MITRE ATT&CK

Last Updated: Aug 16, 2019 11:56AM EDT
Audience: User

Prerequisite: MITRE ATT&CK Source deployed onto the user’s ThreatConnect instance by a System Administrator; see the “The ATT&CK Framework” section of the ThreatConnect System Administration Guide for instructions

Overview

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a knowledge base that uses metadata codes to standardize and classify adversary offensive actions, or techniques, and adversary goals, or tactics. Users can enrich objects in ThreatConnect with PRE-ATT&CK and Enterprise ATT&CK metadata via the Tags and Threats provided in the MITRE ATT&CK Source.

For more information about MITRE ATT&CK, see the following resources:

Viewing ATT&CK Information in ThreatConnect

All MITRE PRE-ATT&CK and Enterprise ATT&CK data are contained in the MITRE ATT&CK Source in ThreatConnect. Each ATT&CK technique is represented by a Threat object. Each ATT&CK tactic is represented by a Tag. The Source also contains Tags that represent ATT&CK data models and all technique–tactic combinations.

Viewing ATT&CK Techniques

  1. From the top navigation bar (Figure 1), place the cursor over Browse and then over the Group option. Click on the Threat object to display a results table (Figure 2).
  2. Click on the MY THREATCONNECT selector at the top left of the screen and deselect all options except the MITRE ATT&CK Intelligence Source (Figure 3).
  3. The Browse screen will now show all Threat objects in the MITRE ATT&CK Source, comprising all PRE-ATT&CK and Enterprise ATT&CK techniques (Figure 4).
  4. To view a technique, click on a Threat, and the Details drawer for that Threat will be displayed (Figure 5).
  5. Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 6). Alternatively, hover over the Threat’s entry in the table in Figure 4 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.

The information provided in the Attributes on the Overview tab of the Details screen for a MITRE ATT&CK Threat in ThreatConnect corresponds to the information provided for that technique in the MITRE ATT&CK database. For example, the Threat shown in Figure 6 corresponds to the Enterprise ATT&CK technique T1220 XSL Script Processing. Table 1 lists the ThreatConnect Attributes and their corresponding section(s) on the ATT&CK technique’s web page.

Table 1

| ThreatConnect Attribute | ATT&CK Section | Pivotable? |
|---|---|---|
| Description | General description of the technique | No |
| Additional Analysis and Context | Detection, Data Sources, Difficulty for Adversary (PRE-ATT&CK only) | No |
| Tactics, Techniques, and Procedures | Tactic (see NOTE below) | Yes |
| Source | URL for the technique’s web page (“Entry URL”), References (“Citation”), Contributors | No |
| Capabilities | Platform (“Platforms”), Permissions Required, System Requirements, Defense Bypassed | Yes |
| Course of Action Recommendation | Mitigation | No |
| External ID | Technique ID number | Yes |

NOTE: If more than one tactic is associated with the technique, the tactics in the Tactics, Techniques, and Procedures Attribute will be separated by a pipe (“|”) character.

The Tags section on the Overview tab of the Details screen (Figure 7) displays the following Tag types for the Threat (technique):

  • Tactic: Each Threat has one Tag for each tactic with which the technique is associated. In Figure 7, the Threat is associated with two tactics, each of which is a Tag: Defense-Evasion and Execution. If there are multiple words in a tactic, the words are separated by hyphens (e.g., Defense-Evasion, Priority-Definition-Planning).
  • ATT&CK Model: Each Threat has one Tag for the ATT&CK model to which the technique belongs: PRE-ATT&CK or Enterprise ATT&CK.
  • Full Technique Data: Each Threat has one or more Tags with the following sequence of information, each part of which is separated by a space-hyphen-space character sequence:
    • Technique ID number
    • Technique name
    • Three-character abbreviation for a single tactic (see Table 2 for a full list of the tactic abbreviations)
    • Three-character abbreviation for the technique’s data model: PRE (PRE-ATT&CK) or ENT (Enterprise ATT&CK)
    • ATT&CK (to indicate that it is part of the MITRE ATT&CK data set in ThreatConnect)

Table 2

| ATT&CK Model | Tactic ID Number | Tactic Name | Abbreviation |
|---|---|---|---|
| PRE-ATT&CK | TA0012 | Priority Definition Planning | PDP |
| PRE-ATT&CK | TA0013 | Priority Definition Direction | PDD |
| PRE-ATT&CK | TA0014 | Target Selection | TAR |
| PRE-ATT&CK | TA0015 | Technical Information Gathering | TIG |
| PRE-ATT&CK | TA0016 | People Information Gathering | PIG |
| PRE-ATT&CK | TA0017 | Organization Information Gathering | OIG |
| PRE-ATT&CK | TA0018 | Technical Weakness Identification | TWI |
| PRE-ATT&CK | TA0019 | People Weakness Identification | PWI |
| PRE-ATT&CK | TA0020 | Organizational Weakness Identification | OWI |
| PRE-ATT&CK | TA0021 | Adversary OPSEC | AOP |
| PRE-ATT&CK | TA0022 | Establish & Maintain Infrastructure | EMI |
| PRE-ATT&CK | TA0023 | Persona Development | PDV |
| PRE-ATT&CK | TA0024 | Build Capabilities | BDC |
| PRE-ATT&CK | TA0025 | Test Capabilities | TST |
| PRE-ATT&CK | TA0026 | Stage Capabilities | STG |
| Enterprise ATT&CK | TA0001 | Initial Access | INI |
| Enterprise ATT&CK | TA0002 | Execution | EXE |
| Enterprise ATT&CK | TA0003 | Persistence | PER |
| Enterprise ATT&CK | TA0004 | Privilege Escalation | PRI |
| Enterprise ATT&CK | TA0005 | Defense Evasion | DEF |
| Enterprise ATT&CK | TA0006 | Credential Access | CRA |
| Enterprise ATT&CK | TA0007 | Discovery | DIS |
| Enterprise ATT&CK | TA0008 | Lateral Movement | LAT |
| Enterprise ATT&CK | TA0009 | Collection | COL |
| Enterprise ATT&CK | TA0010 | Exfiltration | EXF |
| Enterprise ATT&CK | TA0011 | Command and Control | C&C |
| Enterprise ATT&CK | TA0040 | Impact | IMP |
| Enterprise ATT&CK | (none) | Not Determined | NDT |

A Threat representing a PRE-ATT&CK technique will have only one Tag of the “Full Technique Data” type, because each PRE-ATT&CK technique is assigned a unique ID number for each tactic with which it is associated. In other words, if a PRE-ATT&CK technique is associated with more than one tactic, each combination is represented as a separate technique. For example, as shown in Figure 8, there are three PRE-ATT&CK techniques with the name Analyze organizational skillsets and deficiencies, each of which is represented as a separate Threat (technique) with a unique ID number (T1297, T1300, and T1289) and has a single tactic associated with it (People Weakness Identification, Organizational Weakness Identification, and Technical Weakness Identification, respectively).

A Threat representing an Enterprise ATT&CK technique will have multiple Tags of the “Full Technique Data” type associated with it if the technique is associated with multiple tactics, because Enterprise ATT&CK techniques are not assigned unique ID numbers for each tactic with which they are associated. These Threats will have one “Full Technique Data” Tag per each associated tactic, and one additional “Full Technique Data” Tag with the tactic abbreviation “NDT” (Not Determined), to cover the case in which the technique is known, but the tactic is not. For example, there are three Tags of this type in Figure 7, representing both tactics and the NDT case.
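The Tag rules above (hyphenated tactic Tags, one model Tag, and one “Full Technique Data” Tag per tactic, with the extra NDT Tag for Enterprise techniques only) are easy to get subtly wrong when tagging data by script. The following added example is not ThreatConnect code; it builds the Tag strings a Threat should carry from the rules stated in this article, using the tactic abbreviations from Table 2, and parses a “Full Technique Data” Tag back into its parts so that a tag generated elsewhere can be checked against the expected syntax. The Technique class and function names are this example’s own.

```python
"""Added example (not ThreatConnect's code): build the three Tag types the
MITRE ATT&CK Source attaches to a Threat, and parse a Full Technique Data Tag."""
from dataclasses import dataclass

# Tactic name -> three-character abbreviation, as listed in Table 2.
TACTIC_ABBREV = {
    # PRE-ATT&CK
    "Priority Definition Planning": "PDP", "Priority Definition Direction": "PDD",
    "Target Selection": "TAR", "Technical Information Gathering": "TIG",
    "People Information Gathering": "PIG", "Organization Information Gathering": "OIG",
    "Technical Weakness Identification": "TWI", "People Weakness Identification": "PWI",
    "Organizational Weakness Identification": "OWI", "Adversary OPSEC": "AOP",
    "Establish & Maintain Infrastructure": "EMI", "Persona Development": "PDV",
    "Build Capabilities": "BDC", "Test Capabilities": "TST", "Stage Capabilities": "STG",
    # Enterprise ATT&CK
    "Initial Access": "INI", "Execution": "EXE", "Persistence": "PER",
    "Privilege Escalation": "PRI", "Defense Evasion": "DEF", "Credential Access": "CRA",
    "Discovery": "DIS", "Lateral Movement": "LAT", "Collection": "COL",
    "Exfiltration": "EXF", "Command and Control": "C&C", "Impact": "IMP",
}
MODEL_ABBREV = {"PRE-ATT&CK": "PRE", "Enterprise ATT&CK": "ENT"}
NOT_DETERMINED = "NDT"   # tactic abbreviation for "technique known, tactic not"
SEP = " - "              # space-hyphen-space separator inside a Tag


@dataclass(frozen=True)
class Technique:          # hypothetical record type for this example
    technique_id: str     # e.g. "T1220"
    name: str             # e.g. "XSL Script Processing"
    model: str            # "PRE-ATT&CK" or "Enterprise ATT&CK"
    tactics: tuple        # tactic names exactly as written in Table 2


def tactic_tag(tactic: str) -> str:
    """Tactic Tags join multi-word tactic names with hyphens."""
    return tactic.replace(" ", "-")


def full_technique_tags(t: Technique) -> list:
    """One Full Technique Data Tag per tactic. A PRE-ATT&CK technique ID maps
    to exactly one tactic; an Enterprise technique also gets an NDT Tag."""
    model = MODEL_ABBREV[t.model]
    abbrevs = [TACTIC_ABBREV[name] for name in t.tactics]
    if model == "PRE":
        if len(abbrevs) != 1:
            raise ValueError("a PRE-ATT&CK technique ID has exactly one tactic")
    else:
        abbrevs.append(NOT_DETERMINED)
    return [SEP.join([t.technique_id, t.name, a, model, "ATT&CK"]) for a in abbrevs]


def threat_tags(t: Technique) -> list:
    """Every Tag shown on the Threat: tactic Tags, the model Tag, full Tags."""
    return [tactic_tag(x) for x in t.tactics] + [t.model] + full_technique_tags(t)


def parse_full_technique_tag(tag: str) -> dict:
    """Split a Full Technique Data Tag into its parts, validating the fixed
    trailing fields. The technique name may itself contain the separator."""
    parts = tag.split(SEP)
    if len(parts) < 5 or parts[-1] != "ATT&CK":
        raise ValueError(f"not a Full Technique Data Tag: {tag!r}")
    tactic, model = parts[-3], parts[-2]
    if model not in MODEL_ABBREV.values():
        raise ValueError(f"unknown data model abbreviation: {model!r}")
    if tactic != NOT_DETERMINED and tactic not in TACTIC_ABBREV.values():
        raise ValueError(f"unknown tactic abbreviation: {tactic!r}")
    if tactic == NOT_DETERMINED and model == "PRE":
        raise ValueError("NDT is only used for Enterprise ATT&CK Tags")
    return {"technique_id": parts[0], "name": SEP.join(parts[1:-3]),
            "tactic": tactic, "model": model}


if __name__ == "__main__":
    xsl = Technique("T1220", "XSL Script Processing", "Enterprise ATT&CK",
                    ("Defense Evasion", "Execution"))
    for tag in threat_tags(xsl):
        print(tag)
```

Running the block prints the six Tags the article describes for Figure 7: two tactic Tags, the Enterprise ATT&CK model Tag, and three Full Technique Data Tags (DEF, EXE and NDT). Feeding a PRE-ATT&CK technique with two tactics into full_technique_tags raises, which mirrors the article’s point that PRE-ATT&CK splits such cases into separate technique IDs.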

Viewing ATT&CK Tactics

The Tags in the MITRE ATT&CK Source comprise PRE-ATT&CK and Enterprise ATT&CK tactics, ATT&CK data models, and technique–tactic combinations.

  1. From the top navigation bar (Figure 1), place the cursor over Browse and then over the Tag option to display a results table (Figure 9).
  2. Click on the MY THREATCONNECT selector at the top left of the screen and deselect all options except the MITRE ATT&CK Intelligence Source (Figure 3).
  3. The Browse screen will now show all Tags in the MITRE ATT&CK Source (Figure 10).

There are three types of Tag in the MITRE ATT&CK Source:

  • Tactic: Each tactic is represented by a Tag. For example, in Figure 10, the Tags Test-Capabilities and Technical-Weakness-Identification are tactics. Note that if there are multiple words in a tactic, the words are separated by hyphens.
  • ATT&CK Data Model: There is one Tag each for the two ATT&CK data models in ThreatConnect: PRE-ATT&CK and Enterprise ATT&CK.
  • Full Technique Data: There is one Tag for each technique–tactic combination within the ATT&CK data set, comprising the majority of the Tags in the Source. Each Tag of this type has the following sequence of information, each part of which is separated by a space-hyphen-space character sequence:
    • Technique ID number
    • Technique name
    • Three-character abbreviation for a single tactic (see Table 2 for a full list of the tactic abbreviations)
    • Three-character abbreviation for the technique’s data model: PRE (PRE-ATT&CK) or ENT (Enterprise ATT&CK)
    • ATT&CK (to indicate that it is part of the MITRE ATT&CK data set in ThreatConnect)
    NOTE: See the last part of the previous section (“Viewing ATT&CK Techniques”) for more details about how this type of Tag differs for PRE-ATT&CK and Enterprise ATT&CK data and about how the “NDT” tactic abbreviation is used for Tags in the Enterprise ATT&CK data model.

To view a Tag, click on its entry in the results table in Figure 10, and the Details drawer for that Tag will be displayed (Figure 11).

Click the Details icon at the top right corner of the drawer, and the Overview screen will be displayed (Figure 12). Alternatively, hover over the Tag’s entry in the table in Figure 10 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen. In this case, the Tag represents a specific technique–tactic combination, so its only association is to the Threat representing the technique, as shown in the Associations card.

Figure 13 shows the Overview tab of the Details screen for a Tag representing a tactic. As shown in the Associations card, it is associated to nine Threat Groups, one for each of the techniques associated with the tactic.

These associations may also be displayed in graph view, as shown in Figure 14. See Associations for more information on the features of the Associations card.

The Associations card shown in Figure 15 displays a graph view of all of the Threat Groups associated with the Enterprise ATT&CK Tag (i.e., all of the techniques in the Enterprise ATT&CK data model).

Using ATT&CK to Enrich ThreatConnect Data

To enrich ThreatConnect objects in an Organization with ATT&CK metadata, Threat and Tag objects in the MITRE ATT&CK Source need to be copied into the user’s Organization. The MITRE ATT&CK Source contains a Document Group called MITRE ATT&CK to facilitate this operation. The Document is associated to all Threat Groups in the Source. Copying this Document into the user’s Organization will bring in all Threats (techniques) and Tags (including tactics and technique–tactic combinations) from the MITRE ATT&CK Source.

Threats from the MITRE ATT&CK Source may also be copied individually into the user’s Organization if desired.

Copying All ATT&CK Data into the User's Organization

Copying the MITRE ATT&CK Document from the MITRE ATT&CK Source into the user’s Organization will copy all associated Threats and Tags from the Source into the user’s Organization, as long as the COPY TO MY ORG process is configured to create Tags that do not exist and to copy associated Threat Groups. It is the easiest way to move all ATT&CK data in ThreatConnect into the user’s Organization for immediate use in data enrichment.

  1. From the top navigation bar (Figure 1), place the cursor over Browse and then over the Group option. Click on the Document object to display a results table. Click on the MY THREATCONNECT selector at the top left of the screen and deselect all options except the MITRE ATT&CK Intelligence Source (Figure 3). The Browse screen will now show the one Document in the MITRE ATT&CK Source (Figure 16).
  2. Click on the MITRE ATT&CK Document, and its Details drawer will be displayed (Figure 17).
  3. Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 18). Alternatively, hover over the Document’s entry in the table in Figure 16 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. The Document itself is a .zip file containing two JSON-formatted STIX files, one containing all PRE-ATT&CK data mapped to STIX and the other containing all Enterprise ATT&CK data mapped to STIX. If desired, this file can be downloaded by clicking the DOWNLOAD button on the Document File card.
  5. To begin the process of copying the Document and its associations into the user’s Organization, click the COPY TO MY ORG button at the top left of the screen. The Copy Data window will be displayed with the Initial tab selected (Figure 19).
  6. Select the NEW GROUP radio button to copy the Document into the Organization as its own, new Group. The name of the Document will appear in the Group Name textbox (Figure 20).
  7. Click the Next button, and the Data tab will be displayed (Figure 21).
    • Copy Attributes?: Leave the Yes radio button selected so that all information in the Document’s Attributes is included.
    • Include Tags?: Leave the Yes radio button selected so that all Tags of the Threat Groups associated with the Document are included.
    • Create Tags that Don’t Exist?: Select the Yes radio button so that all of the associated Threat Groups’ Tags that do not already exist in the Organization are created.
    • Copy Associated Groups?: Select the Yes radio button and then select the Threat checkbox underneath so that all of the Threats (and their associated Tags) from the MITRE ATT&CK Source are copied into the user’s Organization.
  8. The final selection of radio buttons should look like Figure 22.
  9. Click the Next button, and the Security Labels tab will be displayed (Figure 23).
  10. There are no Security Labels associated with data in the MITRE ATT&CK Source, so all of the default selections may be left as is. Click the Next button, and the Save tab will be displayed (Figure 24).
  11. The Save tab lists all objects to be copied—that is, the MITRE ATT&CK Document and all of its associated Threat Groups. If desired, scroll down the list to view all of its entries. Click the SAVE button to save the data to the Organization.
  12. To view the Document or any of the Threats or Tags in the Organization, return to the Browse screen, ensure that the Organization is selected in the MY THREATCONNECT selector at the top left (and deselect the MITRE ATT&CK Source to isolate the results to the Organization), and display all Documents, Threats, or Tags. If desired, use the Browse screen filters to further isolate the results (e.g., to view only ATT&CK Tags of certain types; see the “Using ThreatConnect Query Language (TQL) to Filter for ATT&CK Data” section later in this article for more information).
  13. All Tags from the MITRE ATT&CK Source will be available for use with objects in the Organization. When entering them for a Group or Indicator, use the autofill feature to ensure that the proper syntax is used and the correct Tag selected (Figure 25).

Copying a Single Threat (Technique) into the User’s Organization

Individual Threats (techniques) may be copied from the MITRE ATT&CK Source into the user’s Organization. This operation will also bring all Tags associated with the Threat, including tactics and technique–tactic combinations, into the Organization.

  1. Navigate to the Overview tab of the Details screen for the desired Threat (technique). For example, Figure 26 displays the T1028 Windows Remote Management Threat Group in the MITRE ATT&CK Source.
  2. Click the COPY TO MY ORG button at the top left of the screen. The Copy Data window will be displayed with the Initial tab selected (Figure 27).
  3. Select the NEW GROUP radio button to copy the Threat into the Organization as its own, new Group. The name of the Threat Group will appear in the Group Name textbox (Figure 28).
  4. Click the Next button, and the Data tab will be displayed (Figure 29).
    • Copy Attributes?: Leave the Yes radio button selected so that all ATT&CK information encapsulated in the Threat’s Attributes is included.
    • Include Tags?: Leave the Yes radio button selected so that all of the Threat’s Tags with ATT&CK information are included.
    • Create Tags that Don’t Exist?: Select the Yes radio button so that all of the Threat’s Tags that do not already exist in the Organization are created.
    • Copy Associated Groups?: The No radio button can be left selected, as there are no Groups associated with the Threats in the MITRE ATT&CK Source.
  5. The final selection of radio buttons should look like Figure 30.
  6. Click the Next button, and the Security Labels tab will be displayed (Figure 31).
  7. There are no Security Labels associated with data in the MITRE ATT&CK Source, so all of the default selections may be left as is. Click the Next button, and the Save tab will be displayed (Figure 32).
  8. Click the SAVE button to save the Threat (technique) to the Organization.
  9. To view the Threat in the Organization, return to the Browse screen, ensure that the Organization is selected in the MY THREATCONNECT selector at the top left (and deselect the MITRE ATT&CK Source to isolate the results to the Organization), and display all Threats. The copied Threat will be displayed with all other Threats in the Organization.
  10. All Tags associated with the Threat will be available for use with objects in the Organization. When entering them for a Group or Indicator, use the autofill feature to ensure that the proper syntax is used and the correct Tag selected (Figure 33).

Using Associations to Enrich Data

Once a Threat and its related Tags have been copied from the MITRE ATT&CK Source into the user’s Organization, Groups and Indicators in the Organization can be enriched by associating the objects with the Threat.

  1. Navigate to the Overview tab of the Details screen for the object to be enriched. This example uses a Host Indicator (Figure 34).
  2. If the Associations card is in table view, click on the Plus icon in the Associated Groups section. If it is in graph view, click on the node representing the object (i.e., the central node), click the Add Association option that appears, and then select Group. The Group Association window will be displayed (Figure 35). See Associations for more details about the Associations card.
  3. Select a Threat copied to the user’s Organization from the MITRE ATT&CK Source (Figure 36).
  4. Click the SAVE button. The Threat will now appear as an associated Group in the Associated Groups section of the Associations table (Figure 37).
  5. If desired, switch to graph view (Figure 38).
  6. From graph view, selecting the node representing the Threat and choosing Pivot and then Tags from the menu that appears will display all of the Tags associated with the Threat (Figure 39).
  7. The Tags associated with the Threat will not be automatically added to the original object (i.e., the workstation.in Host in this example). To add the Tags to the original object, enter them on the Tags card on the Overview tab of the Details screen. Use the autofill option on the Tags card to ensure that the proper syntax is used and the correct Tag selected (Figure 33).

Best Practices

In general, the best way for users to label their data is to apply ATT&CK Tags—particularly Tags of the “Full Technique Data” type—to the Groups and Indicators in their Organization. The Tags are brought into the Organization by copying Threats containing those Tags from the MITRE ATT&CK Source into the Organization. If direct associations to ATT&CK techniques are important, objects in the Organization may be associated to the corresponding Threat Group(s) copied from the MITRE ATT&CK Source.

Using ThreatConnect Query Language (TQL) to Filter for ATT&CK Data

TQL queries can be used to find information related to specific ATT&CK models, tactics, or techniques. The queries must have the following two components: the type of object and a Tag string with wildcards.

NOTE: For these TQL queries to be effective, objects in the user’s Organization must be tagged with Tags brought into the Organization from the MITRE ATT&CK Source.

Examples

  1. The following query searches for Campaigns related to PRE-ATT&CK:
    typeName = "Campaign" and tag like "%PRE - ATT&CK"
  2. The following query searches for Adversaries associated with Indicators that are related to the Organizational Information Gathering tactic:
    typeName = "Adversary" and hasIndicator(tag like "%- OIG -%")
  3. The following query searches for Campaigns that are associated with Techniques targeting the Windows platform:
    typeName = "Campaign" and hasgroup(typeName in ("Threat") and attributeCapabilities like "%Windows%")
    NOTE: For users running ThreatConnect version 5.8.3 or newer, when querying for Attributes with spaces in their name, an underscore ( _ ) must be substituted for each space (e.g., attributeExternal_ID for the External ID Attribute). For users running versions of ThreatConnect prior to version 5.8.3, Attributes with spaces in their name must be searched for by Attribute number instead. This condition applies to two of the pivotable Attributes: “External ID” (attribute1078348862 on Cloud) and “Tactics, Techniques, and Procedures” (attribute9 on Cloud). Users on Dedicated Cloud or On Premises instances running versions of ThreatConnect prior to version 5.8.3 can find the numbers for these Attributes by creating a filter for the Attribute on the Browse screen in Basic mode and then toggling to Advanced mode (see the “Advanced Query” section of Browse for more information) to reveal the TQL for the query, which will contain the Attribute number.
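The three TQL examples depend on the exact spacing inside the Tag strings: `%PRE - ATT&CK` matches the trailing “PRE - ATT&CK” of a Full Technique Data Tag but not the model Tag “PRE-ATT&CK”, and `%- OIG -%` matches the tactic field only because it is bounded by the space-hyphen-space separators. The following added example is not ThreatConnect code and does not talk to a ThreatConnect instance; it models the `tag like` and `hasIndicator(...)` parts of those queries over constructed sample objects so the effect of each pattern can be seen offline, and it applies the version rule from the NOTE for naming Attributes in TQL. It assumes that `%` is the only wildcard and that matching is case-insensitive, and the technique ID T9999 in the sample data is a placeholder, not a real technique.

```python
"""Added example (not ThreatConnect's code): an offline model of the
'tag like' and hasIndicator() clauses used in the article's TQL examples."""


def tql_like(value: str, pattern: str) -> bool:
    """SQL-style LIKE where '%' matches any run of characters. Assumed
    case-insensitive; '_' is treated literally in this model."""
    value = value.lower()
    parts = pattern.lower().split("%")
    if len(parts) == 1:                       # no wildcard: exact match
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for piece in parts[1:-1]:                 # middle pieces must appear in order
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= len(value) - len(parts[-1])  # suffix must not overlap a middle piece


def has_tag_like(obj: dict, pattern: str) -> bool:
    return any(tql_like(tag, pattern) for tag in obj.get("tags", []))


def query(objects: list, type_name: str, tag_pattern: str = None,
          indicator_tag_pattern: str = None) -> list:
    """Names of objects of type_name whose own Tags match tag_pattern and/or
    that have an associated Indicator with a Tag matching
    indicator_tag_pattern (the hasIndicator(tag like ...) clause)."""
    hits = []
    for obj in objects:
        if obj["typeName"] != type_name:
            continue
        if tag_pattern and not has_tag_like(obj, tag_pattern):
            continue
        if indicator_tag_pattern and not any(
                has_tag_like(ind, indicator_tag_pattern)
                for ind in obj.get("indicators", [])):
            continue
        hits.append(obj["name"])
    return hits


# Attribute numbers quoted in the article for the Cloud instance only.
CLOUD_ATTRIBUTE_NUMBERS = {"External ID": 1078348862,
                           "Tactics, Techniques, and Procedures": 9}


def attribute_tql_name(attribute_name: str, version: str) -> str:
    """5.8.3 and newer: spaces become underscores (attributeExternal_ID).
    Older versions must query by Attribute number instead."""
    if tuple(int(x) for x in version.split(".")) >= (5, 8, 3):
        return "attribute" + attribute_name.replace(" ", "_")
    number = CLOUD_ATTRIBUTE_NUMBERS.get(attribute_name)
    if number is None:
        raise LookupError(f"Attribute number for {attribute_name!r} not known "
                          "for this instance; read it from Advanced mode on Browse")
    return f"attribute{number}"


# Constructed sample objects (not real ThreatConnect data).
OBJECTS = [
    {"typeName": "Campaign", "name": "Campaign Alpha",
     "tags": ["T1297 - Analyze organizational skillsets and deficiencies - PWI - PRE - ATT&CK",
              "PRE-ATT&CK", "People-Weakness-Identification"]},
    {"typeName": "Campaign", "name": "Campaign Bravo",
     "tags": ["T1220 - XSL Script Processing - DEF - ENT - ATT&CK", "Enterprise ATT&CK"]},
    {"typeName": "Adversary", "name": "Adversary Charlie",
     "indicators": [{"summary": "203.0.113.7",      # documentation address
                     "tags": ["T9999 - Placeholder OIG technique - OIG - PRE - ATT&CK"]}]},
    {"typeName": "Adversary", "name": "Adversary Delta",
     "indicators": [{"summary": "example.invalid",
                     "tags": ["T1220 - XSL Script Processing - NDT - ENT - ATT&CK"]}]},
]


if __name__ == "__main__":
    print(query(OBJECTS, "Campaign", tag_pattern="%PRE - ATT&CK"))
    print(query(OBJECTS, "Adversary", indicator_tag_pattern="%- OIG -%"))
    print(attribute_tql_name("External ID", "5.8.3"))
```

Campaign Alpha is returned by the first query only because of its Full Technique Data Tag; its model Tag “PRE-ATT&CK” has no spaces around the hyphen and does not match. This is the reason the Best Practices section recommends applying the “Full Technique Data” Tags rather than only the tactic or model Tags.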

See Using ThreatConnect Query Language (TQL) for more information on TQL.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.

20087-02 EN Rev. A
