MITRE ATT&CK | Classifications | Manage
In Intelligence Center, you can:
* Classify entities with techniques for which it is ambiguous which tactic they belong to.
Permissions
To be able to work with classifications, your user must have a role with these permissions:
* read attack: to access the MITRE ATT&CK classification taxonomy and use it to search and filter entities.
* modify entities: to add ATT&CK classifications to entities.
Assign classifications to an entity
Automatic extraction of ATT&CK classifications: when a Report entity is created with MITRE ATT&CK classifications (e.g. T1234 or T1234.765) in its Description or Analysis field, these classifications are extracted and added to that entity. This is true for both manually created and ingested entities.
1. Open an entity (through search and browse, for example).
2. On the Overview tab, scroll down to the MITRE ATT&CK classifications section.
3. Select + ATT&CK CLASSIFICATION.
4. In the Select MITRE ATT&CK classification modal that appears, select the classifications you want to add to this entity.
5. Select the Select button to save your changes.
Unassign an entity’s classifications
1. Open an entity (through search and browse, for example).
2. On the Overview tab, scroll down to the MITRE ATT&CK classifications section.
3. In the row of the classification that you want to unassign, select X Delete classification.
(Un)assign as a bulk action
You can also (un)assign classifications for multiple entities at once as a bulk action.
1. In an entity table, either:
   * select all entities you want to change classifications for, using the checkboxes in their rows;
   * select all entities in view with the checkbox in the top-left corner of the table; or
   * select all entities in the current entity table (with applied filters) by selecting the checkbox in the top-left corner of the table and then selecting Select all … entities.
2. Select MITRE ATT&CK from the entity table header.
3. Unassign classifications by removing individual classifications from the field or by selecting Remove all techniques and tactics.
4. Assign new classifications by entering a query in the Select one or more techniques and tactics field or by selecting new classifications from the dropdown.
5. Select Save.
Techniques with ambiguous tactics
Some MITRE ATT&CK techniques and sub-techniques are associated with more than one tactic. For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in two tactics: “TA0002 Execution” and “TA0008 Lateral Movement”.
The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK when techniques or sub-techniques can be identified, but it is unknown to which parent tactic they belong.
EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications in EclecticIQ Intelligence Center must have a specific parent tactic.
To work around this, in instances where an ATT&CK classification’s parent tactic is ambiguous, assign all possible parent tactics. For example, to assign “T1072 Software Deployment Tools” to an entity and leave its parent tactic ambiguous, assign both TA0002:T1072 and TA0008:T1072 to the entity.
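As an added example (not EclecticIQ's own extraction code), the script below pulls T1234 / T1234.765 style IDs out of a report's description text, as the automatic extraction above does, and then expands each one into the tactic-qualified TAxxxx:Txxxx forms the platform requires, assigning every parent tactic for an ambiguous technique as the workaround describes. The technique-to-tactic lookup is a constructed stub (only T1072's two tactics come from this page); a real deployment would load it from the ATT&CK STIX data.

```python
import re
from typing import Dict, List, Set

# Matches technique IDs such as T1234 and sub-technique IDs such as T1234.765,
# the forms extracted from Description/Analysis fields.
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed stub of the technique -> parent tactic(s) lookup.
# T1072's tactics are from the page; the T1059 entries are assumed for illustration.
TACTICS_BY_TECHNIQUE: Dict[str, List[str]] = {
    "T1072": ["TA0002", "TA0008"],  # Software Deployment Tools: Execution, Lateral Movement
    "T1059": ["TA0002"],            # Command and Scripting Interpreter: Execution
    "T1059.001": ["TA0002"],        # PowerShell sub-technique: Execution
}


def extract_technique_ids(text: str) -> List[str]:
    """Return technique/sub-technique IDs in order of first appearance, deduplicated."""
    seen: Set[str] = set()
    ids: List[str] = []
    for match in TECHNIQUE_ID.findall(text):
        if match not in seen:
            seen.add(match)
            ids.append(match)
    return ids


def tactic_qualified_classifications(text: str) -> Dict[str, List[str]]:
    """Map each extracted ID to the TAxxxx:Txxxx classifications it needs.

    A technique with several parent tactics yields one classification per tactic,
    which is the workaround for ambiguous techniques. IDs missing from the lookup
    map to an empty list so an analyst can resolve them by hand.
    """
    return {
        tid: [f"{tactic}:{tid}" for tactic in TACTICS_BY_TECHNIQUE.get(tid, [])]
        for tid in extract_technique_ids(text)
    }


if __name__ == "__main__":
    # Constructed sample report text.
    sample = ("The actor staged payloads via T1072 and ran them with T1059.001; "
              "T1072 was also used to move laterally. Ref T9999 is left for review.")
    for tid, classes in tactic_qualified_classifications(sample).items():
        print(tid, "->", classes or "no tactic mapping; assign manually")
```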