We introduced MITRE ATT&CK in our previous blog post where we explored threat intelligence. In this post, we’ll take a look at every aspect of MITRE ATT&CK in detail. We’ll also check out the Python SDK provided by MITRE, enabling scripting while leveraging the framework.
MITRE ATT&CK: Framework with many facets
If you are even a little bit familiar with the threat intelligence field, you must have heard about MITRE and its ATT&CK framework. It is an extensive knowledge base that focuses on numerous tactics and methodologies that adversaries use to carry out attacks. Interestingly enough, these metrics are based on an analysis of attacks that had taken place in the real world, making the data more credible. The framework is divided into tactics, techniques, and sub-techniques, which we have explained below:
Tactics: In MITRE’s own words, tactics represent the “why” behind the actions of an attacker. Simply put, tactics define the motive. Let’s use an example. An attacker performs phishing on an employee of ABC Corporation to gain initial access to their system. Here the “why” is initial access and phishing is the “how” i.e the action performed to achieve the why. Initial access is one of the 14 tactics defined in the Enterprise section of the framework.
Some other tactics worth mentioning are: execution, persistence, privilege escalation, lateral movement and many more. The names are pretty self-explanatory, digging deeper into that specific step of the complete attack process. Like privilege escalation describes how higher-level permissions are gained and lateral movement explains how attackers pivot to different systems within a network.
Techniques: In our previous example of phishing to gain initial access, this is only one way. There could be multiple. These are defined as techniques, in the MITRE ATT&CK framework, the actual approach that is taken by an attacker to successfully achieve one of the tactics, turning these techniques into our “how”, as mentioned in the previous point. Continuing our example, “initial access” can be attained by numerous techniques, as defined in the framework: exploiting a public-facing application, compromising accounts, compromising supply chain modules, etc.
Sub-techniques: Call us lazy, but we are going to continue with our previous example. So we know the attacker used the “phishing” technique to gain “initial access “ tactics. We can go further in defining the nature of the phishing technique here: it could be spearphishing - through an email attachment, a malicious link, or a malicious service. These are called sub-techniques, which further explain and explore the nature of the attack. There is one catch here, not every technique has a sub-technique attached to it. This could be because some of them might not have further classifications worth noting.
Let’s take another example of supply chain attacks. When adversaries tinker with development infrastructure (code, dependencies, tools, software, etc), the malicious changes, if unnoticed, get propagated to whoever is using the end product resulting in the compromise of the “supply chain”. But what is the end goal of an adversary here? Initial access into the systems of whoever is using the infected software (remember the havoc Solarwinds attacks created). So this lets us conclude that to gain “initial access” tactics, the attacker used “supply chain compromise” technique.
Tactics, techniques, and sub-techniques make up the core of the ATT&CK framework, allowing a better understanding of an attacker’s methodology and co-relation with real-world events a security professional might witness. Different tactics come under three main categories: enterprise, mobile and ICS (industrial control systems). The nature of techniques changes depending on which category they belong to. It goes even further.
There is a collection of known APTs/groups which are then co-related to the techniques they use and the malicious software used to carry out these techniques. This gives the defender an upper hand as it makes it possible, to an extent, based on collected evidence in case of a cyberattack what are the motives and next action of the threat actor. MITRE ATT&CK framework can be plugged into the existing security infrastructure of an organization. To perform such a seamless connection, most of the time, API SDK is required and MITRE ATT&CK provides exactly that. We will cover this topic in the next section.
MITRE ATT&CK: Python API
In order to work with the ATT&CK framework and the related matrices, MITRE already provides a web application called ATT&CK Navigator, where you can play around with the framework and make it suitable for use as per your requirements. To work with Navigator and its layers through scripting, there is a python API for it as well. The API is split into four main parts:
- navlayers: This module allows you to mimic the layer behaviour of the Navigator web app, including import, export and the ability to make changes to their layers.
- attackToExcel: This functionality brings to you the complete MITRE ATT&CK dataset to your system, allowing you to convert them to Excel Spreadsheets or export the dataset as DataFrames (a Panda filetype) to work with the data programmatically.
- collections: This allows you to create collections from data that you work with. You can also create collection indexes.
- diffStix: Let’s you see the difference between two different versions of ATT&CK framework content, in STIX2 bundles.
Let’s take a look at a few examples:
Below code snippet lets you hold the entire framework data in a single variable:
import mitreattack.attackToExcel.attackToExcel as aTE import mitreattack.attackToExcel.stixToDf as sTDf attackData =aTE.get_stix_data("enterprise-attack") techniquesData = sTD.techniquesToDf(attackdata, "enterprise-attack")
techniquesData stores the data in a dictionary format with the following keys:
techniquesData.keys(): -> dict_keys(['techniques', 'procedure examples', 'associated mitigations', 'citations'])
The data inside this dictionary is stored as DataFrames, as seen in the image below:
You can store these DataFrames as dictionaries, to make it easier working with them.
techniquesData['techniques'].to_dict().keys(): -> dict_keys(['ID', 'name', 'description', 'url', 'created', 'last modified', 'version', 'tactics', 'detection', 'platforms', 'data sources', 'is sub-technique', 'sub-technique of', 'defenses bypassed', 'contributors', 'permissions required', 'supports remote', 'system requirements', 'CAPEC ID', 'impact type', 'effective permissions', 'relationship citations'])
Now you have a strong resource collection of ATT&CK framework inside a single variable! Play around with the Python SDK and check out their Github repo for further material.
MITRE TAXII Server
We mentioned “STIX2” while discussing the Python API for MITRE ATT&CK and probably left you confused! So what is STIX? In layman's terms, it is a standardized way of sharing threat intelligence. Structured Threat Information eXpression or STIX was developed by MITRE and OASIS Committee in a collaborative effort. STIX is a way to share threat intelligence in a machine-readable form, which allows programmatic use.
Standardized information needs standardized transportation. That’s where TAXII comes into play: Trusted Automated eXchange of Intelligence Information or TAXII defines how threat intel will be shared among different organizations and communities. It is made specifically to work with the STIX standard. One thing to keep in mind when it comes to threat intel: sharing is of utmost importance. If one organization faces an attack and it shares the intel collected during this attack with other organizations, they can benefit from it and take proactive measures rather than reactive measures.
MITRE has its own TAXII server that can be leveraged to pull threat intel data from the ATT&CK database. It follows TAXII 2.0 and STIX 2.0 specifications. Covering complete TAXII is out of scope for this article, this small section was intended as an introduction to this interesting subsection of threat intelligence. To dig into this further, check out MITRE’s TAXII advisory.
MITRE ATT&CK framework is an essential tool in any blue team’s arsenal as it can result in a better defensive security posture. MITRE organization is continuously making efforts to improve ATT&CK and in fact, they recently showcased their new framework, D3FEND, which is focused on mitigation techniques. ATT&CK and D3FEND encompass a large surface of the security industry and can prove to be crucial in your organization's security infrastructure. We encourage you to get your hands dirty and play around with these frameworks, which will deepen your understanding further.