Using ATT&CK to Advance Cyber Threat Intelligence – Part 2

June 4, 2018
Cyber Threat Intelligence: Post by Katie Nickels
Katie Nickels

In my last blog, Using ATT&CK to Advance Cyber Threat Intelligence, we discussed the current state of cyber threat intelligence (CTI) and some of its challenges. We also explained at a high level how ATT&CK can help address some of these challenges. In this post, I will walk you through some practical implementation tips for applying ATT&CK to CTI.

We regularly comb through open source reporting to find examples of Groups and Software samples to add to the ATT&CK website. The process of converting unstructured prose reporting into structured ATT&CK technique examples allows analysts to do valuable comparisons of threat groups to each other or threat groups to defenses, as we explained in the last blog post.

This "technique analysis" process may sound like a simple data entry task, but it's far from that – it is a process that requires careful cyber threat analysis. Analyzing techniques requires a knowledge of adversary behavior in the ATT&CK matrix as well as common ways that analysts describe this behavior. We've gotten questions from the community about how to go about doing this process, so we wanted to share some advice based on our experience to help you feel prepared to do this yourselves.

Figure Out Where to Store It

Before you get started, you should determine where to store the results of your analysis. If you already have an existing threat intelligence repository or database, we'd suggest modifying it to allow you to enter ATT&CK technique information. ATT&CK in STIX/TAXII 2.0 format could help you pull the data you would need to start those modifications.

If you don't have a threat intel repo already, you may consider standing one up. ATT&CK originally started as an Excel spreadsheet, but we quickly found it to be difficult to capture necessary relationships. For several years, we used a MediaWiki for our site, which could be an accessible way for your organization to store ATT&CK technique information if you are not equipped to use STIX 2.0. You could also consider using a threat intelligence platform such as MISP1 -- in fact, MISP has an existing ATT&CK galaxy that could help you out.

Use our Website

Before getting started, we highly recommend you take a careful look at our ATT&CK website. Skim through the descriptions of the tactics (the adversary’s goals) and techniques (how the adversary accomplishes those goals) so you have an idea of what’s available to you to "bin" information about adversary behavior. We'd also recommend skimming over a few Group and Software pages so you can get an idea of how we have performed technique analysis ourselves. As you get started, you can also use our website to conduct keyword searches, which will help point you to how we have applied techniques. For example, if adversaries used HTTP for command and control, you can quickly determine that this would fall under "Standard Application Layer Protocol" by searching for "HTTP" on the site.

Go to the Original Source

As mentioned in the last blog post, analysts often describe adversary behavior in different ways. The best way to avoid misinterpreting what someone else wrote is to get as close to the original information as possible. This may mean going back to original logs from an intrusion or interviewing incident responders about what they observed. If you have an accurate and thorough record of what an adversary did, you will have more success analyzing and identifying the ATT&CK techniques the adversary used.

Start at the Tactic Level

We realize that ATT&CK can be overwhelming at first, and you won't be able to keep track of all 219 techniques off the top of your head. No problem! As you analyze a specific adversary behavior, start by determining what tactic it falls under – there are only 11 tactics in Enterprise ATT&CK, which is much easier to track. Once you’ve decided on the tactic, bring up the page to view techniques that fall under that tactic, and make a selection from there.

Choose Appropriate Information

While we think ATT&CK is great, we realize it won't help in every situation. Certain types of reporting, such as information about API calls in static malware analysis, are usually not fruitful when analyzing for ATT&CK techniques. The most useful reporting to apply to Enterprise ATT&CK is information about what adversaries did during an intrusion. Sadly, this type of reporting can be the most difficult to find, and we hope more organizations will start to share this information. Dynamic malware analysis that includes malware behavior can also be useful to apply techniques to Software samples.

Work as a Team

Just as analysts work as a team to write and edit written reports, we recommend working as a team as you analyze adversary behavior to identify ATT&CK techniques. Within our team, we regularly ask each other for opinions on applying a certain technique if we aren't sure. As we’ve gone through reports, we often find that one analyst may find a different technique that another analyst missed from the same report. This doesn't mean one analyst is deficient, but rather reflects that this process is human-driven analysis that requires interpretation. Any human analysis, including ATT&CK analysis, is subject to cognitive biases, so keep that in mind as you perform this and look for ways to hedge those biases.

Examples from the Community

Now that we’ve given you some tips for how to express your threat intelligence using ATT&CK, we want to mention some examples of other teams who are already doing this. Palo Alto's Unit 422 recently published Adversary Playbooks for OilRig and Sofacy that use PRE-ATT&CK and ATT&CK techniques to describe the groups. A unique feature of the Playbooks is that they divide techniques by the time frame used, which allows for comparison of how the groups changed their behavior over time.

Unit42 Playbook Viewer

McAfee has also started listing ATT&CK techniques along with indicator lists at the end of some blog posts.

These are just two examples of how industry is using ATT&CK for threat intelligence, and we hope those who produce threat intelligence will follow suit. Our vision for the future is that those who produce threat reports will share them in structured ATT&CK format, which would allow organizations to use threat intel in the ways we've described without each organization doing separate ATT&CK analysis of reports.

We continue to be inspired by the ways the community is using ATT&CK to improve their defenses, and we hope these blog posts have given you ideas on how to use ATT&CK to improve your threat intelligence as well.

[1] The MITRE Corporation offers independent, unbiased views. We are not recommending any particular platform or product.

[2] The MITRE Corporation offers independent, unbiased views. We are not recommending any particular platform or product. We are mentioning these companies to provide examples of how private industry is using ATT&CK for threat intelligence.