MITRE ATTACK#
Add MITRE ATT&CK classifications to entities to provide additional context for your intelligence.
MITRE ATT&CK versions#
Supported versions of MITRE ATT&CK:
Supports MITRE ATT&CK v14.1 for Enterprise
Legacy support for older versions of MITRE ATT&CK for Enterprise:
Entities exported from earlier versions of EclecticIQ Intelligence Center and imported here will retain their original classifications.
You can still apply classifications revoked since ATT&CK v9.0 to entities.
Revoked or renamed classifications:
Entities imported from earlier versions of EclecticIQ Intelligence Center may carry classifications from older versions of ATT&CK that have since been renamed, or revoked and replaced with a different classification. After import, such entities carry only the new classification.
E.g. In ATT&CK v11: T1547.011 Plist modification was revoked and replaced with T1647 Plist File Modification.
Caution: If a query (e.g. in a dynamic dataset or in a rule) uses a revoked or renamed ATT&CK classification, it will stop matching. Update such queries to use the current ATT&CK classification.
Permissions#
To be able to assign ATT&CK classifications to an entity, your user must have a role with these permissions:
read attack
modify entities
All users can still search for and see ATT&CK classifications assigned to entities without the read attack permission.
Tip
MITRE ATT&CK classifications are stored on EclecticIQ Intelligence Center as a built-in taxonomy that is only accessible through the Select MITRE ATT&CK classification modal. The read attack permission grants access to this built-in taxonomy. With this and the modify entities permission, users can add ATT&CK classifications to entities.
Entities and observables#
You can see MITRE ATT&CK classifications assigned to an entity when you open these in the entity builder:
An entity with an ATT&CK classification
An entity or observable related to an entity with an ATT&CK classification
Note
Only entities can be assigned ATT&CK classifications.
ATT&CK classifications appear in the following tabs of the entity builder:
Overview tab#
Entities have a MITRE ATT&CK field in the entity builder OVERVIEW tab. This field allows you to add and remove the ATT&CK classifications assigned to that entity.
Note
MITRE ATT&CK classifications are not displayed when you Edit an entity. They are only visible in the entity OVERVIEW tab.
Neighborhood tab#
You can also see the ATT&CK classifications assigned to a related entity in the NEIGHBORHOOD tab when viewing entities and observables.
ATT&CK classifications appear in two sections under the NEIGHBORHOOD tab:
Directly related entities
MITRE ATT&CK classifications of entities on the graph
The Directly related entities section lists, in its ATT&CK IDs column, the ATT&CK IDs of related entities that have ATT&CK classifications.
Here, you can:
Select the add icon to add and remove ATT&CK classifications for that related entity.
Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.
The MITRE ATT&CK classifications of entities on the graph section displays a table of entities in the current entity or observable’s neighborhood graph that have ATT&CK classifications:
Here, you can:
Select the ATT&CK ID (e.g., T1059.004) to display a description of that ATT&CK classification.
Select entities in the Classified entities column to open that entity in a new modal.
Add ATT&CK classifications to entities#
Automatic extraction of ATT&CK TTPs
Whenever a report entity is created, through a feed or manually, with MITRE ATT&CK classifications (e.g. T1234 or T1234.765) in its Description or Analysis fields, these classifications are extracted and applied to the resulting report entity.
Select an entity to open the entity builder Overview tab.
In the Overview tab, scroll down to the MITRE ATT&CK classifications section.
Select + ATT&CK CLASSIFICATION.
In the Select MITRE ATT&CK classification modal that appears, select entries to add them to this entity.
Select Select to save your changes.
Tip
When selecting ATT&CK classifications in Select MITRE ATT&CK classification, you can hover over the information icon to display information about that ATT&CK classification.
Select READ MORE to go to the page for that classification on https://attack.mitre.org/.
Browse by ATT&CK classification#
When viewing entities in Search > GO TO SEARCH AND BROWSE > Entities, you can:
Display ATT&CK classifications for results
Filter results by ATT&CK classification
If the MITRE ATT&CK column is not visible, you can set EclecticIQ Intelligence Center to display it:
On the right of the table of search results, select the Settings icon.
In the Customize list columns modal that appears, select MITRE ATT&CK.
Select SAVE.
You can filter results by ATT&CK classification in BROWSE > Entities by:
Search by ATT&CK classification#
You can search for entities that have ATT&CK classifications by searching EclecticIQ Intelligence Center with these queries:
Query | Description
---|---
meta.attack.id:<ATT&CK_ID> | Retrieves entities classified with that ATT&CK ID. For the possible ways to write <ATT&CK_ID>, see the table below. For example: meta.attack.id: T1001 retrieves all entities that are classified with technique T1001.
meta.attack.name:<text> | Retrieves entities whose assigned ATT&CK classifications have names containing <text>. For example: meta.attack.name: "encrypted" retrieves all entities that have ATT&CK classifications with names that contain “encrypted”, such as techniques “T1573 Encrypted Channel” and “T1486 Data Encrypted for Impact”.
<ATT&CK_ID> can be written in these ways:
Syntax | Example
---|---
T#### (technique) | T1001
T####.### (sub-technique) | T1059.004
TA####:T#### (tactic and technique) | TA0011:T1001
TA####:T####.### (tactic and sub-technique) | TA0042:T1583.005
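As an added example (not part of this documentation or of the EclecticIQ product), the following Python recognises the four ID forms in the table above, pulls IDs out of free text the way the automatic extraction described under Add ATT&CK classifications does, and rewrites revoked IDs in a saved query as the Caution at the top of the page requires. The ATTACK_ID_RE pattern, the function names, the REVOKED_IDS table and the sample description are assumptions constructed for this example; only the T1547.011 to T1647 entry comes from this page. Its tactic prefix, TA0005 Defense Evasion, is taken from ATT&CK itself, and it differs from the Persistence tactic of the revoked ID, which is why the helper does not simply keep the old tactic prefix.

```python
import re
from typing import NamedTuple, Optional

# One pattern for the four forms on this page: T1001, T1059.004,
# TA0011:T1001 and TA0042:T1583.005. The tactic prefix and the
# sub-technique suffix are both optional; \b stops T10011 matching T1001.
ATTACK_ID_RE = re.compile(
    r"\b(?:(?P<tactic>TA\d{4}):)?(?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?\b"
)

# Revoked/renamed IDs and their replacements, written with the replacement's
# own tactic because it can differ from the old one: T1547.011 sat under
# Persistence, its replacement T1647 is Defense Evasion (TA0005).
# Only this entry comes from the page; extend the table from the ATT&CK
# changelog of the version you run (assumed structure, not product data).
REVOKED_IDS = {
    "T1547.011": "TA0005:T1647",
}


class AttackId(NamedTuple):
    tactic: Optional[str]
    technique: str
    sub_technique: Optional[str]

    @property
    def technique_id(self) -> str:
        """ID without the tactic prefix, e.g. 'T1059.004'."""
        if self.sub_technique is None:
            return self.technique
        return f"{self.technique}.{self.sub_technique}"

    def __str__(self) -> str:
        return f"{self.tactic}:{self.technique_id}" if self.tactic else self.technique_id


def _from_match(m: "re.Match[str]") -> AttackId:
    return AttackId(m.group("tactic"), m.group("technique"), m.group("sub"))


def parse_attack_id(text: str) -> AttackId:
    """Parse exactly one ID in any of the four forms; reject anything else."""
    m = ATTACK_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an ATT&CK ID: {text!r}")
    return _from_match(m)


def extract_attack_ids(text: str) -> list[AttackId]:
    """IDs mentioned in free text (a Description or Analysis field),
    deduplicated in order of first appearance."""
    found: dict[str, AttackId] = {}
    for m in ATTACK_ID_RE.finditer(text):
        aid = _from_match(m)
        found.setdefault(str(aid), aid)
    return list(found.values())


def current_id(aid: AttackId) -> AttackId:
    """Replace a revoked ID, keeping the input's prefixed/unprefixed style."""
    replacement = REVOKED_IDS.get(aid.technique_id)
    if replacement is None:
        return aid
    new = parse_attack_id(replacement)
    return new if aid.tactic else AttackId(None, new.technique, new.sub_technique)


def rewrite_query(query: str) -> str:
    """Update a saved query (dynamic dataset, rule) so revoked IDs keep matching."""
    return ATTACK_ID_RE.sub(lambda m: str(current_id(_from_match(m))), query)


# Constructed sample text, not a real report.
SAMPLE_DESCRIPTION = (
    "Initial access via T1190; commands run with TA0002:T1059.004; "
    "persistence through T1547.011; T1190 was reused on a second host."
)

if __name__ == "__main__":
    for aid in extract_attack_ids(SAMPLE_DESCRIPTION):
        print(f"{aid!s:>20} -> {current_id(aid)}")
    print(rewrite_query("meta.attack.id: T1547.011"))
```

Note that the pattern is case-sensitive and anchored on word boundaries, so IDs embedded in longer tokens (for example a hash that happens to contain T1001) are not picked up, and a query that only names a classification (meta.attack.name: "encrypted") passes through rewrite_query unchanged.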
Export entities#
Only the EclecticIQ JSON export format supports ATT&CK classifications. When exporting to JSON, the ATT&CK classifications appear in the meta.attack field of the resulting JSON object:
{
"content-type": "urn:eclecticiq.com:json:1.0",
"enrichments": [],
"entities": [
// Other entities
{
"attachments": [],
"data": {
// Data for this entity
},
"enrichment_extracts": [],
"external_url": "https://platform.example.com/entity/8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
"extracts": [
// Observables
],
"id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
"meta": {
"attack": [
{
"id": "TA0040:T1486",
"name": "Data Encrypted for Impact"
},
{
"id": "TA0011:T1001",
"name": "Data Obfuscation"
},
{
"id": "TA0040:T1485",
"name": "Data Destruction"
},
{
"id": "TA0001:T1190",
"name": "Exploit Public-Facing Application"
},
{
"id": "TA0003:T1505",
"name": "Server Software Component"
},
{
"id": "TA0002:T1072",
"name": "Software Deployment Tools"
},
{
"id": "TA0008:T1072",
"name": "Software Deployment Tools"
},
{
"id": "TA0002:T1059",
"name": "Command and Scripting Interpreter"
},
{
"id": "TA0011:T1090",
"name": "Proxy"
},
{
"id": "TA0042:T1583.005",
"name": "Botnet"
}
],
// Other metadata for this entity
"title": "TITLE OF REPORT",
"tlp_color": "WHITE"
},
"relevancy": 0.9516951530106196,
"sources": [
{
"name": "Feed name",
"source_id": "4e72f561-1c28-457a-a625-2ec9f40c87d1",
"source_type": "incoming_feed"
}
]
},
// Other entities
],
"entity_counts": {
"relation": 78,
"report": 1
},
"outgoing_feed_name": "Exported Entities",
"platform-version": "2.10.0",
"timestamp": "2021-06-07T12:28:39.993744+00:00"
}
Known limitations#
Enterprise ATT&CK#
Only Enterprise ATT&CK classifications are built into EclecticIQ Intelligence Center.
You cannot add to these built-in ATT&CK classifications on the platform, or change them.
Assign techniques with ambiguous tactics#
ATT&CK techniques and sub-techniques may belong to more than one tactic.
For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in both the “TA0002 Execution” and “TA0008 Lateral Movement” tactics. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK where techniques or sub-techniques can be identified but tactics are ambiguous or unavailable.
EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications on EclecticIQ Intelligence Center must have a specific parent tactic.
To work around this, you can assign every tactic-qualified form of an ATT&CK classification whose parent tactic is ambiguous.
For example, if an entity should be assigned T1072, but has an ambiguous parent tactic, then assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.
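To show what the export and this workaround look like from the consuming side, here is an added Python example (not part of this documentation or of the EclecticIQ product) that reads the meta.attack field of the JSON export shown above, groups techniques by tactic, and reports every technique that has been assigned under more than one tactic, which is exactly what the T1072 workaround produces. EXPORT_JSON is a trimmed copy of the export shown under Export entities plus one constructed entity with no ATT&CK data, so the empty case is exercised; the function names are the example's own.

```python
import json
from collections import defaultdict

# Trimmed copy of the export shown on this page, plus one constructed entity
# without a meta.attack field so the empty case is exercised.
EXPORT_JSON = """
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "entities": [
    {
      "id": "8629ca97-9cc0-4974-9d4b-a4e56b734ca4",
      "meta": {
        "title": "TITLE OF REPORT",
        "attack": [
          {"id": "TA0040:T1486", "name": "Data Encrypted for Impact"},
          {"id": "TA0011:T1001", "name": "Data Obfuscation"},
          {"id": "TA0040:T1485", "name": "Data Destruction"},
          {"id": "TA0001:T1190", "name": "Exploit Public-Facing Application"},
          {"id": "TA0003:T1505", "name": "Server Software Component"},
          {"id": "TA0002:T1072", "name": "Software Deployment Tools"},
          {"id": "TA0008:T1072", "name": "Software Deployment Tools"},
          {"id": "TA0002:T1059", "name": "Command and Scripting Interpreter"},
          {"id": "TA0011:T1090", "name": "Proxy"},
          {"id": "TA0042:T1583.005", "name": "Botnet"}
        ]
      }
    },
    {
      "id": "00000000-0000-4000-8000-000000000002",
      "meta": {"title": "Constructed entity with no ATT&CK classifications"}
    }
  ]
}
"""


def load_export(text: str) -> dict:
    """Parse an export and refuse anything that is not the EclecticIQ JSON format."""
    doc = json.loads(text)
    if doc.get("content-type") != "urn:eclecticiq.com:json:1.0":
        raise ValueError(f"unexpected content-type: {doc.get('content-type')!r}")
    return doc


def classifications(doc: dict) -> dict[str, list[tuple[str, str]]]:
    """{entity id: [(tactic, technique), ...]}; entities without meta.attack get []."""
    out: dict[str, list[tuple[str, str]]] = {}
    for entity in doc["entities"]:
        pairs: list[tuple[str, str]] = []
        for entry in entity.get("meta", {}).get("attack", []):
            tactic, sep, technique = entry["id"].partition(":")
            # The export always carries TAxxxx:Txxxx[.yyy]; anything else is corrupt.
            if not sep or not tactic.startswith("TA") or not technique.startswith("T"):
                raise ValueError(f"malformed ATT&CK id {entry['id']!r}")
            pairs.append((tactic, technique))
        out[entity["id"]] = pairs
    return out


def techniques_by_tactic(doc: dict) -> dict[str, set[str]]:
    """Techniques seen under each tactic across the whole export."""
    by_tactic: dict[str, set[str]] = defaultdict(set)
    for pairs in classifications(doc).values():
        for tactic, technique in pairs:
            by_tactic[tactic].add(technique)
    return dict(by_tactic)


def ambiguous_techniques(doc: dict) -> dict[str, set[str]]:
    """Techniques assigned under more than one tactic, i.e. the workaround
    above as it appears in an export: T1072 under both TA0002 and TA0008."""
    tactics: dict[str, set[str]] = defaultdict(set)
    for pairs in classifications(doc).values():
        for tactic, technique in pairs:
            tactics[technique].add(tactic)
    return {t: s for t, s in tactics.items() if len(s) > 1}


def distinct_techniques(doc: dict) -> set[str]:
    """Tactic-free technique set, for consumers that do not want the tactic."""
    return {technique for pairs in classifications(doc).values() for _, technique in pairs}


if __name__ == "__main__":
    doc = load_export(EXPORT_JSON)
    for technique, tactics in sorted(ambiguous_techniques(doc).items()):
        print(f"{technique} is assigned under {sorted(tactics)}")
    print(sorted(distinct_techniques(doc)))
```

Because the platform stores one tactic:technique pair per classification, a downstream tool that keys on technique alone must collapse duplicates itself; distinct_techniques does that, while ambiguous_techniques tells you which techniques were deliberately doubled up so you can decide whether to keep or resolve the ambiguity.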