|mmvk#eiq~}O zhq%zSZv0mJH$%|AS1 zH}1FwCzCZLCXWlFw!S{IZe@)%Ho7YD{_NbyW@-apUtGGE&lhNgTk?#kUj&aaVbqDO zvqf4tl!Y4^1S0VsAy>*o-nqT~afWhi&Lg1kUIGUZ^nl7iVv0hE5h$7wSyLIC##Kaw zPw!D|?(-UR1;UI~FB*6+c@q6dUVjXY>j5|JF{XP7W~w7yv*HIRF6iuXa3a=v^#KZB760mGM9Q zTxn@LZ*rjc-TayNFn_j%9%Tz`ZANysblYmq47rlS4@K07wed7b4Ds(1XG54ugS|?U z?abx@p*jDU6%{`{g-;A?<-OwW_nPjYUtqdeOYKqZVRmQ-~pMV&JPsV<9lFqNruBPtbgf z&-{uyr4nme42Y~QNY)Y2eE()M^0~RoXF7Mzh07FZ$AGOt;6H0$ek7+AaiB6d+;3&h zuVy{AuqY7_G~t^9+9~;5yo3tD1k25pt1;{5^E`Z&A2Ye>!eWcHe|YD?(K@vl?SKQa zuh^A0nEPncS0V`6Tx>aSvi`hTmsnO6t1Q3t;=6a5ZIJ^Nt1Z7|?Y^@V7dcux?*ZF; zCm%jk7dcuz?{aBLM*dZ2U2=|QAtZKq>4k*aaxAb!0HEREwmQ8CoTf+l?wW$Nf!nns zsB^1v%^8XKJvsuiYPpD+#vY{W~oeHO2J zp@!sU$SZ;v*54fG6Xyk+5Aag4g=f|7?c#I|RKRqMJ(em~nvqqH)c(8L93EU`q?r_G zFu|~N5;CMpPCr=*%l6R@Zc*`c@au>3hGiIy-u|L?Z;TDTLUf-Z^ zIjm4PiP*S6=GaYQgdvt)w|IX@;<9Q75vhgvj4;`-oLbNVTOBJy4789&7d+$^n-M=X zYgm){495S>B)ZP7Cc+^m>9PO5I~$#V*oPO!A(eGim0uOk!dHRE1OHrlOF7vv52 zv#`lNSp6E*&*@L+J6C$s@yJ`a*v3xmYd)|Pt-UK|r#<{p$GEx1LPue&?ldz#rt&A5 za-B23|KFDdU*6r-`vytKpDayUVzdP5z$QVG_Rr|aTdHBmGZSr6$SIX2Q}!sNJRxkm zbLA(g)V1S39Te?6+DGSq3SIbU=H7VpPn&0;nT6Y&q%T@idRxdiq#hfl9pvz)V7SeB zl5kty3vgLKo^{=hh)Wri(}mlygnEH(J9D?WIPx+QJD`@766}ZG&PP13{&H@Bboged z+n%m3EPR{}DApI>@TB36Mcfw=UKfUC%nb>LdwT0**NIKjqGi|Z^L+OrbOQgg(Xqka* zUOl;M+AyGsJEy9BU*BuR+l(qV_pMnwo)3d4hX#!#VVr_qCROx+soZ-?Ejg^p(I?8> zijC55I&|x=%1jqlFPVY#ke6L9E&0!u-ZF19IcF>BrxL`?MD{`f>;v+dIp6%}&*!scYxPzvUavGHFa^O|DW6cM3GoEefz&02>v(a7>;sjAdpgn*H3y>$rwhgkxi|_=^u~ma0yqtNlx;^asK{hJeX#;R7cTL7)!Uj($21X zQq6SlX{ALWrYgFTLC3FVv?gM#bjPDgp(ZSK0-9D&T)FaUVxGHLa8*5_IB+7B%6Uzp zAgX4Vsa=TDBbUC_TU>UpKFJnMhOpqEJM{tQrVR=0jaF$H<}~U$M+6)1y{7IThjw!S zRml1r-m3O_10jt_e@AE}eD*Fd#A!?u*-%jYTWzKnml+D#%e2tz;cpNYWN+?=SaIP<+(9jZaN&rY3|Jg;=4FF`YW?LC zC*+lRlQJ^Olg@;viRGJaMa4BJCd0tHdC*DMX{w>`@H)qjc*k5z(j8s1P8;KA*0QK_ zTdmH0n&sGHva~x)>Ec~p?sr?q)!0JjT5Fko!pv0>VKFT?$x5K{C-0AMxgBF36z!1m z6p`)W8B@t`o*!Pge6*wE-kH+7!KG$zNzGJQ&%3x?K#$OYrFp(6PQscaWBNKqK&*AX3;iCWU5Hnu^TwvA~9kXzE}A-J7=T- zltT6)V>07s$RIkkl}b4U>Ywh(^)MV{dtS}ifs9~(MDBbDtbw}V+ zA{mTn$un*Sv_^!+DyLTk+b=-KWSf@Y*pd#ldSp_CaZ$gCUUAFHddF75C|ud6YbRPv z;A!AiGqWV+s>2m^P8Pa~m?Snb-)P;we!RM^0M0QMGt6Yfa!M3ZF9jLhz}%bu5WPsV z$52(8s+gpA1P9RO<;VmNb4C;;8&4ZL=EBY($uMt6OkASRueL6|muGoUS1EYV`uGiv z1xP2n;C(auwl$W7>S##FQReJvT>kcYbLI?>!{cqoApjc~W*?V;cICPJEy6n;3~xIN zdY(QaOJKq6@g`pvrqFqPu);$S zTOFAO79XERd>HpGrsHXJ=9@|`2N|FY7@rp3JvU(^Jq~|Nes5-v91dg@$FZj4kaqZh zfq=_U2I8}kqhaRfI1u@>ML6o}ss2iwFY@d$96wSD>xkRZ_+dHG!{qQWU%crHf}hb` z!(nS|{=bWOiI{?-JUpa@)->|42xzVNNq0_WAN3kWWk9DFe{=0$oxfoH`Ch;q>191H zknIM)=T0`RJ~IfoPHpDTK+UU?*{}x22>*7?&(y4OM6)h@a>c9+r;C@HpE6y}JX(kya;9SE8Fv|3 zqg?6i`~@L+Svv766jh8}r7mn4uNng(|4l6befrRZ@X^iIYt6q8`u;c9MR}h3J#hm7 zOxObc|G19nzl?dr*Vg%vBkAPj3pHjl;_@1@tLoEk?#U%&&uVI`b;`P<>V}k#jRG=_ zLo`vVcfIuODO?5sgn}@cVcGe`uuK;Pnc$5iU>ZC#QeS`S!kZVpNYanyzUX_a%X5k5 z=lwvKH#1sPtB*dtD4~xheTB&Oh`)Lx+)FdkB}ypzbLe|4eheSYQmy;rO1=A8;p^FY zgUwSdBAlvnYlNs)4V{Qy|L586Cb#1@W99@_=k<2$&y)+9SkYUjPsLFmpG&PwQz*qn z4Na01&(GD)+phkfmsvOgAp5tp$hFNk?m&0U^ketev6)Bv8@@r}NF5n03*yutPsDVh zxkAb}f}c`t-!)gLpzFP|C;8Xsd)rY}XpXcjGT_)5y%WU@e<4g0xy|W7M z{_18)|Bn_b{bZ=!$2NWPTkuEPn<=PQq2jWnHRcV)hispmpXstbKZ_&c{#1BmT1P=i zlyf1E>%Nlf{3tIaQ|VV6yasA1nZ(t~<_iIOWIZ>bbSd5wI8~!as6C=^% z$vu5!y>Q>6R6=Sd4whG8p`C;iWknW^r!vcuS~AI?&3fcBIwaDHbj}UQDyDQ7xSy_S zsaK71dQE0@Ke;J(!MEHIszhVZu1sh%)d-+Ey4^2;(!Er@+axo-<4QvBqG~Wz;J8)b zFjeuVd>WLI^wNq4A7!5R87q6q51nYPwB`|`;dCq044p3gz6rS>RPFRv*T(gJmJdRc zu}wN`#Qt>osQdFl-NoCQ;UDE%vN{*fH5rrq<+fR;)G5-(a}$?3R&nSa_tXyk%0hts z_-_69O#S+vW6Y!nerME#>BMgs$*Am&m1(;nUuNngpUU2sw-z^cYPW~1SPq=KqFkBe zrQNlIWs`&CMEPK87K$qqb7p*%>aN6SUSgG^Pf4;OU*G8@o>}HCK8vX;<&wK{pC)&7_JdP|E^GLu$S z%PgvGQaxHGuCY_oHB!-H<0IuVikGKD>#}DETI>7C-Q$z`u5wtS} zH6@^hu;!c`{*nZSfyd04SbEL7dmNDLB?Kq`PWVs~{16iM5Y?ZIGEwr*{vCfEoN7gm zwEBeo@{{EtzpM=Gd$?E)i+oIkQ2#KE;-^X*|d(7UKb6VLv!T9_7n&#o2yzPD3YW%gul zZbM`v1v(MUAfYJl5d}cqh5q)4eLtW)1So+2GJwB0u zYuK-%39shlBz<=#ZY>awFy@hm+y^$Y8caJ&Guf$u2AVR$3i4pI7~OP}kweSVlB=25KyELo%vS z@_Tm`c2~0v+JoTo&E;Kdd=84N?9H9l>=k!)cdNRJ#3ZLmNeHm2^JQU?A0N}y*Xwpx zsU$`*ik#OCf0E}gm$rPSe+iZ9ip6%3#8#(g zBQP!6RFl=h#xFsOAUn;MLUu&_8CbrLFPw)G6{u(EQ_&_f+1S<=r(){T9BjqWb_7~3JwK1rlM zLA}VR(khy94EQsYDp(2F8e!EyOdl=fQYTBBE>Nk@N&{5pkK&n@9QDa4id338wNlk& zhBNa(t%~9eySwaOdk2O79`mzHIKAYx0Liv>Zz=Nnbo!I0-+Uz( zpk8V8udX>>^@PqhpXKJ{T=~+?&|n+rN4xp?7;l(=ci+p9cq9h!6`qk6bk+T!