feat(graph): document mitre attck in schema.

docs/reference/graph/graph.schema.json

@@ -102,11 +102,18 @@
                 },
                 "description": {
                     "type": "string"
+                },
+                "references": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/StandardRef"
+                    }
                 }
             },
             "required": [
                 "description",
-                "label"
+                "label",
+                "references"
             ],
             "title": "Edge"
         },
@@ -218,6 +225,30 @@
             ],
             "title": "From"
         },
+        "StandardRef": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "type": {
+                    "type": "string",
+                    "enum": [
+                        "ATTCK",
+                        "URL"
+                    ]
+                },
+                "id": {
+                    "type": "string"
+                },
+                "label": {
+                    "type": "string"
+                }
+            },
+            "required": [
+                "type",
+                "id"
+            ],
+            "title": "StandardRef"
+        },
         "Type": {
             "type": "string",
             "enum": [

docs/reference/graph/graph.yaml

@@ -412,76 +412,180 @@ spec:
   edges:
     - label: CE_MODULE_LOAD
       description: A container can load a kernel module on the node.
+      references: 
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: CE_NSENTER
       description: >-
         Container escape via the nsenter built-in linux program that allows
         executing a binary into another namespace.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: CE_PRIV_MOUNT
       description: >-
         Mount the host disk and gain access to the host via arbitrary filesystem
         write
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: CE_SYS_TRACE
       description: >-
         Given the requisite capabilities, abuse the legitimate OS debugging
         mechanisms to escape the container via attaching to a node process.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: CE_UMH_CORE_PATTERN
       description: >-
         Abuse the User Mode Helper (UMH) mechanism to execute arbitrary code in
         the host.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: CE_VAR_LOG_SYMLINK
       description: Abuse the /var/log symlink to gain access to the host filesystem.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: EXPLOIT_HOST_READ
       description: Read sensitive files on the host.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: EXPLOIT_HOST_WRITE
       description: Write sensitive files on the host.
+      references:
+        - type: ATTCK
+          id: T1611
+          label: Escape to Host
     - label: EXPLOIT_CONTAINERD_SOCK
       description: Exploit the containerd socket to gain access to the host.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: IDENTITY_ASSUME
       description: >-
         Represents the capacity to act as an Identity via ownership of a service
         account token, user PKI certificate, etc.
+      references:
+        - type: ATTCK
+          id: T1078
+          label: Valid Accounts
     - label: CONTAINER_ATTACH
       description: >-
         Attach to a running container to execute commands or inspect the
         container.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: ENDPOINT_EXPLOIT
       description: >-
         Represents a network endpoint exposed by a container that could be
         exploited by an attacker (via means known or unknown). This can correspond
         to a Kubernetes service, node service, node port, or container port.
+      references:
+        - type: ATTCK
+          id: T1210
+          label: Exploitation of Remote Services
     - label: PERMISSION_DISCOVER
       description: Discover permissions granted to an identity.
+      references:
+        - type: ATTCK
+          id: T1069
+          label: Permission Groups Discovery
     - label: EXPLOIT_HOST_TRAVERSE
       description: >-
         This attack represents the ability to steal a K8s API token from a
         container via access to a mounted parent volume of the
         /var/lib/kubelet/pods directory.
+      references:
+        - type: ATTCK
+          id: T1552
+          label: Unsecured Credentials
     - label: TOKEN_STEAL
       description: >-
         This attack represents the ability to steal a K8s API token from an
         accessible volume.
+      references:
+        - type: ATTCK
+          id: T1552
+          label: Unsecured Credentials
     - label: ROLE_BIND
       description: Bind a role to an identity.
+      references:
+        - type: ATTCK
+          id: T1078
+          label: Valid Accounts
     - label: IDENTITY_IMPERSONATE
       description: Impersonate an identity.
+      references:
+        - type: ATTCK
+          id: T1078
+          label: Valid Accounts
     - label: POD_ATTACH
       description: Attach to a running pod to execute commands or inspect the pod.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: POD_CREATE
       description: Create a pod on a node.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: POD_EXEC
       description: Execute a command in a pod.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: POD_PATCH
       description: Patch a pod on a node.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: SHARE_PS_NAMESPACE
       description: All containers in a pod share the same process namespace.
+      references:
+        - type: ATTCK
+          id: TA0008
+          label: Lateral Movement
     - label: TOKEN_BRUTEFORCE
       description: Bruteforce a token.
+      references:
+        - type: ATTCK
+          id: T1528
+          label: Steal Application Access Token
     - label: TOKEN_LIST
       description: List tokens.
+      references:
+        - type: ATTCK
+          id: T1528
+          label: Steal Application Access Token
     - label: VOLUME_ACCESS
       description: Access a volume mounted in a container.
+      references:
+        - type: ATTCK
+          id: T1613
+          label: Container and Resource Discovery
     - label: VOLUME_DISCOVER
       description: Discover volumes mounted in a container.
+      references:
+        - type: ATTCK
+          id: T1613
+          label: Container and Resource Discovery
 
   # Define the properties for each edge in the graph.
   edgeProperties: []