Harmonization and Consistency Issues with created_by_ref Across MITRE Datasets #54

Open
SYNchroACK opened this issue Nov 23, 2024 · 0 comments
@SYNchroACK

First of all, thank you for your attention to this issue and for providing this awesome piece of work to the whole community. 🚀

Upon reviewing the latest STIX 2.1 documentation, I believe there are several inconsistencies across various MITRE datasets.

Identified Issues

  1. ATT&CK (Enterprise) and Atlas ATT&CK: These datasets contain an Identity object with identical id and modified values but differing x_mitre_domains. This discrepancy violates the STIX specification as outlined below.

  2. ATT&CK Mobile and ATT&CK ICS: Similar to the issue above, these datasets have an Identity object with the same id, created, and modified values but different x_mitre_domains, which is also non-compliant with the STIX specification.

  3. CAPEC: The created_by_ref value differs from other datasets. It is recommended to harmonize this value across all datasets for consistency.

Based on STIX 2.1 Specification

The STIX 2.1 documentation specifies:

  1. Ensuring Object Version Recency with Modified Property

More recent values of the modified property indicate later versions of the object. Implementations MUST consider the version of the STIX Object with the most recent modified value to be the most recent state of the object.

  2. Mandatory Modified Property Update for New Versions

For every new version of an object, the modified property MUST be updated to represent the time that the new version was created.

  3. Consistency in Object Representation Across Versions

Every representation (each time the object version is serialized and shared) of a version of an object (identified by the object's id and modified properties) MUST always have the same set of properties and the same values for each property.

  4. Updating Modified Property for Property Changes

In order to change the value of any property, or to add or remove properties, the modified property MUST be updated with the time of the change to indicate a new version.

Recommendations

To ensure compliance with the STIX 2.1 specification and maintain consistency across datasets, I believe it would be awesome if you guys could:

  • Harmonize the created_by_ref values across all datasets.
  • Ensure that any changes to properties such as x_mitre_domains are accompanied by an update to the modified property to reflect a new version of the object.

Dataset Analysis

ATT&CK ICS

  • Source: STIX ATT&CK ICS JSON
  • Example:
    {
        "spec_version": "2.1",
        "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "type": "identity",
        "created": "2017-06-01T00:00:00.000Z",
        "modified": "2017-06-01T00:00:00.000Z",
        "name": "The MITRE Corporation",
        "identity_class": "organization",
        "object_marking_refs": [
            "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
        ],
        "x_mitre_attack_spec_version": "2.1.0",
        "x_mitre_domains": [
            "ics-attack"
        ],
        "x_mitre_version": "1.0"
    }

ATT&CK Mobile

  • Source: STIX ATT&CK Mobile JSON
  • Example:
    {
        "spec_version": "2.1",
        "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "type": "identity",
        "created": "2017-06-01T00:00:00.000Z",
        "modified": "2017-06-01T00:00:00.000Z",
        "name": "The MITRE Corporation",
        "identity_class": "organization",
        "object_marking_refs": [
            "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
        ],
        "x_mitre_attack_spec_version": "2.1.0",
        "x_mitre_domains": [
            "mobile-attack"
        ],
        "x_mitre_version": "1.0"
    }

ATT&CK Enterprise

  • Source: STIX ATT&CK Enterprise JSON
  • Example:
    {
        "spec_version": "2.1",
        "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "type": "identity",
        "created": "2017-06-01T00:00:00.000Z",
        "modified": "2022-04-25T14:00:00.188Z",
        "name": "The MITRE Corporation",
        "identity_class": "organization",
        "object_marking_refs": [
            "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
        ],
        "x_mitre_attack_spec_version": "2.1.0",
        "x_mitre_domains": [
            "enterprise-attack"
        ],
        "x_mitre_version": "1.0"
    }

Atlas ATT&CK

  • Source: STIX Atlas ATT&CK Enterprise JSON
  • Example:
    {
        "spec_version" : "2.1",
        "id" : "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "type" : "identity",
        "created" : "2017-06-01T00:00:00.000Z",
        "modified" : "2022-04-25T14:00:00.188Z",
        "name" : "The MITRE Corporation",
        "identity_class" : "organization",
        "object_marking_refs" : [
           "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
        ],
        "x_mitre_attack_spec_version" : "2.1.0",
        "x_mitre_domains" : [
           "enterprise-attack",
           "atlas-atlas"
        ],
        "x_mitre_version" : "1.0"
    }

CAPEC

  • Source: STIX CAPEC JSON
  • Example:
    {
        "spec_version": "2.1",
        "id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
        "type": "identity",
        "created": "2023-01-30T20:40:28.791901Z",
        "modified": "2023-01-30T20:40:28.791901Z",
        "name": "The MITRE Corporation",
        "identity_class": "organization",
        "object_marking_refs": [
            "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
        ]
    }
@jondricek jondricek self-assigned this Dec 11, 2024
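An added check, not code from the MITRE repositories or from the issue author, that applies the two rules the issue cites across a set of bundles: it flags any property whose value differs between datasets that carry the same (id, modified) version of an object, reports datasets whose Identity object (the target of created_by_ref) is not the one the others use, and picks the winning copy by the "most recent modified" rule. The sample data is constructed from the five Identity objects quoted above; `load_bundle` is an assumed helper for pointing the same checks at the real JSON files.

```python
"""Consistency checks for STIX 2.1 bundles: objects sharing id and modified
but differing in a property (a spec violation), and datasets whose Identity
object (the created_by_ref target) is not the same one.

Added example; not code from the MITRE projects or the issue author.
The sample data is constructed from the Identity objects quoted in the issue.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

Objects = List[dict]

MITRE_ID = "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
CAPEC_ID = "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd"


def _attack_identity(modified: str, domains: List[str]) -> dict:
    """The ATT&CK Identity object as quoted in the issue, parameterised on
    the two fields that vary between datasets."""
    return {
        "spec_version": "2.1", "id": MITRE_ID, "type": "identity",
        "created": "2017-06-01T00:00:00.000Z", "modified": modified,
        "name": "The MITRE Corporation", "identity_class": "organization",
        "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "x_mitre_attack_spec_version": "2.1.0", "x_mitre_domains": domains,
        "x_mitre_version": "1.0",
    }


# Constructed sample: dataset name -> the objects of its bundle (one Identity
# each here; a real bundle also carries thousands of other objects).
SAMPLE_BUNDLES: Dict[str, Objects] = {
    "ics-attack": [_attack_identity("2017-06-01T00:00:00.000Z", ["ics-attack"])],
    "mobile-attack": [_attack_identity("2017-06-01T00:00:00.000Z", ["mobile-attack"])],
    "enterprise-attack": [_attack_identity("2022-04-25T14:00:00.188Z", ["enterprise-attack"])],
    "atlas": [_attack_identity("2022-04-25T14:00:00.188Z", ["enterprise-attack", "atlas-atlas"])],
    "capec": [{
        "spec_version": "2.1", "id": CAPEC_ID, "type": "identity",
        "created": "2023-01-30T20:40:28.791901Z", "modified": "2023-01-30T20:40:28.791901Z",
        "name": "The MITRE Corporation", "identity_class": "organization",
        "object_marking_refs": ["marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"],
    }],
}


def load_bundle(path: str) -> Objects:
    """Assumed helper: read a STIX bundle file into its object list."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["objects"]


def _ts_key(ts: str) -> Tuple[str, int]:
    """Sort key for STIX timestamps; the datasets mix millisecond and
    microsecond precision, so the fraction is compared numerically."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return base, int((frac + "000000")[:6])


def find_version_conflicts(bundles: Dict[str, Objects]) -> List[Tuple[str, str, str, Dict[str, object]]]:
    """Return (id, modified, property, {dataset: value}) for every property
    whose value differs between datasets carrying the same object version.
    STIX 2.1 ties one fixed property set to each (id, modified) pair, so a
    non-empty result is a spec violation."""
    versions: Dict[Tuple[str, str], Dict[str, dict]] = defaultdict(dict)
    for name, objects in bundles.items():
        for obj in objects:
            versions[(obj["id"], obj.get("modified", obj["created"]))][name] = obj
    conflicts = []
    for (sid, modified), copies in versions.items():
        if len(copies) < 2:
            continue
        props = set().union(*(c.keys() for c in copies.values()))
        for prop in sorted(props):
            # canonical JSON so list and dict values compare by content
            canon = {json.dumps(c.get(prop), sort_keys=True) for c in copies.values()}
            if len(canon) > 1:
                conflicts.append((sid, modified, prop, {ds: c.get(prop) for ds, c in copies.items()}))
    return conflicts


def identity_id_outliers(bundles: Dict[str, Objects]) -> Dict[str, List[str]]:
    """Group datasets by the Identity id they ship and return every group but
    the largest; empty means created_by_ref already points at one id everywhere."""
    by_id: Dict[str, List[str]] = defaultdict(list)
    for name, objects in bundles.items():
        for obj in objects:
            if obj["type"] == "identity":
                by_id[obj["id"]].append(name)
    if not by_id:
        return {}
    majority = max(by_id, key=lambda i: len(by_id[i]))
    return {i: ds for i, ds in by_id.items() if i != majority}


def latest_version(bundles: Dict[str, Objects], stix_id: str) -> dict:
    """Apply the spec's rule: the copy with the most recent modified wins."""
    copies = [o for objects in bundles.values() for o in objects if o["id"] == stix_id]
    return max(copies, key=lambda o: _ts_key(o.get("modified", o["created"])))


if __name__ == "__main__":
    for sid, modified, prop, values in find_version_conflicts(SAMPLE_BUNDLES):
        print(f"{sid} @ {modified}: {prop} differs: {values}")
    print("identity ids not matching the majority:", identity_id_outliers(SAMPLE_BUNDLES))
    print("latest MITRE identity modified:", latest_version(SAMPLE_BUNDLES, MITRE_ID)["modified"])
```

On the sample data the first check reports exactly the two x_mitre_domains conflicts the issue describes (ICS vs Mobile on the 2017 version, Enterprise vs ATLAS on the 2022 version), and the second singles out CAPEC's separate Identity id. To run it over the published files, replace SAMPLE_BUNDLES with a dict of `load_bundle(path)` results; note that `latest_version` cannot resolve the conflicts, since the clashing copies have identical modified values and the spec gives no tie-break for that case.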