{4H59~hvjJ^}^Q*%LAgR^9C_|tZT9eYhNhKv#wh|ZMZ zwIfLxzP1w3DjD94#b)E4TfToteh|44szzh-Swd3oQR(zn=*HXZROIdoTb@2Gb}Am> z=lW{UCII#*M^xJHvJ9=mM|eXrNQdc3?f)E^c-9w6NERgFpT2obabbP*cxeq%lv_>u-h z|0r<(TmnTjx#XwS4}o-zLh=OTJWGHp^)KFxi&5JS%wK7T+2tFaiTyYq?MV}ainW7( zm-T=&)*8k~-qhUiReHB=NhxrDYG08&7McHbNA4u|{4fh*>XB zdPb8B7W#%rM(xxswqRSL0uh#Gw`G3TT5ZiAR0824w8l^N(3}8G4X(#>cyeX5G>3c= zcYxS=QZx`le~_1@sl^rGkxis5>p}3iP?I+Jgixq^Md~&%%hfw=1M}SaGY$dzep&xs z59;4$|JLOj*7x!JI8zOuGTzoax#&ojME+KpWN(=#D`_8KGh6|3OK-FUlENkEx}+R^ zS!73T+AYnncr*erqkQt^IWscEM zu1!ypGOSE0%g=edZFWfY)I?J9j{(KH_64`NWTEfmVvPj2+C}Mvj1Us1Q0iZA1eDoa zCEQY8vqVT$#XqzH>NO7p3=^o1O33AAo~T?fL}y&|ya4#L0lN%F&x@CdB!&I4R7NJvbeMx^n zsM*Z8$NkeUo!j)$iz~R5s07eyo!jOZ+~Z&LbW2F^Mw&kBLw$Ze*yaFXy}U4tt}Sv& zyw1;0WbcZ~oo=^E z{IO!jc(|9Izy#Ly!Pr0gi!joYs5JD7qj7N+0G;pM{s<@%)emvb_xD&wrWaX_bwdb6 z46knHgT%K}S6`;l99*iSY}>!5=ZV~36w&h69#U!I+y)-aUD1i|IEhT|Ru>)pm}bi* zs>}=}<7wYC?d#-FSiw$SAZ#*6)Z9B&0~}~gH54vqzE!!UD62Z|P|w78qVkDKfDzhm z7XgOlc6eU_%0%q<$TLUcULxYo0GEVTQKMNGVZikQ>~3XYdg)}rQ4iyj;(9t1khm5ScaEuZxWW97=9z3o-e}<*p$j3rH-x<^l zejLzgPANeOFVw6?kk(AKWt(+j%^XP$q@lzJ-)|cM?~FB9Yj=HZqML0`OjEyrW6+vS zKHEo0*Oin2+qJyT0}9jg=sr7EQpT0vbWyq#b_}v|rr5*n#kI>#m;v#SHx%(rPFtJZ zvAq;W-bG&>N?mGQKJm(k$<8!tSyrkmvcR15XhT8Szc&=wf91wbg2ndXBoDYK+?f)WMC2fGiK)O7D?^{(QLZJTCQWK;?pEE@4u@Rv?vbz=v*fn_) zdfP?fs5Vj?a99C@1#z8UQ#xm+Pm2xHzD(Q@ysVt@D6Mr&j>|=zYF)s#6S5LZUY0Gb z1%Bg5_3?-CRNjWW_Mv^+`d7gUtyfexB^f3LVmB!?^d+AlRKYsh)qPg;$WZV(6ygI55+EJTvUxNB&Uvy&|}0|PlcT~r`HH%fP-3=+>#h@?&=y=Yrp1d<;xHHHB>Mjljc^m*%hHT{s*7}hUQ zdGT=6heLJ5m196BqE4w&sg0u%3&u^k$+|(%m_!|HQ;3}xPb^DAA;W2-4v0#_4tSek z)(D3jc69gj`QC3yL$8;$rTE>HYAY7?(@Q-1liC&rvVLml4nHgSJ(=jrsdLZL$zHuV zs~3-T;`VO_?W5=A$5(wL&70t8vt7p-GCq>oSPdfrWMBUg zfbKeoKW9fv1gfO0NbvtgL>_2Y3(X4Quu!kgTOd)%0(h$QG$X0h%qa6bFI#)BUZ>PS zeXuWh#c^ol)cUf%bz~;P%?X_DAW2QXxn;Az=mEW5f?POd>=pRshb%L7@iS%* z!nh;WzgAJu*1JrAPW1A)HIfCBU{$5$7dQp0T6Uv9yIW4{OU8S5uU8BUoY!T^#%A9z zkTD^>LR;YU+=q)YTAls^5Jmh?@d9#?9AO2WKA(R|2F4l-%cnieCYOZ$e@4Fb z&iB^B%0D@f8EqLU6~(J-7a-vpjK#|UmGrp$+XJ8eh>=a)5fXq@1=)6DV$i)&DSob~ zFoI9<33H5vZxnf)whIeO+m&Mw+L>(N?>RH%R$;nemfZ-^4PeC7T7{}*<`9!<0VC{b*^;N$vQ%=LDqYN*Fy9)3EfZ$8 zjzZV55Tr;2f*+v$H{ra74!}2_#Fs!fV{oH5Dc)HL(whbYd1dkQcJOn6}^w=?t zXi}<~o1JEQRIw{Az=fDl)FWOkOs}Rm{9X#Ph!m)RIVRz79A+0;8W_N71pdEm2El^_ zkGzupppJI+hrJ$@&J@}OCyp_JyCjKLU?f?<~I)_yAH#ng%sqFap2 zK#xQtxqyF!8@*QfNE}T>p+~ej>zhZ4Xk~md^&5&ZsDFb}1C6umxT)rQIVjWA;=qNV z?U;89RbJEm%&5%iS6XFZ>nk4t=VMp6$l+28oZ<~QdY016;oc*kgqU!Pd1N7xI)40B z3?|HicQ9~#XwdB9RIcGJ!~E&__~`Kx-6!IJvhyDs=9YfMVRYWyC9|7^p?H3##GGV~ zQzAv8z(hQ{W?fTnqMYZ{kt}f3R>2f|ORKNsL>AH#Ov4oSE?KHo9m(LPo`jP}9TJxU z?Kj};Ar9TW9qLIyV$^zO0$p-Wk0sTD*eED|)hNQm0hUXB+9x#|Z>g}CxYC8=wK;_2 zH&e96r9c79G`fo8XrHprN+9OaZqf_f8BnKs4{QasVV~LAvSSP~lfh0LRBCvTiw+rT z%SwQ)Dzf+TDhlyNt^clD-#omFDE!a&9<7allrQjVU`zHl*>bY3U2;Rt60qNjFT#%o zCCH=Wc7h`^IBQ%`rw2$8QJ1*7MA9Im2e>oY(7LoH9^vRVz0M$4zys((qd0C!T)qk? zy53=lF6qWgXo!1n3yAIzpGeix1L29MvI;5cYpI!GB5t2mc4=cY@(l=Q@A`)?36hU zngAxlh5_I$nEDQ>_CKeQTo?Pq>a@8gDz$v;(ABV5_JIJF<2}^W>jX@t7(Mp&T}2W^r5$`XH@Y>JmEK6fC|gcTRlytL zx#R@Vn;k?k9e0BQ4NWHnR#TpAbuvaC75Xd9Z3E3Tqq@TPeG@ua( zIGX%0$fJaavfyY2>S&UywWI1HSlA?rCNOH~JWLwhoU_z?{-bm~#%L4$Seh@V*?RgI zIsK1h6c3+{+gOK#EBOQ%jD@eaN^RP%oQwJe zJ`qtVFZV2ShukE86y?8g*NMPV&L(AB7kbkzD{XzkI760y3(1e>28QJ&DRaYxc9i+X zVfP)L?IaH6A$CHJ_(gse+rGL8slwbP%Teaf?e7>rG}xb|Lr9s*SI&clp;&4;kd;_KP@!$5U}u0Iy0DKFX5pO1tD`;?Oc11&g7#2;anXET({rIu}SaK0Prt6o~kG* z4Jl}woo5)P;o*N8rz3fycy>zR5tKGly)JMMQ#jtfb8Scr=hq!e{weV-8NJ8Dv<-ZRdWt{N_m`^E>#k%fbDdXP7B*D$n(r2DmR94aF-R zSY;$26_V}+R?3ksi2}Wfv}neV^&6#6hZv$fzYyop+C2}U<`Y%9A~&^*YRH)`%a#0q zrG|e1_J{~F`XuRPA2gk8PT~DflQgbXKz6a7j62($@S87Mr%W)DlP^O=BvjYL}Cl!BpbJ*`Zro z&E%q$mYeHJz6SIH%ff%A0E$k*3fs9?C)d#;NNks!)G@MoucL#%O{kmSPGqag`KgHH z$eY4Ci(Mbfd@L#GjIY4IA!#nJ+7j;eyisKh4*_m{kXG zkSOf4;Ma{M1tTJYEk655qcG00KUXpB8RDx{w#78bV0u`YB{uww`?^LE85Uudw2ruUYZK_2@AnUrps1c(v=9&9ys3#89^CgO;if@aOEp_ybV_ zQ4$;Mh**VSBAf`-;Fn()Ai#?>!f@CsD6i=S6PDRXc!;Z6QF<*rqCU*0c>(4D``m6KQ2A>tmA@y8jD&fci)eo@P$kRVUtYMx- z-!Z{2f|w}PobY{nkEr03R;Cq|Rn;dvjO!=iDV|dYJ_`66{DJzYMHKW( zRvM@@$F7sPU}t-^1fpV9w`;{3t(`Q0)sS~4=sOEqWiRi%3Bq}4SsR1=XS$jgX^ zbMs~_OEB}xp)G6w?w&y-(LG<6F#>y@S>avdTa+&~)d`~077 z?