Cyber Security

With the huge rise in critical work data on smartphones over the past couple of years, mobile security is more important than ever before. With this in mind, since early 2021 we’ve been re-designing and rewriting the entirety of ATT&CK for Mobile. We’ve also spent a lot of time considering how we want to continue to enhance Mobile moving forward, including increasing community understanding of the mobile threat landscape.

ATT&CK for Mobile Redux

To start out with, we’d like to take this opportunity to (re)introduce ATT&CK for Mobile, by walking through why it exists, how it’s a bit different from ATT&CK for Enterprise, and what’s coming in 2022.

Our ATT&CK for Mobile expedition launched way back in 2016, leveraging community contributions and building on the National Institute for Standards and Technology (NIST) publication Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue, and the accompanying Mobile Threat Catalogue website. ATT&CK for Mobile was originally created to help with the NIST National Cybersecurity Center of Excellence (NCCoE) Mobile Device Security project and the Department of Homeland Security’s Study on Mobile Device Security (2017).

Mobile devices, which we currently scope to smartphones and tablets running Android, iOS, or iPadOS, are almost always powered on, ubiquitously connected to a variety of networks, contain a vast array of sensors, and run a diverse set of applications. While these properties make mobile devices incredibly useful, they also bring significant security threats.

The security architectures featured on mobile devices are based on lessons learned from the traditional PC environment, notably by providing application sandboxes and permission controls. These architectures provide significant security advantages, but threats still exist against mobile devices. The same detection and mitigation approaches used in enterprise PC environments often don’t work in the mobile environment and alternate approaches have to be leveraged. When ATT&CK for Mobile was publicly released in 2017, the goal was to provide those alternate detection and mitigation approaches, and to serve as dedicated resource to the broader mobile community.

Matrix Structure

Like ATT&CK for ICS, and ATT&CK for Enterprise, ATT&CK for Mobile is a Domain in ATT&CK, with its own separate matrix and content. Despite this separation, Mobile’s matrix still leverages ATT&CK for Enterprise’s structure, just with a distinctly Mobile flavor. ATT&CK for Mobile currently features 92 techniques, each with Android and/or iOS (and iPadOS) specific descriptions, procedures, detections, and mitigations. Mobile also shares the same Software and Groups sections as ATT&CK for Enterprise, but with limited overlap between the Enterprise and Mobile entries.

Leveraging Mobile

The Mobile matrix can be operationalized for many of the same use cases as Enterprise ATT&CK. Some of the use cases we’ve seen include:

• Determining and prioritizing development coverage of defensive capabilities
• Identifying commonalities and distinguishing characteristics in adversary tradecraft
• Connecting mitigations, weaknesses, and adversaries
• Determining effective security testing strategies
• Evaluating mobile security products with adversary emulations
• Assessing the security posture of mobile devices

Additionally, with many organizations adopting ATT&CK for Mobile within their public threat intelligence reporting, we’re seeing it being used more frequency as a common language to describe adversary behavior. We’re also aware of ATT&CK for Mobile being used internally within vendors’ threat intelligence teams to categorize observations, as well as by vendors to map their mobile security product capabilities.

2022 ATT&CK for Mobile Roadmap

Now that you’ve had a Mobile refresher, we’d like to highlight what’s next in 2022. We noted these in the mobile section of the ATT&CK 2022 Roadmap, but wanted to spend some more time on the details given the size of the changes coming.

Sub-Techniques

The mobile team has been refactoring and rewriting ATT&CK for Mobile over the last several months, with the goal of content equity with Enterprise. This included the language contained within the Mobile techniques themselves, as well as mobile-specific mitigations and detections. Most significantly, we’ve also been working towards the sub-technique structure Enterprise introduced a couple of years ago.

We plan on releasing a beta version of Mobile sub-techniques in April 2022 with the ATT&CK v11 release. Similar to Enterprise’s sub-technique rollout, we will be providing a crosswalk from old technique IDs to new technique IDs or mapping newly broken-out sub-techniques to higher level techniques. This should minimize the overhead incurred when transitioning to the new sub-technique structure.

