ATT&CK™ content available in STIX™ 2.0 via public TAXII™ 2.0 server

May 14, 2018
Cyber Threat Intelligence: Post by Jen Burns and Anthony Masi

We are excited to announce that all of MITRE’s Adversarial Tactics, Techniques, and Common Knowledge content, including ATT&CK for Enterprise, PRE-ATT&CK™, and ATT&CK for Mobile, is now available via our TAXII 2.0 server. This consolidation of content onto our TAXII server is another advancement toward our goal of making ATT&CK easier to use through tooling and APIs. Prior to this announcement, we also released the ATT&CK content as STIX 2.0 in our GitHub repository and published the ATT&CK™ Navigator, which uses the STIX 2.0 content to provide an interactive visualization of the ATT&CK matrices.

The TAXII server is an open-source module designed to serve STIX 2.0 content in compliance with the TAXII 2.0 specification. Written in JavaScript, it uses Node.js's asynchronous I/O model so that the server handles incoming connections smoothly under load. The module runs as a part of the overarching Unfetter Discover project, connected to a data store that contains the ATT&CK content expressed as STIX 2.0.

You can use existing and forthcoming libraries and tools to work with ATT&CK content, thanks to the move to STIX and TAXII. You can access ATT&CK content on our TAXII server through the cti-python-stix2 and cti-taxii-client libraries. Under Department of Homeland Security sponsorship, MITRE developed both of these libraries and contributed to the OASIS Technical Committee for Cyber Threat Intelligence, which develops the STIX and TAXII standards.

Here is an example of how to use these libraries to print the names and IDs of each available ATT&CK technology-domain:

The ID of each collection can then be used to get the content of that collection. Here's an example of using Enterprise ATT&CK’s ID to get that content. You'll see that changing the ID in the URL, which is highlighted in the code, allows you to get the content from another specified domain, such as ATT&CK for Mobile or PRE-ATT&CK.
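The two steps described above (list the collections, then fetch one collection's objects by ID) are shown here at the TAXII 2.0 message level, as an added example that is not code from the original post. It uses only the Python standard library instead of cti-taxii-client and cti-python-stix2; the API root URL, collection IDs, technique IDs and both response bodies are constructed placeholders.

```python
import json

# Assumption: placeholder API root; substitute the real server's API root URL.
API_ROOT = "https://taxii.example/stix/"
STIX_ACCEPT = "application/vnd.oasis.stix+json; version=2.0"

# Constructed body of GET <API_ROOT>collections/ (IDs are made-up UUIDs).
COLLECTIONS_BODY = json.dumps({"collections": [
    {"id": "11111111-1111-4111-8111-111111111111", "title": "Enterprise ATT&CK", "can_read": True},
    {"id": "22222222-2222-4222-8222-222222222222", "title": "Mobile ATT&CK", "can_read": True},
    {"id": "33333333-3333-4333-8333-333333333333", "title": "Staging", "can_read": False},
]})

# Constructed body of GET <API_ROOT>collections/<id>/objects/ (a STIX 2.0 bundle).
OBJECTS_BODY = json.dumps({"type": "bundle", "spec_version": "2.0",
    "id": "bundle--44444444-4444-4444-8444-444444444444", "objects": [
    {"type": "attack-pattern", "name": "Constructed Technique A",
     "id": "attack-pattern--55555555-5555-4555-8555-555555555555",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "intrusion-set", "name": "Constructed Group",
     "id": "intrusion-set--66666666-6666-4666-8666-666666666666"},
    {"type": "attack-pattern", "name": "Constructed Technique B", "revoked": True,
     "id": "attack-pattern--77777777-7777-4777-8777-777777777777",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
]})

def list_collections(body):
    """Map title -> ID for every collection the client is allowed to read."""
    cols = json.loads(body).get("collections", [])
    return {c["title"]: c["id"] for c in cols if c.get("can_read")}

def objects_request(collection_id):
    """Build the URL and headers for fetching one collection's STIX objects."""
    return f"{API_ROOT}collections/{collection_id}/objects/", {"Accept": STIX_ACCEPT}

def techniques(body):
    """Return sorted (ATT&CK ID, name) pairs for non-revoked attack-pattern objects."""
    found = []
    for obj in json.loads(body).get("objects", []):
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue
        refs = obj.get("external_references", [])
        ext = next((r.get("external_id") for r in refs if r.get("source_name") == "mitre-attack"), "")
        found.append((ext, obj["name"]))
    return sorted(found)

if __name__ == "__main__":
    for title, cid in list_collections(COLLECTIONS_BODY).items():
        print(title, cid, objects_request(cid)[0])
    print(techniques(OBJECTS_BODY))
```

Only the collection ID in the objects URL changes between domains, which is why swapping the ID is enough to retrieve a different ATT&CK matrix.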

With the introduction of this new TAXII 2 service for ATT&CK content, we are deprecating the existing MediaWiki APIs that are accessible via the ATT&CK website. While the MediaWiki APIs will still be available for the short term, our intent is to transition completely to STIX/TAXII-based access. More information on the usage of the ATT&CK content expressed as STIX 2.0 can be found here.