Adam Pennington, project leader, MITRE ATT&CK®, detailed the highlights of the cybersecurity framework's latest update, ATT&CK v17, in a Help Net Security video, emphasizing the critical need to continuously evolve the knowledge base to reflect the latest tactics, techniques, and procedures used by adversaries.

Help Net Security: Inside MITRE ATT&CK v17
ATT&CK is updated biannually, and v17 introduces significant enhancements across its frameworks, including industrial control systems and mobile.
One of the most notable updates in ATT&CK v17 is the addition of VMware ESXi as a standalone platform. ESXi, a hypervisor widely used by enterprise organizations for on-premises virtualization, has seen a surge in threat-actor activity.
“There’s a rule that adversaries tend to go wherever you’re not looking,” said Pennington. “Adversaries have taken a space that’s not monitored so much by a lot of organizations and started to colonize.”
As the largest and most widely used cyber framework, ATT&CK for Enterprise continues to evolve. “In this release, we added over 140 new analytics to techniques, hopefully making it so defenders have something a little bit easier to work with,” added Pennington.
Since its addition to ATT&CK in 2018, Linux has remained a critical area of focus. While reporting on Linux threats remains limited, the team is actively seeking community feedback to ensure the framework reflects the latest adversary behaviors targeting Linux systems.
“Linux is a very challenging space for us. We added it to ATT&CK back in 2018, but it continues to not see a lot of reporting,” said Pennington. “We added some new techniques, like bind mounts, to talk about Linux extended attributes, override process arguments, and system control. We are finally seeing the adversary activity necessary for us to add it to ATT&CK.”
The team also expressed gratitude to the community for their contributions, which played a pivotal role in shaping this release. “Thank you to everybody that contributed to help us out with this release. We’re really looking forward to seeing what people think of it,” said Pennington.