The sub-technique beta release will be published on a separate website alongside the main ATT&CK website, clearly charting out the changes. This companion site will give the community a couple of months to preview, process, and provide feedback on the full scope of the changes before we finalize that version and make it official. Once we release the new ATT&CK for Mobile framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments. When we’re finished working through the input we receive from the community, we expect to replace the current matrix with the sub-technique structure by Summer 2022.

The screenshots below show a sample parent technique and two sub-techniques: Input Capture, Keylogging (sub), and GUI Input Capture (sub).

Data Sources

Once our sub-techniques are released, we’ll pivot to researching and drafting plans to introduce Data Source objects to Mobile, mirroring the concept of Data Source objects that Enterprise recently published. Some examples of mobile-specific Data Sources could include:

• Application Binaries
• Attestation APIs
• Network Traffic

The new metadata provided by data sources includes the concepts of relationships and data components. These concepts will more effectively represent adversary behavior from a data perspective and will provide an additional sub-layer of context to data sources. Data components narrow the identification of security events, but also create a bridge between high- and low-level concepts to inform data collection strategies. They’ll also provide a good reference point to start mapping telemetry collected in your environment to specific sub(techniques) and/or tactics. With the additional context around each data source, the results can be leveraged with more detail when defining data collection strategy for techniques and sub-techniques.

Mobile Threat Awareness Building

Building on the criticality of a collective community understanding of Mobile threats, we kicked off a mini-series back in 2021 highlighting significant threats to mobile devices, starting with abuse of Android application permissions. We plan to continue the series this year, underscoring some of the key mobile threats, and how to use ATT&CK for Mobile to mitigate them.

In Closing

Mobile’s matrix of adversary behavior has continued to grow with each new ATT&CK content release, in strong part due to the contributions we receive. ATT&CK for Mobile is an evolving effort and our goal is to continue to improve and mature the it. We rely on the mobile security community to share data and validate our content and look forward to collaborating with you to ensure the matrix remains beneficial.

We always welcome feedback on ATT&CK for Mobile, including how you view Mobile and Enterprise security together, and where we can improve. You can check out our Contributions page for additional information, or connect with us via email, Twitter, or Slack.

©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21–00706–23.

---

ATT&CK for Mobile: Reintroduction and 2022 Goals was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Where We’ve Been and Where We’re Going​

In 2021, as we navigated a pandemic and moved into a new normal, we continued evolving ATT&CK without any significant structural overhauls (as promised). We were able to make strides in many areas — including the ATT&CK data sources methodology, to more effectively represent adversary behavior from a data perspective. We refined and added new macOS and Linux content and released ATT&CK for Containers. The Cloud domain benefitted from consolidation of the former AWS, Azure, and GCP platforms into a single IaaS (Infrastructure as a Service) platform. We updated ICS with cross-domain mappings and our infrastructure team introduced new ATT&CK Navigator elements to enhance your layer comparison and visualization experience. Finally, we added 8 new techniques, 27 sub-techniques, 24 new Group and over 100 new Software entries.

2022 Roadmap

We have several exciting adjustments to the framework on the horizon for 2022, and while we will be making some structural changes this year (Mobile sub-techniques and the introduction of Campaigns), it won’t be nearly as painful as the addition of Enterprise sub-techniques in 2020. In addition to Campaigns and Mobile subs, our key adjustments this year include converting detections into objects, innovating how you can use overlays and combinations, and expanding ICS assets. We plan on maintaining the biannual release schedule of April and October, with a point release (v11.1) for Mobile sub-techniques.

ATT&CKcon 3.0 | March 2022

Your wait is finally over for ATT&CKCon, and we’re thrilled to be hosting it in McLean, VA on March 29–30. We welcome you to join the ATT&CK team and those across the community to hear about all the updates, insights, and creative ways organizations and individuals have been leveraging ATT&CK. We’ll be live streaming the full conference for free and you can find all of the latest details and updates on our ATT&CKcon 3.0 page.

