What's Next for ATT&CK™

January 5, 2018
Cyber Threat Intelligence: Post by John Wunder
John Wunder

Just as adversaries keep sharpening their techniques, MITRE continues to advance the ATT&CK knowledge base. ATT&CK started back in 2013 with 64 techniques for Windows, and we now have 169 techniques across Windows, Linux, and Mac. We moved from exclusively post-exploit techniques on enterprise systems to providing an entire knowledge base dedicated to the early stages of the adversary's cyber attack lifecycle, PRE-ATT&CK™, and a Mobile ATT&CK model for the iOS and Android platforms.

ATT&CK has also grown from an internal MITRE project to a public knowledge base that's referenced in conferences across the world and used by organizations as varied as Endgame, Palo Alto, and Pfizer. It even achieved the highest honor possible in 2017—being tweeted as an internet meme.

In recognition of that, we'd like to talk a little bit about where MITRE is headed with ATT&CK. As usual, there are regular content updates, but beyond that we also have some great ideas (validated from talking to folks using ATT&CK) for how to structure, use, and manage ATT&CK. Specifically, we plan to:

  • Restructure ATT&CK as a single knowledge base across multiple platforms and all phases of the lifecycle.
  • Build out the "launch" and "compromise" tactics, currently in PRE-ATT&CK, to contain the level of technical detail present in Enterprise ATT&CK.
  • Expand detail that's available via the creation of "sub-techniques" to better define variations on how techniques can be performed.
  • Develop a more robust set of tooling, including an embeddable ATT&CK matrix visualization tool (the ATT&CK Navigator) and STIX/TAXII-based APIs.
  • Perhaps most importantly, introduce a new strategy for operating ATT&CK in partnership with industry, with a more robust feedback and governance process that ensures ATT&CK is available and contains relevant, useful information for the long term.

As we refine ATT&CK, make it easier to use, and secure its future, we know that we have to support current users. To that end, we encourage you to engage with us. We will continue to make announcements via Twitter, so follow us, review our plans as we make them available, and share your feedback.

One ATT&CK – Spring 2018

First, let's talk about how ATT&CK is currently structured. Right now, there are three published websites:

  • Enterprise ATT&CK, which contains content for the post-exploit phases of the lifecycle on Windows, Linux, and Mac
  • PRE-ATT&CK, which contains platform-neutral content for pre-exploit phases of the lifecycle
  • Mobile ATT&CK, which contains pre-and post-exploit content for iOS and Android

That division can make it difficult to understand how all the knowledge bases overlap. For example, if you're wondering how an adversary might test capabilities in preparation for an attack on a company's iOS devices, is that in PRE-ATT&CK or Mobile ATT&CK?

To help with this, we're planning to restructure ATT&CK so that it's just that: ATT&CK. There will be one knowledge base, accessible from one website. That doesn't mean you can't still see and work with the traditional matrices: those divisions were created because they make sense, and they'll still be available. The new structure will contain an ability to filter by platform (e.g., showing just Mac techniques) as well as by general phase of the lifecycle (pre-exploit, exploit, and post-exploit, or what we're currently calling prepare, launch, and act).

Enhancing Content for Launch and Compromise – Spring 2018

We're also planning to enhance the content for the launch and compromise tactics, which are currently contained in PRE-ATT&CK. PRE-ATT&CK content tends to be platform neutral and describes activities that are often less technical, so PRE-ATT&CK techniques contain less technical detail than Enterprise ATT&CK techniques. For most of PRE-ATT&CK this makes sense, but as the launch and compromise tactics have been populated and used, we and others have noticed that they describe activities that are technical and are often targeted at specific platforms. In other words, they describe content that is more similar to Enterprise ATT&CK than PRE-ATT&CK.

The content for these tactics, which currently exists in PRE-ATT&CK with the corresponding level of detail, will be migrated and reformulated to look more like Enterprise ATT&CK. The set of techniques will be expanded to provide more extensive coverage of the differences between the technical approaches, and each technique itself will have the amount of detail you're used to in Enterprise ATT&CK. That should provide the preferred technical depth for those focusing on how adversaries launch attacks and compromise systems.