((Mt`=iK4KIYcpnrDL}Y*;%3=teWj<5FzLL`#^X1wS;|-=%%Hgg(xdf(}Vr&hO-f6Egy3bKV@Q) z?7`xJnu+f|@gGO(+K)bJprfBp9{ViQuQhmlvU4SwUHZl{q?;+LXTYpi1MNTjIQV_} z?9n+H_Qm7WznIsO*2`r&TCq6V0VWX@dr-+j<-(Ol?q^L*kYPh&SU}oI$keOXFG%iU za&{_{{Fsk6t=)9FW^oN&-d{l_Gki@`^@qET-JiY0!!9hg{!t)H z{v=avb#ZoFSHzKbOZ;L$cHloJuT(__5wDCMcZ?9d(=AzMFiN}OIwq=%m`I0gSF%)@ zdUOS-t2L_O$yKmH-%U|#QZwIFt+&@UJ#1wpujRfh1C!TBy!K3h%ku*%{?7+61f@N5 zofcHv{6NB;ZtRX-YaFKy+eK+o@rCgh1bGtZRfdN3`#q0sdzMv7MU~;TB%spi^61xs~IgEnjRO^n@AHf63gfhvpf)~LcXc!TAS2}I1Z>6>QU7Vo4H?B zp4?3ZH$$j7AkdUaz8aS7g#{=6a_K^nkvR+{8<9eZh)iv|;O*ZH27UD9#e!;mgVktu zn7KMwOqh93wppyy+7p^QsOPjt3NoH4(MqMw__ZOkds^n@GUBnPp@p(RYOG4%h^Oa-#ISZxCOL5A+9+RL; z^Xy={o2uF!7)HX0Q!Nr=L9>(#BVL*tD?*r|%+-`Tk2y%;)AhUiW0Ml2B{NwxU_`$? zh&D&z`9Y8n$ee-#-7S$lp@U1vpIj!!JeHM&QBpO9{+Ec{g%EM2Q*SQ_OjM!e(Jn{wLw7C@|t&Kv&)7XWkj__A;3T^P}VQf1vA z*|csV@~AaOP_r|j9;9=@Pyo2A6zp(1kwt{VD94zY%e79ATSRyyoSTx1!U%%RelSk9 zI!&q=iyaqv5>fPU-Ux8gai0Qw=;)L2-rRX!$Unl7{XVGC{jBWwO!rmHA}}+cv;)GF z`i6wM%kci@lzV=&Drj}3w|RQ)(pntsNWe^wNKn2IN!4;YX%1}(`cGxkdQ%GRL#zjE z6i?d?vUMDuwQWT08zF6;?s1GN52>J^m8^Dc|u2@|I7++HAdxu{@sJWcSbJb>)x2=|{c zfUYl7`z}yvL-II5@`RmQC-)7&aW)hPAop*gFs-duCS~#@kK;J`Wgd$g84`^E891l6 z@P@j5Nd<~Tdii$Y3XtYnI&72G9KqCRwlf2}v`v_6^p4v5FVh&dp^w~^w;lo@f>Qk4 z@X9>=Z08Qvp4+WdzG3LJMnU4jPEQwXK}FCSdm5(FvwJ~H1-jB8BK~U7DbWBBg&%Jk zYtR*~64L@lVaCYv^solRn!lub)H`4lf&%q&Kt-WI2h0@~JYzszoCFTWBXxR0gwy9a zdvW`GpL$IZq|lxf>p`F#S`hxuCK`^mX&jtNfdYP*IykUh)cKY@V1j=GOWX(@Lxd1} z=q=FzAcEU#9?uPXlP8pdqJ&-aqL9jhvEZ-e(Iz+d%xl|D{i_33sZc09t5#p%lN0`de*@=F+G$^q{O;y7osKc zP;Ng_ioWQ^yW%9pJV@M<+N0Dz;=?<}A7iXN!3gk{D`pCBsNDzi4HI4IMA}`aT+SPV zKzBSW%+aiKlf%j2FvCkZ*#mrNw+@c)w~+p&LO#{1mDW-r>ubHOk38Y7h}x)JQ)31E zO8O|ur5wJPEz3&DDPK*ACsiHKxwFA>S3kJaYUodv-7RmIMKW`__#Cm}IKJ$cjvVT@ zZ%KuA0)v%`HqRY<#@l-`c&)%KYVoL8)#AWo(CLMk)Gxc*94qmCkA6b@b4(w?HkPPV zvR==2^Shhp6PJp$`-Bu~Mo|(a)J8c2qo`Emh?jS#u9Czkwn7|U| zBiO~(es0+$@N01Qz?GuKcr!pK+^SDOUqN%r0Vr6Da{C;JEPzaR96ecHkU|niRy+!n zB2swi%6X)ouDipcd0IjxL&!g|61fq4asDjq+ef!BKPKZbx1vQ0IzF{tspuP!wlLCq zn)<TrJP&%?M5vxug;J6{Klhu3{vajwCEWA}w|J3k`B3xc$GT0^5d;`M+xSxHTKM};~ zlZ*hlj2@uBVEWx%58|_nOm0_x?m}}&fSSoMUwmpI&r$a(T33t_sRik|{xP5Cu-~j= z=5~Q_68}tpRwr<~h0BKI|Rhy>{LvPP7x6+(wyd9RSuM6HYVY zIe!)F@0nW`{+QxAEi^#~S`Dw!+XwnBB7Ra!j?u1)%+_n_vPqanI_?VKFiJ*&2K+-v z{?O?>IfdpQH|aHFRNeg6Ea}Jrr5E8UwCVP6x{sy!z>ktfy}Za8Y}~U7ho=&%bQ`6n ziH&|NVZkWXH_{@fWu8*k-i1&l zTc(HuARPf(9w!ud!326lKA=+|%5Ss^Jld--Mws*Q;y!oYUa{H`5Ic3MYr4?iSJNdC zlpX?9Xo`ZNE5=U%C(RqQ@#_H8E{yC5t&FYpAn5CMlAY`@N95N^zEz|ks??)QI^kmyYtxv^4$!rL zjO?~>Y%H`QU5o&AUId@5EhSv~*uFAcCF}wGw$*Kf) z{x4hZ2Hb+RF|!|vy*F;Wc{&w3LO6#~2nCqA-^&(zznKY#wvnp!+sS&MQkwrE06k>Teg-NXg**b&6li_Tr;_F>^ zWrIYw?2u+`NeS}y?-`{M44fs7(A+`!uNE(!krN+;pel7xUOq#)8B6CHOR=NC7K|Yo z;a7$}5v!2Qy&T*!%CTHyj8w!Q2@+$ePr0THi5M4i^0W>sD3xeH?8CFU4B9Kfq3oni z4C&PAbA3?&o)P#*0%V_;h3mVdhuRq212vCwzyYEwS=^wNK`g1DT(uf11xn+)ML`27 zsM_FE=FlA}O;b4%voECcVft`)T_lp`6q1g-jLVR2kDGRaY?p$o{Bl zxV?YT`?W+8cS$rLv^cKU0f$|6`jgi(7+Mo5&pG*Of#0y-1Z;%}|fHMSCzoW#gXAB?i(Sq?2b-x?{0+6qnRsPc^EB(6~s$z?+_> z)X41+@_Ybl+3xi{Vha7rb!$@K+ZdjfF%djb%Z7neUgrs~;5vpV=_N?XM)0cc$E?(I zx6776T$lGd)A-Yq(aIZy$bqIG4ci&`?VzM)Xtp+R zTssEUj_%t+dZ)|&==+}8k5<7`q80JMQG1Nn2d%}tD;Sx*kf;TRQ4I2H2M^}A{T{@i zA3aZ0!?{gnyH+X}KB8v5+V`<)b#l0$K01mVn8o0?az~Us+aQ@citln|)8+0&Cu^}& z9>119hp=I}y<(wxJSj#T!bI8b;Rz=v{c%kcB=bJX^fYq)WUg^iVCI38tTDg+P>s1HBX5NIJVHQ~ zD6W9yOyukZU(7PGX8Lt#ZUE(-v;F zkFk3zqy1a>uAJ68Q6BErdcMkZZmvR_6J84U*xyW`41$8%dR_Hai2=DJlvh_`R`uCr z5C5{y)+|csl**^Zb}TY^-A@+mF~Xd#1#={zc6YJ~k=YBQEN>XY!cLS_y4~_RhTXpJPkheJii%mri1v9w{ zJ_@l`IRcxRx&u?!c=*KFU8;9Ff}iOs!%NF zU+c_^2o3Krv3TE0qyg0*u2#M5@YG}Fb_%ceFHhL@pm|;=h#lgv`JUd+Cn^9+=N(d1 zGW8;jW6YAG*HfLwSb+7foyY#(1i3AD@Afd~qn6)Ra&3T#-f9)g7|1MVXsqA}yn%2) zxp8=5M~l))2foC6tOkK(0|EiA)l)>V+8iW-q~40(!2=Jyz9vZ8t~Rgl(y}xgMu3h$ z{#O9EIgO!7t{i`ri=$CRCm^fag?dTt$L`{66k zFXP*V&vE~qgv#T8T_Br+;sOU01ZZp}{7OtQp$0@y#$CAM>4|FNUx_RL1RHdh- z97+fr&tc*PxD7P_=sZ{iw!B?e7qm_=@=hwB9H#G5AE?S}UVgf`8I;%gXr5UdhS&M$ zC|;k`6o&Yv1X77FEY;=&c6(1up2TQ}FEx#V+OieJN~ZFuMgtb-QG}lXeg(~CI#GBG zhtXvk9g0foM0zWR(3lgYnl=LiiyB^0ntu&#T*{iv8&DVpHyX)pjhqwbw8-hcK_3T^wWjKFTgt3;pmFM~OxR6^HLM;=tLCLbbreE{ff9FdrctqXhEEc!YY8tTP)+ zfC{=0!jT8@mvABA71>cH$v`;?g?tVVUep93rkZ z?f2w624pXT>#?cKLR;?{Nh%aD)u{|jIummt6Ng*VYuNE%=92y}m<>@{V zVt14X#_rgE9bz2L-+B6YP%0r(QOay64HW~>UeptsiX7m0AiPK+tQB>z{}tt_x?<2V z_R#k?% zq$pjQ^eP506bVuk6bQYBE=@EPi5CeFKmqBY_YykN2@nLN2!cqjQbG|FqzEESF1@!e z>b%!izWXLKnaPi}_TForXYF(5oV|LT=<)gzRzfbbgXsq!ky)#E2;I2@SeCdtC|Wp0 znr&?D3j$-hVP6RJ=VUDTTwiz1bU{@c8NdSXnxvkD3xCNRD(kvXPmFc>UasCrf!