MITRE ATTACK#
Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.
MITRE ATT&CK versions#
Supported versions of MITRE ATT&CK:
Supports MITRE ATT&CK v12.1 for Enterprise
Legacy support for MITRE ATT&CK v9.0 for Enterprise:
Entities exported from earlier versions of EclecticIQ Intelligence Center and imported here will retain their original classifications.
You can still apply classifications revoked since ATT&CK v9.0 to entities.
Revoked or renamed classifications:
Entities imported from earlier versions of EclecticIQ Intelligence Center can carry classifications from ATT&CK <v12.1 that have since been renamed, or revoked and replaced with a different classification, will carry only the new classification.
E.g. In ATT&CK v11: T1547.011 Plist modification was revoked and replaced with T1647 Plist File Modification.
Caution: If a query (e.g. in a dynamic dataset or in rules) uses a revoked or renamed ATT&CK classification, those queries must be updated to use the updated ATT&CK classification to continue to work.
Permissions#
To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:
read attack
modify entities
All users can still search for and see
ATT&CK classifications assigned to entities
without the read attack
permission.
Tip
MITRE ATT&CK classifications are stored on EclecticIQ Intelligence Center as a built-in taxonomy that is only accessible through the Create ATT&CK classification modal.
The read attack
permission allows
access to this built-in taxonomy.
With this and
modify entities
permissions,
users can add
ATT&CK classifications to entities.
Entities and observables#
You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:
An entity with an ATT&CK classification
An entity or observable related to an entity with an ATT&CK classification
Note
Only entities can be assigned ATT&CK classifications.
ATT&CK classifications appear in the following tabs of the entity builder:
Overview tab#
Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove ATT&CK classifications assigned to it.
Note
MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.
Neighborhood tab#
You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.
ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:
Directly related entities
MITRE ATT&CK classifications of entities on the graph
The Directly related entities section displays ATT&CK IDs for related entities that have ATT&CK classifications in the ATT&CK IDs column.
Here, you can:
Select the add icon () to add and remove ATT&CK classifications for that related entity.
Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classfication.
The MITRE ATT&CK classifications of entities on the graph section displays a table of entities in the current entity or observable’s neighborhood neighborhood graph that have ATT&CK classifications:
Here, you can:
Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classfication.
Select entities in the Classified entities column to open that entity in a new modal.
Add ATT&CK classifications to entities#
Select an entity to open the entity builder Overview tab.
In the Overview tab, scroll down to the MITRE ATT&CK classifications section.
Select + ATT&CK CLASSIFICATION.
In the Create ATT&CK classification modal that appears, select the drop-down menu.
Start typing to filter the entries in the drop-down menu, and select one or more classifications.
Select CLASSIFY to save your changes.
Tip
When selecting ATT&CK classifications in Create ATT&CK classification, you can hover over the information icon () to display information about that ATT&CK classification.
Select READ MORE to go to the page for that classification on https://attack.mitre.org/.
Browse by ATT&CK classification#
When viewing entities in Search () > GO TO SEARCH AND BROWSE > Entities, you can:
Display ATT&CK classifications for results
Filter results by ATT&CK classification
If the MITRE ATT&CK column is not visible, you can set EclecticIQ Intelligence Center to display it:
On the right of the table of search results, select the Settings icon ().
In the Customize list columns modal that appears, select MITRE ATT&CK.
Select SAVE.
You can filter results by ATT&CK classification in BROWSE > Entities by:
Search by ATT&CK classification#
You can search for entities that have ATT&CK classifications by searching EclecticIQ Intelligence Center with these queries:
Query |
Description |
---|---|
|
Retrieves entities classified with that ATT&CK ID. For the possible ways to
write For example: meta.attack.id: T1001
Retrieves all entities that are classified with technique T1001. |
|
Retrieves entities whose assigned
ATT&CK classifications
contains For example: meta.attack.name: "encrypted"
Retrieves all entities that have ATT&CK classifications with names that contain “encryption”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”. |
<ATT&CK_ID>
can be written in these ways:
Syntax |
Example |
---|---|
|
|
|
|
|
|
|
|
Export entities#
Only the EclecticIQ JSON export format supports ATT&CK classifications.
When exporting to JSON,
the ATT&CK classifications
appear in the meta.attack
field of the resulting JSON object:
{
"content-type": "urn:eclecticiq.com:json:1.0",
"enrichments": [],
"entities": [
// Other entities
{
"attachments": [],
"data": {
// Data for this entity
},
"enrichment_extracts": [],
"external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
"extracts": [
// Observables
],
"id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
"meta": {
"attack": [
{
"id": "TA0040:T1486",
"name": "Data Encrypted for Impact"
},
{
"id": "TA0011:T1001",
"name": "Data Obfuscation"
},
{
"id": "TA0040:T1485",
"name": "Data Destruction"
},
{
"id": "TA0001:T1190",
"name": "Exploit Public-Facing Application"
},
{
"id": "TA0003:T1505",
"name": "Server Software Component"
},
{
"id": "TA0002:T1072",
"name": "Software Deployment Tools"
},
{
"id": "TA0008:T1072",
"name": "Software Deployment Tools"
},
{
"id": "TA0002:T1059",
"name": "Command and Scripting Interpreter"
},
{
"id": "TA0011:T1090",
"name": "Proxy"
},
{
"id": "TA0042:T1583.005",
"name": "Botnet"
}
],
// Other metadata for this entity
"title": "TITLE OF REPORT",
"tlp_color": "WHITE"
},
"relevancy": 0.9516951530106196,
"sources": [
{
"name": "Feed name",
"source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
"source_type": "incoming_feed"
}
]
},
// Other entities
],
"entity_counts": {
"relation": 78,
"report": 1
},
"outgoing_feed_name": "Exported Entities",
"platform-version": "2.10.0",
"timestamp": "2021-06-07T12:28:39.993744+00:00"
}
Known limitations#
Enterprise ATT&CK#
EclecticIQ Intelligence Center only has Enterprise ATT&CK classifications built into EclecticIQ Intelligence Center.
You cannot add to these built-in ATT&CK classifications on the plafrom, or change them.
Assign techniques with ambiguous tactics#
ATT&CK techniques and sub-techniques may belong to more than one tactic.
For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows for analysts to map data to ATT&CK where techniques or sub-techniques can be identified, but tactics are ambiguous or unavailable.
EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications on EclecticIQ Intelligence Center must have a specific parent tactic.
To work around this, you can assign all possible instances of an ATT&CK classification where the parent classification is ambiguous.
For example, if an entity should be assigned T1072, but has an ambiguous parent tactic, then assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.