MITRE ATT&CK#

Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.

MITRE ATT&CK versions#

Supported versions of MITRE ATT&CK:

  • Supports MITRE ATT&CK v14.1 for Enterprise

  • Legacy support for older versions of MITRE ATT&CK for Enterprise:

    • Entities exported from earlier versions of EclecticIQ Intelligence Center and imported here will retain their original classifications.

    • You can still apply classifications revoked since ATT&CK v9.0 to entities.

  • Revoked or renamed classifications:

    • Entities imported from earlier versions of EclecticIQ Intelligence Center that carry classifications from older versions of ATT&CK which have since been renamed, or revoked and replaced with a different classification, will carry only the new classification.

      E.g. In ATT&CK v11: T1547.011 Plist modification was revoked and replaced with T1647 Plist File Modification.

    • Caution: If a query (e.g. in a dynamic dataset or in rules) uses a revoked or renamed ATT&CK classification, those queries must be updated to use the updated ATT&CK classification to continue to work.

Permissions#

To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:

  • read attack

  • modify entities

Users without the read attack permission can still search for and see ATT&CK classifications that are assigned to entities.

Tip

MITRE ATT&CK classifications are stored on EclecticIQ Intelligence Center as a built-in taxonomy that is only accessible through the Select MITRE ATT&CK classification modal.

The read attack permission allows access to this built-in taxonomy. With this and modify entities permissions, users can add ATT&CK classifications to entities.

Entities and observables#

You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:

  • An entity with an ATT&CK classification

  • An entity or observable related to an entity with an ATT&CK classification

Note

Only entities can be assigned ATT&CK classifications.

ATT&CK classifications appear in the following tabs of the entity builder:

Overview tab#

Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove the ATT&CK classifications assigned to that entity.

MITRE ATT&CK in entity builder

Note

MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.

Neighborhood tab#

You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.

ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:

  • Directly related entities

  • MITRE ATT&CK classifications of entities on the graph

The Directly related entities section lists related entities; for those that have ATT&CK classifications, the ATT&CK IDs column shows their ATT&CK IDs.

MITRE ATT&CK information in Neighborhood tab.

Here, you can:

  • Select the add icon (Plus) to add and remove ATT&CK classifications for that related entity.

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

The MITRE ATT&CK classifications of entities on the graph section displays a table of entities in the current entity or observable’s neighborhood graph that have ATT&CK classifications:

MITRE ATT&CK information for all entities in graph

Here, you can:

  • Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.

  • Select entities in the Classified entities column to open that entity in a new modal.

Add ATT&CK classifications to entities#

Automatic extraction of ATT&CK TTPs

Whenever a report entity is created, through a feed or manually, with MITRE ATT&CK classifications (e.g. T1234 or T1234.765) in its Description or Analysis fields, those classifications are extracted and applied to the resulting report entity.

To add ATT&CK classifications to an entity manually:

  1. Select an entity to open the entity builder Overview tab.

  2. In the Overview tab, scroll down to the MITRE ATT&CK classifications section.

    MITRE ATT&CK in entity builder
  3. Select + ATT&CK CLASSIFICATION.

  4. In the Select MITRE ATT&CK classification modal that appears, select entries to add them to this entity.

    Select MITRE ATT&CK classification modal
  5. Select Select to save your changes.

Tip

When selecting ATT&CK classifications in Select MITRE ATT&CK classification, you can hover over the information icon (Information) to display information about that ATT&CK classification.

Select READ MORE to go to the page for that classification on https://attack.mitre.org/.

Hover over information icon to display ATT&CK information

Browse by ATT&CK classification#

When viewing entities in Search (Search icon) > GO TO SEARCH AND BROWSE > Entities, you can:

  • Display ATT&CK classifications for results

  • Filter results by ATT&CK classification

MITRE ATT&CK column in BROWSE

If the MITRE ATT&CK column is not visible, you can set EclecticIQ Intelligence Center to display it:

  1. On the right of the table of search results, select the Settings icon (Settings).

    Customize list columns.
  2. In the Customize list columns modal that appears, select MITRE ATT&CK.

  3. Select SAVE.

You can filter results by ATT&CK classification in BROWSE > Entities:

  1. Select Filter (Filter) in the top left.

  2. Select the MITRE ATT&CK section to expand it.

  3. Start typing to search for an ATT&CK classification.

    Select one or more ATT&CK classifications from the list to filter results by.

    Filter by ATT&CK classification

Search by ATT&CK classification#

You can search for entities that have ATT&CK classifications by searching EclecticIQ Intelligence Center with these queries:

meta.attack.id: <ATT&CK_ID>

    Retrieves entities classified with that ATT&CK ID. For the possible ways to write <ATT&CK_ID>, see the table below.

    For example, meta.attack.id: T1001 retrieves all entities that are classified with technique T1001.

meta.attack.name: <string>

    Retrieves entities whose assigned ATT&CK classifications contain <string> in their names.

    For example, meta.attack.name: "encrypted" retrieves all entities that have ATT&CK classifications with names that contain “encrypted”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.

<ATT&CK_ID> can be written in these ways:

  Syntax                                          Example
  <TACTIC_ID>                                     TA0042
  <TECHNIQUE_ID>                                  T1583
  <TECHNIQUE_ID>.<SUBTECHNIQUE_ID>                T1583.005
  <TACTIC_ID>:<TECHNIQUE_ID>.<SUBTECHNIQUE_ID>    TA0042:T1583.005
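The ID syntax table above, the automatic extraction of technique IDs from the Description and Analysis fields, and the caution that saved queries referencing revoked or renamed classifications must be updated can all be exercised with a small helper. The following Python is an added example written for this page; it is not part of EclecticIQ Intelligence Center and does not call its API. The only revoked-ID mapping it knows is the page's own T1547.011 to T1647 example; the function and variable names are this example's own.

```python
import re

# Patterns for the ID forms in the query syntax table: a tactic (TA0042), a
# technique (T1583) and a sub-technique (T1583.005). A tactic-qualified
# technique joins the two with a colon (TA0042:T1583.005).
TACTIC_PATTERN = re.compile(r"TA\d{4}")
TECHNIQUE_PATTERN = re.compile(r"T\d{4}(?:\.\d{3})?")

# Renamed or revoked classifications and their replacements. The single entry
# is the page's ATT&CK v11 example; a real mapping would be built from the
# ATT&CK release notes for the version in use (assumption of this example).
REVOKED_TECHNIQUES = {"T1547.011": "T1647"}


def parse_attack_id(value):
    """Split an <ATT&CK_ID> into its tactic, technique and sub-technique parts.

    Accepts the four forms from the syntax table and raises ValueError for
    anything else, so a malformed ID is rejected before it reaches a query.
    """
    tactic = technique = subtechnique = None
    head, colon, tail = value.strip().partition(":")
    if colon:
        # <TACTIC_ID>:<TECHNIQUE_ID>[.<SUBTECHNIQUE_ID>]
        if not (TACTIC_PATTERN.fullmatch(head) and TECHNIQUE_PATTERN.fullmatch(tail)):
            raise ValueError(f"malformed ATT&CK ID: {value!r}")
        tactic, technique_part = head, tail
    elif TACTIC_PATTERN.fullmatch(head):
        tactic, technique_part = head, ""
    elif TECHNIQUE_PATTERN.fullmatch(head):
        technique_part = head
    else:
        raise ValueError(f"malformed ATT&CK ID: {value!r}")
    if technique_part:
        technique, _, sub = technique_part.partition(".")
        subtechnique = sub or None
    return {"tactic": tactic, "technique": technique, "subtechnique": subtechnique}


def is_valid_attack_id(value):
    """True when parse_attack_id accepts the value."""
    try:
        parse_attack_id(value)
    except ValueError:
        return False
    return True


def id_query(value):
    """Build a meta.attack.id query for a validated <ATT&CK_ID>."""
    parse_attack_id(value)  # raises on malformed input
    return f"meta.attack.id: {value.strip()}"


def extract_technique_ids(text):
    """Return technique and sub-technique IDs found in free text, in order of
    first appearance and without duplicates. Tactic IDs (TA....) do not match
    because the pattern needs 'T' followed directly by digits."""
    found = []
    for match in re.finditer(r"\bT\d{4}(?:\.\d{3})?\b", text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def update_revoked(query, mapping=REVOKED_TECHNIQUES):
    """Rewrite technique IDs in a saved query that were revoked or renamed.

    Only the technique part is replaced; when the query also names a tactic,
    the analyst still has to confirm that the replacement technique belongs
    to that tactic in the current ATT&CK version.
    """
    return TECHNIQUE_PATTERN.sub(lambda m: mapping.get(m.group(0), m.group(0)), query)
```

Running update_revoked over every saved dynamic-dataset or rule query after an ATT&CK version upgrade is one way to find the queries the caution above says will silently stop matching.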

Export entities#

Only the EclecticIQ JSON export format supports ATT&CK classifications.

When exporting to JSON, the ATT&CK classifications appear in the meta.attack field of the resulting JSON object:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    // Other entities
    {
      "attachments": [],
      "data": {
        // Data for this entity
      },
      "enrichment_extracts": [],
      "external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "extracts": [
        // Observables
      ],
      "id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "meta": {
        "attack": [
          {
            "id": "TA0040:T1486",
            "name": "Data Encrypted for Impact"
          },
          {
            "id": "TA0011:T1001",
            "name": "Data Obfuscation"
          },
          {
            "id": "TA0040:T1485",
            "name": "Data Destruction"
          },
          {
            "id": "TA0001:T1190",
            "name": "Exploit Public-Facing Application"
          },
          {
            "id": "TA0003:T1505",
            "name": "Server Software Component"
          },
          {
            "id": "TA0002:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0008:T1072",
            "name": "Software Deployment Tools"
          },
          {
            "id": "TA0002:T1059",
            "name": "Command and Scripting Interpreter"
          },
          {
            "id": "TA0011:T1090",
            "name": "Proxy"
          },
          {
            "id": "TA0042:T1583.005",
            "name": "Botnet"
          }
        ],
        // Other metadata for this entity
        "title": "TITLE OF REPORT",
        "tlp_color": "WHITE"
      },
      "relevancy": 0.9516951530106196,
      "sources": [
        {
          "name": "Feed name",
          "source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
          "source_type": "incoming_feed"
        }
      ]
    },
    // Other entities
  ],
  "entity_counts": {
    "relation": 78,
    "report": 1
  },
  "outgoing_feed_name": "Exported Entities",
  "platform-version": "2.10.0",
  "timestamp": "2021-06-07T12:28:39.993744+00:00"
}

Known limitations#

Enterprise ATT&CK#

Only Enterprise ATT&CK classifications are built into EclecticIQ Intelligence Center.

You cannot add to these built-in ATT&CK classifications on the platform, or change them.

Assign techniques with ambiguous tactics#

ATT&CK techniques and sub-techniques may belong to more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both the “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK where techniques or sub-techniques can be identified, but tactics are ambiguous or unavailable.

EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications on EclecticIQ Intelligence Center must have a specific parent tactic.

To work around this, you can assign every possible instance of an ATT&CK classification whose parent tactic is ambiguous.

For example, if an entity should be assigned T1072, but the parent tactic is ambiguous, then assign both TA0002:T1072 and TA0008:T1072 to the entity to preserve that ambiguity.
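The JSON export above and the ambiguous-tactic workaround just described can be checked together by reading an export and looking for techniques an entity carries under more than one tactic. The following Python is an added example written for this page, not EclecticIQ code; the export it parses is a constructed sample trimmed to the fields the example reads (content-type, entities[].id, entities[].meta.attack), and the function names are this example's own.

```python
import json
from collections import defaultdict

# Constructed sample of an EclecticIQ JSON export, trimmed to the fields this
# example reads. The first entity carries T1072 under both TA0002 and TA0008,
# the workaround the page describes for an ambiguous parent tactic.
SAMPLE_EXPORT = """{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "entities": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "meta": {
        "title": "Sample report",
        "attack": [
          {"id": "TA0002:T1072", "name": "Software Deployment Tools"},
          {"id": "TA0008:T1072", "name": "Software Deployment Tools"},
          {"id": "TA0042:T1583.005", "name": "Botnet"}
        ]
      }
    },
    {
      "id": "00000000-0000-0000-0000-000000000002",
      "meta": {"title": "Entity without classifications"}
    }
  ]
}"""


def load_export(text):
    """Parse an export and check it is the EclecticIQ JSON format, the only
    export format that carries ATT&CK classifications."""
    doc = json.loads(text)
    if doc.get("content-type") != "urn:eclecticiq.com:json:1.0":
        raise ValueError("not an EclecticIQ JSON export")
    return doc


def attack_classifications(doc):
    """Return {entity_id: [(tactic, technique, name), ...]} for every entity.

    Each meta.attack id has the form TACTIC:TECHNIQUE[.SUB]; entities without
    the field get an empty list so callers can treat them uniformly.
    """
    result = {}
    for entity in doc.get("entities", []):
        items = []
        for entry in entity.get("meta", {}).get("attack") or []:
            tactic, _, technique = entry["id"].partition(":")
            items.append((tactic, technique, entry["name"]))
        result[entity["id"]] = items
    return result


def ambiguous_techniques(doc):
    """Find techniques an entity carries under more than one tactic.

    Returns {entity_id: {technique: [tactics...]}}. A hit means the analyst
    assigned every candidate tactic rather than choosing one, so a downstream
    consumer should not count that technique once per tactic.
    """
    report = {}
    for entity_id, items in attack_classifications(doc).items():
        tactics_by_technique = defaultdict(set)
        for tactic, technique, _ in items:
            tactics_by_technique[technique].add(tactic)
        ambiguous = {t: sorted(ts) for t, ts in tactics_by_technique.items() if len(ts) > 1}
        if ambiguous:
            report[entity_id] = ambiguous
    return report


def technique_inventory(doc):
    """Sorted list of distinct techniques across the export with the tactic
    stripped, so a technique assigned under two tactics appears once."""
    return sorted({technique for items in attack_classifications(doc).values()
                   for _, technique, _ in items})


if __name__ == "__main__":
    doc = load_export(SAMPLE_EXPORT)
    for entity_id, techniques in ambiguous_techniques(doc).items():
        for technique, tactics in techniques.items():
            print(f"{entity_id}: {technique} under {', '.join(tactics)}")
    print("techniques:", ", ".join(technique_inventory(doc)))
```

Because the export stores one meta.attack entry per tactic, any consumer that counts entries, for example a coverage heat map, would double-count T1072 here; technique_inventory strips the tactic so each technique is counted once.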