Making the Case for Cybersecurity
We define an attack knowledge item as the structured, machine-consumable representation of how and where an attack can occur in a given system. Consider the two linked objects, Attacker and Threat Scenario, illustrated in Figure 4-1. Together these two objects characterize a single attack path, merging the knowledge that comes from separate sources: threat intelligence, an offensive techniques repository and system facts. An attacker is represented as a tuple: <attacker, attacker category>.
A Threat Scenario is represented as a tuple <impactful element, target, attack path, artifact category, artifact, technical impact category, attack type, attacker category>. The first six components are system facts and describe the specific operational, architectural and supply chain features involved. The last three are attack characteristics that describe the nature of the attack. These tuples capture the full characterization of a tailored attack path and establish links to generic knowledge items.
These objects are linked directly to the rest of the risk claim structure, allowing them to serve as structured, inferable elements in risk reasoning. The completeness claim of attack enumeration depends on the selection of the attack characteristics and their alignment with the community's shared understanding of cyberattacks.
This is where knowledge repositories like CAPEC, STIX, MITRE ATT&CK and ontologies like MITRE D3FEND come into play.
Knowledge repositories provide critical building knowledge items related to offensive techniques. CAPEC provides a taxonomy of attack patterns based on intent and behavior. STIX defines a schema for sharing cyber threat intelligence across organizations. ATT&CK catalogs observed adversary tactics and techniques, providing a bridge from abstract models to operational realities.
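As an added example (not code from the article or from any of the standards it cites), the tuples above can be made machine-consumable and used for the two inferences the text mentions: joining an Attacker with a Threat Scenario to obtain a tailored attack path, and checking the completeness of the enumeration against the shared attack characteristics. Which fields count as attack characteristics is an assumption of this example (the last three listed: technical impact category, attack type, attacker category); the `generic_items` field, the ATT&CK technique IDs T1190 and T1566 used as links, and all sample scenarios are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Attacker:
    """The <attacker, attacker category> tuple."""
    attacker: str
    attacker_category: str


@dataclass(frozen=True)
class ThreatScenario:
    """The Threat Scenario tuple, with the eight fields listed in the text."""
    impactful_element: str
    target: str
    attack_path: str
    artifact_category: str
    artifact: str
    technical_impact_category: str
    attack_type: str
    attacker_category: str
    # Links to generic knowledge items (here: ATT&CK technique IDs). The encoding
    # of these links is an assumption of this example, not the article's.
    generic_items: Tuple[str, ...] = ()

    def attack_characteristics(self) -> Tuple[str, str, str]:
        # Assumed split: the three fields that describe the nature of the attack.
        return (self.technical_impact_category, self.attack_type, self.attacker_category)


def attack_paths(attackers: List[Attacker], scenarios: List[ThreatScenario]
                 ) -> List[Tuple[Attacker, ThreatScenario]]:
    """Join Attacker and Threat Scenario on attacker category; each pair is one tailored attack path."""
    return [(a, s) for a in attackers for s in scenarios
            if a.attacker_category == s.attacker_category]


def coverage_gaps(scenarios: List[ThreatScenario],
                  space: Dict[str, Set[str]]) -> Set[Tuple[str, str, str]]:
    """Combinations of attack characteristics that no enumerated scenario covers.

    `space` holds, per characteristic, the values the shared taxonomy allows; the
    completeness claim of the enumeration fails while this set is non-empty."""
    covered = {s.attack_characteristics() for s in scenarios}
    universe = set(product(space["technical_impact_category"],
                           space["attack_type"],
                           space["attacker_category"]))
    return universe - covered


def unlinked_scenarios(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """Scenarios with no link to a generic knowledge item, i.e. tailoring is still incomplete."""
    return [s for s in scenarios if not s.generic_items]


# Constructed sample data (not from the article).
ATTACKERS = [
    Attacker("organized crime group", "external"),
    Attacker("disgruntled administrator", "insider"),
]

SCENARIOS = [
    ThreatScenario("customer database", "web application", "internet -> web app -> database",
                   "network traffic", "HTTP request", "confidentiality loss", "injection",
                   "external", generic_items=("ATT&CK T1190",)),
    ThreatScenario("customer database", "DBA workstation", "email -> workstation -> database",
                   "file", "email attachment", "integrity loss", "phishing",
                   "external", generic_items=("ATT&CK T1566",)),
    ThreatScenario("customer database", "database server", "admin console -> database",
                   "log entry", "audit log", "integrity loss", "misuse of privilege",
                   "insider"),
]

# Constructed characteristic space standing in for the community's shared taxonomy.
CHARACTERISTIC_SPACE = {
    "technical_impact_category": {"confidentiality loss", "integrity loss"},
    "attack_type": {"injection", "phishing", "misuse of privilege"},
    "attacker_category": {"external", "insider"},
}

if __name__ == "__main__":
    for attacker, scenario in attack_paths(ATTACKERS, SCENARIOS):
        print(f"{attacker.attacker} -> {scenario.attack_path} [{', '.join(scenario.generic_items) or 'unlinked'}]")
    for gap in sorted(coverage_gaps(SCENARIOS, CHARACTERISTIC_SPACE)):
        print("not enumerated:", gap)
    for scenario in unlinked_scenarios(SCENARIOS):
        print("needs tailoring to a generic knowledge item:", scenario.target)
```

The gap report is what a reviewer of the risk claim would want: every combination in the characteristic space that no scenario covers is either a missing scenario or an argued-away combination, and either way it has to be accounted for before the enumeration can be called complete.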
However, these sources are often descriptive and not directly usable for inference. Tailoring is required: mapping abstract techniques to concrete system facts and the attack characteristics that drive attack enumeration.
This gap is partially addressed by MITRE D3FEND, which introduces a formal ontology of defense techniques and the digital artifacts they operate on, such as files, memory blocks, log entries, or network packets. Crucially, it also enables alignment with MITRE ATT&CK, forming a bidirectional mapping between offense and defense.
However, tailoring of digital artifacts remains a challenge without a strong foundation of system facts. This is where standards like OMG SPECTRA become crucial.
Journal of Innovation 47