$7F zdzXM)&@_PGY@TInzVMXXS%ApuGjpQe`mFZ?3~#d;78i?~Y%(Mgm{m)W{* zCl#k_@4D_L9j#efRl@OdfM;r+3s=ck+iQ9|kyHv@uI5V`!Tx3^4Hrs`NFmoXEepxa zwt2VspU5+?-!>S$0b#H(KadnxO9?O5#Kc!QMD%YRC0pMnup6}4AvJz#X6wDivuc2| z9Te^$ydILw-!P71k|QBRJy9U^H*T5ClbFr=^=R=5zXu5(UM1+SCecub84j}2!<`>m*E7aEiyc zQhid~@YQN@iKxW%Lx^(e5Oq&(C2=Hj7AFOyh(yj$D;6k?JdIy7V=UrCe`&FS6c&yi zr56@?XCJ>_*scfg@&-U69skznJ_#=|3eCDr!j9(1x}Nk&{LRDO*?Y`*=K=?#r61l) z!Fs|JW5xDO#)hw+EK(W+S>+H7Y1Ola1t`Bhh}akKgpR)xiX1Or3Zyn&6!jkM!x_rh ztaFJ#)H@+4Jc2TdNUO}`G81?UBc$q7a#4WMKd?0{-I1^T&h$|;mqyr4XEHxp7M=sp z8G?^tEV{=L?M2I=!?{9&;=f-}3|emz?&#G>D;QeJF8&xK-Kis|jaD0sQLYpCj)BLQ zXopqYP}4j7SVKrIqB#-TKOd*RSkbdA9FPLI8zs%%uF&)}Ii60~B8)JzH?hTEaQ~J2 zdT{uB{EX+}N2v=Ap;^T-C#L)&o@5Y{v4fRnYX&8BCZTlY=|g!ciY3u;d0(c^2)q?= z-RkYSlq99(r+Q7>RlUzj%KYp_n`32o^%6s~Sl|my*jyA@)Z+U1QU?sdR^0M+a%P3k zX6%!~m3H5P-f3tHq0H(1h+KGaJgI)6Ju5%j62`QNOj~GhR9AUfOBlDEG>5h!_y5+$ zZKuuTALM*RAhtiW6%2;Mg6y04-&Yfjn=K3vL+(oCCXCW>z4CA2RSS!G&{t5ZFmjj; z)Q%fmb0gcM1iWRqlwWW+})S|6~I@Uo$*@&Hh5mgf={V;fwg)^kN##LwE$;C^lBDq zbe+sys$J*&l2^69vx_MDTF>J*>w{~q`?o=eQ>#XQ&^{~Ld1IJty_ zPmb%%09gG_R~u2m&}9(dsvZrDE$q20+g8XNiEkASbr2Cpu${C`NaBEZW(Iw;&OZN4 zp~YP(h`0uq)KuSC>5BY!!MCeAa>7v#_(5Zki}*nu+>a+Y7ZrPC!c2@LKL{RJl;m|M zlRHcEq%jcruA4<7f)cUa|Z}m04jgNf zQ4THSvgXg(Rrnqin}cWzi0~cFK-7*1&b-lUG{uSAR-c}{#I-wd;%(c7YR{?1k<&QZ z8=IP_Ti@YPs%!LJ|Ih-**h+IrL804q{)c%)`ydJWqcfPACMDkg=Z=TI)6_V5u}KKmw+ zR$GF)^G4DT{cf9UnB#ktEDsC0{?%c!J-21Cfr9$whv2{ICb9JWr;K$zdQ3KEm_}r@GWk$ zwH)Dst8v{jdeYkJ1+5jj0uQA5So^G98QY@Z$eKl*;%BG)P{6=$I-2oh24sp~w<%Sp zbB7}+$$Kt|-iff1qg|t$ZBa$yMo3~!w3ZIEFSl+g^<{@q0CBY{`9az9d5)s%@}~T? z9fZ~srie?ol;9VSXH}W-mU%ZAB|X^t++J!meY@Sa9}o1;n9I7fxL!>Qm@R&J%I9vi@GC}ClxYNW>CpTRIbPl zsHEbtxB!f-<#Xb8(PG}Z=wL+~gHWwK@R)2t2YIPWPS_=ewLJ5IP)AIHS zmZj|0j?Tw*=CamcZW*qw<~rrt`dhj18r_^7Imb8n|qbJrz_e6RG!1IdviJsnQ$hA>(!L;3$8{#koTVfAcH_?n}`*B?HW17PWFV~-RO{_&d; z_r?LAbtUK1j(Z_WisKFe+iWlr9S|7hP=BN)4pYi#EE~^viXmrqmzAOY%mJ5MmCAb^ zUc_`lqX#$rP)nftnlBpOAFEJ00^+zCJS3+$VFf8S1>KPoX11+qux7*{^Nd5x$1?I| zCq#7Q5x!-&G@TUSsv2Ob^}Zn=vAr#dn@aQQyl69)XT$TSZZm3w**y0cQR(Ov zBYOmfK>YQi&8p)j)m!Cg0xkKzUq}|WYaV)LrAwaEu8y#&Oc96d0ec-xCooSXxS43$ zSj!}kw#g^`pFlcMRQbr@ufujLt(tX^{(BsHOUN9+fHPstEr&=Qta*dtc|Ab7R#I1T&PKUt0~jgqX9+4^qn)lD zj^}+V#hN!I=xllgCL!)7NAQ8#ot1mqX33MUYg0>1mHQjBNJ;GTMd0B{9CLJ2E93+5 zp6@NdOKV>hXNzz*&av`v7g+AVLz!TjE89s-78bewX#ETV)*!Y^E<{!Dnn%Oi)Gq|$ z?#1P81;gfKm@_sER~|buGa=%bg<@E%Nd)C*tum0tl?I&CpTiPPYz2+$z%2~)z zW1Ce_eYN90{?J~~rzt?8UAeJ~7-R53fmo@rjEZr9p%UgXivMEi%q~Srhi5?-FuajQ z%dnbwN^9f0(~QW2XUt=|0bP1udp>l9qI3~f{__`gz$RfOntAVgpe>DoJUaZhpdrtO zRMYxW8xFVpc4QjcUwVbE;HJCh=Kxa!8q__pe>%AL0M`@r z%eW<0fQ36#db^)DBvNO{W1DiiI6B*27+z%0y_tV43L8-N4u5+n?>rw95E)uKLzG=g zd)PJLt3SCypeM#)ZI-d9bh}?K!%$U)oFBtiy3Mpao&XJWUaM7vX=Yuw2XvW8hY1&S zx6uV{cuJ<-?b0NWMy4q!x`CQkYb*J@TscfG(xxo&-VXuE9zDm^TgdNdNJQ`P=DDq3 z_)y-PxnUeFawxg`>ag?96vXcAuy_yaGQJPCq+IL%MhDd(Af&(WzY_%Un*RLw;zj=d zd4lKB=kxr2VF3VNg7W`H|0mt=Jp6p%-EVk5e)xZhzdKKGKJe%t0zc}DKMDRd{^&f* z`6!X!EJqao%JMT<HCe99pJK!*RK@TMgP{qgVr01%s@ AZvX%Q literal 0 HcmV?d00001 From 0d79c22925af3d4f03191a1176ad37c525469923 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 02:06:53 +0100 Subject: [PATCH 2/7] ruff --- tools/mitre/mitre.py | 30 ++++++++---- tools/nzism/prep_nzism.py | 19 +++++--- tools/prepare_mapping.py | 82 +++++++++++++++++++++++--------- tools/tisax/convert_tisax_5.1.py | 20 ++++++-- 4 files changed, 107 insertions(+), 44 deletions(-) diff --git a/tools/mitre/mitre.py b/tools/mitre/mitre.py index b6af0a1d6..4533b924d 100644 --- a/tools/mitre/mitre.py +++ b/tools/mitre/mitre.py @@ -2,7 +2,7 @@ import json from openpyxl import Workbook -MITRE_COPYRIGHT=""" +MITRE_COPYRIGHT = """ Terms of Use LICENSE The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. @@ -12,6 +12,7 @@ ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. """ + def main(): mitre_attack_data = MitreAttackData("enterprise-attack.json") @@ -21,11 +22,15 @@ def main(): ws = wb.active ws.append(["ref_id", "name", "category", "description"]) for m in mitigations: - ws.append([m.external_references[0].external_id, - m.name, - "technical", - m.description.strip(" \n") + "\n" + m.external_references[0].url]) - wb.save('measures.xlsx') + ws.append( + [ + m.external_references[0].external_id, + m.name, + "technical", + m.description.strip(" \n") + "\n" + m.external_references[0].url, + ] + ) + wb.save("measures.xlsx") techniques = mitre_attack_data.get_techniques(remove_revoked_deprecated=True) print(f"Retrieved {len(techniques)} ATT&CK techniques.") @@ -34,10 +39,15 @@ def main(): ws = wb.active ws.append(["ref_id", "name", "description"]) for t in techniques: - ws.append([t.external_references[0].external_id, - t.name, - t.description.strip(" \n") + "\n" + t.external_references[0].url]) - wb.save('techniques.xlsx') + ws.append( + [ + t.external_references[0].external_id, + t.name, + t.description.strip(" \n") + "\n" + t.external_references[0].url, + ] + ) + wb.save("techniques.xlsx") + if __name__ == "__main__": main() diff --git a/tools/nzism/prep_nzism.py b/tools/nzism/prep_nzism.py index 668cd38c8..3472ba0f2 100644 --- a/tools/nzism/prep_nzism.py +++ b/tools/nzism/prep_nzism.py @@ -47,7 +47,7 @@ def process_paragraph(level, paragraph): implementation_group = ",".join(groups) if paragraph.has_attr("cid"): - paragraph_cid = f"CID: {paragraph["cid"]}" + paragraph_cid = f"CID: {paragraph['cid']}" paragraph_name = f"Control - {paragraph_classification} - {paragraph_compliance} [{paragraph_cid}]" output_table.append( @@ -78,8 +78,8 @@ def process_paragraph(level, paragraph): input_file_name = f"{folder_path}/{args.filename}" if "." in args.version: - major_version = args.version.split('.')[0] - minor_version = args.version.split('.')[1] + major_version = args.version.split(".")[0] + minor_version = args.version.split(".")[1] else: major_version = args.version @@ -125,7 +125,9 @@ def process_paragraph(level, paragraph): wb_output = openpyxl.Workbook() ws = wb_output.active ws.title = "library_content" -ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:nzism-v{major_version}"]) +ws.append( + ["library_urn", f"urn:{packager.lower()}:risk:library:nzism-v{major_version}"] +) ws.append(["library_version", 1]) ws.append(["library_locale", "en"]) ws.append(["library_ref_id", f"NSIZM-v{major_version}"]) @@ -149,11 +151,16 @@ def process_paragraph(level, paragraph): ) ws.append(["library_provider", "New Zealand Government Communications Security Bureau"]) ws.append(["library_packager", packager]) -ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:nzism-v{major_version}"]) +ws.append( + ["framework_urn", f"urn:{packager.lower()}:risk:framework:nzism-v{major_version}"] +) ws.append(["framework_ref_id", f"NSIZM-v{major_version}"]) ws.append(["framework_name", f"NZISM v{major_version}"]) ws.append( - ["framework_description", f"New Zealand Information Security Manual v{major_version}"] + [ + "framework_description", + f"New Zealand Information Security Manual v{major_version}", + ] ) ws.append(["tab", "requirements", "requirements"]) ws.append(["tab", "scores", "scores"]) diff --git a/tools/prepare_mapping.py b/tools/prepare_mapping.py index c9e684665..b8a145eae 100644 --- a/tools/prepare_mapping.py +++ b/tools/prepare_mapping.py @@ -16,22 +16,22 @@ packager = "intuitem" print("parsing", args.source_yaml, args.target_yaml) -with open(args.source_yaml, 'r') as file: +with open(args.source_yaml, "r") as file: source = yaml.safe_load(file) -with open(args.target_yaml, 'r') as file: +with open(args.target_yaml, "r") as file: target = yaml.safe_load(file) -source_library_urn = source['urn'] -target_library_urn = target['urn'] -source_framework_urn = source['objects']['framework']['urn'] -target_framework_urn = target['objects']['framework']['urn'] -source_framework_ref_id = source['objects']['framework']['ref_id'] -target_framework_ref_id = target['objects']['framework']['ref_id'] -source_framework_name = source['objects']['framework']['name'] -target_framework_name = target['objects']['framework']['name'] +source_library_urn = source["urn"] +target_library_urn = target["urn"] +source_framework_urn = source["objects"]["framework"]["urn"] +target_framework_urn = target["objects"]["framework"]["urn"] +source_framework_ref_id = source["objects"]["framework"]["ref_id"] +target_framework_ref_id = target["objects"]["framework"]["ref_id"] +source_framework_name = source["objects"]["framework"]["name"] +target_framework_name = target["objects"]["framework"]["name"] -source_ref_id=source_framework_urn.split(':')[-1] -target_ref_id=target_framework_urn.split(':')[-1] +source_ref_id = source_framework_urn.split(":")[-1] +target_ref_id = target_framework_urn.split(":")[-1] ref_id = "mapping-" + source_ref_id + "-to-" + target_ref_id name = f"{source_framework_ref_id} -> {target_framework_ref_id}" description = f"Mapping from {source_framework_name} to {target_framework_name}" @@ -50,21 +50,39 @@ ws.append(["library_provider", packager]) ws.append(["library_packager", packager]) ws.append(["library_dependencies", f"{source_library_urn}, {target_library_urn}"]) -ws.append(["mapping_urn", f"urn:{packager.lower()}:risk:req_mapping_set:{source_ref_id}"]) +ws.append( + ["mapping_urn", f"urn:{packager.lower()}:risk:req_mapping_set:{source_ref_id}"] +) ws.append(["mapping_ref_id", ref_id]) ws.append(["mapping_name", name]) -ws.append(["mapping_description",description]) +ws.append(["mapping_description", description]) ws.append(["mapping_source_framework_urn", source_framework_urn]) ws.append(["mapping_target_framework_urn", target_framework_urn]) -ws.append(["mapping_source_node_base_urn", f"urn:{packager.lower()}:risk:req_node:{source_ref_id}"]) -ws.append(["mapping_target_node_base_urn", f"urn:{packager.lower()}:risk:req_node:{target_ref_id}"]) +ws.append( + [ + "mapping_source_node_base_urn", + f"urn:{packager.lower()}:risk:req_node:{source_ref_id}", + ] +) +ws.append( + [ + "mapping_target_node_base_urn", + f"urn:{packager.lower()}:risk:req_node:{target_ref_id}", + ] +) ws.append(["tab", "mappings", "mappings"]) ws1 = wb_output.create_sheet("mappings") ws1.append( - ["source_node_id", "target_node_id", "relationship", "rationale", "strength_of_relationship"] + [ + "source_node_id", + "target_node_id", + "relationship", + "rationale", + "strength_of_relationship", + ] ) -for node in source['objects']['framework']['requirement_nodes']: +for node in source["objects"]["framework"]["requirement_nodes"]: if node["assessable"]: node_id = node["urn"].split(":")[-1] ws1.append([node_id]) @@ -86,15 +104,33 @@ ws3 = wb_output.create_sheet("source") ws3.append(["node_id", "assessable", "urn", "ref_id", "name", "description"]) -for node in source['objects']['framework']['requirement_nodes']: +for node in source["objects"]["framework"]["requirement_nodes"]: node_id = node["urn"].split(":")[-1] if node["assessable"] else "" - ws3.append([node_id, node["assessable"], node["urn"], node.get("ref_id"), node.get("name"), node.get("description")]) + ws3.append( + [ + node_id, + node["assessable"], + node["urn"], + node.get("ref_id"), + node.get("name"), + node.get("description"), + ] + ) ws4 = wb_output.create_sheet("target") ws4.append(["node_id", "assessable", "urn", "ref_id", "name", "description"]) -for node in target['objects']['framework']['requirement_nodes']: +for node in target["objects"]["framework"]["requirement_nodes"]: node_id = node["urn"].split(":")[-1] if node["assessable"] else "" - ws4.append([node_id, node["assessable"], node["urn"], node.get("ref_id"), node.get("name"), node.get("description")]) + ws4.append( + [ + node_id, + node["assessable"], + node["urn"], + node.get("ref_id"), + node.get("name"), + node.get("description"), + ] + ) print("generate ", output_file_name) -wb_output.save(output_file_name) \ No newline at end of file +wb_output.save(output_file_name) diff --git a/tools/tisax/convert_tisax_5.1.py b/tools/tisax/convert_tisax_5.1.py index 4e52cd31c..6ae70c649 100644 --- a/tools/tisax/convert_tisax_5.1.py +++ b/tools/tisax/convert_tisax_5.1.py @@ -114,18 +114,28 @@ if control_number and re.fullmatch(r"\d", control_number): level = 2 print(control_number, control_question) - output_table.append(("", 1, control_number, control_question.strip(), "", "")) + output_table.append( + ("", 1, control_number, control_question.strip(), "", "") + ) if control_number and re.fullmatch(r"\d\.\d+", control_number): level = 3 print(control_number, control_question) - output_table.append(("", 2, control_number, "", control_question.strip(), "")) + output_table.append( + ("", 2, control_number, "", control_question.strip(), "") + ) if req_must: - output_table.append(("x", 3, "", "(must)", req_must.strip(), "must")) + output_table.append( + ("x", 3, "", "(must)", req_must.strip(), "must") + ) if control_number and re.fullmatch(r"\d\.