MITRE ATTACK#

Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.

MITRE ATT&CK versions#

Supported versions of MITRE ATT&CK:

  • Supports MITRE ATT&CK v12.1 for Enterprise

  • Legacy support for MITRE ATT&CK v9.0 for Enterprise:

    • Entities exported from earlier versions of EclecticIQ Intelligence Center and imported here will retain their original classifications.

    • You can still apply classifications revoked since ATT&CK v9.0 to entities.

  • Revoked or renamed classifications:

    • Entities imported from earlier versions of EclecticIQ Intelligence Center can carry classifications from ATT&CK versions before v12.1. Where such a classification has since been renamed, or revoked and replaced with a different classification, the entity will carry only the new classification.

      For example, in ATT&CK v11, T1547.011 Plist Modification was revoked and replaced with T1647 Plist File Modification.

    • Caution: If a query (e.g. in a dynamic dataset or in rules) uses a revoked or renamed ATT&CK classification, those queries must be updated to use the updated ATT&CK classification to continue to work.

Permissions#

To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:

  • read attack

  • modify entities

All users can still search for and see ATT&CK classifications assigned to entities without the read attack permission.

Tip

MITRE ATT&CK classifications are stored on EclecticIQ Intelligence Center as a built-in taxonomy that is only accessible through the Create ATT&CK classification modal.

The read attack permission allows access to this built-in taxonomy. With this and modify entities permissions, users can add ATT&CK classifications to entities.

Entities and observables#

You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:

  • An entity with an ATT&CK classification

  • An entity or observable related to an entity with an ATT&CK classification

Note

Only entities can be assigned ATT&CK classifications.

ATT&CK classifications appear in the following tabs of the entity builder:

Overview tab#

Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove the ATT&CK classifications assigned to the entity.

MITRE ATT&CK in entity builder

Note

MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.

Neighborhood tab#

You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.

ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:

  • Directly related entities

  • MITRE ATT&CK classifications of entities on the graph

In the Directly related entities section, the ATT&CK IDs column displays the ATT&CK IDs of related entities that have ATT&CK classifications.

MITRE ATT&CK information in Neighborhood tab.

Here, you can:

  • Select the add icon (Plus) to add and remove ATT&CK classifications for that related entity.

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

The MITRE ATT&CK classifications of entities on the graph section displays a table of the entities in the current entity or observable’s neighborhood graph that have ATT&CK classifications:

MITRE ATT&CK information for all entities in graph

Here, you can:

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

  • Select entities in the Classified entities column to open that entity in a new modal.

Add ATT&CK classifications to entities#

  1. Select an entity to open the entity builder Overview tab.

  2. In the Overview tab, scroll down to the MITRE ATT&CK classifications section.

    MITRE ATT&CK in entity builder
  3. Select + ATT&CK CLASSIFICATION.

  4. In the Create ATT&CK classification modal that appears, select the drop-down menu.

    Start typing to filter the entries in the drop-down menu, and select one or more classifications.

    Create ATT&CK classification modal
  5. Select CLASSIFY to save your changes.

Tip

When selecting ATT&CK classifications in Create ATT&CK classification, you can hover over the information icon (Information) to display information about that ATT&CK classification.

Select READ MORE to go to the page for that classification on https://attack.mitre.org/.

Hover over information icon to display ATT&CK information

Browse by ATT&CK classification#

When viewing entities in Search (Search icon) > GO TO SEARCH AND BROWSE > Entities, you can:

  • Display ATT&CK classifications for results

  • Filter results by ATT&CK classification

MITRE ATT&CK column in BROWSE

If the MITRE ATT&CK column is not visible, you can set EclecticIQ Intelligence Center to display it:

  1. On the right of the table of search results, select the Settings icon (Settings).

    Customize list columns.
  2. In the Customize list columns modal that appears, select MITRE ATT&CK.

  3. Select SAVE.

To filter results by ATT&CK classification in BROWSE > Entities:

  1. Select Filter (Filter) in the top left.

  2. Select the MITRE ATT&CK section to expand it.

  3. Start typing to search for an ATT&CK classification.

    Select one or more ATT&CK classifications from the list to filter results by.

    Filter by ATT&CK classification

Search by ATT&CK classification#

You can search for entities that have ATT&CK classifications by searching EclecticIQ Intelligence Center with these queries:

meta.attack.id: <ATT&CK_ID>

    Retrieves entities classified with that ATT&CK ID. For the possible ways to write <ATT&CK_ID>, see the table below.

    For example, meta.attack.id: T1001 retrieves all entities that are classified with technique T1001.

meta.attack.name: <string>

    Retrieves entities whose assigned ATT&CK classifications contain <string> in their names.

    For example, meta.attack.name: "encrypted" retrieves all entities that have ATT&CK classifications with names that contain “encrypted”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.

<ATT&CK_ID> can be written in these ways:

  Syntax                                          Example
  <TACTIC_ID>                                     TA0042
  <TECHNIQUE_ID>                                  T1583
  <TECHNIQUE_ID>.<SUBTECHNIQUE_ID>                T1583.005
  <TACTIC_ID>:<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>    TA0042:T1583.005
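As an added example (not EclecticIQ's own code), the following Python validates a query id against the four <ATT&CK_ID> syntaxes above and matches it against classification ids stored in the export form <TACTIC_ID>:<TECHNIQUE_ID>[.<SUBTECHNIQUE_ID>]. It assumes that any part omitted from the query is unconstrained, so T1583 also matches TA0042:T1583.005; the sample entities are constructed.

```python
import re

# Stored classification ids (as in the JSON export on this page) have the form
# <TACTIC_ID>:<TECHNIQUE_ID>[.<SUBTECHNIQUE_ID>], e.g. "TA0042:T1583.005".
STORED_ID = re.compile(r"^(TA\d{4}):(T\d{4})(?:\.(\d{3}))?$")

# The four <ATT&CK_ID> query syntaxes from the table above.
QUERY_ID = re.compile(
    r"^(?:(?P<tactic>TA\d{4})(?::(?P<tech>T\d{4})(?:\.(?P<sub>\d{3}))?)?"
    r"|(?P<tech2>T\d{4})(?:\.(?P<sub2>\d{3}))?)$"
)

def parse_query_id(query_id):
    """Return (tactic, technique, subtechnique), None for parts not given,
    or raise ValueError if the id matches none of the four syntaxes."""
    m = QUERY_ID.match(query_id)
    if not m:
        raise ValueError(f"not a valid <ATT&CK_ID>: {query_id!r}")
    technique = m.group("tech") or m.group("tech2")
    sub = m.group("sub") or m.group("sub2")
    return m.group("tactic"), technique, sub

def matches(query_id, stored_id):
    """True if the stored classification satisfies the query id. Assumption:
    a part omitted from the query is unconstrained (T1583 also hits T1583.005)."""
    sm = STORED_ID.match(stored_id)
    if not sm:
        raise ValueError(f"malformed stored classification id: {stored_id!r}")
    query = parse_query_id(query_id)
    return all(q is None or q == s for q, s in zip(query, sm.groups()))

def search(entities, query_id):
    """Ids of entities with at least one matching classification in meta.attack,
    mirroring the query 'meta.attack.id: <ATT&CK_ID>'."""
    return [e["id"] for e in entities
            if any(matches(query_id, c["id"]) for c in e["meta"]["attack"])]

# Constructed sample entities shaped like the export on this page (not real data).
SAMPLE_ENTITIES = [
    {"id": "entity-1", "meta": {"attack": [
        {"id": "TA0011:T1001", "name": "Data Obfuscation"},
        {"id": "TA0042:T1583.005", "name": "Botnet"}]}},
    {"id": "entity-2", "meta": {"attack": [
        {"id": "TA0042:T1583", "name": "Acquire Infrastructure"}]}},
    {"id": "entity-3", "meta": {"attack": [
        {"id": "TA0002:T1072", "name": "Software Deployment Tools"}]}},
]
```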

Export entities#

Only the EclecticIQ JSON export format supports ATT&CK classifications.

When exporting to JSON, the ATT&CK classifications appear in the meta.attack field of the resulting JSON object:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    // Other entities
    {
      "attachments": [],
      "data": {
        // Data for this entity
      },
      "enrichment_extracts": [],
      "external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "extracts": [
        // Observables
      ],
      "id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "meta": {
        "attack": [
          {
            "id": "TA0040:T1486",
            "name": "Data Encrypted for Impact"
          },
          {
            "id": "TA0011:T1001",
            "name": "Data Obfuscation"
          },
          {
            "id": "TA0040:T1485",
            "name": "Data Destruction"
          },
          {
            "id": "TA0001:T1190",
            "name": "Exploit Public-Facing Application"
          },
          {
            "id": "TA0003:T1505",
            "name": "Server Software Component"
          },
          {
            "id": "TA0002:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0008:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0002:T1059",
            "name": "Command and Scripting Interpreter"
          },
          {
            "id": "TA0011:T1090",
            "name": "Proxy"
          },
          {
            "id": "TA0042:T1583.005",
            "name": "Botnet"
          }
        ],
        // Other metadata for this entity
        "title": "TITLE OF REPORT",
        "tlp_color": "WHITE"
      },
      "relevancy": 0.9516951530106196,
      "sources": [
        {
          "name": "Feed name",
          "source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
          "source_type": "incoming_feed"
        }
      ]
    },
    // Other entities
  ],
  "entity_counts": {
    "relation": 78,
    "report": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "platform-version": "2.10.0",
  "timestamp": "2021-06-07T12:28:39.993744+00:00"
}

Known limitations#

Enterprise ATT&CK#

Only Enterprise ATT&CK classifications are built into EclecticIQ Intelligence Center.

You cannot add to these built-in ATT&CK classifications on the platform, or change them.

Assign techniques with ambiguous tactics#

ATT&CK techniques and sub-techniques may belong to more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both the “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK where techniques or sub-techniques can be identified, but tactics are ambiguous or unavailable.

EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications on EclecticIQ Intelligence Center must have a specific parent tactic.

To work around this, you can assign all possible instances of an ATT&CK classification where the parent classification is ambiguous.

For example, if an entity should be assigned T1072, but has an ambiguous parent tactic, then assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.
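As an added example (not EclecticIQ's code), this Python reads a constructed export fragment, lists the tactics each technique was assigned under (showing the T1072 workaround above), expands a technique with an ambiguous tactic into all of its tactic-qualified ids using an assumed technique-to-tactic map, and flags classifications revoked in ATT&CK (the T1547.011 case from the MITRE ATT&CK versions section) so that queries using them can be updated.

```python
import json
from collections import defaultdict

# Constructed fragment of an EclecticIQ JSON export (not real data); only the
# fields read below are included. Ids are <TACTIC_ID>:<TECHNIQUE_ID>[.<SUB>].
EXPORT = json.loads("""{
  "entities": [
    {"id": "entity-1", "meta": {"attack": [
      {"id": "TA0002:T1072", "name": "Software Deployment Tools"},
      {"id": "TA0008:T1072", "name": "Software Deployment Tools"},
      {"id": "TA0003:T1547.011", "name": "Plist Modification"}
    ]}}
  ]
}""")

# Assumption for this example: the tactics each technique belongs to. In
# practice take this from the ATT&CK Enterprise matrix for the version in use.
TECHNIQUE_TACTICS = {
    "T1072": ["TA0002", "TA0008"],
}

# Revoked ids and their replacement, from the ATT&CK v11 example on this page.
REVOKED = {"T1547.011": "T1647"}

def split_id(stored_id):
    """'TA0002:T1072' -> ('TA0002', 'T1072')."""
    tactic, technique = stored_id.split(":", 1)
    return tactic, technique

def tactics_by_technique(entity):
    """Group an entity's classifications as {technique: [tactics]}; a technique
    listed under several tactics is the ambiguity workaround in action."""
    groups = defaultdict(set)
    for c in entity["meta"]["attack"]:
        tactic, technique = split_id(c["id"])
        groups[technique].add(tactic)
    return {t: sorted(ts) for t, ts in groups.items()}

def ids_for_ambiguous_technique(technique):
    """All tactic-qualified ids to assign when only the technique is known."""
    return [f"{t}:{technique}" for t in TECHNIQUE_TACTICS[technique]]

def revoked_classifications(entity):
    """(stored id, replacement technique) for classifications that ATT&CK has
    revoked; the replacement's tactic must be looked up in the current matrix."""
    return [(c["id"], REVOKED[split_id(c["id"])[1]])
            for c in entity["meta"]["attack"] if split_id(c["id"])[1] in REVOKED]
```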