[Crowdstrike] Correct crowdstrike taxonomy

[initstring]

Proposed changes

• Update CrowdStrike connector to use correct vocabulary mapping

Related issues

• CrowdStrike taxonomy mapping incorrect #3531

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality using different use cases
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

CrowdStrike uses these three "motivations" today:

• State-Sponsored
• Criminal
• Hacktivism

Those are the only categories available for sorting in their web UI.

To confirm, I did a bulk scan of actors on the CrowdStrike API, looking for all iterations of motivation that may be returned. Almost all actors use State-Sponsored, Criminal, or Hacktivism (this also matches their web UI query fields). There seems to be some legacy entries using defacement, so I included it as well.

[initstring]

An alternative solution to this might be to completely remove this manual mapping, and allow OpenCTI admins to simply alias the vocabulary themselves in the platform. That would probably be more resilient to future changes on CrowdStrike's side.

[Jipegien]

Thank you @initstring for your contribution! :)

Before merging:

• no reduction of mapping scope to be 100% sure we don't generate "breaking" change here, as we have no control or assurance that Crowdstrike won't use _CS_MOTIVATION_DESTRUCTION and _CS_MOTIVATION_ESPIONAGE again.
• _CS_MOTIVATION_STATE_SPONSORED: "organizational-gain" seems really odd to me. Are you implying that Crowdstrike only uses "State Sponsored" for espionage-focus Threat Actors?

[initstring]

Hi @Jipegien - thanks for the reply!

I only observe CrowdStrike using the categories I mention. I will open a support case to confirm.

However, I think it's worth considering completely removing this mapping. As we can see, it creates warnings when not working as expected and simply adds no motivation at all.

Perhaps it is better to consume whatever motivation CrowdStrike provides, and then allow individual OpenCTI admins to use those as-is or to configure aliases that make sense to them?

There's no guarantee CrowdStrike won't simply change this tomorrow, and this function will break again.

Let me know what you think and I can re-do the PR. Either way, I'll see what support comes back with in terms of their taxonomy.

[Jipegien]

The objective of the mapping is to transform the data to stick the closest possible to STIX 2.1 standard. The standard defines a list of attack_motivation we must use when possible.

Aliases on openvocab is not a priority for us right now unfortunately, so it is a no go for that.

You are right saying we have no control on what Crowdstrike will do in the future, so:

• let's keep destruction and espionage
• when a Crowdstrike's motivation is not mapped (so a new one), we add it nonetheless AND we raise an info-level log entry to stipulate that an attack motivation is not mapped to STIX standard value.

[initstring]

That makes sense, thank you @Jipegien. If you give me a few days, I will get a definitive answer from CrowdStrike on all currently used values, and then I will come back and fix up the PR with your recommendations.

Edit to add: I did not realize that STIX clearly defines what list of motivations it uses, that is helpful info, and good to know the reason for the translation is because CrowdStrike is not using these same standards.