Attack Flow — Make Threat-Informed Decisions Based on Steps in a Cyber-Attack

Ingrid Skoog
MITRE-Engenuity
Oct 27, 2022

Written by Ross Weisman, Mark E. Haase, and Ingrid Skoog

An abstract visual depicting shapes and arrows to represent attack flow. The shapes and arrows are layered on top of a blurred road to represent the speed with which the release can help users.

The initial Attack Flow release saw enthusiastic reception from the community, but there was further work to be done. The Center for Threat-Informed Defense (Center) combined public feedback (from GitHub, LinkedIn, conferences, and direct e-mail), the perspectives of Center participants, and our own experience building attack flows on real incidents to create a new major update to Attack Flow. We’re excited to share the details with you!

Working with Center Participants including Analysis & Resilience Center for Systemic Risk, Inc., Anomali, Inc., AttackIQ, Inc., Citigroup Technology, Inc., CrowdStrike, Inc., Cyber Threat Alliance, Inc., Fortinet, Inc., Fujitsu, Global Cyber Alliance, HCA — Information Technology & Services, Inc., IBM Corporation, and JPMorgan Chase Bank N.A., we identified a core set of use cases to drive our development. We then built on our initial work to enable defenders to better describe, display, and distribute sequences of adversary behavior, empowering cross-functional teamwork and maximizing defensive capacity and efficiency.

We want to share with you what’s new in Attack Flow, how you can get started using it, and highlight what’s next. As always, your feedback is a cornerstone of what we do — so if you have thoughts about this latest release of Attack Flow, please let us know!

What’s new?

Models, Tools, Examples, and Documentation

  • A huge update to the Attack Flow Builder, making it easier to use — including the features you’d expect from a graphic editor, now hosted online alongside overhauled documentation that provides a gentler ramp-up for newcomers.
  • A new set of visualizations including the ability to overlay a flow on the ATT&CK matrix.
  • A corpus of examples that we used to guide development of the standard but are also useful for learning about Attack Flow and even for studying some well-known cyber incidents.
  • An update to the schema that migrates to using STIX 2.1, a language for expressing cyber threat and observable information, and incorporates 6 months of community feedback.

Schema Updates

Attack Flow is still a machine-readable representation of a sequence of adversary behaviors, but we’ve revamped our schema and constructed Attack Flow as a STIX 2.1 extension, to include the following STIX Domain Objects:

  • Attack Flow — the attack flow as a whole; it can be referenced from other STIX objects
  • Attack Action — the execution of a particular technique, i.e., a discrete unit of adversary behavior
  • Attack Asset — any object that is the subject or target of an action; it can be technical or non-technical, and actions typically either modify or depend upon the state of an asset
  • Attack Operator — joins multiple attack paths together using Boolean logic
  • Attack Condition — a possible condition, outcome, or state that could occur; it can be used to split flows based on the success or failure of an action, or to further describe an action’s results

You can review the full specification here.

A note about namespaces and OWL/RDF

We anticipate that the OASIS CTI TC will develop a translation to OWL/RDF through JSON-LD in the near future. Attack Flow is expected to be compatible with their ontology, but this will require aligning our schema with it — we already have an approach outlined in our documentation.

What does it look like now?

Below is an example we shared previously of an attack flow, built from our analysis of a public intrusion described at this link, constructed with the new Attack Flow Builder:

A screenshot of the new Attack Flow Builder showing the blocks of techniques and their related metadata

Just like before, while we’re using ATT&CK techniques for the actions, any action schema (such as VERIS) could be used instead. The same goes for assets.

We’ve included (and upgraded) support for GraphViz and Mermaid graphs, and added brand-new ATT&CK Navigator overlay support.

An attack heatmap with an attack flow overlay showing the techniques included in a flow with their associated order
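To make the schema section above and the Navigator overlay concrete, here is an added example (not code from the Attack Flow project) that assembles a small constructed flow from the five SDO types as plain STIX 2.1 dicts, walks it from its start to recover the technique order, and emits an ATT&CK Navigator layer scored by step. The extension-definition id and property names (start_refs, effect_refs, on_true_refs, technique_id, asset_refs) are assumed from the published Attack Flow 2.0 specification; check them against the current spec.

```python
import uuid
# Assumed: the Attack Flow 2.0 extension-definition id and property names
# (start_refs, effect_refs, on_true_refs, technique_id) as in the published spec.
EXT_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
TS = "2022-10-27T00:00:00.000Z"  # constructed timestamp

def sdo(stix_type, **props):
    """Build a minimal STIX 2.1 object of one of the Attack Flow SDO types."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
           "created": TS, "modified": TS, "extensions": {EXT_ID: {"extension_type": "new-sdo"}}}
    obj.update(props)
    return obj

def build_flow():
    """Constructed sample: phishing, a condition, then an AND operator fanning out to two actions."""
    asset = sdo("attack-asset", name="Finance workstation")
    disc = sdo("attack-action", technique_id="T1082", name="System Information Discovery")
    cred = sdo("attack-action", technique_id="T1003", name="OS Credential Dumping", asset_refs=[asset["id"]])
    both = sdo("attack-operator", operator="AND", effect_refs=[disc["id"], cred["id"]])
    opened = sdo("attack-condition", description="User opened the attachment", on_true_refs=[both["id"]])
    phish = sdo("attack-action", technique_id="T1566.001", name="Spearphishing Attachment",
                effect_refs=[opened["id"]])
    flow = sdo("attack-flow", name="Constructed sample flow", scope="incident",
               start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, phish, opened, both, disc, cred, asset]}

def technique_order(bundle):
    """Walk the flow from start_refs and return ATT&CK technique ids in visit order."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")
    order, seen, stack = [], set(), list(reversed(flow["start_refs"]))
    while stack:
        obj = by_id[stack.pop()]
        if obj["id"] in seen:  # guard against cycles in the graph
            continue
        seen.add(obj["id"])
        if obj["type"] == "attack-action":
            order.append(obj["technique_id"])
        nxt = obj.get("effect_refs", []) + obj.get("on_true_refs", []) + obj.get("on_false_refs", [])
        stack.extend(reversed(nxt))  # reversed so the first listed ref is visited first
    return order

def navigator_layer(bundle):
    """ATT&CK Navigator layer scoring each technique by its step number in the flow."""
    techs = [{"techniqueID": t, "score": i + 1, "comment": f"step {i + 1}"}
             for i, t in enumerate(technique_order(bundle))]
    return {"name": "Attack Flow overlay", "domain": "enterprise-attack",
            "versions": {"layer": "4.4"}, "techniques": techs}
```

Serialize the result of `navigator_layer(build_flow())` with `json.dumps` and load it into ATT&CK Navigator to see the per-step colouring the screenshot above illustrates.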

How do I use Attack Flow?

Good news! Our new documentation is complete with a getting started guide, as well as new examples and illustrations. We’ve also tripled the size of the example corpus, so you’ll have plenty of example flows to get you started.

Screenshot of the Attack Flow documentation website showing how to get started with Attack Flow

What’s next for Attack Flow?

We envision Attack Flow facilitating communication and collaboration among cyber defenders and between defenders and senior leadership — from the purple team executing an adversary emulation exercise to the CISO briefing the C-Suite. Beyond enabling communication and collaboration, Attack Flow creates an opportunity to collect and analyze sets of flows. That analysis opens the door to predictive intelligence — what are we likely to see next based on prior experience?

Community adoption is paramount to enable these outcomes. Stay tuned for additional blogs on using Attack Flow to support critical use cases, demo videos, webinars, and new content on the Attack Flow website as we expand the example corpus.

We’ve got some ideas we’re kicking around, but we want to hear from you! Check out some of the areas we are working on below to get some of your own ideas flowing.

Tooling

We want to continue to enhance Attack Flow’s user experience, and that starts with the builder. Comment on this post, open a pull request on GitHub, or drop us a line to let us know how we can build a better builder.

Flow Library

We’ve tripled the size of the corpus, but we’re planning to expand even further. In the coming weeks, we’ll be adding flows for our ATT&CK Evaluations adversary emulation scenarios and will of course continue our collaboration with you — offering assistance completing or validating the flows that you build.

How do I get involved?

If you want to get involved, start by reviewing our examples, data model, and tooling on GitHub. Please send us feedback! If you have thoughts about what should — or shouldn’t — be included in the schema, let us know. A common representation is only as valuable as the community contributing to it, so your input is important.

You can contact us at ctid@mitre-engenuity.org

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, the outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0056.


Director of Research & Development, The Center for Threat-Informed Defense