Sub-techniques are coming… soon!
We know everyone’s been waiting for an update, so here it is. The ATT&CK Team has been working hard implementing sub-techniques since ATT&CKcon, but sub-techniques aren’t quite ready yet. I can now say that we’re planning a late March 2020 soft launch of ATT&CK with sub-techniques. Most of the details about the post-release timeline and the substantive changes we’ll be launching were covered in the previous sub-technique post. In case you haven’t seen that post, the short version is that sub-techniques are essentially just more specific techniques. They’re an enhancement to ATT&CK aimed at fixing the unevenness across the knowledge base, where some techniques are broadly defined and others are very specific.
We’d like to take this opportunity to share updates and some adjustments we’ve made to sub-techniques based on your feedback. We’ll also go into more detail about our approach for categorization and a data sources overhaul (in progress!).
Credential Access and Lateral Movement Preview
The biggest update for this post is the preview of two additional tactics with sub-techniques!
There’s quite a bit that’s different from the existing tactics. A few concepts were combined, like with Credentials from Password Stores and Third-Party Deployment/Management Software. Credential Dumping was renamed to OS Credential Dumping and broken out into sub-techniques. Kerberos also got some much needed attention with its own Credential Access technique.
Visualization and Navigation Update
The original side expanding layout for sub-techniques wasn’t as popular as expected, so we added a feature to the site where you can choose the layout you want, side expanding or flat, which expands beneath the technique. Check them out!
Side layout example:
Flat layout example:
This functionality will also be present in the ATT&CK Navigator. We realize these changes aren’t going to be perfect for visualization, because no matter how you break it out, there’s just a lot to ATT&CK these days. We hope options and selective expansion will enable people to focus on parts of ATT&CK much better than before.
We’ve also made quite a few changes to how we represent information in each technique page to accommodate sub-technique information. Below is an example of how the new Pre-OS Boot technique looks. You can see we’ve added a table that can be expanded to show each sub-technique and their associated IDs.
Next is an example of a sub-technique page. You’ll notice they’re very similar to technique pages, with the same sub-technique table that allows for easier navigation across that technique.
There are a few points to note about the information in techniques and sub-techniques. First, we assign procedure examples from existing techniques to the most appropriate entry. We will assign an example to a sub-technique if there’s enough information available to determine which sub-technique it maps to. If there isn’t enough information, then we leave it mapped to the technique. Techniques will not inherit procedure examples from their sub-techniques within the website. Conversely, a technique’s Mitigations and defensive information will be inherited from its sub-techniques.
We received a lot of comments, suggestions, and concerns after the first sub-technique blog post and at ATT&CKcon last year. In the previous post, we previewed the draft techniques and sub-techniques for the Persistence and Privilege Escalation tactics. Even though we weren’t able to respond with individual responses to every suggestion, we heard all of your feedback and we’d like to share what we did with it.
We asked in the first post whether we’re going about sub-techniques the right way and if people think the changes are necessary. The response was an overwhelming “yes” to both. You thought sub-techniques are a vital change for ATT&CK that will help you tremendously. This was awesome to hear! Quoting one of the participants from the ATT&CKcon sub-technique Birds of a Feather session: “Sub-techniques will literally save my life.”
Some of you sent us new breakout ideas or ways of categorizing sub-techniques that we hadn’t thought of for the Persistence and Privilege Escalation previews. We took these concepts into consideration and will be using some of the information to make categorization better before the initial release.
One point of concern was the use of “(escalation possible)” in some of the technique names. We originally used this term to ensure some sub-techniques were strictly assigned to the right tactic(s). We also used it to avoid potential ATT&CK-breaking one-to-many relationships between sub-techniques and techniques. For example, even though there are multiple ways to schedule a task or job on a system (set something to run at a specific time), only a couple of sub-techniques under scheduled task could be used for privilege escalation in addition to persistence.
This wasn’t a great approach and, based on the feedback and conversations we had at ATT&CKcon, we came to a better solution. We heard that it doesn’t really matter if sub-techniques don’t exactly align to the right tactic as long as the overall behavior is consistent and the sub-technique notes what tactic it can be used for. As an example, we put all the Scheduled Task/Job sub-techniques together under one technique and cross-listed it in Persistence and Privilege Escalation. We’ll note within the sub-techniques for Scheduled Task and Cron that they can be used for privilege escalation. The benefits of this approach are a much more simplified structure, and techniques that are easier to understand and non-duplicative.
The first draft Persistence and Privilege Escalation tactics had several techniques without any sub-techniques listed. Some readers told us they thought techniques should always have sub-techniques. Organizationally, this structural consistency makes sense. In practice, however, it’s difficult to implement. While we’re capturing more detail for the techniques that need it, we aren’t going to force sub-techniques if they aren’t applicable. There may be areas where we didn’t think of something, so we always welcome your suggestions. Some of you also shared that sub-techniques should be OS specific, and largely we agree that will be important. It’s not always possible though, especially when it comes to network communications-based techniques since all operating systems in ATT&CK can use the network.
Following our in-depth sub-techniques post last August, many of you asked if sub-techniques are the same as procedures.
No, procedures and sub-techniques are not the same. A procedure is a specific implementation (action) of techniques (behaviors) or sub-techniques (also behaviors) by an adversary. Procedures may include several behaviors in how they are performed. For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering the PowerShell, Process Injection, and Credential Dumping against LSASS behaviors. Ultimately, both techniques and sub-techniques are still just categories of behaviors.
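To make the structural rules concrete, here is a small Python model written for this post; it is an added illustration, not ATT&CK’s own data model, STIX content, or the website’s code. It covers three points made above: procedure examples attach to the most specific entry the reporting supports and do not roll up to the technique page, while mitigations do roll up; a technique such as Scheduled Task/Job is cross-listed in several tactics with each sub-technique noting which tactics it applies to; and a single procedure (the PowerShell/LSASS example) maps to several (sub)techniques. The IDs (TX001 and so on), mitigation names and procedure reports are constructed placeholders, not real ATT&CK identifiers.

```python
"""Toy model of technique / sub-technique relationships as described in the post.

Constructed illustration, not ATT&CK's data model, STIX content or site code.
"TX..." identifiers, mitigation names and procedure reports are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class SubTechnique:
    sid: str
    name: str
    tactics: frozenset                       # tactics this sub-technique applies to
    mitigations: frozenset = frozenset()
    procedure_examples: list = field(default_factory=list)


@dataclass
class Technique:
    tid: str
    name: str
    tactics: frozenset                       # every tactic the technique is cross-listed in
    mitigations: frozenset = frozenset()
    procedure_examples: list = field(default_factory=list)
    subs: dict = field(default_factory=dict)  # sid -> SubTechnique

    def add_sub(self, sub):
        # A sub-technique may only note tactics its parent is cross-listed in.
        if not sub.tactics <= self.tactics:
            raise ValueError(f"{sub.sid} names a tactic outside {self.tid}")
        self.subs[sub.sid] = sub
        return self

    def assign_procedure(self, example, sid=None):
        """Map at the most specific level the reporting supports (sid=None: parent)."""
        target = self if sid is None else self.subs[sid]
        target.procedure_examples.append(example)

    def page_procedure_examples(self):
        """Technique page: only examples mapped directly to the technique, no roll-up."""
        return list(self.procedure_examples)

    def page_mitigations(self):
        """Technique page: own mitigations plus those inherited from every sub-technique."""
        return frozenset().union(self.mitigations, *(s.mitigations for s in self.subs.values()))

    def subs_for_tactic(self, tactic):
        """Sub-techniques to list under a given tactic (e.g. only some escalate privileges)."""
        return sorted(s.sid for s in self.subs.values() if tactic in s.tactics)


@dataclass(frozen=True)
class Procedure:
    """One implementation by an adversary; may exhibit several (sub)technique behaviours."""
    description: str
    behaviors: tuple                          # (sub)technique IDs, placeholders here


def parent_techniques(procedure):
    """Roll sub-technique IDs (TX002.001) up to their parent technique IDs (TX002)."""
    return sorted({ref.split(".")[0] for ref in procedure.behaviors})


def build_scheduled_task_job():
    """Scheduled Task/Job cross-listed in two tactics; only two sub-techniques escalate."""
    both = frozenset({"Persistence", "Privilege Escalation"})
    t = Technique("TX001", "Scheduled Task/Job", both)
    t.add_sub(SubTechnique("TX001.001", "Scheduled Task", both,
                           frozenset({"audit-scheduler-config"})))
    t.add_sub(SubTechnique("TX001.002", "Cron", both,
                           frozenset({"audit-scheduler-config", "restrict-crontab-edits"})))
    t.add_sub(SubTechnique("TX001.003", "Other scheduler (constructed)",
                           frozenset({"Persistence"})))
    # Specific reporting maps to the sub-technique; vague reporting stays on the parent.
    t.assign_procedure("Group A added a cron entry for persistence (constructed report)", "TX001.002")
    t.assign_procedure("Group B 'used scheduled jobs', no further detail (constructed report)")
    return t


# The post's procedure example: PowerShell -> inject into lsass.exe -> dump credentials.
LSASS_PROCEDURE = Procedure(
    "PowerShell injects into lsass.exe and scrapes LSASS memory for credentials",
    ("TX002.001", "TX003", "TX004.001"),   # PowerShell, Process Injection, OS Credential Dumping (LSASS)
)


if __name__ == "__main__":
    t = build_scheduled_task_job()
    print("Privilege Escalation column:", t.subs_for_tactic("Privilege Escalation"))
    print("Technique-page procedure examples:", t.page_procedure_examples())
    print("Technique-page mitigations (inherited):", sorted(t.page_mitigations()))
    print("Parent techniques in one procedure:", parent_techniques(LSASS_PROCEDURE))
```

Running the block prints a Privilege Escalation column holding only the two escalating sub-techniques, a technique page that shows just the vaguely reported example while the cron example stays on its sub-technique, a mitigation list that includes the cron-specific mitigation inherited upward, and three parent techniques rolled up from one procedure. The `add_sub` check is the practical guard implied by the cross-listing approach: a sub-technique should not claim a tactic its parent is not listed under.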
Many of you suggested this is an opportunity to redo how data sources are represented in ATT&CK. We’re on the same page and are working on a new representation for data sources. It will consolidate some similar concepts like Process Monitoring and Process Command-line Parameters, as well as providing a deeper level of detail into what defines a data source. The data sources revamp won’t be integrated into sub-techniques yet, but we’ll be posting more information on it soon.
We’re confident that the next iteration of ATT&CK will make significant progress toward addressing several of its challenges. The community’s feedback has been integral in validating our way forward and giving us additional direction for improving sub-techniques. We greatly appreciate all your help!
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–00696–23.