\d+\.\d+", control_number): if control_question and re.match(r"Superseded by", control_question): print("skipping", control_number) - output_table.append(("", level, control_number, "", control_question.strip(), "")) - output_table.append(("x", level + 1, "", "(must)", req_must.strip(), "must")) + output_table.append( + ("", level, control_number, "", control_question.strip(), "") + ) + output_table.append( + ("x", level + 1, "", "(must)", req_must.strip(), "must") + ) if req_should and req_should != "None": output_table.append( ("x", level + 1, "", "(should)", req_should.strip(), "should") From a45ee5a78fe47a28692b4797ee99555b96871e0a Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 02:12:27 +0100 Subject: [PATCH 3/7] improve description --- backend/library/libraries/d3fend.yaml | 6 +++++- tools/mitre/d3fend.py | 7 ++++++- tools/mitre/d3fend.xlsx | Bin 21210 -> 21254 bytes 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/backend/library/libraries/d3fend.yaml b/backend/library/libraries/d3fend.yaml index ced32e1db..4c6b581a5 100644 --- a/backend/library/libraries/d3fend.yaml +++ b/backend/library/libraries/d3fend.yaml @@ -2,8 +2,12 @@ urn: urn:intuitem:risk:library:mitre-d3fend locale: en ref_id: d3fend name: Mitre D3FEND -description: A cybersecurity ontology designed to standardize vocabulary for employing +description: 'A cybersecurity ontology designed to standardize vocabulary for employing techniques to counter malicious cyber threats. + + Version - 1.0.0 - 2024-12-20 + + https://d3fend.mitre.org/resources/' copyright: "Terms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you\ \ a non-exclusive, royalty-free license to use D3FEND for research, development,\ \ and commercial purposes. Any copy you make for such purposes is authorized provided\ diff --git a/tools/mitre/d3fend.py b/tools/mitre/d3fend.py index a2b735197..5ecab9202 100644 --- a/tools/mitre/d3fend.py +++ b/tools/mitre/d3fend.py @@ -13,13 +13,18 @@ } output_file_name = "d3fend.xlsx" -library_description = "A cybersecurity ontology designed to standardize vocabulary for employing techniques to counter malicious cyber threats." + +library_description = """A cybersecurity ontology designed to standardize vocabulary for employing techniques to counter malicious cyber threats. +Version - 1.0.0 - 2024-12-20 +https://d3fend.mitre.org/resources/""" + library_copyright = """Terms of Use LICENSE The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use D3FEND for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy. DISCLAIMERS ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. """ + packager = "intuitem" diff --git a/tools/mitre/d3fend.xlsx b/tools/mitre/d3fend.xlsx index 49a7c5ce864a132e3e1ffb344981c3e5ff259583..c114ebdaffe58e5b30b7f50ef8c17a1de15a41cc 100644 GIT binary patch delta 1923 zcmZWqdpr|*8{ga~!@?OFx#phh*-DdZHJWW!a=(Q{F6Az4u90xCHXX4r){w1!nPfHolutNLjzss!p z?DVnD>s+Ziu;z5>h5F+lj{;6kVd?K^!E~Yxk-=-xzAtw|#aB|}UV^=AdgZk&ig8J4 zPJc8F8uu0bO~g=^c`l7=knRjvq2Jyz+SPFdN@VKQe|0lsi7$S9Fj~*MS_osg;oJ3w z+XMQ^a(s;@Ce6Jomqz^X?%w<4CuJ8pzzt}EThK<7Smm{7R#hFN;7Vtzq{VdAJ4Lm( zM+pvI(9Ed`VqhF()p;)hItBgbkyztEQ-Q_Wy-;)F$q%oEGQHVKI;w%rgF-eXVs;5D|f_4!wyLK`#IBBI`w?YwKl=Ffpw_cFUv<|4WM_eRMl-W z2`@NZC{RxU&CA~<<8=;H(@VxpIEQ$q;PBIGF@ShMUyB{ zDF8*poyvo2J&@ho-S0T9mE7q$Vl@Q9HrJqj`P|oV%qrY6!z$+Mr(AhnHt`W3=C%^8 zWTsjnyqM<2IQlGPveTeQ!2|TnFud$6$mI~aH%zgnqy(1+KQaq}S0&Hx0(&mDN!kh~ zb>+9^Ud=I3y?Tm0KB)bL{MyWpTtg_YB$|(93&+bY4$Bp@1tMwFgQG=TVfOp=>>0IL zMeC)LhzL|clf+EK!rqr8;(Vi{nzjntovK{gZ^M{hisB&Ff~%)CT9g;)d7)wE!apn; z-suN1EZvbySn@U&TIi=@awJwRxI_y~cQEYvxmkIp_VD#sb2BSnb;qiJiYKDM7Ihxp zxkF5G^je}{hFV-hXRPKJoCZ-B#ph}(DP1;IUu6!BoJl$kJOv{T8e#XSzAiYUOvBwL z#du2#cb^Pl6o?`?pNiZAN_newRE_S1*2xUsa(_6nJf}-(k7#%s^0@&#Wv5y@+zyQB zzUBnSo2%+tp~|-~L+ce~Q*J2dSKCd4ZcDD+0j=y6F&~V@&37HO#~+Qp{-9p0L~cbe z^PcIyP@~MdWDynUOeXI@5(s({y6|J7SoyMY$Hl=<^0i4mHZQ4AGlhAl`vftP#pT7I z#F^MUMtrQYIzL)vH?o4|^6J9c-LztRamcSa$mendc<5Il#t$7SZ3QQnYJ?<^v@3KxH_6X!H`~ebRMlD0=C&>5xPPdjQ zPJW7Jd8e>(M`bxf`Xts|FKFUuTmb5!{_}5Llh2@(MMUpDjK1#koLSf^DA6t=ufr_* zc}1tUHB#tQ=!SkyYATiNoQnk+pT z>~bM|4*lWrqctQzfH(U{>*QG-W3?(ulv1<>k$eSbIR%SYH`U}Tk+wbc$f{X2Z;zxpr zQ{TlK8fR`Jc?*V^mh}oznw#+i(rJsrRh-g@ZQ42Oq>ISE5XU@~F zQO5LBV3We-9)m!K@MKIwkqb<*!