Going below the surface of the ATT&CK matrix.

When speaking to customers about adding ATT&CK, they almost always have the Matrix in their mind.

MITRE ATT&CK Matrix

But there is so much more to ATT&CK below the surface Matrix.

Tactics and Techniques are linked to many other knowledge-base items that can be really useful in understanding an adversary; how techniques are linked to certain tools and what data sources can be used to detect the use of such tools, etc.

This post aims to show you some things about the ATT&CK framework you might have missed.

ATT&CK Matrices

In version 10 there are three ATT&CK matrices, each specific to a different domain (put another way, to the type of network in question):

  • The Enterprise ATT&CK matrix is a superset of the Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network and Containers matrices, and can be filtered by any of these platforms/services.
  • The Mobile ATT&CK matrix covers techniques that involve device access, as well as network-based effects that adversaries can use without device access. It is a superset of the Android and iOS matrices.
  • The ICS ATT&CK matrix is a collection of behaviors that adversaries have exhibited while carrying out attacks against industrial control system networks.

The three matrices share some objects. For example, the Enterprise, Mobile and ICS ATT&CK matrices all contain the Tactic Initial Access (TA0001).

However, only the ICS ATT&CK Matrix has the Tactic Impair Process Control, because that goal is unique to industrial control systems.

Whichever matrix you use, the underlying data is represented in the same way.

ATT&CK Matrices Data

The ATT&CK datasets are natively available in STIX 2.1. Many of the MITRE tools, including the ATT&CK Navigator, are built on top of this STIX data.

You can download the STIX Objects (and entire STIX bundles) from GitHub.

MITRE ATT&CK STIX Object Structure

The STIX 2.1 object types (in parentheses) used by ATT&CK are:

  • Technique (attack-pattern): Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
  • Tactic (x-mitre-tactic): Tactics represent the “why” of an ATT&CK technique or sub-technique. A tactic is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
  • Course of Action (course-of-action): represents an ATT&CK Mitigation. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
  • Intrusion Set (intrusion-set): represents an ATT&CK Group. Groups are sets of related intrusion activity that are tracked by a common name in the security community.
  • Malware (malware): represents ATT&CK Software that is malicious. Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behaviour modelled in ATT&CK.
  • Tool (tool): represents ATT&CK Software that is benign.
  • Data Source (x-mitre-data-source): Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
  • Data Component (x-mitre-data-component): Data components are the parts of a Data Source. They identify the specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Remote Services is one of the Data Components linked to it.
  • Relationship (relationship): used to describe the relationship between two STIX objects.
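To show how these object types hang together, here is an added example (not MITRE's code or data) that walks a constructed, ATT&CK-shaped STIX 2.1 bundle and resolves the tactic, mitigations, group and data components linked to one technique. The UUIDs and external IDs in the bundle are placeholders; the field names (kill_chain_phases, x_mitre_shortname, external_references, x_mitre_data_source_ref, relationship_type, revoked, x_mitre_deprecated) are the ones the ATT&CK STIX data uses.

```python
"""Walk an ATT&CK-style STIX 2.1 bundle and resolve what hangs off one technique. Added example; the bundle is constructed, not MITRE's data (UUIDs and external IDs are placeholders)."""
from collections import defaultdict

BUNDLE = {"type": "bundle", "id": "bundle--0", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--a1", "name": "Credential Access", "x_mitre_shortname": "credential-access"},
    {"type": "attack-pattern", "id": "attack-pattern--b1", "name": "Dump Credentials",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "course-of-action", "id": "course-of-action--c1", "name": "Old Mitigation", "revoked": True},
    {"type": "course-of-action", "id": "course-of-action--c2", "name": "Privileged Account Management"},
    {"type": "intrusion-set", "id": "intrusion-set--d1", "name": "Example Group"},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--e1", "name": "Process"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--f1", "name": "OS API Execution", "x_mitre_data_source_ref": "x-mitre-data-source--e1"},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c1", "target_ref": "attack-pattern--b1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c2", "target_ref": "attack-pattern--b1"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "intrusion-set--d1", "target_ref": "attack-pattern--b1"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--f1", "target_ref": "attack-pattern--b1"},
]}

def live_objects(bundle):
    """Index id -> object, dropping anything a newer ATT&CK version has revoked or deprecated."""
    return {o["id"]: o for o in bundle["objects"] if not o.get("revoked") and not o.get("x_mitre_deprecated")}

def attack_id(obj):
    """The ATT&CK external ID (T1003, M1027, ...) lives in external_references, not in the STIX id."""
    return next((r["external_id"] for r in obj.get("external_references", []) if r.get("source_name") == "mitre-attack"), None)

def describe_technique(bundle, ext_id):
    """Collect the tactics, mitigations, groups and data components linked to one technique."""
    objs = live_objects(bundle)
    tech = next(o for o in objs.values() if o["type"] == "attack-pattern" and attack_id(o) == ext_id)
    # Tactics are linked through kill_chain_phases -> x_mitre_shortname, not through relationship objects.
    phases = {p["phase_name"] for p in tech.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"}
    out = defaultdict(list)
    out["tactics"] = sorted(o["name"] for o in objs.values() if o["type"] == "x-mitre-tactic" and o["x_mitre_shortname"] in phases)
    # Everything else is a relationship SRO: relationship_type names the edge, source_ref the linked object.
    for rel in (o for o in objs.values() if o["type"] == "relationship" and o["target_ref"] == tech["id"]):
        src = objs.get(rel["source_ref"])
        if src is None:  # the source was revoked/deprecated (or is absent), so the edge is dropped with it
            continue
        label = src["name"]
        if src["type"] == "x-mitre-data-component":  # present as "Data Source: Data Component"
            label = objs[src["x_mitre_data_source_ref"]]["name"] + ": " + label
        out[rel["relationship_type"]].append(label)
    return {k: sorted(v) for k, v in out.items()}
```

Note that the revoked mitigation and its relationship never reach the output, which is why the versioning caveat later in this post matters when you join ATT&CK data to your own.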

Don’t use STIX?

MITRE ATT&CK Excel

MITRE have also built Excel spreadsheets representing the ATT&CK datasets. These spreadsheets are built from the STIX datasets to provide a more human-accessible view into the knowledge base whilst also supporting rudimentary querying/filtering capabilities.

The source code for the STIX to Excel converter can be found in the mitreattack-python pip module.

ATT&CK versioning

MITRE releases updates to the ATT&CK framework about 3 times a year.

Version 1 was officially released in January 2018, but earlier versions had existed for about a year before that.

As mentioned earlier, ATT&CK is currently on version 10 of the framework (released in October 2021).

Each new version brings new content but also revokes some, so it is useful to know which version you are currently using.

Putting the framework to action

The MITRE ATT&CK framework can be used to enhance both defensive and offensive activities.

A popular tool for both red and blue teams is the ATT&CK Navigator.

The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base.

MITRE ATT&CK Navigator

Layers can be used to visualise defensive coverage (which techniques are we already defending against?), red/blue team planning (which techniques can we attempt to exploit, and how?), the frequency of detected techniques (based on our intelligence, triggered rules and so on, which techniques are we seeing most often?), attack modelling (how was this campaign executed from start to finish?) and much more.
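As an added example of the "frequency of detected techniques" view (not Navigator's own code), this builds a Navigator layer from a few constructed detection log lines, scoring each technique by how many times it fired. The alert lines are constructed, and the layer field names and version numbers follow the Navigator layer format as assumed here; check them against the layer spec in the Navigator repository before relying on them.

```python
"""Build an ATT&CK Navigator layer that scores techniques by detection frequency.
Added example; the alert lines are constructed and the layer field names are assumed from the Navigator layer format."""
import json
import re
from collections import Counter

# Constructed sample: one detection per line, tagged with the ATT&CK technique it maps to.
ALERTS = """\
2021-10-21T08:02:11Z rule=suspicious-lsass-access technique=T1003.001 host=ws-17
2021-10-21T08:05:40Z rule=ps-encoded-command technique=T1059.001 host=ws-17
2021-10-21T09:13:02Z rule=ps-encoded-command technique=T1059.001 host=srv-02
2021-10-21T10:47:55Z rule=new-scheduled-task technique=T1053.005 host=srv-02
2021-10-21T11:01:19Z rule=ps-encoded-command technique=T1059.001 host=ws-03
2021-10-21T11:30:00Z rule=untagged-heuristic host=ws-03
"""
# Matches a technique or sub-technique ID such as T1059 or T1059.001; untagged lines are ignored.
TECHNIQUE_RE = re.compile(r"\btechnique=(T\d{4}(?:\.\d{3})?)\b")

def technique_counts(log_text):
    """Count detections per technique ID across all log lines."""
    return Counter(TECHNIQUE_RE.findall(log_text))

def build_layer(counts, name, attack_version="10"):
    """Turn the counts into a layer dict: score = number of detections, shaded on a gradient."""
    techniques = [{"techniqueID": tid, "score": n, "comment": f"{n} detection(s)"}
                  for tid, n in sorted(counts.items())]
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Version pins are assumed for ATT&CK v10-era Navigator; adjust to the versions you run.
        "versions": {"attack": attack_version, "navigator": "4.5", "layer": "4.3"},
        "description": "Techniques seen in detections, scored by frequency",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=0)},
    }

if __name__ == "__main__":
    # Write the JSON to a file and open it with Navigator's "Open Existing Layer" option.
    print(json.dumps(build_layer(technique_counts(ALERTS), "Detected techniques, Oct 2021"), indent=2))
```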

Here’s a nice overview of the ATT&CK Navigator presented by MITRE:

The code for the ATT&CK Navigator can be found on GitHub.

Another tool worth pointing out is the ATT&CK Workbench.

MITRE ATT&CK Workbench

The ATT&CK framework is a remote knowledge source that MITRE manages and updates periodically through new versions.

However, teams will often want to integrate their organisation’s local knowledge of adversaries and their TTPs with the public ATT&CK knowledge base, for example to include tools that ATT&CK does not already capture.

The ATT&CK Workbench is an easy way for teams to manage and extend their own local version of ATT&CK and keep it in sync with MITRE’s own knowledge base.

The code for the ATT&CK Workbench can be found on GitHub.
