MITRE ATT&CK | Classifications | Manage#

In Intelligence Center, you can:

Permissions#

To be able to work with classifications, your user must have a role with these permissions:

  • read attack to access the MITRE ATT&CK classification taxonomy and use it to search and filter entities.

  • modify entities to add ATT&CK classifications to entities.

Assign classifications to an entity#

Automatic extraction of ATT&CK classifications

When a Report entity is created with MITRE ATT&CK classifications (e.g. T1234 or T1234.765) in its Description or Analysis field, these classifications will be extracted and added to that Entity. This is true for both manually created and ingested entities.
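The extraction described above can be reproduced with a small pattern matcher. The following is an added example, not code from EclecticIQ Intelligence Center; it assumes a report is a plain dictionary whose text fields are named `description` and `analysis` (hypothetical names), and the sample report text is constructed for illustration.

```python
import re

# An ATT&CK technique ID is "T" plus four digits (T1234); a sub-technique adds a
# dot and three digits (T1234.765). The word boundaries stop the pattern from
# matching inside longer tokens such as "ST1234" or "T12345".
ATTACK_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_attack_ids(text: str) -> list[str]:
    """Return the unique technique/sub-technique IDs found in text, in order of first appearance."""
    found: list[str] = []
    for match in ATTACK_ID_RE.finditer(text):
        technique_id = match.group(0)
        if technique_id not in found:
            found.append(technique_id)
    return found


def extract_from_report(report: dict) -> list[str]:
    """Collect IDs from the Description and Analysis fields, which the page says are scanned.

    The field names "description" and "analysis" are assumptions for this example.
    """
    classifications: list[str] = []
    for field in ("description", "analysis"):
        for technique_id in extract_attack_ids(report.get(field, "")):
            if technique_id not in classifications:
                classifications.append(technique_id)
    return classifications


# Constructed sample report (not from the original page).
SAMPLE_REPORT = {
    "description": "Actor staged tooling via T1072 and ran scripts (T1059.001). "
                   "Reference ST1234 is a ticket number, not a technique.",
    "analysis": "T1059.001 was observed again; sub-technique T1234.765 is a placeholder.",
}

if __name__ == "__main__":
    print(extract_from_report(SAMPLE_REPORT))
```

Run the file directly to see the de-duplicated list for the sample report. The pattern is case-sensitive on purpose: real ATT&CK IDs are upper-case, and accepting "t1072" would also pick up unrelated lower-case tokens.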

  1. Open an entity (through search and browse, for example).

  2. On the Overview tab, scroll down to the MITRE ATT&CK classifications section.

  3. Select + ATT&CK CLASSIFICATION.

  4. In the Select MITRE ATT&CK classification modal that appears, select classifications to add them to this entity.

  5. Select Select to save your changes.

Unassign an entity’s classifications#

  1. Open an entity (through search and browse, for example).

  2. On the Overview tab, scroll down to the MITRE ATT&CK classifications section.

  3. In the row of the classifications that you want to unassign, select X Delete classification.

(Un)assign as a bulk action#

You can also (un)assign classifications for multiple entities at once as a bulk action.

  1. In an entity table, either:

     • select all entities you want to change classifications for using the checkboxes in their rows;

     • select all entities in view with the checkbox in the top-left corner of the table;

     • select all entities in the current entity table (with applied filters) by selecting the checkbox in the top-left corner of the table and then selecting Select all … entities.

  2. Select MITRE ATT&CK from the entity table header.

  3. Unassign classifications by selecting individual classifications from the field or by selecting Remove all techniques and tactics.

  4. Assign new classifications by entering a query in the Select one or more techniques and tactics field or selecting new classifications from the dropdown.

  5. Select Save.

Techniques with ambiguous tactics#

Some MITRE ATT&CK techniques and sub-techniques are associated with more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in two tactics: “TA0002 Execution” and “TA0008 Lateral Movement”.
The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK when techniques or sub-techniques can be identified, but it’s unknown to which parent tactic it .

EclecticIQ Intelligence Center does not support this ambiguity. All ATT&CK classifications in EclecticIQ Intelligence Center must have a specific parent tactic.

To work around this, in instances where an ATT&CK classification’s parent tactic is ambiguous, assign all possible parent tactics.
For example, to assign “T1072 Software Deployment Tools” to an entity and leave its parent tactic ambiguous, assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.
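The workaround above, expanding a technique into one tactic-qualified classification per possible parent tactic, can be automated before a bulk assign. This is an added example, not EclecticIQ code. The T1072 entry reuses the tactics the page names; the T1234 entry and its tactic are constructed placeholders, and the table as a whole stands in for a real ATT&CK lookup you would load from the ATT&CK STIX data.

```python
# Constructed technique -> parent tactics table. T1072's two tactics come from the page;
# T1234 is the page's placeholder ID with a constructed tactic. A real deployment would
# build this from the ATT&CK dataset rather than hard-code it.
TECHNIQUE_TACTICS: dict[str, list[str]] = {
    "T1072": ["TA0002", "TA0008"],  # Software Deployment Tools: Execution, Lateral Movement
    "T1234": ["TA0002"],            # placeholder technique, constructed
}


def parent_tactics(technique_id: str, lookup: dict[str, list[str]]) -> list[str]:
    """Return every parent tactic for a technique or sub-technique.

    In ATT&CK a sub-technique (T1234.765) belongs to the same tactics as its parent
    technique (T1234), so a sub-technique missing from the table falls back to its parent.
    """
    if technique_id in lookup:
        return lookup[technique_id]
    parent, _, sub = technique_id.partition(".")
    if sub and parent in lookup:
        return lookup[parent]
    raise KeyError(f"no tactic mapping for {technique_id}")


def expand_to_classifications(technique_ids: list[str], lookup: dict[str, list[str]]) -> list[str]:
    """Turn bare technique IDs into TACTIC:TECHNIQUE pairs, one per possible parent tactic.

    A technique with an ambiguous tactic (T1072) yields both TA0002:T1072 and TA0008:T1072,
    which is how the page says to preserve the ambiguity. Duplicates are dropped.
    """
    classifications: list[str] = []
    for technique_id in technique_ids:
        for tactic_id in parent_tactics(technique_id, lookup):
            entry = f"{tactic_id}:{technique_id}"
            if entry not in classifications:
                classifications.append(entry)
    return classifications


if __name__ == "__main__":
    # Constructed input: IDs as they might come out of a report's text fields.
    print(expand_to_classifications(["T1072", "T1234.765", "T1072"], TECHNIQUE_TACTICS))
```

An unknown technique raises `KeyError` rather than silently producing an unqualified classification, since the Center requires every classification to carry a parent tactic; catch it at the call site if you would rather queue such IDs for manual review.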