Attack Flow 2.1 Update

Mark E. Haase, MITRE-Engenuity
Aug 31, 2023

Written by Mark E. Haase and Michael Carenzo.

We released Attack Flow 2.0 almost one year ago. That major update improved the project on every front, from tools to data schemas to documentation. Since that release, we have been excited to see the global threat-informed defense community embrace the project. We have talked to hundreds of people about Attack Flow at a variety of conference venues (RSA, FIRST, Purple Hats, Black Hat, etc.), and we have seen public threat intelligence incorporate Attack Flow, e.g., in Fortinet’s WINTAPIX report. (And, in a first, a humorous lightning talk at FIRST Montreal discussed professional networking and ice breaking with Attack Flow, featuring TTPs such as “conversation interrupt” and “sticker injection”, i.e., applying a Hello Kitty sticker to a colleague’s conference lanyard.)

It has been a gratifying and rewarding year for growing Attack Flow’s mindshare. Since our goal continues to be increasing awareness of Attack Flow, we are pleased to announce its latest update. This release focuses on enhancing usability, lowering the barrier to entry, and facilitating adoption of the project across the industry. Importantly, this release does not change the underlying data format. Existing v2 flows continue to work in our Attack Flow Builder tool and throughout the rest of the Attack Flow ecosystem. This post highlights some of the most important and requested improvements contained in 2.1.

Splash Screen

You will notice the first improvement right away when you open Attack Flow Builder: a new splash screen.

The Attack Flow splash screen improves initial user experience by offering clear steps to get started.

The first 30 seconds of a user’s experience are critical: it is a short window during which we can capture and hold their interest. If users get frustrated or simply lost during this initial interaction, they may give up on the project altogether. The splash screen improves engagement with a prominent and accessible set of choices for getting started, including links to example flows and a tutorial for using the builder.

No More Lost Work

The most requested feature from Attack Flow users has been a way to avoid losing unsaved work, for example when you accidentally close the browser window or hit the back button. We know how frustrating it is to lose hard work by accident, because we have felt that pain in our own work.

Viewing unsaved changes from a previous session. Select an item to recover that version of the flow.

In the 2.1 release, you can recover unsaved changes. File → Open Recovered Files lists every flow that you edited but did not save, and you can jump right back into that flow without missing a step.

Autocomplete TTPs

The second most requested feature has been to autocomplete tactic and technique IDs. While ATT&CK Powered Suit is useful for determining tactic and technique IDs, we want to make the Attack Flow Builder experience as seamless and efficient as possible.

Autocompletion of a technique ID. The name and STIX ID are filled in automatically, too.

To use the autocomplete feature, first select the Tactic ID or Technique ID field, then start typing the object name or ID. You will be presented with a list of matches to choose from. When you select a match, Attack Flow Builder also fills in the name field. This is a major time saver when building flows and reduces errors from manual entry. (You can still use non-ATT&CK TTPs in the builder, but they will not be available for autocompletion.)

Autocomplete also fills in “Tactic Ref” or “Technique Ref”, which are STIX identifiers that are useful for machine-to-machine communication, but not very user-friendly. By letting autocomplete handle these STIX IDs, we get the best of both worlds: user-friendly and machine-readable.

Search Within Flow

One of the best reasons to use Attack Flow is that it lets you organize information about adversary behavior into a unified, visual representation. This approach scales well, enabling us to build flows that capture sophisticated and complex behavior, such as the NotPetya malware.

The NotPetya flow includes over 20 distinct adversary actions and numerous branches to describe how the malware implements its privilege escalation and lateral movement behavior. Attack Flow captures both the overall structure of the attack as well as the fine details.

Searching for technique T1218 in the NotPetya flow.

Attack Flow 2.1 improves navigation of very large flows with a new search feature. You can search by any identifier or keyword and quickly find the matching objects in the flow. The renderer pans to the matching item in real time, and you can step through the results one by one.
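The two features above work on the same data: an attack-action object carries a human-readable technique_id (and tactic_id) alongside the machine-readable technique_ref (and tactic_ref) STIX identifier, and search matches on any of those fields. The script below, an added example that is not code from the Attack Flow project, shows what "reduces errors from manual entry" means in practice by cross-checking each action's ID against its ref, and implements a simple keyword search over a flow. It assumes the Attack Flow v2 property names on attack-action objects, and the ATT&CK lookup table, the sample flow and every UUID in it are constructed placeholders rather than real ATT&CK or flow identifiers.

```python
"""Cross-check and search attack-action objects in an Attack Flow bundle.

Added example, not code from the Attack Flow project. Assumes the Attack
Flow v2 property names technique_id / technique_ref / tactic_id / tactic_ref
on attack-action objects. The ATT&CK lookup and the sample flow below are
constructed; the UUIDs are placeholders, not real ATT&CK identifiers.
"""
import re

# Constructed stand-in for ATT&CK STIX data. The builder's autocomplete pulls
# the real name and STIX ID from ATT&CK; these UUIDs are fictional.
ATTACK_INDEX = {
    "T1218": ("System Binary Proxy Execution",
              "attack-pattern--00000000-0000-4000-8000-000000001218"),
    "T1218.011": ("Rundll32",
                  "attack-pattern--00000000-0000-4000-8000-000000011218"),
    "T1021.002": ("SMB/Windows Admin Shares",
                  "attack-pattern--00000000-0000-4000-8000-000000021002"),
    "TA0002": ("Execution",
               "x-mitre-tactic--00000000-0000-4000-8000-000000000002"),
    "TA0008": ("Lateral Movement",
               "x-mitre-tactic--00000000-0000-4000-8000-000000000008"),
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1234 or T1234.001
TACTIC_ID = re.compile(r"^TA\d{4}$")               # TA0001

# Constructed flow, trimmed to three attack-action objects. Action 2 carries
# a manual-entry error: its technique_ref belongs to a different technique.
SAMPLE_FLOW = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--aaaaaaaa-0000-4000-8000-000000000001",
         "name": "Rundll32",
         "tactic_id": "TA0002",
         "tactic_ref": "x-mitre-tactic--00000000-0000-4000-8000-000000000002",
         "technique_id": "T1218.011",
         "technique_ref": "attack-pattern--00000000-0000-4000-8000-000000011218",
         "description": "Launches the payload DLL through rundll32.exe"},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--aaaaaaaa-0000-4000-8000-000000000002",
         "name": "SMB/Windows Admin Shares",
         "tactic_id": "TA0008",
         "tactic_ref": "x-mitre-tactic--00000000-0000-4000-8000-000000000008",
         "technique_id": "T1021.002",
         "technique_ref": "attack-pattern--00000000-0000-4000-8000-000000001218",
         "description": "Copies the payload to ADMIN$ on the next host"},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--aaaaaaaa-0000-4000-8000-000000000003",
         "name": "Custom dropper stage",
         "description": "Not an ATT&CK technique, so there are no IDs to check"},
    ],
}


def check_action(action):
    """Return a list of problems for one attack-action (empty means clean)."""
    problems = []
    for kind, id_key, ref_key, pattern in (
        ("technique", "technique_id", "technique_ref", TECHNIQUE_ID),
        ("tactic", "tactic_id", "tactic_ref", TACTIC_ID),
    ):
        ttp_id = action.get(id_key)
        if ttp_id is None:
            continue  # non-ATT&CK TTPs are allowed; nothing to cross-check
        if not pattern.match(ttp_id):
            problems.append(f"{id_key} {ttp_id!r} is not a well-formed ATT&CK {kind} ID")
            continue
        entry = ATTACK_INDEX.get(ttp_id)
        if entry is None:
            problems.append(f"{id_key} {ttp_id} is not in the ATT&CK index")
            continue
        ref = action.get(ref_key)
        if ref is not None and ref != entry[1]:
            problems.append(f"{ref_key} {ref} does not belong to {ttp_id} (expected {entry[1]})")
    return problems


def check_flow(bundle):
    """Map each attack-action id in the bundle to its list of problems."""
    return {obj["id"]: check_action(obj)
            for obj in bundle["objects"] if obj.get("type") == "attack-action"}


def search_flow(bundle, query):
    """Case-insensitive substring search over names, descriptions and TTP IDs/refs."""
    q = query.lower()
    fields = ("name", "description", "technique_id", "technique_ref", "tactic_id", "tactic_ref")
    return [obj["id"] for obj in bundle["objects"]
            if obj.get("type") == "attack-action"
            and q in " ".join(str(obj.get(f, "")) for f in fields).lower()]


if __name__ == "__main__":
    import json
    import sys
    flow = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FLOW
    for action_id, problems in check_flow(flow).items():
        for problem in problems:
            print(f"{action_id}: {problem}")
    print("matches for T1218:", search_flow(flow, "T1218"))
```

Run it with no arguments to check the embedded sample (it reports the bad technique_ref on the second action), or pass a flow JSON file saved from the builder. In real use, replace ATTACK_INDEX with a lookup built from the ATT&CK STIX bundle so the refs are checked against the actual identifiers the builder's autocomplete would have filled in.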

Feedback

This release also includes a number of under-the-hood improvements: an improved validation system, a command line tool for publishing flows, keyboard shortcuts for macOS users, and more. Our focus remains on improving user experience and growing mindshare.

We encourage you to go try out the latest version right now.

As we close the book on Attack Flow 2.1 and look forward to 2.2, we want to hear from you. Are you using Attack Flow? If so, how can we improve your productivity and optimize Attack Flow for your use cases? If you are not using Attack Flow yet, what barriers to entry could we bring down? Let us know at ctid@mitre-engenuity.org or leave feedback on our GitHub repository.

About the Authors

Mark Haase is the Chief Engineer for the Center for Threat-Informed Defense. Mark has a dual background in software engineering and red teaming, with a professional focus on the intersection of cybersecurity and machine learning.

Michael Carenzo is the lead software engineer for Attack Flow. He also develops solutions for MITRE’s government sponsors, drawing upon his expertise in parallel and distributed computing and large-scale data visualization.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0077
