Integrating PRE-ATT&CK Techniques Into ATT&CK

April 13, 2018
Cyber Threat Intelligence: Post by Kristin Esbeck and Blake Strom

This post will provide a summary of the newly released changes to ATT&CK’s Enterprise and pre-compromise (PRE-ATT&CK) models.

What's New in ATT&CK and PRE-ATT&CK

With the latest release of ATT&CK and PRE-ATT&CK, we decided to make the following changes:

  • Creation of the new Initial Access tactic category in ATT&CK
  • Deprecation of the Launch and Compromise tactic categories in PRE-ATT&CK
  • Movement of two former Launch techniques into the Technical Information Gathering and Stage Capabilities tactics in PRE-ATT&CK

Why the Change?

ATT&CK and PRE-ATT&CK have distinct use cases and audiences, but the techniques in PRE-ATT&CK's Launch and Compromise tactics are inherently more actionable for network defenders than the rest of the pre-compromise model. The further right you move in the PRE-ATT&CK matrix, the greater the potential for the network defense community to detect and potentially mitigate adversary techniques. It therefore made sense to reevaluate the existing Launch and Compromise techniques and fold them into ATT&CK, where they can be modeled as Enterprise ATT&CK techniques. In addition, the ATT&CK and PRE-ATT&CK email lists received feedback from the user community seeking clarity on how to map adversaries and how to address adversary initial access into a network. The merge gave us a prime opportunity to respond to that feedback.

Where Can You Find the Newly-Revised Techniques from Launch and Compromise?

A detailed change log for this release can be found under the section "PRE-ATT&CK and ATT&CK Merger: What's New" at https://attack.mitre.org/wiki/Main_Page. The revised techniques that previously lived in Launch and Compromise are now spread across ATT&CK's Initial Access and Execution tactics. Two techniques, Spearphishing for Information and Dissemination of Removable Media, have instead moved to the Technical Information Gathering and Stage Capabilities tactics in PRE-ATT&CK. For now, the techniques in Launch and Compromise are marked as deprecated on the website but remain reachable by direct link.

Where’s the Data?

The existing Launch and Compromise techniques will remain available but will display a deprecation warning on the website. The two tactics will no longer appear in the PRE-ATT&CK matrix or in the wiki's navigation pane. The STIX objects for these techniques will be updated with a deprecation tag but will also remain available for use. As new STIX objects are created for the Initial Access techniques, they will become available in the ATT&CK Navigator at https://github.com/mitre/attack-navigator.
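One way to work with the deprecated and newly created STIX objects described above, as an added example that is not part of the original post and is not MITRE's own tooling: the script below takes an ATT&CK-style STIX 2.0 bundle, drops attack-pattern objects that carry a deprecation flag, and groups the remaining techniques by tactic within a chosen matrix. The field names it relies on (`x_mitre_deprecated`, `revoked`, and `kill_chain_phases` entries whose `kill_chain_name` is `mitre-attack` for Enterprise or `mitre-pre-attack` for PRE-ATT&CK) are those used in the public ATT&CK STIX export; the post itself does not name them, so treat them as an assumption to confirm against the release you download. The bundle embedded in the script is constructed for this example, with placeholder IDs and technique names.

```python
"""Filter an ATT&CK-style STIX 2.0 bundle by deprecation status and tactic.

Added example, not MITRE code. Assumed field names (x_mitre_deprecated,
revoked, kill_chain_phases/kill_chain_name/phase_name) follow the public
ATT&CK STIX export. SAMPLE_BUNDLE is constructed here with placeholder
IDs and names so the script runs offline.
"""
import json
from collections import defaultdict

ENTERPRISE = "mitre-attack"       # Enterprise ATT&CK kill chain name
PRE_ATTACK = "mitre-pre-attack"   # PRE-ATT&CK kill chain name

# Constructed sample data in the shape of an ATT&CK STIX bundle (not real content).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {   # new Enterprise technique under the Initial Access tactic
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-0000-0000-000000000001",
            "name": "Example Initial Access technique",
            "kill_chain_phases": [{"kill_chain_name": ENTERPRISE, "phase_name": "initial-access"}],
        },
        {   # technique listed under two Enterprise tactics
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-0000-0000-000000000002",
            "name": "Example technique in Initial Access and Execution",
            "kill_chain_phases": [
                {"kill_chain_name": ENTERPRISE, "phase_name": "initial-access"},
                {"kill_chain_name": ENTERPRISE, "phase_name": "execution"},
            ],
        },
        {   # retired PRE-ATT&CK technique carrying the ATT&CK deprecation flag
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-0000-0000-000000000003",
            "name": "Example deprecated Launch technique",
            "x_mitre_deprecated": True,
            "kill_chain_phases": [{"kill_chain_name": PRE_ATTACK, "phase_name": "launch"}],
        },
        {   # retired PRE-ATT&CK technique marked with the standard STIX 'revoked' flag
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-0000-0000-000000000004",
            "name": "Example revoked Compromise technique",
            "revoked": True,
            "kill_chain_phases": [{"kill_chain_name": PRE_ATTACK, "phase_name": "compromise"}],
        },
        {   # PRE-ATT&CK technique that is still active
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-0000-0000-000000000005",
            "name": "Example Stage Capabilities technique",
            "kill_chain_phases": [{"kill_chain_name": PRE_ATTACK, "phase_name": "stage-capabilities"}],
        },
        {   # non-technique object; must be ignored by the technique filters
            "type": "intrusion-set",
            "id": "intrusion-set--00000000-0000-0000-0000-000000000006",
            "name": "Example group",
        },
    ],
}


def load_bundle(path):
    """Read a STIX bundle from a JSON file (e.g. a downloaded ATT&CK export)."""
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def attack_patterns(bundle):
    """Return only the technique (attack-pattern) objects from a bundle."""
    return [o for o in bundle.get("objects", []) if o.get("type") == "attack-pattern"]


def is_deprecated(obj):
    """True if the object is retired via ATT&CK's x_mitre_deprecated or STIX's revoked."""
    return bool(obj.get("x_mitre_deprecated")) or bool(obj.get("revoked"))


def deprecated_ids(bundle):
    """Sorted STIX IDs of every retired technique in the bundle."""
    return sorted(o["id"] for o in attack_patterns(bundle) if is_deprecated(o))


def techniques_by_tactic(bundle, kill_chain=ENTERPRISE, include_deprecated=False):
    """Map tactic phase_name -> sorted technique names for one matrix.

    Techniques that belong to several tactics appear under each of them.
    Retired techniques are dropped unless include_deprecated is set.
    """
    grouped = defaultdict(list)
    for obj in attack_patterns(bundle):
        if not include_deprecated and is_deprecated(obj):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == kill_chain:
                grouped[phase["phase_name"]].append(obj["name"])
    return {tactic: sorted(names) for tactic, names in grouped.items()}


if __name__ == "__main__":
    print("Enterprise:", json.dumps(techniques_by_tactic(SAMPLE_BUNDLE), indent=2))
    print("PRE-ATT&CK (active):", techniques_by_tactic(SAMPLE_BUNDLE, PRE_ATTACK))
    print("PRE-ATT&CK (all):", techniques_by_tactic(SAMPLE_BUNDLE, PRE_ATTACK, include_deprecated=True))
    print("Deprecated IDs:", deprecated_ids(SAMPLE_BUNDLE))
```

Against a real export, replace `SAMPLE_BUNDLE` with `load_bundle("enterprise-attack.json")` or the PRE-ATT&CK file; checking both `x_mitre_deprecated` and `revoked` matters because a downstream mapping that silently keeps retired objects will keep reporting coverage for tactics that no longer exist in the matrix.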

The new Initial Access tactic and the additional content added to Execution in ATT&CK are meant to cover the core concepts from Launch and Compromise at the same level of detail as the rest of ATT&CK. The new techniques will be useful for defensive gap analysis, mapping threat intelligence data, and performing adversary emulation.

We Want Feedback

We're constantly listening to the community to help shape how ATT&CK grows. These changes were largely driven by what we’ve been hearing so far, but we may not cover exactly what the community was expecting. If you don’t see something you think should be there or think we should do it in a different way to make the information easier to use, then let us know.