![Pre[requisites of] ATT&CK
There are three conceptual ideas that
are core to the philosophy behind
ATT&CK:
•It maintains the adversary’s
perspective;
•It follows real-world use of activity
through empirical use examples;
•The level of abstraction is appropriate
to bridge offensive action with possible
defensive countermeasures.
“
”
Pg. 20, MITRE ATT&CK: Design and Philosophy (2020)](https://image.slidesharecdn.com/funchessourcesofattack-241113152157-36a2a7da/85/Sources-of-ATT-CK-A-Bibliographic-Journey-through-Enterprise-ATT-CK-Robert-Funches-3-320.jpg)
![Pre[requisites of] ATT&CK
New information relevant to ATT&CK
techniques can come from many
different sources. These sources are
used to help meet the empirical use
criteria:
•Threat intelligence reports
•Conference presentations
•Webinars
•Social media
•Blogs
•Open source code repositories
•Malware samples
“
”
Pg. 21, MITRE ATT&CK: Design and Philosophy (2020)](https://image.slidesharecdn.com/funchessourcesofattack-241113152157-36a2a7da/85/Sources-of-ATT-CK-A-Bibliographic-Journey-through-Enterprise-ATT-CK-Robert-Funches-4-320.jpg)
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert Funches
- 1. Sources of ATT&CK A Bibliographic Journey Through Enterprise ATT&CK Robert J. Funches ATT&CKcon 5.0, October 22-23, 2024 Illustration by John Tenniel. Alice’s Adventures in Wonderland (1865) MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
- 2. PS > $Env:USER • Senior Cyber Security Engineer* • CISSP® • Windows security • Detection engineering • API integration • Identity solutions • Commentary & photography: robertjfunches.com *This talk is presented on an independent basis and not affiliated with my employer. Any views or opinions expressed are my own. This document does not contain controlled technical data as defined within the International Traffic in Arms Regulations (ITAR), Part 120.10, or Export Administration Regulations (EAR), Part 734.7-10. (PRR ID806)
- 3. Pre[requisites of] ATT&CK There are three conceptual ideas that are core to the philosophy behind ATT&CK: •It maintains the adversary’s perspective; •It follows real-world use of activity through empirical use examples; •The level of abstraction is appropriate to bridge offensive action with possible defensive countermeasures. “ ” Pg. 20, MITRE ATT&CK: Design and Philosophy (2020)
- 4. Pre[requisites of] ATT&CK New information relevant to ATT&CK techniques can come from many different sources. These sources are used to help meet the empirical use criteria: •Threat intelligence reports •Conference presentations •Webinars •Social media •Blogs •Open source code repositories •Malware samples “ ” Pg. 21, MITRE ATT&CK: Design and Philosophy (2020)
- 5. …and what is the use of a book without pictures or conversations? “ ” Illustration by Arthur Rackham. Text by Lewis Carroll. Alice’s Adventures in Wonderland (n.d.) Alice
- 6. Illustration by Arthur Rackham. Alice’s Adventures in Wonderland (n.d.) Exfiltration Over Alternative Protocol ← (T1048) d
- 7. The rabbit asks: “What’s at the bottom of this page?”
- 8. ATT&CK Website ATT&CK Workbench Screenshot by MITRE Engenuity ATT&CK Navigator mitreattack-python pip install mitreattack-python from mitreattack.stix20 import MitreAttackData
- 10. • ATT&CK Website • ATT&CK Navigator • ATT&CK Workbench • mitreattack-python • ATT&CK in Excel ATT&CK STIX uses
- 11. PS C: > Install-Module –Name invoke-atomicredteam, powershell-yaml –Scope CurrentUser PS C: > Invoke-AtomicTest T1048 –CheckPrereqs PS C: > Invoke-AtomicTest T1048 Atomic Red Team / Invoke-Atomic Invoke-Atomic only accepts technique IDs (not a critique!)
