In my first post of this series, I will cover how to model an intelligence report in the ATT&CK Navigator.

The basics

The MITRE ATT&CK Navigator is a web-based tool for annotating and exploring the MITRE ATT&CK framework.

The MITRE ATT&CK Navigator is a very useful tool for both offensive and defensive activities, as I’ll show over the coming weeks.

The ATT&CK Navigator code is open source and available on GitHub.

To make it easy to get started, there is a public instance running here that you can use.

The documentation that ships with Navigator is very good, detailing its many features.

In this post I will show you how to model an intelligence report using the ATT&CK Navigator.

Modelling an intelligence report

For this walk-through I will use this post from the brilliant Unit 42: Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor.

The Unit 42 team have made it easy for us by detailing the ATT&CK Techniques and Sub-Techniques at the bottom of the post. For reference, they are:

Now it is easy for us to represent this as a layer in the ATT&CK Navigator.

First, create a new layer, choosing the appropriate ATT&CK Matrix. In this case that's Enterprise version 11, because the report describes neither Mobile nor ICS activity.

MITRE ATT&CK Navigator Layer Information

When on the matrix view, click layer controls > layer information and give the layer some context: a title, a description, and a link back to the blog post. This is useful to anyone viewing your layer in the future, because the layer file itself does not record where the Techniques came from.

Now we can start adding the Techniques to the layer. You can do this by finding the Technique in the matrix, right click, and select Add to Selection. However, there’s a much easier way…

MITRE ATT&CK Navigator search and multiselect

Instead, select: selection controls > search & multiselect.

Now you can search by Technique name or ID and pick the appropriate Techniques from the results (listed under Techniques).

MITRE ATT&CK Navigator technique controls fill

Once you've selected all the Techniques, you can make them stand out on the Matrix by selecting: technique controls > fill bucket. In the screenshot above, I have coloured the selected Techniques green.

MITRE ATT&CK Navigator export layer

It is now possible to export your layer as a .json file by selecting: layer controls > download layer as .json.

Here is the layer .json I exported for the Popping Eagle post.

MITRE ATT&CK Navigator import layer

You can import it into any ATT&CK Navigator instance by opening a new tab in the top bar (or reloading the web app), choosing Open Existing Layer, and uploading the .json layer file.

Comparing intelligence reports

In many cases you will want to compare Techniques between reports, for example to identify similarities between a newly reported Group and those that are already widely known.

For this I will compare the Popping Eagle layer with a new layer covering APT 39 Techniques.

Luckily for us, ATT&CK already contains information about widely known Groups (STIX 2.1 intrusion-set Domain Objects) and the Software they use (malware and tool Domain Objects), together with relationships to the Techniques they have been observed using.

MITRE ATT&CK Navigator APT 39 Layer

As such, all that's needed is to create a layer, search (selection controls > search & multiselect) for APT 39, select it under Threat Groups in the results (which selects every Technique ATT&CK attributes to the group), and colour fill the selection in the same way as before.

Here is the layer .json I created for APT 39.

Before combining the layers, we need to first assign each layer a score.

A score is a numeric value assigned to a Technique. The meaning or interpretation of scores is completely up to the user; the Navigator simply colours the matrix based on whatever scores you have assigned.

Our use-case for scoring is simple: every Technique in the Popping Eagle layer gets a score of 1, and every Technique in the APT 39 layer gets a score of 2 (select the Techniques, then technique controls > scoring). The actual values are irrelevant as long as the three possible sums are distinct, which 1 and 2 guarantee: a Technique only in Popping Eagle sums to 1, only in APT 39 to 2, and in both to 3.

MITRE ATT&CK Navigator Create Layers from Layers

Once you've assigned a score to each layer, you can create a layer from other layers (layer controls > create layer from other layers). Looking at the top tabs in the screenshot above, you can see Popping Eagle has been assigned the variable a and APT 39 the variable b. Therefore the score expression needed is a + b. Now click create.

MITRE ATT&CK Navigator Popping Eagle vs APT 39

I’ve added a legend in the bottom right of my newly created layer; Popping Eagle vs APT 39.

Yellow shows Techniques unique to APT 39 (score 2), red shows Techniques unique to Popping Eagle (score 1), and green shows Techniques used by both (score 3).

Here is the layer .json I exported for the layer Popping Eagle vs APT 39.
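The export, import and a + b steps above can also be done without the web app, which is handy when you want to diff many reports or script the comparison. The Python below is an added example, not code from the original post or from MITRE: it builds two layers from lists of technique IDs, serialises them as layer .json, combines them with the same a + b expression (and, as a generalisation, any other expression such as a - b for an intelligence-versus-detection gap), and paints the result with the post's red/yellow/green legend. The technique IDs, link, colours and `versions` fields are constructed placeholders, not the reports' real technique lists, and the rule that a Technique missing from one layer contributes 0 to the expression is an assumption to verify against your Navigator instance.

```python
"""Build, round-trip and combine ATT&CK Navigator layer JSON offline.

Added example: not code from the original post or from MITRE. Technique IDs
below are illustrative placeholders, not the Popping Eagle or APT 39 lists.
"""
import json
from typing import Callable, Dict, Iterable, Optional, Set

# Version fields for the Navigator 4.6.x / ATT&CK v11 era; an assumption, so
# match them to the Navigator instance you import the layer into.
VERSIONS = {"attack": "11", "navigator": "4.6.4", "layer": "4.3"}

# The post's legend: red = first layer only, yellow = second only, green = both.
LEGEND = {"a_only": "#ff6666", "b_only": "#ffe766", "both": "#8ec843"}


def build_layer(name: str, description: str, technique_ids: Iterable[str],
                score: int, link: Optional[str] = None,
                color: Optional[str] = None) -> dict:
    """Return a layer dict: every listed Technique scored, optionally colour-filled."""
    techniques = []
    for tid in sorted(set(technique_ids)):
        entry = {"techniqueID": tid, "score": score, "enabled": True}
        if color:
            entry["color"] = color  # same effect as technique controls > fill bucket
        techniques.append(entry)
    layer = {"name": name, "versions": dict(VERSIONS), "domain": "enterprise-attack",
             "description": description, "techniques": techniques,
             "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 100}}
    if link:  # link back to the source report (layer-format 'links' field, assumed)
        layer["links"] = [{"label": "source report", "url": link}]
    return layer


def scores(layer: dict) -> Dict[str, float]:
    """techniqueID -> score for every enabled, scored Technique in a layer."""
    return {t["techniqueID"]: t["score"] for t in layer["techniques"]
            if t.get("enabled", True) and "score" in t}


def combine_layers(name: str, layers: Dict[str, dict],
                   expr: Callable[..., float] = lambda *s: sum(s)) -> dict:
    """Emulate layer controls > create layer from other layers.

    `layers` maps a variable (a, b, ...) to a layer, like the Navigator tab bar;
    `expr` receives the per-layer scores in variable order (default a + b).
    Assumption: a Technique absent from a layer contributes a score of 0.
    """
    per_var = {v: scores(layer) for v, layer in layers.items()}
    order = sorted(per_var)
    all_ids = set().union(*(set(s) for s in per_var.values()))
    techniques = [{"techniqueID": tid, "enabled": True,
                   "score": expr(*(per_var[v].get(tid, 0) for v in order))}
                  for tid in sorted(all_ids)]
    return {"name": name, "versions": dict(VERSIONS), "domain": "enterprise-attack",
            "description": "created from " + ", ".join(l["name"] for l in layers.values()),
            "techniques": techniques}


def diff_layers(layer_a: dict, layer_b: dict) -> Dict[str, Set[str]]:
    """Partition Techniques into a-only, b-only and shared (the post's legend)."""
    a, b = set(scores(layer_a)), set(scores(layer_b))
    return {"a_only": a - b, "b_only": b - a, "both": a & b}


def paint_legend(combined: dict, diff: Dict[str, Set[str]]) -> dict:
    """Colour each Technique by legend bucket and record the legend on the layer."""
    bucket = {tid: key for key, ids in diff.items() for tid in ids}
    for t in combined["techniques"]:
        t["color"] = LEGEND[bucket[t["techniqueID"]]]
    combined["legendItems"] = [{"label": k, "color": c} for k, c in LEGEND.items()]
    return combined


def export_layer(layer: dict) -> str:
    """Serialise as layer controls > download layer as .json would."""
    return json.dumps(layer, indent=2)


def import_layer(text: str) -> dict:
    """Parse a layer file and check the fields Open Existing Layer relies on."""
    layer = json.loads(text)
    for key in ("name", "versions", "domain", "techniques"):
        if key not in layer:
            raise ValueError(f"layer is missing required field {key!r}")
    return layer


if __name__ == "__main__":
    # Constructed technique lists for the demo, not the reports' real lists.
    pe = build_layer("Popping Eagle", "Unit 42 report", ["T1059.001", "T1105", "T1071.001"],
                     score=1, link="https://unit42.paloaltonetworks.com/", color="#8ec843")
    apt39 = build_layer("APT 39", "ATT&CK Threat Group", ["T1105", "T1071.001", "T1003"], score=2)
    merged = combine_layers("Popping Eagle vs APT 39", {"a": pe, "b": apt39})
    painted = paint_legend(merged, diff_layers(pe, apt39))
    print(export_layer(import_layer(export_layer(painted))))
```

Run it as a script to print a layer file you can load with Open Existing Layer. Passing a different `expr`, for example `lambda a, b: a - b` with a as your intelligence layer and b as your detection-coverage layer, leaves positive scores only on Techniques you know about but do not detect.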

There are many other uses for comparing layers, including:

  • tracking the evolution of an actor over time as new Techniques are discovered or the actor changes their approach
  • combining intelligence collected on the same campaign from different sources, so that the most comprehensive picture is available in one place
  • identifying gaps between Techniques that you have intelligence about and Techniques you are detecting in your SIEM (or other detection tooling), to find blind spots in your defences, which brings me on to next week's post…

Getting defensive with ATT&CK Navigator

This post has covered the basics of the ATT&CK Navigator. However, ATT&CK has a wealth of information beyond Techniques that can be used for putting intelligence to work in detection activities.

More on how to use the ATT&CK Navigator for that in part 2…
