Cyber Security

Computer security, cybersecurity or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

NIST CSF Success Story: University of Chicago Biological Sciences Division

“There are many security frameworks, but we found that the Cybersecurity Framework University of Chicago was well-aligned with our main objective, which was to establish a common language for communicating cybersecurity risks across the Division,” – Plamen Martinov, BSD CISO Benefits from Using the Framework: Situation: Drivers: Process: UoC BSD Framework Implementation Overview: Results and …

NIST CSF Success Stories: Government of Bermuda

“NIST’s Cybersecurity Framework has provided us with a comprehensive roadmap to ensure effective cybersecurity practices are implemented across Government.” – Hon. Wayne M. Caines, JP, MP., Minister of National Security Benefits Received from Implementing the Framework: Situation Drivers Process Results and Impacts What’s Next …

Relationship Between the NIST CSF Framework and Other Approaches and Initiatives

What is the relationship between the Cybersecurity Framework and the NICE Cybersecurity Workforce Framework? Workforce plays a critical role in managing cybersecurity, and many of the Cybersecurity Framework outcomes are focused on people and the processes those people perform. While some outcomes speak directly about the workforce itself (e.g., roles, communications, training), each of the …

NIST CSF FAQs: Using, Adopting and Implementing NIST

Using The Framework What is the difference between ‘using’, ‘adopting’, and ‘implementing’ the Framework? In a strict sense, these words are fairly interchangeable. They can mean an organization’s use of the Framework as a part of its internal processes. NIST generally refers to “using” the Framework. Would the Framework have prevented recent highly publicized attacks? …

NIST Cyber Security Framework Components

What is the Framework Core and how is it used? The Framework Core is a set of cyber security activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. An example of Framework outcome language is, “physical devices and systems within the organization are inventoried.” The Core presents industry standards, guidelines, and …

NIST CSF Framework Users

What critical infrastructure does the Framework address? Critical infrastructure (for the purposes of this NIST Framework) is defined in Presidential Policy Directive (PPD) 21 as: “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic …

NIST CSF Framework Basics

What is the Framework, and what is it designed to accomplish? The NIST Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external …

What’s New in ATT&CK v9?

Data Sources, Containers, Cloud, and More: What’s New in ATT&CK v9?

By Jamie Williams (MITRE), Jen Burns (MITRE), Cat Self (MITRE), and Adam Pennington (MITRE)

As we promised in the ATT&CK 2021 Roadmap, today marks our April release (ATT&CK v9) and we’re thrilled to share the additions with you, and how to use them. So, what changed with this release?

  • Updated: A revamp of data sources (Episode 1 of 2)
  • Updated: Some refreshes to macOS techniques
  • New: Consolidation of IaaS platforms
  • New: The Google Workspace platform
  • New: ATT&CK for Containers (and not the kind on boats)

This is in addition to our usual updates and additions to Techniques, Groups, and Software, which you can find more details about on our release notes. Notably this release includes 16 new Groups, 67 new pieces of Software, with updates to 36 Groups and 51 Software entries.

Making Sense of the New Data Sources: Episode I

As much as we love tracking and nerding out over adversary behaviors, one of the most important goals of ATT&CK is to bridge offensive actions with potential defensive countermeasures. We strive to achieve this goal by tagging each (sub-)technique with defensive-focused fields/properties, such as what data to collect (data sources) and how to analyze that data in order to potentially identify specific behaviors (detections).

Many of you in the community have made great use of ATT&CK data sources ¹ ² ³, but we heard from you and recognized the opportunity for improvement. Our goal for the new data sources is to better connect the defensive data in ATT&CK with how operational defenders see and work these challenges.

The initial changes are a revamp of the data sources values, which were previously text strings without additional details or descriptions.

Example of previous data sources on OS Credential Dumping: LSASS Memory (T1003.001)

These high-level concepts were a helpful starting point, but along with issues regarding consistency, this level of detail didn’t effectively answer “Am I collecting the right data?”

Redefining Data Sources

Prior to ATT&CK’s v9 release, data sources only highlighted a specific sensor or logging system (e.g., Process Monitoring or PowerShell Logs). What we were trying to capture with this approach was the defender’s requirement to collect data about processes and executed (PowerShell) commands. However, while these clues often directed us to “where we should collect data”, they didn’t always provide details on “what data values are necessary to collect?”

Details on what to collect can be important for mapping from the framework to defensive operations. For example, Process Monitoring can take many forms depending on what technologies you are using and what data about a process is needed (ex: do you need command-line parameters, inter-process interactions, and/or API functions executed by the process?). The same applies to PowerShell logs, which can be collected from a variety of sources (event logs, trace providers, third-party tools). The specifics of exactly what data to collect were often only highlighted in the additional context provided by the detection section of the technique.

With this in mind, we redefined data sources to focus on answering “what type of data do we need?” Our new list of data sources describe the types of objects our detection data needs to observe. Examples that are very commonly used across techniques include process, file, command, and network traffic.

Process data source (https://github.com/mitre-attack/attack-datasources/blob/main/contribution/process.yml)

Building on this, we added data components to further define specific needed elements within each data source. Going back to the OS Credential Dumping: LSASS Memory (T1003.001) example, we can see how the additional context helps us identify exactly what relevant data we need. Illustrating this with the Sysmon tool, we can quickly map our exact needs for process data to corresponding operational telemetry.

Mapping process (monitoring) data source of OS Credential Dumping: LSASS Memory (T1003.001) to real detection tools

We reviewed and remapped both data sources and data components for all of the Enterprise matrix, including the Cloud and our newest Containers platform (more details about those matrices in the New and Improved Cloud section). Featured below is an example of the new Data Source: Data Component values that replaced the previous text.

Example of updated data sources on OS Credential Dumping: LSASS Memory (T1003.001)

These values fulfill the same objective of directing us towards “where we should collect data,” as well as providing the added context of “what specific values are necessary to collect.” As defenders, we can operationalize these Data Source: Data Component pairings as part of our detection engineering process by:

1. Using data sources to identify relevant sensors/logs
(i.e., where and how do/can I collect data about processes?)

2. Using data components to identify relevant events/fields/values
(i.e., what data about processes is provided by each sensor/log and how can these values be used to identify adversary behaviors?)
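The two steps above, carried through for OS Credential Dumping: LSASS Memory (T1003.001) against Sysmon, as an added example that is not part of the original post or of ATT&CK’s own content. The Sysmon event IDs and field names are real (Event ID 1 is Process Create, Event ID 10 is Process Access); the table that maps two of the technique’s process data components to those events, the access-mask and command-line heuristics, and the sample events are my own constructed assumptions for the illustration.

```python
"""Data Source: Data Component -> Sysmon events, worked for T1003.001.

Step 1 (data source) picks the sensor: Sysmon covers the Process data source.
Step 2 (data component) picks the event and fields within that sensor.
The mapping table and samples below are constructed for this example.
"""
import re

# Assumption: my mapping of two process data components onto Sysmon.
SYSMON_MAP = {
    ("Process", "Process Access"): {"event_id": 10, "fields": ["SourceImage", "TargetImage", "GrantedAccess", "CallTrace"]},
    ("Process", "Process Creation"): {"event_id": 1, "fields": ["Image", "CommandLine", "ParentImage"]},
    ("Command", "Command Execution"): {"event_id": 1, "fields": ["CommandLine"]},
}

# PROCESS_VM_READ (0x10) is the access right a dumper needs to read LSASS memory.
PROCESS_VM_READ = 0x10
# Assumption: a small allow-list of Windows components that legitimately open lsass.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Constructed command-line patterns associated with LSASS dumping tooling.
DUMP_CMDLINE = re.compile(
    r"(comsvcs\.dll,\s*#?24|MiniDump|procdump.*-ma\s+lsass|sekurlsa::|lsass\.dmp)",
    re.IGNORECASE,
)


def check_process_access(event: dict) -> bool:
    """Process: Process Access (EID 10): a non-allow-listed image opens
    lsass.exe with a handle that includes PROCESS_VM_READ."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def check_process_creation(event: dict) -> bool:
    """Process: Process Creation / Command: Command Execution (EID 1):
    a command line that requests an LSASS memory dump."""
    if event.get("EventID") != 1:
        return False
    return DUMP_CMDLINE.search(event.get("CommandLine", "")) is not None


def detect_t1003_001(events):
    """Return (event, data component) pairs that satisfy a detection."""
    hits = []
    for ev in events:
        if check_process_access(ev):
            hits.append((ev, "Process: Process Access"))
        elif check_process_creation(ev):
            hits.append((ev, "Process: Process Creation"))
    return hits


# Constructed Sysmon-shaped events, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\out.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev, component in detect_t1003_001(SAMPLE_EVENTS):
        print(component, "->", ev.get("SourceImage") or ev.get("CommandLine"))
```

The allow-list is the part that needs tuning per environment: EDR agents, backup software and some AV products also open lsass with read access, and without an allow-list the Process Access component alone is noisy.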

We’ll add additional details behind each data source when we release data source objects in October, but for now the data sources on the ATT&CK site link to our GitHub repository, where you can read more about each one. As always, we invite feedback and contributions (and a special thanks to those who have already contributed).

For more background about the data sources work, check out our previously published two-part blog series ¹ ² and/or watch us discuss and demonstrate the potential power of these improvements!

What’s New with Mac

The community was at the heart of macOS improvements featured in this release. We collaboratively updated several techniques, rescoped others, and added macOS specific malware. Our focus was primarily on Persistence and Execution, building in red team walkthroughs and code examples for a deeper look into the sub-techniques. Along with the rest of Enterprise, we also refactored macOS data sources to start building out visibility for defenders. We’ve only scratched the surface and are excited to continue enhancing and updating macOS and Linux content targeted at our October release.

New and Improved Cloud

As we highlighted in the 2021 roadmap, this release features the consolidation of the former AWS, Azure, and GCP platforms into a single IaaS (Infrastructure as a Service) platform. In addition to community feedback favoring consolidation, this update creates a more inclusive domain that represents all Cloud Service Providers.

We also refactored data sources for Cloud platforms, with a slightly different flavor than the host-based data sources. Specifically for IaaS, we wanted to align more with the events and APIs involved in detections instead of just focusing on the log sources (e.g., AWS CloudTrail logs, Azure Activity Logs). With that goal in mind, the new Cloud data sources include Instance, Cloud Storage, and others that align with terminology found in events within Cloud environments.

Instance data source mapped to potential events
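The point above, that the IaaS data sources are named after events and APIs rather than log sources, as an added example that is not from the original post or from ATT&CK. The provider operation names (CloudTrail eventName, Azure Activity Log operationName, GCP Cloud Audit Log methodName) are real; the table that maps them onto Instance data components, the approved-principal list and the sample records are constructed assumptions for the illustration.

```python
"""IaaS 'Instance' data source expressed as provider API operations.

One data component (e.g. Instance Creation) fans out to one operation per
provider, so a detection can be written once against the component.
The mapping table and sample records are constructed for this example.
"""

# Assumption: a hand-picked subset of operations, not ATT&CK's full mapping.
INSTANCE_COMPONENTS = {
    "Instance Creation": {"RunInstances",
                          "Microsoft.Compute/virtualMachines/write",
                          "v1.compute.instances.insert"},
    "Instance Start": {"StartInstances",
                       "Microsoft.Compute/virtualMachines/start/action",
                       "v1.compute.instances.start"},
    "Instance Stop": {"StopInstances",
                      "Microsoft.Compute/virtualMachines/deallocate/action",
                      "v1.compute.instances.stop"},
    "Instance Deletion": {"TerminateInstances",
                          "Microsoft.Compute/virtualMachines/delete",
                          "v1.compute.instances.delete"},
}
OPERATION_TO_COMPONENT = {op: comp for comp, ops in INSTANCE_COMPONENTS.items() for op in ops}


def extract_operation(record: dict):
    """Pull (provider, operation, principal) out of each provider's native shape."""
    if "eventSource" in record:                      # AWS CloudTrail
        return ("aws", record.get("eventName", ""),
                record.get("userIdentity", {}).get("arn", "?"))
    if "operationName" in record:                    # Azure Activity Log
        op = record["operationName"]
        op = op.get("value", "") if isinstance(op, dict) else op   # both export schemas
        return ("azure", op, record.get("caller", "?"))
    if "protoPayload" in record:                     # GCP Cloud Audit Log
        pl = record["protoPayload"]
        return ("gcp", pl.get("methodName", ""),
                pl.get("authenticationInfo", {}).get("principalEmail", "?"))
    return None


def normalize_instance_events(records):
    """Map raw records to Instance data components; drop anything else."""
    out = []
    for rec in records:
        parsed = extract_operation(rec)
        if parsed is None:
            continue
        provider, op, principal = parsed
        component = OPERATION_TO_COMPONENT.get(op)
        if component:
            out.append({"provider": provider, "component": component,
                        "operation": op, "principal": principal})
    return out


def unexpected_instance_creation(records, approved_principals):
    """Detection on the component, not the log source: instance creation by
    any principal outside the approved deployment identities."""
    return [e for e in normalize_instance_events(records)
            if e["component"] == "Instance Creation"
            and e["principal"] not in approved_principals]


# Constructed records in each provider's field names, not captured logs.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"}},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "caller": "contractor@example.com"},
    {"protoPayload": {"methodName": "v1.compute.instances.delete",
                      "authenticationInfo": {"principalEmail": "ops@example.com"}}},
]

if __name__ == "__main__":
    for e in normalize_instance_events(SAMPLE_RECORDS):
        print(e)
    print("unexpected:", unexpected_instance_creation(
        SAMPLE_RECORDS, {"arn:aws:iam::123456789012:user/ci-deployer"}))
```

The same technique-level detection then applies unchanged whether the environment is AWS, Azure or GCP; only the mapping table grows as providers or operations are added.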

An ATT&CK for Cloud bonus in this release is the addition of the Google Workspace platform. Since ATT&CK already covers Office 365, we wanted to ensure that users of Google’s productivity tools were also able to map similar applicable adversary behaviors to ATT&CK. We hope that this platform addition is helpful to the community, and would appreciate any feedback or insights.

Container Updates (that don’t include the Suez Canal)

We’re also excited to publish ATT&CK for Containers in this release! An ATT&CK research team partnered with the Center for Threat-Informed Defense to develop this contribution to ATT&CK. You can find more information about the ATT&CK for Containers research project and the new matrix in their blog post.

ATT&CK Containers platform matrix

What’s Next

We hope you’re as excited as we are about v9 and are looking forward to the rest of the updates and new capabilities we have planned for 2021. October’s release should include episode 2 of data sources, featuring descriptive objects, as well as updates to ATT&CK for ICS and Mobile. We’ll also continue enhancing coverage of macOS and Linux techniques, so now is a great time to let us know if you have contributions or feedback on one of those platforms. We may have some additional improvements to announce in the coming months, but we stand by our promise of nothing as disruptive as the new tactics and sub-techniques from 2020.

We look forward to connecting with you on email, Twitter, or Slack.

©2021 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21–00706–2.


What’s New in ATT&CK v9? was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Bringing PRE into Enterprise

Written by Adam Pennington and Jen Burns

We’re excited to announce that we’ve released the latest version of MITRE ATT&CK (v8), which includes the integration of PRE-ATT&CK’s scope into Enterprise ATT&CK! This integration removes the PRE-ATT&CK domain from ATT&CK and adds two new tactics to Enterprise — Reconnaissance and Resource Development. Similar to our July release of sub-techniques, this is an update to ATT&CK that’s been under development for some time. You can find this new version of ATT&CK on our website, in the ATT&CK Navigator, as STIX, and via our TAXII server.

PRE-ATT&CK’s History

When we originally launched Enterprise ATT&CK, we focused on the behaviors that adversaries perform after they’ve broken into an environment, roughly the Exploit through Maintain phases of the MITRE Cyber Attack Lifecycle. This aligned well with the visibility of many defenders of their own networks, but it left pre-compromise adversary behaviors uncovered. After ATT&CK’s initial launch, a separate team at MITRE decided to fill in the gap to the left by following the structure of Enterprise ATT&CK and enumerating adversary behaviors leading up to a compromise. This work became PRE-ATT&CK and was released in 2017.

The Original 17 Tactics of PRE-ATT&CK Against the Cyber Attack Lifecycle

Some of you in the ATT&CK community have embraced and leveraged PRE-ATT&CK since that release to describe pre-compromise adversary behavior, but the framework never found the kind of adoption or contributions we’ve seen for Enterprise ATT&CK. We’ve also heard from a number of organizations over the years that Enterprise ATT&CK’s coverage of only post-compromise behaviors held up their ability to adopt it. In response, we started the process of integrating PRE-ATT&CK into Enterprise in 2018. As the first step of that integration, we deprecated PRE-ATT&CK’s Launch and Compromise tactics and incorporated their scope into the Initial Access tactic in Enterprise.

Launch and Compromise Become Initial Access

Finishing the Merger

In my ATT&CKcon 2.0 presentation, I talked about how PRE-ATT&CK + Enterprise ATT&CK covering the complete Cyber Attack Lifecycle/Cyber Kill Chain® is a bit of an understatement. The scope of PRE-ATT&CK actually starts before Recon, with multiple tactics covering pre-reconnaissance intelligence planning. It also includes some behaviors that don’t leave technical footprints or might not have been seen in the wild. In early 2019, MITRE’s Ingrid Parker worked with the ATT&CK team to develop the following criteria for determining which PRE-ATT&CK behaviors could assimilate into Enterprise ATT&CK:

  • Technical — the behavior has something to do with electronics/computers and is not planning or human intelligence gathering.
  • Visible to some defenders — the behavior is visible to a defender somewhere without requiring state-level intelligence capabilities, for example an ISP or a DNS provider.
  • Evidence of adversary use — the behavior is known to have been used “in the wild” by an adversary.

She found that PRE-ATT&CK could be divided into three sections. Based on the criteria, the first section, which includes the PRE-ATT&CK Priority Definition Planning, Priority Definition Direction, and Target Selection tactics as well as a number of other techniques, is out of scope. That left us with two sections that divided quite well into the new tactics we released today:

1. Reconnaissance — focused on an adversary trying to gather information they can use to plan future operations, including techniques that involve adversaries actively or passively gathering information that can be used to support targeting.

2. Resource Development — focused on an adversary trying to establish resources they can use to support operations, including techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting.

PRE-ATT&CK Divided into Three Sections

Over the course of 2019 and a number of whiteboard sessions, I worked with former ATT&CK team member Katie Nickels to identify the techniques and sub-techniques that fit the three criteria, and covered the scope of the remaining techniques in the Reconnaissance and Resource Development portions of PRE-ATT&CK. This work was largely complete last October, and you might notice that the preview from ATT&CKcon 2.0 is very similar to what we released today. Because Reconnaissance and Resource Development leveraged sub-techniques, the work was suspended until those were implemented in Enterprise ATT&CK with our recent release. With sub-techniques out the door, ATT&CK team members Jamie Williams and Mike Hartley picked up the ball and created the content for the 73 new techniques and sub-techniques.

The PRE Platform

A question that arose during the creation of the Reconnaissance and Resource Development techniques is “What platform should these be?” For example, Gather Victim Identity Information (T1589) isn’t really Windows, macOS, Cloud or any specific existing enterprise platform. In order to reflect the different nature of these new techniques (and as a homage to PRE-ATT&CK), we added techniques in Reconnaissance and Resource Development to a new PRE platform.
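The PRE platform is a value of the x_mitre_platforms field in ATT&CK’s STIX content, so the Reconnaissance and Resource Development techniques can be pulled out of a bundle programmatically. The following is an added example, not ATT&CK’s own tooling: the object shape (attack-pattern, x_mitre_platforms, kill_chain_phases, external_references with source_name mitre-attack, and the revoked / x_mitre_deprecated flags) follows the ATT&CK STIX data model, but the bundle itself is a constructed stand-in for the real enterprise-attack.json, and its fourth object carries a placeholder ID that is not a real technique.

```python
"""List active techniques on a given ATT&CK platform, grouped by tactic.

Works on the real enterprise-attack.json from the mitre/cti repository;
SAMPLE_BUNDLE below is a constructed stand-in with the same field names.
"""
import json
from collections import defaultdict


def attack_id(obj):
    """The ATT&CK ID lives in the external reference whose source is mitre-attack."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """ATT&CK keeps revoked and deprecated objects in the bundle; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques_for_platform(bundle, platform):
    """tactic (kill-chain phase name) -> sorted ATT&CK IDs on that platform."""
    by_tactic = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not is_active(obj):
            continue
        if platform not in obj.get("x_mitre_platforms", []):
            continue
        tid = attack_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                by_tactic[phase["phase_name"]].append(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def load_bundle(path):
    """Load a real bundle, e.g. enterprise-attack/enterprise-attack.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed five-object bundle using ATT&CK's STIX field names.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "name": "Gather Victim Identity Information",
         "x_mitre_platforms": ["PRE"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1589",
                                  "url": "https://attack.mitre.org/techniques/T1589"}]},
        {"type": "attack-pattern", "name": "Digital Certificates",
         "x_mitre_platforms": ["PRE"], "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "resource-development"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1588.004",
                                  "url": "https://attack.mitre.org/techniques/T1588/004"}]},
        {"type": "attack-pattern", "name": "LSASS Memory",
         "x_mitre_platforms": ["Windows"], "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001",
                                  "url": "https://attack.mitre.org/techniques/T1003/001"}]},
        # Constructed deprecated object with a placeholder ID, to show the filter.
        {"type": "attack-pattern", "name": "Deprecated placeholder (constructed)",
         "x_mitre_platforms": ["PRE"], "x_mitre_deprecated": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "intrusion-set", "name": "Not a technique"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(techniques_for_platform(SAMPLE_BUNDLE, "PRE"), indent=2))
```

Against the real bundle, the same call with platform "PRE" returns exactly the Reconnaissance and Resource Development content, which is a quick way to build a coverage or visibility review scoped to the pre-compromise techniques.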

Another unique characteristic of these new PRE techniques is their detection. While we scoped techniques to those “visible to some defenders,” most adversary Reconnaissance and Resource Development isn’t observable to the majority of defenders. In many cases, we’ve highlighted the related techniques where there may be an opportunity to detect an adversary. For the subset of techniques that are detectable by a broad set of defenders, we’ve described detections, some of which may require new Data Sources to see.

Detection for Obtain Capabilities: Digital Certificates (T1588.004)

Mitigating Reconnaissance and Resource Development techniques can be challenging or unfeasible, as they take place in a space outside of an enterprise’s defenses and control. We’ve created a new Pre-compromise mitigation to recognize this difficulty, and noted where organizations may be able to minimize the amount and sensitivity of data available to external parties.

While these new techniques don’t typically take place on enterprise systems, are difficult to detect, and potentially impossible to mitigate, it’s still important to consider them. Even without perfect detection of adversary information collection, understanding what and how they’re collecting from Reconnaissance can help us examine our exposure and inform our operational security decisions. Similarly, our sensors may not detect most activity from Resource Development, but the tactic can offer valuable context. Many of the behaviors leave evidence visible to the right open/closed source intelligence gathering or can be discovered through an intelligence sharing relationship with someone who does have visibility.

Going Forward

We’re interested in your feedback on the content we’ve added and your input on any techniques, sub-techniques, detections, and mitigations you think we’ve missed. Do you have a way of detecting a particular Resource Development technique or preventing an adversary from successfully performing Reconnaissance? Please let us know by sending us an email, or contributing what you believe is currently missing.

Finally, if you aren’t ready to make the switch from PRE-ATT&CK, we’re still here for you. PRE-ATT&CK is still available in the previous version of our website, in the v7.2 and earlier versions of our STIX 2.0 content, and by filtering on the prepare stage in a previous version of the ATT&CK Navigator.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20–00841–15.


Bringing PRE into Enterprise was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Identifying UNC2452-Related Techniques for ATT&CK

By Matt Malone (MITRE), Jamie Williams (MITRE), Jen Burns (MITRE), and Adam Pennington (MITRE)

Last updated 19 April 2021 12:00pm EDT

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used.

MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively and more recently attributed to the existing APT29/Cozy Bear/The Dukes threat group by members of the US Intelligence Community, as well as SUNBURST, SUNSPOT, Raindrop, and TEARDROP malware. We have now published a point release to ATT&CK, v8.2, with the information we’ve mapped and new techniques we’ve spotted so far.

It’s also been difficult keeping up with all the reporting and updates while trying to track down descriptions of adversary behavior, particularly as we’re looking for direct analysis of intrusion data rather than derivative reporting. We were originally listing reports we were tracking in this blog post itself, but have moved our tracking to a GitHub repository and are continuing to update that in partnership with MITRE Engenuity’s Center for Threat-Informed Defense.

A key challenge mapping current reporting is that the actor used a number of behaviors not currently described by ATT&CK Enterprise or Cloud techniques. We have added new techniques, sub-techniques, and expansions of scope on existing content to improve this coverage and wanted to describe what’s new in ATT&CK in v8.2.

UNC2452 Technique Analysis

First and foremost, we would like to thank the individuals and teams responsible for analyzing, publishing, and/or contributing invaluable information to help the community react and respond to this incident. This wealth of publicly available intelligence has described many behaviors performed by the threat actor identified as UNC2452/Dark Halo/SolarStorm. Mapping these behaviors to ATT&CK, we see a combination of very commonly used techniques (such as T1059 Command and Scripting Interpreter, T1105 Ingress Tool Transfer, and T1218 Signed Binary Proxy Execution) as well as others that are less often disclosed in public reporting (ex: T1195 Supply Chain Compromise). You can see the techniques we currently have mapped in the ATT&CK Navigator here, or grab the Navigator layer file from our repository here.

Techniques used by UNC across multiple reports.
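A layer of the kind shown above, where each technique is scored by how many reports map it, can be generated from a report-to-technique table. The following is an added example and is not MITRE’s tracking repository or its layer: the layer keys (versions, domain, techniques with techniqueID/score/comment, gradient) follow the ATT&CK Navigator layer format, while the three reports and their mappings are constructed for the illustration; the technique IDs used are real ATT&CK IDs named on this page or their sub-techniques.

```python
"""Build an ATT&CK Navigator layer scored by report coverage.

REPORT_MAPPINGS is constructed: three hypothetical reports and the
techniques mapped from each. Output is a layer-format dict for Navigator.
"""
import json
from collections import defaultdict

REPORT_MAPPINGS = {
    "report-A": ["T1195.002", "T1059.001", "T1105"],
    "report-B": ["T1195.002", "T1218.011", "T1059.001"],
    "report-C": ["T1195.002", "T1105"],
}


def reports_per_technique(mappings):
    """technique ID -> sorted report names that map it (deduplicated)."""
    cited = defaultdict(set)
    for report, techniques in mappings.items():
        for tid in techniques:
            cited[tid].add(report)
    return {tid: sorted(reps) for tid, reps in cited.items()}


def build_layer(name, mappings, attack_version="8", domain="enterprise-attack"):
    """Navigator layer: score = report count, comment = which reports."""
    cited = reports_per_technique(mappings)
    max_score = max((len(r) for r in cited.values()), default=0)
    techniques = [
        {"techniqueID": tid, "score": len(reps), "comment": ", ".join(reps),
         "enabled": True, "showSubtechniques": True}
        # highest coverage first, then by ID so the output is stable
        for tid, reps in sorted(cited.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.2", "layer": "4.1"},
        "domain": domain,
        "description": "Score = number of reports mapping the technique",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


def layer_json(layer):
    """Serialize for loading through Navigator's 'Open Existing Layer'."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(layer_json(build_layer("Report coverage (constructed)", REPORT_MAPPINGS)))
```

Keeping the comment field populated with the report names is what makes the layer useful later: when a new report contradicts an earlier mapping, the cell itself says which sources to re-read.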

Several behaviors were identified that weren’t previously explicitly captured within existing techniques. We have now released updates that include:

New Group/Software Entries

Along with new/updated techniques we have added several new group and software entries to ATT&CK including:

  • A new group representing the threat group responsible for the intrusions, added as UNC2452 with associated group names of Solorigate, StellarParticle and Dark Halo.
  • New malware first spotted in this intrusion, including Sunburst, Teardrop, Sunspot, and Raindrop.
  • An existing tool used in this intrusion, AdFind.

More to Come?

We don’t expect to add more content to ATT&CK itself before our next major release (announced as planned for April 2021 in our recent State of the ATT&CK), but anticipate that more reporting on this intrusion will continue to be released. We will be continuing to watch and add reporting to our public report tracking, as well as any new techniques or software that appear to the next release of ATT&CK.

If you see a technique we’re missing from existing reporting, a report with unique information that we’re missing out on, or want to share a mapping of a new report you’ve done, please reach out to us at [email protected].

©2020-2021 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 20–00841–22.


Identifying UNC2452-Related Techniques for ATT&CK was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.
