Posted by: David Greenwood, Chief of Signal


In this bonus tutorial post I delve into MITRE’s ATT&CK Sightings initiative.

ATT&CK Sightings provides cybersecurity defenders and researchers with critical insight into real-world, in the wild adversary behaviors mapped to ATT&CK.

The ATT&CK Team believes that we can best equip teams to defend against adversaries by collecting and reporting sightings of techniques to the entire community, so we’re conducting a pilot to solicit that data. You can share to help make the whole community better!

Here is a great introduction to ATT&CK Sightings from John Wunder at MITRE ATT&CKcon 2.0 in 2019:

In their opening Sightings Ecosystem report, MITRE collected over 1 million observed techniques across 800,000 Sightings encompassing 184 unique techniques and sub-techniques (version 9 of ATT&CK) observed from 1 April 2019 to 31 July 2021.

MITRE ATT&CK Sightings top techniques

15 techniques accounted for 90 percent of the technique observations in the dataset (I will come onto biases in the data a little later in this post).

How to report Sightings

ATT&CK sightings data collection will take three forms, each of which provides a different insight into the usage of techniques.

  1. Direct sighting of a technique (direct-technique-sighting)
  2. Direct sighting of malicious software (direct-software-sighting)
  3. Indirect sightings of malicious software (indirect-software-sighting)

1. Direct sighting of a technique (direct-technique-sighting)

The ATT&CK team is most interested in data from actual sightings of techniques being executed in the course of an attack. In other words, during an event investigation data is collected which shows that one or more ATT&CK techniques were actually used by the adversary on (or targeted at) the victim infrastructure.

Direct sightings of techniques are the most valuable type of sighting because they tell you, at a ground-truth level, that the adversary relied on a specific technique to carry out an attack.

Direct technique sightings are reported using the direct-technique-sighting format:

{
  "id": "DTS-1e73e118-bbec-4801-933f-8a6ee1ae62ab",
  "sightingType": "direct-technique-sighting",
  "startTime": "2019-01-01T08:12:00Z",
  "endTime": "2019-01-01T08:12:00Z",
  "detectionType": "human-validated",
  "sectors": ["finance"],
  "attributionType": "group",
  "attribution": "G0046",
  "techniques": [
    {
      "techniqueID": "T1003.008",
      "startTime": "2019-01-01T08:12:00Z",
      "endTime": "2019-01-01T08:12:00Z",
      "platform": "Windows 10",
      "rawData": [
        {"process.create": {"command_line": "/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db"}}
      ]
    }
  ]
}

Here, a command line event indicated OS Credential Dumping (T1003), specifically the /etc/passwd and /etc/shadow sub-technique (T1003.008).

Each rawData entry should be an object from the MITRE CAR data model in the form "object.action": {"field": "value"}, so that the evidence behind the sighting is expressed in a vocabulary the ATT&CK team can compare across contributors.

This campaign is attributed to FIN7 (G0046).

2. Direct sighting of malicious software (direct-software-sighting)

In some cases, a technique might not be directly observed (or even be observable given sensing capability) but the presence of a piece of malicious software on the machine can give a strong hint that it was used. In other cases, software to carry out a technique might be blocked at the perimeter – in those cases, it indicates that the adversary might have wanted to use a certain technique but wasn’t able to.

Direct software sightings are most useful for software already contained in ATT&CK that directly enables one or more ATT&CK techniques.

Direct software sightings are reported using the direct-software-sighting format:

{
  "id": "DSS-56be682e-dbbd-4c3c-8bcf-09a088eb286a",
  "sightingType": "direct-software-sighting",
  "startTime": "2019-01-01T08:12:00Z",
  "endTime": "2019-01-01T08:12:00Z",
  "detectionType": "raw",
  "sectors": ["healthcare"],
  "software": "S0282",
  "techniques": [
    {
      "techniqueID": "T1123"
    },
    {
      "techniqueID": "T1115"
    }
  ]
}

This indicates a direct sighting of malicious software S0282: MacSpy attempting to execute T1123: Audio Capture and T1115: Clipboard Data – perhaps by an anti-malware tool that blocks execution of MacSpy malware.

3. Indirect sightings of malicious software (indirect-software-sighting)

In other cases, threat intelligence platforms or ISACs might have data feeds that indirectly demonstrate the fact that a piece of software is being used, without directly observing it.

Indirect software sightings are most useful for software already contained in ATT&CK that directly enables one or more ATT&CK techniques. Additionally, indirect sightings should only be reported when there is a reasonable presumption that they haven’t been reported by another party. In other words, don’t write a scraper for some TIP and send sightings for all IOCs in that TIP unless you own or operate the TIP.

Indirect software sightings are reported using the indirect-software-sighting format.

{
  "id": "ISS-e3a76b87-c5c7-4242-a7bd-c7e5293c7905",
  "sightingType": "indirect-software-sighting",
  "startTime": "2019-01-01T08:12:00Z",
  "endTime": "2019-01-01T08:12:00Z",
  "sectors": ["healthcare"],
  "software": "S0652",
  "ioc": "0cc175b9c0f1b6a831c399e269772661",
  "techniques": [
    {
      "techniqueID": "T1197"
    }
  ]
}

Here, a TIP vendor has submitted an IOC (0cc175b9c0f1b6a831c399e269772661) associated with S0652: MarkiRAT, which has been identified as using ATT&CK technique T1197: BITS Jobs.
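To make the three formats concrete, here is an added Python example (my code, not MITRE's or the Signals Corps' own tooling) that builds a direct-technique-sighting from a single CAR-style process.create event and sanity-checks records of all three sighting types before they are submitted. Which keys are mandatory for each sightingType, the DTS-/DSS-/ISS- prefix followed by a UUID, and the one-key "object.action" shape of rawData entries are my assumptions, inferred from the three sample records above rather than from a published schema; the sample event is constructed, and I set its platform to "Linux" because /etc/shadow is a Linux path.

```python
"""Build and sanity-check ATT&CK Sightings records.

Added example, not MITRE or Signals Corps code. The required-key table, the
ID prefix + UUID convention and the CAR rawData shape are ASSUMPTIONS inferred
from the sample records in the post, not from an official schema.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Keys every sighting carries, plus the extra keys (and id prefix) each type adds.
COMMON_KEYS = {"id", "sightingType", "startTime", "endTime", "sectors", "techniques"}
TYPE_KEYS = {
    "direct-technique-sighting": ({"detectionType", "attributionType", "attribution"}, "DTS-"),
    "direct-software-sighting": ({"detectionType", "software"}, "DSS-"),
    "indirect-software-sighting": ({"software", "ioc"}, "ISS-"),
}
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")          # T1003 or T1003.008
CAR_KEY_RE = re.compile(r"^[a-z_]+\.[a-z_]+$")             # CAR "object.action", e.g. process.create
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def _parse_time(value):
    """Accept only the ISO-8601 UTC form used in the samples (2019-01-01T08:12:00Z)."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with trailing Z: {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_sighting(sighting):
    """Return a list of problems; an empty list means the record looks well-formed."""
    problems = []
    stype = sighting.get("sightingType")
    if stype not in TYPE_KEYS:
        return [f"unknown sightingType {stype!r}"]
    extra_keys, prefix = TYPE_KEYS[stype]
    for key in sorted((COMMON_KEYS | extra_keys) - set(sighting)):
        problems.append(f"missing key {key!r} for {stype}")
    sid = sighting.get("id", "")
    if not (sid.startswith(prefix) and UUID_RE.match(sid[len(prefix):])):
        problems.append(f"id should be {prefix}<uuid>, got {sid!r}")
    try:
        if _parse_time(sighting.get("startTime")) > _parse_time(sighting.get("endTime")):
            problems.append("startTime is after endTime")
    except ValueError as exc:
        problems.append(str(exc))
    techniques = sighting.get("techniques") or []
    if not techniques:
        problems.append("techniques must list at least one technique")
    for tech in techniques:
        tid = tech.get("techniqueID", "")
        if not TECHNIQUE_RE.match(tid):
            problems.append(f"bad techniqueID {tid!r}")
        for entry in tech.get("rawData", []):
            # CAR form: exactly one "object.action" key mapping to a dict of fields.
            if not (isinstance(entry, dict) and len(entry) == 1):
                problems.append("rawData entry must be a single-key object")
                continue
            (key, fields), = entry.items()
            if not CAR_KEY_RE.match(key) or not isinstance(fields, dict):
                problems.append(f"rawData key {key!r} is not of the form object.action")
    return problems


def direct_technique_sighting_from_event(event, technique_id, platform, sectors,
                                         attribution_type, attribution,
                                         detection_type="human-validated"):
    """Wrap one process-creation event as a direct-technique-sighting.

    `event` uses a constructed shape (time/exe/command_line), not a real sensor
    schema; the sighting window collapses to the single event time.
    """
    when = event["time"]
    technique = {
        "techniqueID": technique_id,
        "startTime": when,
        "endTime": when,
        "platform": platform,
        "rawData": [{"process.create": {"exe": event["exe"],
                                        "command_line": event["command_line"]}}],
    }
    return {
        "id": "DTS-" + str(uuid.uuid4()),
        "sightingType": "direct-technique-sighting",
        "startTime": when,
        "endTime": when,
        "detectionType": detection_type,
        "sectors": list(sectors),
        "attributionType": attribution_type,
        "attribution": attribution,
        "techniques": [technique],
    }


# Constructed sample event, modelled on the post's T1003.008 example.
SAMPLE_EVENT = {
    "time": "2019-01-01T08:12:00Z",
    "exe": "/usr/bin/unshadow",
    "command_line": "/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db",
}

if __name__ == "__main__":
    record = direct_technique_sighting_from_event(
        SAMPLE_EVENT, "T1003.008", "Linux", ["finance"], "group", "G0046")
    print(json.dumps(record, indent=2))
    print("problems:", validate_sighting(record))
```

Running the module prints the generated record and an empty problem list; feeding `validate_sighting` a record with a malformed id, an endTime earlier than startTime, or a missing "ioc" on an indirect sighting returns one message per defect, which is the kind of check worth running before a batch of sightings leaves your environment.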

Contribute

In 2020, MITRE put out a call for EDR vendors, intel reporters, TIP vendors, ISACs, and end user organisations to help the community by providing this data.

It should be pointed out that the ATT&CK Sightings initiative is not an operational threat sharing mechanism, and the team at MITRE does not intend to ever directly share even anonymised raw sightings data.

More details about the ATT&CK Sightings initiative and MITRE contact information to register your interest can be found here.


ATT&CK Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our ATT&CK training.

If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.
