MITRE ATTACK#

Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.

MITRE ATT&CK versions #

Supported versions of MITRE ATT&CK:

Supports MITRE ATT&CK v12.1 for Enterprise
Legacy support for MITRE ATT&CK v9.0 for Enterprise:
- Entities exported from earlier versions of EclecticIQ Intelligence Center and imported here will retain their original classifications.
- You can still apply classifications revoked since ATT&CK v9.0 to entities.
Revoked or renamed classifications:
- Entities imported from earlier versions of EclecticIQ Intelligence Center can carry classifications from ATT&CK <v12.1 that have since been renamed, or revoked and replaced with a different classification, will carry only the new classification.
  
  E.g. In ATT&CK v11: T1547.011 Plist modification was revoked and replaced with T1647 Plist File Modification.
- Caution: If a query (e.g. in a dynamic dataset or in rules) uses a revoked or renamed ATT&CK classification, those queries must be updated to use the updated ATT&CK classification to continue to work.

Permissions #

To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:

read attack
modify entities

All users can still search for and see ATT&CK classifications assigned to entities without the read attack permission.

Tip

MITRE ATT&CK classifications are stored on EclecticIQ Intelligence Center as a built-in taxonomy that is only accessible through the Select MITRE ATT&CK classification modal.

The read attack permission allows access to this built-in taxonomy. With this and modify entities permissions, users can add ATT&CK classifications to entities.

Entities and observables #

You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:

An entity with an ATT&CK classification
An entity or observable related to an entity with an ATT&CK classification

Note

Only entities can be assigned ATT&CK classifications.

ATT&CK classifications appear in the following tabs of the entity builder:

Overview tab #

Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove ATT&CK classifications assigned to it.

Note

MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.

Neighborhood tab #

You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.

ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:

Directly related entities
MITRE ATT&CK classifications of entities on the graph

The Directly related entities section displays ATT&CK IDs for related entities that have ATT&CK classifications in the ATT&CK IDs column.

MITRE ATT&CK information in Neighborhood tab.

Here, you can:

Select the add icon () to add and remove ATT&CK classifications for that related entity.
Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classfication.

The MITRE ATT&CK classifications of entities on the graph section displays a table of entities in the current entity or observable’s neighborhood neighborhood graph that have ATT&CK classifications:

MITRE ATT&CK information for all entities in graph

Here, you can:

Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.
Select entities in the Classified entities column to open that entity in a new modal.

Add ATT&CK classifications to entities #

Select an entity to open the entity builder Overview tab.
In the Overview tab, scroll down to the MITRE ATT&CK classifications section.
Select + ATT&CK CLASSIFICATION.
In the Select MITRE ATT&CK classification modal that appears, select entries to add them to this entity.
Select Select to save your changes.

Tip

When selecting ATT&CK classifications in Select MITRE ATT&CK classification, you can hover over the information icon () to display information about that ATT&CK classification.

Select READ MORE to go to the page for that classification on https://attack.mitre.org/.

Hover over information icon to display ATT&CK information

Browse by ATT&CK classification #

When viewing entities in Search () > GO TO SEARCH AND BROWSE > Entities, you can:

Display ATT&CK classifications for results
Filter results by ATT&CK classification

If the MITRE ATT&CK column is not visible, you can set EclecticIQ Intelligence Center to display it:

On the right of the table of search results, select the Settings icon ().
In the Customize list columns modal that appears, select MITRE ATT&CK.
Select SAVE.

You can filter results by ATT&CK classification in BROWSE > Entities by:

Selecting Filter () in the top left.
Select the MITRE ATT&CK section to expand it.
Start typing to search for an ATT&CK classification.

Select one or more ATT&CK classifications from the list to filter results by.

Search by ATT&CK classification #

You can search for entities that have ATT&CK classifications by searching EclecticIQ Intelligence Center with these queries:

Query	Description
`meta.attack.id: <ATT&CK_ID>`	Retrieves entities classified with that ATT&CK ID. For the possible ways to write `<ATT&CK_ID>`, see the table below. For example: meta.attack.id: T1001 Retrieves all entities that are classified with technique T1001.
`meta.attack.name: <string>`	Retrieves entities whose assigned ATT&CK classifications contains `<string>` in their names. For example: meta.attack.name: "encrypted" Retrieves all entities that have ATT&CK classifications with names that contain “encryption”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.

Query

Description

meta.attack.id: <ATT&CK_ID>

Retrieves entities classified with that ATT&CK ID.

For the possible ways to write <ATT&CK_ID>, see the table below.

For example:

meta.attack.id: T1001

Retrieves all entities that are classified with technique T1001.

meta.attack.name: <string>

Retrieves entities whose assigned ATT&CK classifications contains <string> in their names.

For example:

meta.attack.name: "encrypted"

Retrieves all entities that have ATT&CK classifications with names that contain “encryption”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.

<ATT&CK_ID> can be written in these ways:

Syntax	Example
`<TACTIC_ID>`	`TA0042`
`<TECHNIQUE_ID>`	`T1583`
`<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>`	`T1583.005`
`<TACTIC_ID>:<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>`	`TA0042:T1583.005`

Export entities #

Only the EclecticIQ JSON export format supports ATT&CK classifications.

When exporting to JSON, the ATT&CK classifications appear in the meta.attack field of the resulting JSON object:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    // Other entities
    {
      "attachments": [],
      "data": {
        // Data for this entity
      },
      "enrichment_extracts": [],
      "external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "extracts": [
        // Observables
      ],
      "id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "meta": {
        "attack": [
          {
            "id": "TA0040:T1486",
            "name": "Data Encrypted for Impact"
          },
          {
            "id": "TA0011:T1001",
            "name": "Data Obfuscation"
          },
          {
            "id": "TA0040:T1485",
            "name": "Data Destruction"
          },
          {
            "id": "TA0001:T1190",
            "name": "Exploit Public-Facing Application"
          },
          {
            "id": "TA0003:T1505",
            "name": "Server Software Component"
          },
          {
            "id": "TA0002:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0008:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0002:T1059",
            "name": "Command and Scripting Interpreter"
          },
          {
            "id": "TA0011:T1090",
            "name": "Proxy"
          },
          {
            "id": "TA0042:T1583.005",
            "name": "Botnet"
          }
        ],
        // Other metadata for this entity
        "title": "TITLE OF REPORT",
        "tlp_color": "WHITE"
      },
      "relevancy": 0.9516951530106196,
      "sources": [
        {
          "name": "Feed name",
          "source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
          "source_type": "incoming_feed"
        }
      ]
    },
    // Other entities
  ],
  "entity_counts": {
    "relation": 78,
    "report": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "platform-version": "2.10.0",
  "timestamp": "2021-06-07T12:28:39.993744+00:00"
}

Known limitations #

Enterprise ATT&CK #

EclecticIQ Intelligence Center only has Enterprise ATT&CK classifications built into EclecticIQ Intelligence Center.

You cannot add to these built-in ATT&CK classifications on the plafrom, or change them.

Assign techniques with ambiguous tactics #

ATT&CK techniques and sub-techniques may belong to more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows for analysts to map data to ATT&CK where techniques or sub-techniques can be identified, but tactics are ambiguous or unavailable.

EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications on EclecticIQ Intelligence Center must have a specific parent tactic.

To work around this, you can assign all possible instances of an ATT&CK classification where the parent classification is ambiguous.

For example, if an entity should be assigned T1072, but has an ambiguous parent tactic, then assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.