Getting Started with ATT&CK: Threat Intelligence
Since we started our Medium blog last year, we’ve shared quite a few posts with you about topics like ATT&CKcon 2018, our plans for 2019, and a cool visualization for our roadmaps — we hope you’ve found those helpful. As we’ve talked to you, though, we’ve realized that it would help for us to take a step back and focus on a question many of you have: how do I get started using ATT&CK?
With that in mind, we're starting a new mini-series of blog posts aimed at answering that question for four key use cases: threat intelligence, detection and analytics, adversary emulation and red teaming, and assessment and engineering. If you haven't seen it, we reorganized our website to share content based on these use cases, and our hope is that these blog posts will add to those resources.
ATT&CK can be useful for any organization that wants to move toward a threat-informed defense, so we want to share ideas for how to start regardless of how sophisticated your team is. We'll break each of these posts into three levels:
- Level 1 for those just starting out who may not have many resources,
- Level 2 for those who are mid-level teams starting to mature, and
- Level 3 for those with more advanced cybersecurity teams and resources.
Today we’re kicking off this series by talking about threat intelligence because it’s the best use case (just kidding, rest of my team! 😉). Last summer, I gave a high-level overview of how you can use ATT&CK to advance cyber threat intelligence, and in this post I’ll build upon that and share practical advice for getting started.
Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. For an organization with just a couple of analysts that wants to start using ATT&CK for threat intelligence, one way to begin is to take a single group you care about and look at their behaviors as structured in ATT&CK. You might choose a group from those we've mapped on our website based on who they've previously targeted. Alternatively, many threat intelligence subscription providers also map to ATT&CK, so you could use their information as a reference.
Example: If you were a pharmaceutical company, you could search in our Search bar or on our Groups page to identify that APT19 is one group that has targeted your sector.
From there, you can bring up that group's page to look at the techniques they've used (based solely on the open source reporting we've mapped) so you can learn more about them. If you need more information on a technique because you're not familiar with it, no problem: it's right there on the ATT&CK website. You could repeat this for each Software entry we've mapped to the group, which we track separately on the ATT&CK website.
Example: One technique used by APT19 is Registry Run Keys/Startup Folder.
So how do we make this information actionable, which is the whole point of threat intelligence? Let’s share it with our defenders since this is a group who has targeted our sector and we want to defend against them. As you do this, you can check out the ATT&CK website for some ideas to get you started with Detection and Mitigation of techniques.
Example: Let your defenders know about the specific Registry run key APT19 has used. Be aware, though, that the adversary can switch to a different run key at any time, so a detection keyed to that one value is brittle. If you look at the Detection advice for the technique, you see a recommendation to monitor the Registry for new run keys that you don't expect to see in your environment. This would be a great conversation to have with your defenders.
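To make the difference between those two conversations concrete, here is an added example (not code from the MITRE post) that runs an indicator-style rule and a behavior-style rule over a handful of constructed registry value-set events. The event fields, the reported value name and the baseline of expected Run entries are all placeholders; an organization would fill the baseline from its own systems.

```python
"""Brittle (indicator) vs. behavior-based detection of Run key persistence.

Added example, not from the MITRE post. EVENTS mimic the fields of a registry
value-set event (process, key path, value name, data) but are constructed;
REPORTED_VALUE_NAME and EXPECTED_RUN_ENTRIES are placeholders.
"""
from typing import Dict, List

# Key paths that make a value run at logon (checked as suffixes of HKLM/HKU paths).
RUN_KEY_PATHS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Indicator-style rule: only the single value name a report happened to mention.
REPORTED_VALUE_NAME = "ReportedMalwareEntry"  # placeholder, not a real indicator

# Behavior-style rule: any Run/RunOnce value that is not already in the baseline.
EXPECTED_RUN_ENTRIES = {"OneDrive", "SecurityHealth"}  # constructed baseline


def is_run_key(key_path: str) -> bool:
    """True for writes under a Run or RunOnce key in any hive."""
    return any(key_path.upper().endswith(p.upper()) for p in RUN_KEY_PATHS)


def indicator_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Fires only when the exact reported value name is written."""
    return [e for e in events
            if is_run_key(e["key"]) and e["value_name"] == REPORTED_VALUE_NAME]


def behavior_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Fires on any new Run key entry outside the baseline, whatever it is named."""
    return [e for e in events
            if is_run_key(e["key"]) and e["value_name"] not in EXPECTED_RUN_ENTRIES]


USER_HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed SID

EVENTS = [  # constructed sample events
    {"process": "OneDrive.exe", "key": USER_HIVE + RUN_KEY_PATHS[0],
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # the value name from the report: both rules see this one
    {"process": "update.exe", "key": USER_HIVE + RUN_KEY_PATHS[0],
     "value_name": REPORTED_VALUE_NAME, "data": r"C:\Users\alice\AppData\Roaming\update.exe"},
    # same behavior, different value name and RunOnce: only the behavior rule sees it
    {"process": "update.exe", "key": USER_HIVE + RUN_KEY_PATHS[1],
     "value_name": "WindowsUpdateSvc", "data": r"C:\Users\alice\AppData\Roaming\update.exe"},
    # unrelated registry write: neither rule should fire
    {"process": "explorer.exe", "key": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "value_name": "ShellState", "data": "..."},
]

if __name__ == "__main__":
    print("indicator rule:", [e["value_name"] for e in indicator_hits(EVENTS)])
    print("behavior rule: ", [e["value_name"] for e in behavior_hits(EVENTS)])
```

The second event is caught by both rules, but the third, where the same process persists under a different name, is only caught by the behavior rule. The price of the behavior rule is the baseline it needs, which is exactly the conversation to have with your defenders.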
In summary, an easy way to start using ATT&CK for threat intelligence is to look at a single adversary group you care about. Identifying some behaviors they’ve used helps you inform your defenders about how they can try to detect that group.
If you have a team of threat analysts who are regularly reviewing information about adversaries, a next-level action you can take is to map intelligence to ATT&CK yourself rather than using what others have already mapped. If you have a report about an incident your organization has worked, this can be a great internal source to map to ATT&CK, or you could use an external report like a blog post. To ease into this, you can just start with a single report.
Example: Here is a snippet from a FireEye report that’s been mapped to ATT&CK. (https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html)
We realize it can be intimidating to try to map to ATT&CK when you don’t know all of the hundreds of techniques. Here’s a process you could follow to help with this.
- Understand ATT&CK — Familiarize yourself with the overall structure of ATT&CK: tactics (the adversary’s technical goals), techniques (how those goals are achieved), and procedures (specific implementations of techniques). Take a look at our Getting Started page and Philosophy Paper.
- Find the behavior — Think about the adversary’s action in a broader way than just the atomic indicator (like an IP address) they used. For example, the malware in the above report “establishes a SOCKS5 connection.” The act of establishing a connection is a behavior the adversary took.
- Research the behavior — If you’re not familiar with the behavior, you may need to do more research. In our example, a little research would show that SOCKS5 is a Layer 5 (session layer) protocol.
- Translate the behavior into a tactic — Consider the adversary’s technical goal for that behavior and choose a tactic that fits. The good news is there are only 12 tactics to choose from in Enterprise ATT&CK. For the SOCKS5 connection example, establishing a connection to later communicate would fall under the Command and Control tactic.
- Figure out what technique applies to the behavior — This can be a little tricky, but with your analysis skills and the ATT&CK website examples it’s doable. If you search our website for SOCKS, the technique Standard Non-Application Layer Protocol (T1095) pops up, and looking at the technique description, you’ll find this could be where our behavior fits.
- Compare your results to other analysts — Of course, you might have a different interpretation of a behavior than another analyst. This is normal and it happens all the time on the ATT&CK team! I’d highly recommend comparing your ATT&CK mapping of information to another analyst’s and discussing any differences.
For those CTI teams who have a couple analysts, mapping information to ATT&CK yourself can be a good way to ensure you’re getting the most relevant information to meet your organization’s requirements. From there, you can pass the ATT&CK-mapped adversary information to your defenders to inform their defenses, as we discussed above.
If your CTI team is advanced, you can start to map more information to ATT&CK, and then use that information to prioritize how you defend. Taking the above process, you can map both internal and external information to ATT&CK, including incident response data, reports from OSINT or threat intel subscriptions, real-time alerts, and your organization’s historic information.
Once you’ve mapped this data, you can do some cool things to compare groups and prioritize commonly used techniques. For example, take this matrix view from the ATT&CK Navigator that I previously shared with techniques we’ve mapped on the ATT&CK website. Techniques used only by APT3 are highlighted in blue; the ones used only by APT29 are highlighted in yellow, and the ones used by both APT3 and APT29 are highlighted in green. (All based solely on publicly-available information that we’ve mapped, which is only a subset of what those groups have done.)
You should substitute the groups and techniques you care about based on your organization's top threats. To help you make your own Navigator layers like the one above, here is a step-by-step guide to producing that matrix, as well as a video walkthrough that also provides an overview of Navigator functionality.
We can then aggregate the information to determine which techniques are commonly used, which tells defenders what to prioritize for detection and mitigation. In our above matrix, if APT3 and APT29 were two groups an organization considered high threats, the techniques in green may be the highest priority to determine how to mitigate and detect. If our defenders have given the CTI team the requirement to help figure out where to prioritize resources for defense, we can share this information with them as a place to start.
If our defenders have already done an assessment of what they can detect (which we’ll cover in future posts), you can overlay that information onto what you know about your threats. This is an excellent place to focus your resources since you know groups you care about have used those techniques and you can’t detect them!
You can continue adding the techniques you've observed adversaries using, based on the data you have, and develop a "heat map" of frequently used techniques. Brian Beyer and I spoke at the SANS CTI Summit about how we came up with different "top 20" techniques based on MITRE-curated and Red Canary-curated data sets, and your team could follow this same process to create your own "top 20." This process of mapping ATT&CK techniques isn't perfect and has bias, but this information can still help you start to gain a clearer picture of what adversaries are doing. (You can read more on biases and limitations in this slide deck, and we hope to share additional thoughts soon.)
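The three ideas above (the two-group comparison matrix, the detection-coverage overlay, and the frequency heat map) all reduce to set operations and counts over mapped technique IDs, and all three can be handed to defenders as Navigator layers. Here is an added example that does exactly that; it is not code from the MITRE post or from the Navigator project. The group technique sets, the per-source observations and the list of detected techniques are constructed sample data, not the real mappings for APT3 or APT29. The layer dicts follow the general shape of a Navigator layer (techniqueID, color, score, comment, plus gradient and legendItems); the "version" and "domain" values are assumptions, so check what your Navigator build expects before importing.

```python
"""Group comparison, technique heat map and detection-coverage overlay, emitted
as ATT&CK Navigator-style layers.

Added example; not from the MITRE post or the Navigator project. GROUP_A,
GROUP_B, OBSERVATIONS and DETECTED are constructed sample data, NOT the real
APT3/APT29 mappings. The "version"/"domain" strings are assumptions.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

BLUE, YELLOW, GREEN = "#6fa8dc", "#ffd966", "#93c47d"  # only A / only B / both


def compare_groups(a: Set[str], b: Set[str]) -> Dict[str, Set[str]]:
    """Partition technique IDs the way the post's matrix colors them."""
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


def comparison_layer(a_name: str, a: Set[str], b_name: str, b: Set[str]) -> dict:
    """Navigator-style layer: blue = only A, yellow = only B, green = both."""
    parts = compare_groups(a, b)
    colored = [(parts["only_a"], BLUE, f"only {a_name}"),
               (parts["only_b"], YELLOW, f"only {b_name}"),
               (parts["both"], GREEN, f"both {a_name} and {b_name}")]
    techniques = [{"techniqueID": tid, "color": color, "comment": note}
                  for ids, color, note in colored for tid in sorted(ids)]
    return {
        "name": f"{a_name} vs {b_name}",
        "version": "2.1",              # assumed layer format version
        "domain": "mitre-enterprise",  # assumed domain string
        "techniques": techniques,
        "legendItems": [{"label": note, "color": color} for _, color, note in colored],
    }


def technique_frequency(observations: Iterable[Tuple[str, str]]) -> Counter:
    """Count, per technique, how many distinct sources reported it.
    Deduplicating on (source, technique) keeps one verbose report from
    inflating a technique's score."""
    return Counter(tid for _, tid in set(observations))


def coverage_gaps(freq: Counter, detected: Set[str], top_n: int) -> List[Tuple[str, int]]:
    """Most frequently observed techniques that defenders cannot yet detect."""
    return [(tid, n) for tid, n in freq.most_common() if tid not in detected][:top_n]


def heatmap_layer(name: str, freq: Counter, detected: Set[str]) -> dict:
    """Score each technique by source count; flag undetected ones in the comment."""
    techniques = [
        {"techniqueID": tid, "score": n,
         "comment": f"{n} source(s); " + ("detected" if tid in detected else "NO DETECTION")}
        for tid, n in freq.most_common()
    ]
    return {
        "name": name,
        "version": "2.1",              # assumed layer format version
        "domain": "mitre-enterprise",  # assumed domain string
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": max(freq.values(), default=0)},
    }


# Constructed sample data (not the real APT3/APT29 mappings).
GROUP_A = {"T1095", "T1060", "T1059"}
GROUP_B = {"T1060", "T1059", "T1003"}

OBSERVATIONS = [  # (source, technique) pairs from mapped reports and incidents
    ("incident-2019-01", "T1060"), ("incident-2019-01", "T1059"), ("incident-2019-01", "T1060"),
    ("vendor-report-7", "T1060"), ("vendor-report-7", "T1095"),
    ("blog-post-3", "T1059"), ("blog-post-3", "T1003"),
    ("incident-2019-02", "T1060"), ("incident-2019-02", "T1003"),
]
DETECTED = {"T1059"}  # what the defenders' own assessment says they can currently see

if __name__ == "__main__":
    print(json.dumps(comparison_layer("Group A", GROUP_A, "Group B", GROUP_B), indent=2))
    freq = technique_frequency(OBSERVATIONS)
    print("top gaps:", coverage_gaps(freq, DETECTED, top_n=3))
    print(json.dumps(heatmap_layer("Observed techniques", freq, DETECTED), indent=2))
```

Counting distinct sources rather than raw mentions is one small guard against the reporting bias the post mentions; it does not remove it, since a technique that reporters rarely write about still scores low however often adversaries use it.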
For an advanced team seeking to use ATT&CK for CTI, mapping various sources to ATT&CK can help you build a deep understanding of adversary behavior to help prioritize and inform defense in your organization.
In our first post in the Getting Started series, we’ve walked you through three different levels for how you can get started with ATT&CK and threat intelligence depending on your team’s resources. In future posts, we’ll dive into how you can get started with other use cases, including detection and analytics, adversary emulation and red teaming, and assessment and engineering.
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19–01159–7.