Detection Objects | April & October 2022

Over the past few years, transforming various actionable ATT&CK fields into managed objects has been a reoccurring theme. In v5 of ATT&CK, we converted mitigations into objects to enhance their value and usability — with this conversion, you can now identify a mitigation and pivot to various techniques it can potentially prevent. This has been a feature that many of you have leveraged to map ATT&CK to different control/risk frameworks. We also converted data sources to objects for the v10 release, enabling similar pivoting and analysis opportunities.

Next, we plan on implementing a parallel approach for detections, taking the currently free text featured in techniques, and refining and merging them into descriptions that are connected to data sources. This will enable us to describe for each technique what you need to collect as inputs for that detection (data sources), as well as how you could analyze that data to identify a given technique (detection).

Campaigns | October 2022

One of the more significant changes you can expect this year is the introduction of Campaigns. We define campaigns as a grouping of intrusion activity conducted over a specific period of time with common targets and objectives; this activity may or may not be linked to a specific threat actor. The Solar Winds cyber intrusion, for instance, would become a campaign attributed to the G0016 threat group in ATT&CK. In ATT&CK’s existing structure, all activity for a given threat actor is combined under a single Group entry, making it challenging to accurately see trends, understand how a threat actor has evolved over time (or not), identify the variance between different events, or, conversely, identify certain techniques that an actor may rely on.

In ATT&CK, we’ve never added activity as a Group that hasn’t been given a name by someone else. For example, if a report describes the behaviors of a group or campaign, but never gives that intrusion activity a unique name like FUZZYSNUGGLYDUCK/APT1337 (or links it to someone else’s reporting that does), we wouldn’t incorporate that report into ATT&CK. With the introduction of Campaigns we’ll start including reports that leave activity unnamed and use our own identifiers (watch out for Campaign C0001). On the flip side, this new structure will let us better manage activity where too many things have been given the same name (e.g., Lazarus), providing us a way to tease apart activity that shouldn’t have been grouped together. Finally, we’ll be able to better address intrusion activity where multiple threat actors may be involved, such are Ransomware-as-a-Service operations.

We’re still working to best determine how Campaigns and associated IDs will be displayed in ATT&CK and will provide additional detail in the coming months. Group and Software pages will mostly remain unchanged — they’ll still feature collective lists of techniques and sub-techniques so network defenders can continue to create overall associated Navigator layers and conduct similar analysis. However, we’ll be adding Campaign links to the associated Group/Software pages. We’ll be providing additional details later in the year, as we prepare to integrate Campaigns as part of the October release.

Mobile | April 2022

We’ve been talking about Mobile sub-techniques for a while, and we’re thrilled to say that they’re almost here. The Mobile team was hard at work in 2021, bringing ATT&CK for Mobile into feature equity with ATT&CK for Enterprise, including identifying where sub-techniques would fit into the Mobile matrix. As we covered in our October 2021 v10 release post, the Mobile sub-techniques will mirror the structure of the Enterprise sub-techniques to address granularity levels. We’ll be including a beta version of the sub-techniques, similar to what we did with Enterprise, for community feedback as part of the April ATT&CK v11 release. We plan on publishing the finalized sub-techniques in a point release (e.g., v11.1), and we’ll include more details about the subs process and timeline in our April release post. In addition to sub-techniques, we’ll be working on a concept for Mobile data source objects, and reigniting our mini-series highlighting significant threats to mobile devices that we kicked off last year. As always, we remain very interested in adversary behavior targeting mobile devices, so if you would like to help us create new techniques, or if you have observed behaviors you’d like to share, reach out to us.

Finally, stay tuned for the ATT&CK for Mobile 2022 Roadmap that will be arriving soon. While we don’t typically publish separate roadmaps for technology domains, Mobile needs some additional space this year to cover the updates and planned content changes.

MacOS and Linux | April & October 2022

We made many adjustments, additions, and content updates to the macOS and Linux platforms last year, with a focus on macOS. For 2022 we hope to maintain the macOS momentum while transitioning our focus to updating Linux. Our April release will center around resolving several macOS contributions from last year. These updates include broadening the scope of parent techniques to include additional platforms, adding sub-techniques, updating procedures with specific usage examples, and supporting the data sources + detection efforts. We will continue to update macOS throughout the year and greatly appreciate the community engagement and all of the contributors that have enabled us to better represent this platform.

