If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on signalscorps.com for the full interactive viewing experience.
In this post I will show you how to track ATT&CK Tactics and Techniques against intelligence reports using the ATT&CK Navigator.
Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24) and Navigator v3.6.3 (released on 2022-05-13). Some of the concepts discussed are not correct for different versions.
The MITRE ATT&CK Navigator is a web-based tool for annotating and exploring the MITRE ATT&CK framework. It is very useful for both offensive and defensive activities.
Here is a nice overview of the ATT&CK Navigator presented by MITRE:
In this post I will show you how to model an intelligence report using the ATT&CK Navigator.
Install and run
To make it easy to get started, there is a public instance running here that you can use.
If you are ready to start saving content (which avoids having to export it each time), it is worthwhile taking the time to install the ATT&CK Navigator on your own machine.
1. Download the required repositories
The ATT&CK Navigator code is open source and available on GitHub.
git clone https://github.com/mitre-attack/attack-navigator
cd attack-navigator/nav-app
npm install
2. Build and run
Now open up a browser and navigate to
Modelling an intelligence report
For this first walkthrough I will use this post from the brilliant UNIT-42, Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor, to model the information against ATT&CK Tactics and Techniques.
The Unit 42 team have made it easy for us by detailing the ATT&CK Techniques and Sub-Techniques at the bottom of the post.
For reference, they are:
- T1568: Dynamic Resolution
- T1071: Application Layer Protocol
- T1218: System Binary Proxy Execution
- T1090: Proxy
- T1046: Network Service Discovery
- T1021: Remote Services
- T1016: System Network Configuration Discovery
- T1087: Account Discovery
- T1003: OS Credential Dumping
I will use a layer in ATT&CK Navigator to represent this report.
To do this I first create a new layer, choosing the appropriate ATT&CK Matrix. In this case that is Enterprise version 11 (because the report does not mention mobile or ICS infrastructure).
When on the Matrix view, shown above, click the layer controls > layer information button and give the layer some contextual information, including a title, description, and link back to the blog post (this is very useful to others viewing your layer in the future).
Now I can start adding the Techniques to the layer. This can be done in two ways. The first is to find the Technique in the matrix, right click it, and select Add to Selection.
However, there is a much easier way: selection controls > search & multiselect.
Now it is possible to search and select from the results (under Techniques) to find the Techniques needed.
Once all the Techniques have been selected, you can make them more visible on the Matrix by selecting technique controls > fill bucket. In the screenshot above, I have coloured the selected Techniques green.
It is now possible to export your layer as a .json doc by selecting layer controls > download layer as .json. The .json can then be shared and imported to other instances of the ATT&CK Navigator (or other products that support the structure of the exported
Comparing intelligence reports
In many cases, you will want to compare Techniques between reports, for example to identify similarities between new campaigns and those that are more widely known.
For this I will compare the Popping Eagle layer with APT 39.
As you know from the previous posts, ATT&CK contains information about widely known Groups and Software (STIX 2.1 intrusion-set and malware Domain Objects respectively).
Therefore all that is needed is to create a new layer, click selection controls > search & multiselect, and search for APT 39 under “Threat Groups”. Clicking select will select all Techniques related to APT 39, which can then be coloured in the same way as before.
Now I have two layers. Before being able to compare the layers, I first need to assign each layer a score.
A score is a numeric value assigned to a Technique. The meaning or interpretation of scores is completely up to the user; the Navigator simply visualizes the matrix based on any scores you have assigned.
As you can see, there are a few ways scoring can be used. For this use-case I will assign a score of 1 to the Popping Eagle layer and a score of 2 to the APT 39 layer. The actual value of the score is irrelevant as long as they are different and within the supported range of
Now that I have assigned a score to each layer, I can create a new layer from the two layers.
Looking at the top tabs in the screenshot above, you can see Popping Eagle has been assigned ID a and APT 39 ID b. Therefore the score expression needed is a + b. Now click create.
I have added a legend in the bottom right of my newly created layer, Popping Eagle vs APT 39:
- Yellow shows Techniques unique to APT 39,
- Red shows Techniques unique to Popping Eagle,
- and Green shows Techniques used by both.
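The two steps above (building a scored layer per report, then creating a new layer with the expression a + b) can be reproduced outside the browser. This is an added example, not code from the post or from the Navigator project: it writes a minimal layer in the Navigator .json layer format as I understand it (only a subset of fields), uses the Popping Eagle Technique IDs from the post, and uses a constructed stand-in list for APT 39 rather than the real Group's techniques.

```python
import json

# Technique IDs from the Unit 42 Popping Eagle report (listed in the post).
POPPING_EAGLE = ["T1568", "T1071", "T1218", "T1090", "T1046",
                 "T1021", "T1016", "T1087", "T1003"]
# Constructed stand-in for the APT 39 layer. In practice this list comes from
# Navigator's search & multiselect; it is NOT APT 39's real technique set.
APT39_SAMPLE = ["T1071", "T1003", "T1021", "T1059", "T1105"]

# Sum of the two scores decides the colour, mirroring the post's legend.
LEGEND = {1: ("Popping Eagle only", "#ff0000"),   # red
          2: ("APT 39 only", "#ffff00"),          # yellow
          3: ("Used by both", "#00ff00")}         # green


def make_layer(name, technique_ids, score, description=""):
    """Minimal Enterprise v11 layer: every listed technique gets one score."""
    return {
        "name": name,
        "versions": {"attack": "11", "layer": "4.3"},  # assumed layer format
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [{"techniqueID": t, "score": score, "enabled": True}
                       for t in technique_ids],
    }


def combine(layer_a, layer_b, name):
    """Reproduce 'create layer from other layers' with expression a + b."""
    scores = {}
    for layer in (layer_a, layer_b):
        for t in layer["techniques"]:
            tid = t["techniqueID"]
            scores[tid] = scores.get(tid, 0) + t["score"]
    techniques = []
    for tid, score in sorted(scores.items()):
        label, colour = LEGEND[score]
        techniques.append({"techniqueID": tid, "score": score,
                           "color": colour, "comment": label, "enabled": True})
    return {"name": name, "versions": {"attack": "11", "layer": "4.3"},
            "domain": "enterprise-attack", "techniques": techniques,
            "legendItems": [{"label": l, "color": c} for l, c in LEGEND.values()]}


def bucket(combined):
    """Group technique IDs by legend label so the comparison can be checked."""
    out = {label: [] for label, _ in LEGEND.values()}
    for t in combined["techniques"]:
        out[t["comment"]].append(t["techniqueID"])
    return out


if __name__ == "__main__":
    a = make_layer("Popping Eagle", POPPING_EAGLE, 1, "Unit 42 report, score 1")
    b = make_layer("APT 39", APT39_SAMPLE, 2, "constructed sample, score 2")
    merged = combine(a, b, "Popping Eagle vs APT 39")
    print(json.dumps(merged, indent=2))      # save and import as a layer
    print(json.dumps(bucket(merged), indent=2))
```

Swap APT39_SAMPLE for the list exported from your real APT 39 layer and the buckets show the same unique/shared split the Navigator colours do.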
There are many other uses for comparing layers, including:
- tracking the evolution of an actor over time as new Techniques are discovered or the actor changes their approach
- comparing known intelligence collected on the same campaign from different sources so that you can have the most comprehensive information available in one place
- identifying gaps between Techniques that you have intelligence about and Techniques you are detecting for in your SIEM (or whatever) to identify blindspots in your defenses, which brings me on to next week's post…
Getting defensive with ATT&CK Navigator
This post has covered the basics of the ATT&CK Navigator. However, as you now know, ATT&CK has a wealth of information beyond Techniques that can be used for putting intelligence to work in detection activities.
More on how to use the ATT&CK Navigator for that in the next post.