In Part I, I described some structural problems in MITRE’s ATT&CK adversarial behavior framework.

We looked at a couple of examples of techniques that vary greatly in terms of abstraction as well as techniques that ought to be classified as parent and sub-technique. Both examples are borne out of the lack of hierarchical structure among techniques in ATT&CK. As a focused and relatively small catalogue of behavior, this doesn’t necessarily present a pressing problem—it’s small enough for cybersecurity professionals to comprehend the entire framework and understand by inference how the structure should look.

However, the problem becomes more pressing as the framework grows and becomes harder for individuals to comprehend.

In this part, I want to look at the background of formal ontology, some basic concepts, its uses, its failures and successes and how to think about ATT&CK as an adversarial behavior ontology.

ATT&CK is tremendously valuable because it gives us a classification of our knowledge of adversarial behavior to better communicate, collaborate, account for and reason about the domain in a scientific manner. A formal ontology is valuable for much the same reasons, but ontology goes beyond classification. It enables us to build large repositories of knowledge in a machine-readable language. As with any scientific endeavor, ATT&CK’s content will grow. And as it grows, the lack of structure makes working with it tougher, and it risks losing value.

My goal here is to introduce successful principles and examples of applied formal ontology and discuss how ontology can be used to protect and expand the value of ATT&CK.

Ontology: A Short Overview

In a previous career, I was a philosopher specializing in the area of metaphysics called ontology. I worked on the ontology of, as natural language philosopher J. L. Austin put it, “moderate-sized specimens of dry goods”—familiar (Read more...)