The April release will also feature revised language and platform mapping for Linux. We’re aiming for an improved representation of Linux within ATT&CK for all techniques by our October release. Although Linux is frequently leveraged by adversaries, public reporting is often scarce on detail making this a challenging platform for ATT&CK. Our ability to describe this space is closely tied to those of you in the Linux security community, and we hope to engage and establish more connections with you over the next several months. If you’re interested in sharing any observed activities or suggestions for techniques, please reach out and let us know.

ICS | October 2022

We updated our ICS content and data sources in 2021, and over the next several months, we’ll be expanding ICS Assets and adding detections. Asset names are tied to specific ICS verticals (e.g., electric power, water treatment, manufacturing), and the associated technique mappings enable users to understand if and how techniques apply to their environments. In addition, more granular asset definitions will help to highlight similarities and differences in functionality across technologies and verticals. The detections we’ll be adding to each technique will provide guidance on how the recently updated data sources can be used to identify adversary behavior. Finally, we’re preparing to integrate ICS onto the same platform as Enterprise and join the rest of the domains on the ATT&CK website (attack.mitre.org) later this year.

Overlays and Combinations | October 2022

Throughout the next several months, we’ll continue moving towards developing and sharing ideas for overlays and combinations, or how you can pull various ATT&CK platforms and domains together into a specialized view of ATT&CK. Using Linux and Containers together, for example, or integrating security across Enterprise and Mobile, or between Enterprise and ICS. Our goal with this effort is to provide the tools and resources for the community to leverage the various spaces of ATT&CK, and tailor them to their security needs.

Connect With Us!

ATT&CK will always be community-driven and our continued impact hinges on our collaboration with all of you. Your on-the-ground experience and input enables us to continue to evolve and we look forward to connecting with you on email, Twitter, or Slack.

---

ATT&CK 2022 Roadmap was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Introducing ATT&CK v10: More Objects, Parity, and Features

By Amy L. Robertson (MITRE), Alexia Crumpton (MITRE), and Chris Ante (MITRE)

As announced a couple of weeks ago, we’re back with the latest release and we’re thrilled to reveal all the updates and features waiting for you in ATT&CK v10. The v10 release includes the next episode in our data sources saga, as well as new content and our usual enhancements to (sub-)Techniques, Groups, and Software across Enterprise, Mobile and ICS, which you can find more details about on our release notes.

Making Sense of the New Data Sources: Episode II

In ATT&CK v9, we launched the new form of data sources which featured an updated structure for the data source names (Data Source: Data Component), reflecting

“What is the subject/topic of the collected data (file, process, network traffic, etc.)?” :

“What specific values/properties are needed in order to detect adversary behaviors?”

These updates were linked to Yaml files in GitHub, but weren’t fully integrated into the rest of ATT&CK yet. Our updated content in ATT&CK v10 aggregates this information about data sources, while structuring them as the new ATT&CK data source objects (somewhat similar to how Mitigations are reflected).

The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source. Featured below is an example of a data source page in ATT&CK v10.

Data Components are also listed below, each highlighting mappings to the various (sub-)techniques that may be detected with that particular data. On individual (sub-)techniques, data sources and components have been relocated from the metadata box at the top of the page to be collocated with Detection content.

These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover OSINT-related data sources mapped to PRE platform techniques.

These updated structures are also visible in ATT&CK’s STIX representation, with both the data sources and the data components captured as custom STIX objects. You’ll be able to see the relationships between those objects, with the data sources featuring one or more data components, each of which detects one or more techniques. For more information about ATT&CK’s STIX representation, including these new objects and relationships, you can check out our STIX usage document.

We hope that these enhancements further increase our ability to translate our understanding of the adversary behaviors captured within ATT&CK to the data we collect as defenders. We are very excited to see these data source objects grow and evolve, and like the rest of ATT&CK, invite the community to submit contributions and feedback!