Digging Deeper with Sub-techniques – Summer 2018

If you've spent a lot of time looking at ATT&CK, you might have noticed that some of the techniques describe a wide variety of behaviors. The current level of abstraction is useful because it provides a digestible summary, but we've found that digging one layer deeper might make sense in some cases. For example, the Credential Dumping technique (T1003) describes multiple ways that adversaries can access legitimate user credentials. On Windows end user systems, for example, tools such as Mimikatz can be used to extract plaintext passwords stored by the Local Security Authority. The DCSync mechanism can be used directly against the Domain Controller, rather than the end user system, to acquire hashes that can then be used to generate tickets for use in Pass the Ticket. Still other mechanisms exist to obtain credentials from Linux and MacOS systems or from web and other applications. Having separate techniques for each mechanism would create an explosion of techniques describing very similar things, but combining them all into one (the current approach) can hide differences in detection, mitigation or red-team procedures. By adding sub-techniques for each of those mechanisms, those techniques such as Credential Dumping that need the extra level of detail can have it without greatly increasing the size of the model.

We also don't want to overcomplicate things. Many people might not need or want that level of detail, and that's OK. The main matrix will stay the same, at the current level of abstraction, and it's perfectly fine to continue using ATT&CK that way. We'll make sure the knowledge is structured so that you still get everything you need even if you don't go to the sub-technique level of detail. Also, we need you to keep us honest. If we ever start to talk about sub-sub-techniques, give us a good kick to knock us back to our senses.

Making ATT&CK Easier Through Tooling and APIs – Ongoing Throughout 2018

We've seen a lot of awesome, creative usage of ATT&CK in tooling, whether it's an Excel spreadsheet or some libraries on Github. We want to make it easier for you all, so we're working on some foundational changes to how ATT&CK is published. First, we'll be moving away from Mediawiki towards a platform based on Unfetter. That will allow us to continue to publish the static web pages, but instead of having the mediawiki API (I know how bad it is, I've used it) we’ll move to one based on STIX/TAXII 2.0. We'll be publishing some libraries on Github ourselves (sneak peek below) to make that easier, and will of course also have a transition plan so that the Mediawiki API doesn't get pulled out from under anyone.

With that foundational infrastructure, we're also working on a new interface—the ATT&CK Navigator. The Navigator is a simple interface to construct "layers": basically, just colored scores and other annotations on the ATT&CK matrix. You could create layers to display coverage of your analytics, the capabilities provided by a suite of tools, to describe a red-team plan, or to highlight the tactics used most frequently by some threat actor. You could also do crazy things that we haven't thought of—we wanted to keep it open and flexible to let people use it how they want, not how we want them to. The ATT&CK Navigator will be published both on MITRE's website and as reusable open-source code. We're working our hardest to release this code as soon as possible.

Sharing ATT&CK with the World

We hope that you think MITRE has done a good job managing ATT&CK. Certainly we appreciate all the compliments, references, and feedback. At the same time, we don't have all the experts. There are smart people everywhere, and we think they should be managing ATT&CK, even if they don't work at MITRE. So, we're going to create a governance structure around ATT&CK that's convened by MITRE, but with invited participants from across industry. Those experts will get together to decide what should change in ATT&CK and what shouldn't. We'll keep it conservative: ATT&CK is pretty good right now, so changes to existing content will require a lot of agreement. New content needs to remain agile, should it be somewhat easy to add. We don't intend MITRE to have any special veto and, in fact, we explicitly don't want one and would argue against it.

Richard Struse, our Chief Strategist for Cyber Threat Intelligence, will be talking more about this governance structure in the coming months.

This is a lot of change, but it's all based on your feedback and how we see ATT&CK being used today. If you think something doesn't make sense, you have concerns, you have ideas to make it better, or you just want to say that you agree with what we're doing, please send us an e-mail or message on Twitter.