In my first post of this series, I will cover how to model an intelligence report in the ATT&CK Navigator.
The MITRE ATT&CK Navigator is a web-based tool for annotating and exploring the MITRE ATT&CK framework.
The MITRE ATT&CK Navigator is a very useful tool for both offensive and defensive activities, as I’ll show over the coming weeks.
The ATT&CK Navigator code is open source and available on GitHub.
To make it easy to get started, there is a public instance running here that you can use.
In this post I will show you how to model an intelligence report using the ATT&CK Navigator.
Modelling an intelligence report
For this walk-through I will use this post from the brilliant Unit 42: Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor.
The Unit 42 team have made it easy for us by detailing the ATT&CK Techniques and Sub-Techniques at the bottom of the post. For reference, they are:
- T1568: Dynamic Resolution
- T1071: Application Layer Protocol
- T1218: System Binary Proxy Execution
- T1090: Proxy
- T1046: Network Service Discovery
- T1021: Remote Services
- T1016: System Network Configuration Discovery
- T1087: Account Discovery
- T1003: OS Credential Dumping
Now it is easy for us to represent this as a layer in the ATT&CK Navigator.
First, create a new layer choosing the appropriate ATT&CK Matrix. In this case that’s Enterprise version 11 (because the report does not mention attacks on mobile or ICS infrastructure).
When on the matrix view, click the layer controls > layer information button and give the layer some contextual information including a title, description, and link back to the blog post (this is useful to others viewing your layer in the future, providing more background about it).
Now we can start adding the Techniques to the layer. You can do this by finding the Technique in the matrix, right-clicking, and selecting Add to Selection. However, there’s a much easier way: select selection controls > search & multiselect.
Now you can search and select from the results (under Techniques) to find the appropriate Techniques.
Once you’ve selected all the Techniques, you can make them more visible on the Matrix by selecting technique controls > fill bucket. In the screenshot above, I have coloured the selected Techniques green.
It is now possible to export your layer as a .json doc by selecting layer controls > download layer as .json.
You can import it to your ATT&CK Navigator by reloading the web app or selecting a new tab in the top bar, selecting Open Existing Layer, and uploading the .json layer file.
Comparing intelligence reports
In many cases, you might want to compare Techniques between reports, for example to identify similarities between new Groups and those that are already widely known.
For this I will compare the Popping Eagle layer with a new layer covering APT 39 Techniques.
Luckily for us, ATT&CK contains information about widely known Groups as Software (STIX 2.1 malware Domain Objects).
As such, all that’s needed is to create a layer, search (selection controls > search & multiselect) for the APT 39 Threat Group, select APT 39, and colour fill the selections in the same way as before.
Before combining the layers, we need to first assign each layer a score.
A score is a numeric value assigned to a Technique. The meaning or interpretation of scores is completely up to the user; the Navigator simply visualizes the matrix based on any scores you have assigned.
Our use-case for scoring is simple. We will assign a score of 1 to the Popping Eagle layer and a score of 2 for the APT 39 layer. The actual value of the score is irrelevant as long as they are different and within the supported range of
Once you’ve assigned a score to each layer, you can create a layer from other layers. Looking at the top tabs in the screenshot above you can see Popping Eagle has been assigned a and APT 39 b. Therefore the score expression needed is a + b. Now click create.
I’ve added a legend in the bottom right of my newly created layer, Popping Eagle vs APT 39.
Yellow shows Techniques unique to APT 39, red shows Techniques unique to Popping Eagle, and green shows Techniques used by both.
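The layer-building and a + b combination steps above, reproduced in code as an added example (not part of the original post or the Navigator project). It writes the Popping Eagle Techniques listed earlier into a Navigator-style layer JSON and merges it with a second layer using the same summed-score logic; the second Technique list is a constructed placeholder, not the real APT 39 set, and the layer/Navigator version strings are assumptions.

```python
import json

# Technique IDs from the Popping Eagle report, as listed on this page.
POPPING_EAGLE = ["T1568", "T1071", "T1218", "T1090", "T1046",
                 "T1021", "T1016", "T1087", "T1003"]
# Constructed placeholder standing in for a second group's techniques
# (NOT the real APT 39 technique set; this page does not list it).
OTHER_GROUP = ["T1071", "T1021", "T1003", "T1059", "T1566"]


def make_layer(name, technique_ids, score, description=""):
    """Build a Navigator layer dict with the same score on every technique.
    The version strings are assumptions; adjust to match your Navigator."""
    return {
        "name": name,
        "versions": {"attack": "11", "navigator": "4.6.4", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [{"techniqueID": t, "score": score, "enabled": True,
                        "color": "", "comment": ""} for t in technique_ids],
    }


def combine_layers(a, b, name):
    """Mimic 'create layer from other layers' with score expression a + b.
    With scores 1 and 2, the sum tells you: 1 = only a, 2 = only b, 3 = both."""
    scores = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            scores[t["techniqueID"]] = scores.get(t["techniqueID"], 0) + t["score"]
    colors = {1: "#ff0000", 2: "#ffff00", 3: "#00ff00"}  # red / yellow / green
    combined = make_layer(name, [], 0)
    combined["techniques"] = [{"techniqueID": tid, "score": s, "enabled": True,
                               "color": colors[s], "comment": ""}
                              for tid, s in sorted(scores.items())]
    combined["legendItems"] = [
        {"label": f"Unique to {a['name']}", "color": colors[1]},
        {"label": f"Unique to {b['name']}", "color": colors[2]},
        {"label": "Used by both", "color": colors[3]},
    ]
    return combined


def shared_techniques(combined):
    """Technique IDs present in both source layers (summed score of 3)."""
    return [t["techniqueID"] for t in combined["techniques"] if t["score"] == 3]


if __name__ == "__main__":
    pe = make_layer("Popping Eagle", POPPING_EAGLE, 1, "Unit 42 report")
    og = make_layer("Other group", OTHER_GROUP, 2)
    merged = combine_layers(pe, og, "Popping Eagle vs other group")
    with open("combined_layer.json", "w") as fh:   # import via Open Existing Layer
        json.dump(merged, fh, indent=2)
    print(shared_techniques(merged))
```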
There are many other uses for comparing layers, including:
- tracking the evolution of an actor over time as new Techniques are discovered or the actor changes their approach
- comparing known intelligence collected on the same campaign from different sources so that you have the most comprehensive information available in one place
- identifying gaps between Techniques that you have intelligence about and Techniques you are detecting in your SIEM (or whatever) to identify blind spots in your defenses, which brings me on to next week’s post…
Getting defensive with ATT&CK Navigator
This post has covered the basics of the ATT&CK Navigator. However, ATT&CK has a wealth of information beyond Techniques that can be used for putting intelligence to work in detection activities.
More on how to use the ATT&CK Navigator for that in part 2…