Note: We will no longer be working with Enterprise data sources in GitHub after ATT&CK v10. Moving forward we will accept all related contributions through our normal contribution process.

MacOS and Linux: Now with New Content!

Over the past several months, we’ve been continuing to improve and expand coverage across the macOS and Linux platforms. We understand adversaries actively target these platforms, however there is significantly less public reporting for adversarial hands-on-keyboard procedures and malware analysis. We’re pleased to report that we’ve been collaborating with macOS security and vulnerability research contributors across the globe to address these challenges. In upcoming releases, we’re hoping to leverage this same community engagement for Linux. We’re excited to see the growth in content from the community’s contribution, and the improvements ranging from how we capture new techniques to conveying the impact of existing techniques was a collaborative effort.

One of the most notable changes we made for techniques across the board was providing more in-depth references and use-cases on how procedures and processes work, and the impact they have. Remote services along with additional techniques for macOS and Linux received some attention, but most improvements were more detailed examples in the description section with supporting detection ideas. Along with the rest of Enterprise, we also updated our macOS data sources to enhance defender visibility.

ICS : Object-Oriented and Integrating

ICS has been focusing on feature equity with Enterprise, including updating data sources, adding and refining techniques, revamping assets, and charting out our detections plan. We’re also making some key changes to facilitate hunting in ICS environments. As we noted in the 2021 Roadmap, v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others. The fact that adversaries don’t respect theoretical boundaries is something we’ve consistently emphasized, and we think it’s crucial to feature Enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software. With Stuxnet and Industroyer specifically, both malware operated within OT/ICS networks, but the two incidents displayed techniques that are also well researched and represented within the Enterprise matrix. Based on this, we created Enterprise entries for the ICS-focused software to provide network defenders with a view of software behavior spanning both matrices. We also expect the cross-domain mappings to enable you to leverage the knowledge bases together more effectively.

For data sources, we’re aligning with Enterprise ATT&CK in updating data source names. ICS’s current release reflects Enterprise’s v9 data sources update, with the new name format and content featured in GitHub. These data sources will be linked to YAML files that provide more detail, including what the data sources are and how they should be used. For future releases we plan on mapping the more granular assets to techniques to enable you to track how these behaviors can affect a technique, or what assets these behaviors are associated with. On the detections front, we’re working behind the scenes to add detections to each technique, and this will be reflected in future releases (we expect detections to really help out in hunt and continuous monitoring). Also in 2022, we’re preparing to integrate onto the same development platform as Enterprise, the ATT&CK Workbench, and join the rest of the domains on the ATT&CK website (attack.mitre.org).

Expanding Our Mobile Features

In the Mobile space, we’ve been focused on catching up on the contributions from the community, updating (sub-)techniques, Groups, and Software, and enhancing general parity with Enterprise. We’ve also been working hard behind the scenes to implement sub-techniques as mentioned in our 2021 Roadmap. We’re excited to introduce this new Mobile structure in April 2022, to better align with other platforms on Enterprise. Our plan is to do a beta release for the sub-techniques prior to the release of v11 to provide you with an opportunity to test out those updates and provide feedback.

About Cloud

Along with the rest of Enterprise, we’ve been updating content across Cloud, collaborating with community members on activity in the Cloud domain, and keeping an eye out for new platforms to add to the space. We also continued working on data sources, although as we outlined for the v9 release, our Cloud data sources are a little different than the host-based data sources, specifically aligning more with the events and APIs involved in detections instead of just focusing on the log sources.

What’s Next in 2022?

We hope you’re as excited as we are about v10, and we’d love your feedback and for you to join us in shaping our v11 release. We already have a lot on the horizon for 2022, included structured detections​, campaigns, tools to enable overlays and combinations, and ATT&CKcon. If you have feedback, comments, contributions, or just want to ask questions, connect with us on email, Twitter, or Slack.

©2021 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21–00706–18.

---

Introducing ATT&CK v10: More Objects, Parity and Features was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.