ATT&CKing 2019

It’s been about a year since we wrote about what was coming for ATT&CK in 2018…and what a year it’s been. We started from the ground up by making some big changes to ATT&CK itself, including developing a new tactic to capture how adversaries achieve Initial Access. We launched a new technical infrastructure, including a redesigned website and STIX/TAXII-based JSON API. We published the ATT&CK Navigator to help you visualize and explore ATT&CK, relaunched CAR to help you detect ATT&CK techniques, and conducted our first round of ATT&CK Evaluations to drive ATT&CK adoption and implementation by both vendors and end-users. We also launched this blog, with some great posts on threat intelligence mapping, finding related ATT&CK techniques, and how to interpret ATT&CK Evaluation detections. I think I speak for the team when I say our high point was meeting so many of you in person at our first ATT&CKcon.

2018 ATT&CK Changes

So, what will 2019 bring?

Structural and Content Changes

First, we’re planning some major changes to ATT&CK itself, including some holdovers from 2018. We promised you sub-techniques and heard at ATT&CKcon again that they’re critically important — it turns out they’re also hard to get right! We want to make sure that it’s done well, so we’re taking some more time and hope to have an initial proposal out over the next few months. We’re also still working to improve consistency and integration between PRE-ATT&CK, Mobile ATT&CK, and Enterprise ATT&CK. A lot of progress has been made to consolidate threat group entries and make sure fields align, but later this year we’re planning a major refactor of the content in PRE-ATT&CK to better align with the ATT&CK philosophy.

There’s even more planned for 2019, though. Mitigations in Enterprise ATT&CK will be completely restructured to work how they do in Mobile ATT&CK, with individual mitigation pages that will help you identify common mitigations across techniques. The addition of a class of techniques to cover integrity and availability attacks will make it much easier to capture the behaviors of things like ransomware, denial of service, and destructive enterprise attacks that aren’t aimed at data exfiltration. We’re thinking of grouping these under a single tactic, currently named “Impact.” Let us know if you have any alternate suggestions for the name or how to organize it.

As you can tell, that’s an ambitious set of content changes. We’re hoping though that some major investment now will position ATT&CK to cover a broad set of attacks, at a consistent level of detail, across the kill chain, and for most major IT platforms (Windows, Linux, macOS, iOS, and Android).

Evaluations

ATT&CK Evaluation Results

The biggest stretch goal for the team last year was the completion of the initial round of ATT&CK Evaluations. It took a lot of long nights and great cooperation from the vendors, but the results are incredibly detailed and (hopefully you agree) very useful. The team will build on that success in 2019, and is prepping for the next round of evals leveraging a new adversary emulation plan based on APT29. The evaluations will also take a more community driven approach, starting with a call for contributions, to ensure they are accurately modeling today’s threat. The team is also continuing to explore ways of improving the usability of the results.

Analytics

CAR’s fresh new look

With the relaunch of CAR at the end of 2018 we also reinvigorated a focus on developing analytic detections for ATT&CK techniques. That will continue in 2019, as MITRE looks to publish an update to modernize the CAR data model add a few new analytics we’ve been working on, and (hint hint) accept contributions of analytics from others.

Thank you

2018 saw an incredible amount of support from the community. Most notably, about 70% of the new content in ATT&CK was contributed by folks like yourselves. Your contributions keep ATT&CK going, so please keep it up.

Beyond contributions to ATT&CK itself, we saw some incredible presentations at ATT&CKcon, new open source work, and entire libraries of analytics and hunting guides referencing ATT&CK. We saw new threat intel mappings natively in ATT&CK, and even structured threat intelligence in ATT&CK and STIX. The MISP team and others spearheaded the launch of one of the first user-driven ATT&CK communities. You should all know that the MITRE team is humbled every day by how much people care and are willing to help make ATT&CK what it is.

Of course, that means we need your help to keep it up. As you probably guessed, ATT&CKcon 2019 is on, at a date to be announced but sometime in the fall. So put on your CFP thinking caps, your CTI mapping pants, and your purple team jerseys to help us make 2019 even bigger than 2018.

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18–03730–5.