^_n~TXLXhEUu3{=f5vKpN>tPPS`*cK7M0??fLD& zt=BF8)J3>+M$97N(S6#idl5B%uQNJtbF`crlJwQ=WxJd(VBIoV&I0RXy!fCu9I zcO)dLfe(g`ao60lgCX(O06=u0ZdiCspl=x0+y0j*KcfNGdN40>V1|eO<^d!C`$?O2 tvRob!JPi1Pq=A>`0&6^sM;}8{#K1)Vn~IcsP?5uus`07;`5+&e`u00?vS2K72Afa({ha-AALRu1v;?oVs?>^ujHb0P2M z_4e}|J-x)(J){TPf#oFq#-pz_Ej>uEkuvt2n#eAD7pESbNN%sZ5RX|1*puX3mX;`5 zhPP(3HhR`p3AmQyIQ7G(#7`&wKBbxo5P=tdG^aX|%Het_0DLdNyy*0DF#9_#(bb4x4N z(#|OKy_jIdvskpCLAgy{O)T^hog$jvENs@j99}u8<-1E`xYt}0IL7mi75OLmNor%Y zX9m+v>9XTT$%*|I@~wk8-vOWk;erplM9piDss7h&w~`5MdI@E$M81bZBI)(seM2MX z3R0-YhU^}BL{jrpR)!TqU=%}<(}|mkDZv5LOsAGxwZys zDgF27Ct|e z_CgQw*NP#%qMMK_Jm7Itbz637%2tf{xa_WWD7($a=fieV6tmpquL~NsR}fQi?hPH% zWGnfn@1uI_Ou8v|rpsrubGje$oHgHIzF>aqyqcI^uV8Z@y5iSHua*|k&ZFwpoPEC6 zkR}gFFv#+fl`66qcf9ZU2SlsgBHn2|m&sXTa$a?z6I|uY5t<_Yka4xu76tdNwJYQ4 zB8)4eVsS*u@h-89-<#YOFNC#!|3D*|>&K3_om4DY&MlZ&6)u@Ew( zUc-pzEyf<@EdP4C{%;ubt+jxkL?L~UdI}}Yref~RWlc5Z-;>gCvf+tNt!?6uCnGi4 zY7|k1aG5+(<~E7w6qUq{L;|uyt8e|6Ko3SVWmvi5Ap|y|N4PKZ5UHatxTlz^Y>u0`!Iw?mK&BCGB-cv z-wAlbu(Y7aMw@~BNvU;5RG6r3jJbWe>5mW{2(A;LU^<_AFCgAptK*)gc+8}}^X;U1we?5iZ_+&vv zr&Zd64$+_LtqBiOjeYIHTQCRpaU?!bqtU7*V7Ho8=lf1!Iptb@L@*OZs|%mL`HQPF zo-RrV!-nMG5lDY_&3sHFJhDA)VR*=%%#%vrDa z&m}2c7KU?-JM3`rz9q?TJ-OGqyiOBlhs5dkMD-1IbYu#=lq>~=PS#7Ltp`vJSoW@^ z;Dx2xTXpC(ohnUY!y-me#V+$tD2v39o9tS+2d$}9~v z7=CkcqI5$T=OJ$$3|8}n&a|GvRq416l+6&Dzy3TElx>vb!k6D)HHJ@AA3W4bdSlv^ zX25TqnSMI&db6t+a@FzOEL3u5_)|oIp;hvzVnJPR1sf_CB-;<7wVu2n zaf&kj$nEP)>p%7!RzO|{tO2iazIYqVRmNMhg(K`FhJcPx*J9}i Date: Wed, 22 Jan 2025 02:29:11 +0100 Subject: [PATCH 4/7] Update functional-tests.yml try fix startup test --- .github/workflows/functional-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index 90373a007..b8eea8ea7 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -117,7 +117,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr '/()'' '_')" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: From 77f48bd7bd680931fb7440d14168ca659cff6e6d Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 03:04:15 +0100 Subject: [PATCH 5/7] sanitize branch name --- .github/workflows/functional-tests.yml | 2 +- .github/workflows/startup-tests.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index b8eea8ea7..e37019996 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -223,7 +223,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml index a06c8b081..0757175c2 100644 --- a/.github/workflows/startup-tests.yml +++ b/.github/workflows/startup-tests.yml @@ -102,7 +102,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: @@ -242,7 +242,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: From f711740c515354d465b36874be379a1fb83bf576 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 03:21:21 +0100 Subject: [PATCH 6/7] try fix startup tests --- .github/workflows/functional-tests.yml | 4 ++-- .github/workflows/startup-tests.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index e37019996..332e5e30f 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -117,7 +117,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr '/()'' '_')" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr '/()'' '_')" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: @@ -223,7 +223,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml index 0757175c2..9c587827b 100644 --- a/.github/workflows/startup-tests.yml +++ b/.github/workflows/startup-tests.yml @@ -102,7 +102,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: @@ -242,7 +242,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo ${{ env.BRANCH_NAME }} | tr "/()" "_")" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: From a207e6c8b55cd957b1941829f23164feaf9ab443 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:30:18 +0100 Subject: [PATCH 7/7] Update functional-tests.yml should be ok now --- .github/workflows/functional-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index 332e5e30f..d1f876b04 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -117,7 +117,7 @@ jobs: - name: Set current date as env variable run: echo "NOW=$(date +'%Y-%m-%dT%H-%M-%S')" >> $GITHUB_ENV - name: Sanitize branch name - run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr '/()'' '_')" >> $GITHUB_ENV + run: echo "BRANCH_SANITIZED=$(echo "${{ env.BRANCH_NAME }}" | tr "/()" "_")" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 if: always() with: