MITRE ATTACK

Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.

MITRE ATT&CK on the Intelligence Center

The Intelligence Center provides MITRE ATT&CK classifications that you can apply to entities. These ATT&CK classifications are based on ATT&CK v8.2.

Currently, only Enterprise ATT&CK classifications are available.

Permissions

To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:

  • read attack

  • modify entities

All users can still search for and see ATT&CK classifications assigned to entities without the read attack permission.

MITRE ATT&CK classifications are stored on the platform as a built-in taxonomy that is only accessible through the Create ATT&CK classification modal.

The read attack permission allows access to this built-in taxonomy. With this and modify entities permissions, users can add ATT&CK classifications to entities.

Entities and observables

You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:

  • An entity with an ATT&CK classification

  • An entity or observable related to an entity with an ATT&CK classification

Only entities can be assigned ATT&CK classifications.

ATT&CK classifications appear in the following tabs of the entity builder:

Overview tab

Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove ATT&CK classifications assigned to it.

images/download/attachments/82475152/mitre-attack-example-1.jpg

MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.

Neighborhood tab

You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.

ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:

  • Directly related entities

  • MITRE ATT&CK classifications of entities on the graph

The Directly related entities section displays ATT&CK IDs for related entities that have ATT&CK classifications in the ATT&CK IDs column.

images/download/attachments/82475152/mitre-attack-entity-neighborhood.jpg

Here, you can:

  • Select the add icon (images/download/attachments/82475152/plus-circle.jpg ) to add and remove ATT&CK classifications for that related entity.

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

The MITRE ATT&CK classifications of entities on the graph section displays a table of entities in the current entity or observable’s neighborhood graph that have ATT&CK classifications:

images/download/attachments/82475152/mitre-attack-neighborhood-graph-clean.jpg

Here, you can:

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

  • Select entities in the Classified entities column to open that entity in a new modal.

Add ATT&CK classifications to entities

  1. Select an entity to open the entity builder Overview tab.

  2. In the Overview tab, scroll down to the MITRE ATT&CK classifications section.images/download/attachments/82475152/mitre-attack-example-12.jpg

  3. Select + ATT&CK CLASSIFICATION.

  4. In the Create ATT&CK classification modal that appears, select the drop-down menu.

    Start typing to filter the entries in the drop-down menu, and select one or more classifications.images/download/attachments/82475152/mitre-attack-example-2.jpg

  5. Select CLASSIFY to save your changes.

When selecting ATT&CK classifications in Create ATT&CK classification, you can hover over the information icon (images/download/attachments/82475152/info-circle.svg ) to display information about that ATT&CK classification.

Select READ MORE to go to the page for that classification on https://attack.mitre.org/.images/download/attachments/82475152/mitre-attack-help.jpg

Browse by ATT&CK classification

When viewing entities in Search (images/download/attachments/82475152/search.svg-x24.png ) > GO TO SEARCH AND BROWSE > Entities, you can:

  • Display ATT&CK classifications for results

  • Filter results by ATT&CK classification

images/download/attachments/82475152/mitre-attack-browse-column.jpg

If the MITRE ATT&CK column is not visible, you can set the Intelligence Center to display it:

  1. On the right of the table of search results, select the Settings icon (images/download/attachments/82475152/cog.svg-x24.png ).images/download/attachments/82475152/browse-set-column-view.jpg

  2. In the Customize list columns modal that appears, select MITRE ATT&CK.

  3. Select SAVE.

You can filter results by ATT&CK classification in BROWSE > Entities by:


  1. Selecting Filter (images/download/attachments/82475152/filter.png ) in the top left.

  2. Select the MITRE ATT&CK section to expand it.

  3. Start typing to search for an ATT&CK classification.

    Select one or more ATT&CK classifications from the list to filter results by.images/download/attachments/82475152/mitre-attack-browse-filter.jpg


Search by ATT&CK classification

You can search for entities that have ATT&CK classifications by searching the Intelligence Center with these queries:

Query

Description

meta.attack.id: <ATT&CK_ID>

Retrieves entities classified with that ATT&CK ID.

For the possible ways to write <ATT&CK_ID>, see the table below.

For example:

meta.attack.id: T1001

Retrieves all entities that are classified with technique T1001.

meta.attack.name: <string>

Retrieves entities whose assigned ATT&CK classifications contains <string> in their names.

For example:

meta.attack.name: "encrypted"

Retrieves all entities that have ATT&CK classifications with names that contain “encryption”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.

<ATT&CK_ID> can be written in these ways:

Syntax

Example

<TACTIC_ID>

TA0042

<TECHNIQUE_ID>

T1583

<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>

T1583.005

<TACTIC_ID>:<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>

TA0042:T1583.005

Analyze ATT&CK data in a graph

MITRE ATT&CK data can be visualized in the Intelligence Center's graph. See the Graph section for information about adding entities to a graph and analyzing them.

Enable MITRE ATT&CK data in a graph

To enable MITRE ATT&CK data in a graph, select ATT&CK on the top navigation bar. This displays the technique and the number of MITRE ATT&CK objects associated with the entity.

To remove the ATT&CK objects from the graph, select and toggle ATT&CK.

images/download/attachments/82475152/image2021-10-31_14-48-22.png

Display MITRE ATT&CK techniques as nodes

To display all the associated MITRE ATT&CK techniques and sub-techniques as nodes with IDs, select ATT&CK > Show as Objects on the top navigation bar.

images/download/attachments/82475152/image2021-10-31_14-41-25.png

Display MITRE ATT&CK names

To display all the associated MITRE ATT&CK techniques and sub-techniques as nodes with IDs and their names that provide basic information about the technique, select ATT&CK > Show Name on the top navigation bar. Show as Objects must also be enabled to see individual ATTA&CK objects.

images/download/attachments/82475152/image2021-10-31_14-38-54.png

Display information about a MITRE ATT&CK classification

To see more information about an ATT&CK object in the graph, click and select the object to display a popup.

images/download/attachments/82475152/image2021-10-31_14-33-48.png

Filter and group MITRE ATT&CK objects

To filter and view specific ATT&CK objects based on their IDs, go to Filter (images/download/attachments/82475152/filter.png ) on the top navigation bar and then select or unselect the required ATT&CK IDs under ATT&CK.

To group ATT&CK objects, select GROUP against the ATT&CK objects. See the Groups page for more information on grouping entities in a graph.

images/download/attachments/82475152/image2021-10-31_14-28-57.png

Export entities

Only the EclecticIQ JSON export format supports ATT&CK classifications.

When exporting to JSON, the ATT&CK classifications appear in the meta.attack field of the resulting JSON object:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    // Other entities
    {
      "attachments": [],
      "data": {
        // Data for this entity
      },
      "enrichment_extracts": [],
      "external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "extracts": [
        // Observables
      ],
      "id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "meta": {
        "attack": [
          {
            "id": "TA0040:T1486",
            "name": "Data Encrypted for Impact"
          },
          {
            "id": "TA0011:T1001",
            "name": "Data Obfuscation"
          },
          {
            "id": "TA0040:T1485",
            "name": "Data Destruction"
          },
          {
            "id": "TA0001:T1190",
            "name": "Exploit Public-Facing Application"
          },
          {
            "id": "TA0003:T1505",
            "name": "Server Software Component"
          },
          {
            "id": "TA0002:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0008:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0002:T1059",
            "name": "Command and Scripting Interpreter"
          },
          {
            "id": "TA0011:T1090",
            "name": "Proxy"
          },
          {
            "id": "TA0042:T1583.005",
            "name": "Botnet"
          }
        ],
        // Other metadata for this entity
        "title": "TITLE OF REPORT",
        "tlp_color": "WHITE"
      },
      "relevancy": 0.9516951530106196,
      "sources": [
        {
          "name": "Feed name",
          "source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
          "source_type": "incoming_feed"
        }
      ]
    },
    // Other entities
  ],
  "entity_counts": {
    "relation": 78,
    "report": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "platform-version": "2.10.0",
  "timestamp": "2021-06-07T12:28:39.993744+00:00"
}

Known limitations

Enterprise ATT&CK

The Intelligence Center only has Enterprise ATT&CK classifications built into the Intelligence Center.

You cannot add to these built-in ATT&CK classifications on the Intelligence Center, or change them.

Assign techniques with ambiguous tactics

ATT&CK techniques and sub-techniques may belong to more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows for analysts to map data to ATT&CK where techniques or sub-techniques can be identified, but tactics are ambiguous or unavailable.

The Intelligence Center does not support this ambiguity. All ATT&CK classifications on the Intelligence Center must have a specific parent tactic.

To work around this, you can assign all possible instances of an ATT&CK classification where the parent classification is ambiguous.

For example, if an entity should be assigned T1072, but has an ambiguous parent tactic, then assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.