Attack Flow — Make Threat-Informed Decisions Based on Steps in a Cyber-Attack
Written by Ross Weisman, Mark E. Haase, and Ingrid Skoog
The initial Attack Flow release saw enthusiastic reception from the community, but there was further work to be done. The Center for Threat-Informed Defense (Center) combined public feedback (from GitHub, LinkedIn, conferences, and direct e-mail), the perspectives of Center participants, and our own experience building attack flows on real incidents to create a new major update to Attack Flow. We’re excited to share the details with you!
Working with Center Participants including Analysis & Resilience Center for Systemic Risk, Inc., Anomali, Inc., AttackIQ, Inc., Citigroup Technology, Inc., CrowdStrike, Inc., Cyber Threat Alliance, Inc., Fortinet, Inc., Fujitsu, Global Cyber Alliance, HCA — Information Technology & Services, Inc., IBM Corporation, and JPMorgan Chase Bank N.A., we identified a core set of use cases to drive our development. We then built on our initial work to enable defenders to better describe, display, and distribute sequences of adversary behavior, empowering cross-functional teamwork, maximizing defensive capacity and efficiency.
We want to share with you what’s new in Attack Flow, how you can get started using it, and highlight what’s next. As always, your feedback is a cornerstone of what we do — so if you have thoughts about this latest release of Attack Flow, please let us know!
What’s new?
Models, Tools, Examples, and Documentation
- A huge update to the Attack Flow Builder, making it easier to use — including the features you’d expect from a graphic editor, now hosted online alongside overhauled documentation to provide a gentler ramp up to newcomers.
- A new set of visualizations including the ability to overlay a flow on the ATT&CK matrix.
- A corpus of examples that we used to guide development of the standard but are also useful for learning about Attack Flow and even for studying some well-known cyber incidents.
- An update to the schema that migrates to using STIX 2.1, a language for expressing cyber threat and observable information, and incorporates 6 months of community feedback.
Schema Updates
Attack Flow is still a machine-readable representation of a sequence of adversary behaviors, but we've revamped the schema and rebuilt Attack Flow as a STIX 2.1 extension that defines the following new STIX Domain Objects:
- Attack Flow — the flow as a whole; other STIX objects can reference it
- Attack Action — the execution of a particular technique, i.e., a discrete unit of adversary behavior
- Attack Asset — any object that is the subject or target of an action; it can be technical or non-technical, and actions typically either modify or depend upon the state of an asset
- Attack Operator — joins multiple attack paths together using Boolean logic (AND/OR)
- Attack Condition — a possible condition, outcome, or state that could occur; it can split a flow based on the success or failure of an action, or further describe an action's results
You can review the full specification here.
A note about namespaces and OWL/RDF
We anticipate that the OASIS CTI TC will develop a translation to OWL/RDF through JSON-LD in the near future. Attack Flow is expected to be compatible with that ontology, but this will require aligning our schema with it; we already have an approach outlined in our documentation.
What does it look like now?
Below is an attack flow we shared previously, built from our analysis of the public intrusion described at this link and now reconstructed with the new Attack Flow Builder:
Just like before, while we’re using ATT&CK techniques for the actions, any action schema (such as VERIS) could be used instead. The same goes for assets.
We've upgraded the existing GraphViz and Mermaid renderers and added brand-new support for overlaying a flow on the ATT&CK Navigator.
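To make the schema above and the renderers concrete, here is an added example (written for this post, not the Center's own code or the attack-flow tooling) that builds a small flow as a STIX 2.1 bundle from the five object types, walks it from the flow's start to list the ATT&CK techniques in order and catch dangling references, and emits both a Mermaid graph and a minimal Navigator layer. The extension-definition id and the property names (start_refs, effect_refs, asset_refs, technique_id, on_true_refs, on_false_refs, operator, scope) are assumed from the published specification as recalled here and should be checked against the current spec; the incident itself (phish, condition, AND operator, persistence plus discovery on one workstation) is constructed, and the Navigator layer version numbers are assumptions to adjust for your Navigator build.

```python
"""Build, validate and render a small Attack Flow as a STIX 2.1 bundle.

Added example, not the Center's own code. Extension id, property names and
Navigator layer versions are assumptions taken from the published spec.
"""
import json
import uuid

EXTENSION_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
NOW = "2022-10-01T00:00:00.000Z"  # constructed timestamp for the sample
NEXT_PROPS = ("effect_refs", "on_true_refs", "on_false_refs")  # edges that order the flow


def make_obj(stix_type, **props):
    """Create a STIX 2.1 SDO tagged as an Attack Flow extension object."""
    obj = {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{uuid.uuid4()}",
        "created": NOW,
        "modified": NOW,
        "extensions": {EXTENSION_ID: {"extension_type": "new-sdo"}},
    }
    obj.update(props)
    return obj


def build_example_flow():
    """Constructed sample: phish -> condition -> AND -> {persistence, discovery}."""
    asset = make_obj("attack-asset", name="Finance workstation")
    persist = make_obj("attack-action", name="Registry Run Keys",
                       technique_id="T1547.001", asset_refs=[asset["id"]])
    discover = make_obj("attack-action", name="System Information Discovery",
                        technique_id="T1082", asset_refs=[asset["id"]])
    both = make_obj("attack-operator", operator="AND",
                    effect_refs=[persist["id"], discover["id"]])
    opened = make_obj("attack-condition", description="User opened the attachment",
                      on_true_refs=[both["id"]])
    phish = make_obj("attack-action", name="Spearphishing Attachment",
                     technique_id="T1566.001", effect_refs=[opened["id"]],
                     asset_refs=[asset["id"]])
    flow = make_obj("attack-flow", name="Constructed phishing flow",
                    scope="incident", start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, phish, opened, both, persist, discover, asset]}


def walk_flow(bundle):
    """Depth-first walk from start_refs -> (technique ids in order, dangling refs).

    A dangling ref points at an id missing from the bundle, the usual defect
    in hand-edited flows; the walk reports it instead of crashing on it.
    """
    objs = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")
    order, dangling, seen = [], set(), set()
    stack = list(reversed(flow.get("start_refs", [])))
    while stack:
        ref = stack.pop()
        if ref in seen:  # operators/conditions may be reached from several paths
            continue
        seen.add(ref)
        node = objs.get(ref)
        if node is None:
            dangling.add(ref)
            continue
        if node["type"] == "attack-action" and "technique_id" in node:
            order.append(node["technique_id"])
        for prop in NEXT_PROPS:
            stack.extend(reversed(node.get(prop, [])))
        for aref in node.get("asset_refs", []):  # assets are checked, not sequenced
            if aref not in objs:
                dangling.add(aref)
    return order, sorted(dangling)


def to_navigator_layer(bundle, name="Attack Flow overlay"):
    """Minimal ATT&CK Navigator layer scoring each technique the flow touches."""
    order, _ = walk_flow(bundle)
    return {
        "name": name,
        "versions": {"layer": "4.4", "navigator": "4.8"},  # assumed; adjust as needed
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": 1} for t in dict.fromkeys(order)],
    }


def to_mermaid(bundle):
    """Mermaid flowchart: solid edges are sequence, dashed edges are asset use."""
    ids = {o["id"]: f"n{i}" for i, o in enumerate(bundle["objects"])}
    lines = ["flowchart TD"]
    for o in bundle["objects"]:
        label = o.get("name") or o.get("description") or o.get("operator") or o["type"]
        lines.append(f'  {ids[o["id"]]}["{o["type"]}: {label}"]')
    for o in bundle["objects"]:
        for prop in NEXT_PROPS:
            lines += [f"  {ids[o['id']]} --> {ids[r]}" for r in o.get(prop, []) if r in ids]
        lines += [f"  {ids[o['id']]} -.-> {ids[r]}" for r in o.get("asset_refs", []) if r in ids]
    return "\n".join(lines)


if __name__ == "__main__":
    b = build_example_flow()
    print(json.dumps(b, indent=2))
    print(walk_flow(b))
    print(to_mermaid(b))
```

Run it and the walk returns the techniques in execution order (T1566.001, then the two actions behind the AND operator) with no dangling refs; delete the asset object from the bundle and the same walk reports its id as dangling, which is the check you want before handing a flow to a renderer or committing it to a shared corpus.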
How do I use Attack Flow?
Good news! Our new documentation is complete with a getting started guide, as well as new examples and illustrations. We’ve also tripled the size of the example corpus, so you’ll have plenty of example flows to get you started.
What’s next for Attack Flow?
We envision Attack Flow facilitating communication and collaboration among cyber defenders and between defenders and senior leadership — from the purple team executing an adversary emulation exercise to the CISO briefing the C-Suite. Beyond enabling communication and collaboration, Attack Flow creates an opportunity to collect and analyze sets of flows. That analysis opens the door to predictive intelligence — what are we likely to see next based on prior experience?
Community adoption is paramount to enable these outcomes. Stay tuned for additional blogs on using Attack Flow to support critical use cases, demo videos, webinars, and new content on the Attack Flow website as we expand the example corpus.
We’ve got some ideas we’re kicking around, but we want to hear from you! Check out some of the areas we are working on below to get some of your own ideas flowing.
Tooling
We want to continue to enhance Attack Flow's user experience, and that starts with the Builder. Comment on this post, open a pull request on GitHub, or drop us a line to let us know how we can build a better Builder.
Flow Library
We’ve tripled the size of the corpus, but we’re planning to expand even further. In the coming weeks, we’ll be adding flows for our ATT&CK Evaluations adversary emulation scenarios and will of course continue our collaboration with you — offering assistance completing or validating the flows that you build.
How do I get involved?
If you want to get involved, start by reviewing our examples, data model, and tooling on GitHub. Please send us feedback! If you have thoughts about what should, or shouldn't, be included in the schema, let us know. A common representation is only as valuable as the community contributing to it, so your input is important.
You can contact us at ctid@mitre-engenuity.org
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0056.