If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on signalscorps.com for the full interactive viewing experience.
In this post I take a look at how the framework is structured on STIX 2.1 Objects.
Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24). Some of the concepts discussed are not correct for other versions of ATT&CK.
When speaking to those working in the world of cyber threat intelligence about MITRE ATT&CK they almost always have the ATT&CK Matrices, and more specifically the Enterprise ATT&CK Matrix, in their mind.
Though there is so much more to ATT&CK below the surface of the Tactics and Techniques shown on the Matrices that are often overlooked.
Tactics and Techniques are linked to other knowledgebase items that can be really useful in modelling an adversary. For example, how techniques are linked to certain tools and what data sources in your network can be used to detect the use of such tools, etc.
This version of ATT&CK for Enterprise contains 14 Tactics, 191 Techniques, 386 Sub-techniques, 134 Groups, and 680 Pieces of Software.
This tutorial over the coming months will show you many things about MITRE ATT&CK that you might have missed.
ATT&CK Domains
In version 11 there are three types of the ATT&CK Domains.
ATT&CK Domains cover specific network types:
- The Enterprise ATT&CK Domain is a superset of the Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, Containers matrices. The Enterprise ATT&CK Domain Objects can be filtered by these products/services.
- The Mobile ATT&CK Domain covers techniques involving device access and network-based effects that can be used by adversaries without physical device access. The Mobile ATT&CK Domain is a superset of the Android and iOS platforms.
- The ICS ATT&CK Domain is a collection of behaviors that adversaries have exhibited while carrying out attacks against industrial control system networks.
Be careful not to confuse Domains and Matrices.
Matrices capture information specific to the Domain. For example, the title and description.
Each Domain has its own unique Objects, and also some shared Objects, hence the distinction between Matrices and Domains. For example, Enterprise, Mobile and ICS ATT&CK Domains are referenced inside the Tactic: Initial Access (TA0001).
However, only the ICS ATT&CK Domain has a reference to the Tactic: Impair Process Control, because it is unique to industrial control systems.
Whatever the Domain, the underlying data is represented in the same way using STIX 2.1 Objects.
ATT&CK versioning
MITRE releases major updates to the ATT&CK framework about 2 times a year.
Version 1 was officially released in January 2018, but early versioned existed for a year previously.
As mentioned earlier, ATT&CK is currently on version 11 (released in April 2022).
Each new framework brings new content, updated content, and also revokes some content. You can see some of the changes from v10 to v11 in the screenshot above.
The point being, it is important to be aware of what version of ATT&CK you are currently using.
ATT&CK and STIX 2.1
Natively, ATT&CK Objects are modelled on STIX 2.1 Objects.
You can download the STIX 2.1 Objects (and entire STIX Bundles) on MITRE’s CTI GitHub repo;
The STIX 2.1 Objects used by ATT&CK are:
- Technique (
attack-patternwith Custom Property"x_mitre_is_subtechnique": false)): Techniques represent ‘how’ an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.- Tracked using ID in format: TNNNN (e.g. T110 - Brute Force)
- Sub-Technique (
attack-patternwith Custom Property"x_mitre_is_subtechnique": true): Sub-Techniques are a more detailed definition of the Technique.- Tracked using ID in format: TNNNN.NNN (e.g. T110.001 - Brute Force: Password Guessing)
- Tactic (
x-mitre-tactic--): Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.- Tracked using ID in format: TANNNN (e.g. TA0002 - Execution)
- Course of Action (
course-of-action): represent ATT&CK Mitigations. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.- Tracked using ID in format: MNNNN (e.g. M1049 - Antivirus/Antimalware)
- Intrusion Set (
intrusion-set): represent ATT&CK Groups. Groups are sets of related intrusion activity that are tracked by a common name in the security community.- Tracked using ID in format: GNNNN (e.g. G0016 - APT29)
- Malware (
malware): represents ATT&CK Software (that is malicious). Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behaviour modelled in ATT&CK- Tracked using ID in format: SNNNN (e.g. S0331 - Agent Tesla)
- Tool (
tool): represents ATT&CK Software (that is benign).- Tracked using ID in format: SNNNN (e.g. S0104 - netstat)
- Data Sources (
x-mitre-data-source): Data sources represent the various subjects/topics of information that can be collected by sensors/logs.- Tracked using ID in format: DSNNNN (e.g. DS0029 - Network Traffic)
- Data Component (
x-mitre-data-component): Data components are children of Data Sources. Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Remote Services is one of the Data Components linked to it.
- Relationships (
relationship): used to describe the relationship between STIX objects.
There is also one other type of Object that is used to describe and encapsulate the STIX 2.1 Objects in the STIX Bundle.
- Matrix (
x-mitre-matrix): Captures specific information about the Matrix for the Domain being covered.
ATT&CK STIX 2.1 Objects
Here is a STIX 2.1 attack-pattern Object used to model the ATT&CK Technique; T1556: Modify Authentication Process;
These fields are used to render the STIX 2.1 Objects in tools that support STIX 2.1 (including all of MITRE’s tools).
Many of the Core Properties for the STIX 2.1 Attack Pattern Object are used, like name and description.
You will have also noticed that many Custom STIX Properties are also being used in addition the default STIX 2.1 Properties for each Object.
Custom Properties are easily identifiable in STIX 2.1 as the Property names should always start with x_. In the case of ATT&CK, MITRE always use the prefix x_mitre_, for example, x_mitre_version.
For those who don not understand Custom STIX 2.1 Objects, Properties, or Extensions, please read our STIX 2.1 tutorial content.
We’ll do a deeper dive into the detail of all the STIX 2.1 Custom Properties next week…
ATT&CK is available in Excel too
Knowing that many workflows are still built around spreadsheets, MITRE have also built .xls files representing the ATT&CK Objest too.
These spreadsheets are built from the STIX 2.1 datasets with the aim of providing a more human-accessible view into the knowledge base whilst also supporting rudimentary querying/filtering capabilities.
The source code for the STIX to Excel converter can be found in the mitreattack-python pip module.
A deeper look at ATT&CK’s STIX 2.1 Customisation
As you have seen MITRE have created their own STIX 2.1 Object to represent parts of ATT&CK.
The eagle-eyed amongst you will also have seen these STIX Objects also contain custom STIX 2.1 Properties.
I will dive into these customisations in more detail in the next post.
ATT&CK Certification (Virtual and In Person)
The content used in this post is a small subset of our full training material used in our ATT&CK training.
If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.
Discuss this post
Never miss an update
Sign up to receive new articles in your inbox as they published.