- 12. Illustration by J.G. Sowerby and H.H. Emmerson. Afternoon Tea: Rhymes for Children (1880) Wouldn’t it be fun to perform adversary emulation by software instead of technique? Nobody asked your opinion.
- 13. How do we map Linux Rabbit to its techniques?
- 14. ATT&CK data ??? Illustration credit unk. Wikimedia Commons / Open Clipart Awesome Windows red teamer Atomic Red Team / Invoke-Atomic
- 15. Illustration credit unk. Wikimedia Commons / Open Clipart ATT&CK STIX JSON Awesome Windows red teamer Atomic Red Team / Invoke-Atomic PowerShell 7
- 16. Using ATT&CK STIX to Crosswalk Techniques (ex: get all techniques for malware “Linux Rabbit”)
- 17. external_references (a blob of nested JSON)
- 18. external_references (nicely formatted JSON objects)
- 19. The rabbit asks: “What’s at the bottom of this page?”
- 21. 22981 Total references* 3268 Unique references* Data from Enterprise ATT&CK version 14.1. *Excludes identity, marking-definition, and x-mitre-* object types
- 22. What can we learn from these references?
- 23. Data from Enterprise ATT&CK version 14.1. References have been deduplicated. References by website top-level domain (TLD) 80% .com 7% .org 4% .gov 3% .io 47 total TLDs com 80% org 7% gov 4% io 3% net 2% other 2% uk 1% co 1%
- 24. welivesecurit y.com 2% securelist.co m 2% crowdstrike.c om 2% secureworks. com 2% symantec .com 1% archive.o rg 1% talosintel ligence.c om 1% cisa.gov 1% apple.co m 1% github.io 1% malware bytes.co m 1% mandiant.c om 1% amazon.c om 1% cisco.co m 1% medium .com 1% proofpo int.com 1% wikipedi a.org 1% google.co m 1% cert.gov 1% cybereaso n.com 1% mcafee .com 1% twitter. com 1% sentine lone.co m 1% checkpoint. com 1% bleepingco mputer.co… security.co m 1% other 59% microsoft.com 14% github.co m 4% paloaltonet works.com 4% fireeye.co m 4% trendmicro. com 3% Data from Enterprise ATT&CK version 14.1. References have been deduplicated. (580 domain names) References by domain name 14% microsoft.com 4% fireeye.com 4% paloaltonetworks.com 4% github.com 590 total domain names
- 25. Data from Enterprise ATT&CK version 14.1 References by year published, per ATT&CK object type 0 500 1000 1500 2000 2500 3000 3500 4000 1982 1986 1990 1994 1998 2002 2006 2010 2014 2018 2022 attack-pattern campaign course-of-action intrusion-set malware relationship tool
- 26. 0 500 1000 1500 2000 2500 3000 3500 4000 1982 1986 1990 1994 1998 2002 2006 2010 2014 2018 2022 attack-pattern campaign course-of-action intrusion-set malware relationship tool Data from Enterprise ATT&CK version 14.1 References by year published, per ATT&CK object type
- 27. Data from Enterprise ATT&CK version 14.1
- 28. Data from Enterprise ATT&CK version 14.1. References have been deduplicated. References without publication dates Has Publication Date 2803 No Date 475 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
- 29. Data from Enterprise ATT&CK version 14.1 References by year ATT&CK object was added 0 500 1000 1500 2000 2500 3000 3500 4000 4500 attack-pattern campaign course-of-action intrusion-set malware relationship tool 2017 2018 2019 2020 2021 2022 2023
- 30. Data from Enterprise ATT&CK version 14.1. References have been deduplicated ATT&CK objects by year added 0 500 1000 1500 2000 2500 3000 3500 4000 4500 attack-pattern campaign course-of-action intrusion-set malware relationship tool 2017 2018 2019 2020 2021 2022 2023
- 31. 60 25 26 44 10 5 8 16 321 26 23 21 0 50 100 150 200 250 300 350 2017 2018 2019 2020 2021 2022 2023 Technique Sub-Technique Data from Enterprise ATT&CK version 14.1 Techniques vs. sub-techniques, year added
- 32. Sub-techniques were added in 2020 (versions 7.0-beta and 7.2)
- 33. Data from Enterprise ATT&CK version 14.1 102 106 95 85 55 37 42 21 17 8 6 5 0 2 3 1 0 20 40 60 80 100 120 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Technique objects Number of references Number of references per ATT&CK technique
- 34. Data from Enterprise ATT&CK version 14.1 Number of references per ATT&CK relationship object 11163 2178 534 183 68 48 19 15 10 5 0 2000 4000 6000 8000 10000 12000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Relationship objects Number of references
- 35. 0 100 200 300 400 500 600 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ATT&CK objects Number of references attack-pattern campaign intrusion-set malware tool Number of references per ATT&CK object type Data from Enterprise ATT&CK version 14.1. Excludes relationship objects.
