The growing complexity of industrial systems significantly increases the surface of possible cyber attacks, and therefore requires reliable methods for assessing the security of infrastructure. Modern methods of security assessment rely on working with a large amount of data, the presentation of which is often not standardized. One of these sources is the MITRE ATT&CK knowledge base, which contains information about attacking techniques in a format that allows you to interact with it programmatically. This work is aimed at solving the problem of normalizing the fields of external sources describing the attacking technique in order to increase the efficiency of working with the repository described above. The method proposed in this paper is based on the possibility of the specification of the STIX language used to describe the data presented in MITRE ATT&CK to expand and use open dictionaries. The development of the proposed method was based on data on the attacking techniques of the Enterprise matrix, as the most complete among all domains of the ATT&CK knowledge base, however, the proposed method is independent and does not depend on a specific domain.

Keywords: threat analysis, knowledge base, information security, MITRE ATT&CK, standardization