- 36. Data from Enterprise ATT&CK version 14.1 Object Type # of References ATT&CK ID Name Tool 5 S1040 S1063 Rclone Brute Ratel C4 Software 13 S0367 Emotet Campaign 13 C0024 SolarWinds Compromise Technique 18 T1547.006 Kernel Modules and Extensions Group 28 G0016 APT29 Most number of references by object type
- 37. Data from Enterprise ATT&CK version 14.1. Excludes relationship objects. How often references are reused in ATT&CK 2114 464 139 50 29 11 7 5 1 1 1 1 3 1 1 1 0 500 1000 1500 2000 2500 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 Count of References Count of Times Reference Used
- 38. 2114 464 139 50 29 11 7 5 1 1 1 1 3 1 1 1 0 500 1000 1500 2000 2500 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 Count of References Count of Times Reference Used Data from Enterprise ATT&CK version 14.1. Excludes relationship objects. How often references are reused in ATT&CK
- 39. Data from Enterprise ATT&CK version 14.1 Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. T1001 T1001.001 T1001.002 T1001.003 T1008 T1030 T1041 T1048 T1048.001 T1048.002 T1048.003 T1071 T1071.001 T1071.002 T1071.003 T1071.004 T1090 T1090.001 T1090.002 T1095 T1102 T1102.001 T1102.002 T1102.003 T1005 T1132 T1132.001 T1132.002 T1571 T1572 T1573 T1573.001 T1573.002 14 techniques + 19 sub-techniques = 33
- 40. Exfiltration Over Alternative Protocol ← (T1048) d Illustration by Arthur Rackham. Alice’s Adventures in Wonderland (n.d.)
- 41. If you maintain ATT&CK… • Keep working on data normalization and quality control T1574.001 / “Microsoft Security Advisory 2269637” - malformed published date: “(, May 23)” T1218 / “split man page” - malformed published date: “(2020, March null)” G1001 / “SecureWorks August 2019” - malformed published date (missing parentheses?) - malformed retrieval date: “Retrieved. 2019/11/19”
- 42. If you produce cyber threat intelligence… • Keep doing what you’re doing • Open reporting is important to the community • Consider directly contributing content to ATT&CK based on your own research • Encourage others to produce CTI
- 43. If you are blue/red/purple teaming… • Read the underlying sources of ATT&CK as you use objects from the framework • Discover new sources of CTI • Help drive web traffic to smaller sources…they deserve attention too
- 44. If you work with decision makers… • Pitch ATT&CK on its deep roots in CTI • Highlight the robust nature of the dataset • Demonstrate its usefulness in the cyber toolbox
- 45. If you work in PowerShell… • PowerShell lacks a current mitreattack-python module • A few projects on GitHub, but out of date
- 46. The End Illustration by John Tenniel. Cheshire Cat in the Tree Above Alice (1889)