Connecting VERIS and MITRE ATT&CK®

Jon Baker
Published in MITRE-Engenuity
Aug 26, 2021

Written by Jon Baker and Richard Struse.

There is a new VERIS mappings update! Check out the announcement here.

Fully understanding and documenting a cybersecurity incident requires two types of information: information about the organization, assets, and data targeted (the "who", "what" and "why"), and specifics on the tradecraft the adversaries used to achieve their objectives (the "when" and "how"). Without the former, incident descriptions often lack the information that translates into the "so what": the true impact of the event. Without the latter, breach reports lack the detail others need to protect themselves from the same threat.

The Vocabulary for Event Recording and Incident Sharing (VERIS) is a common representation and data model for describing the demographics, metadata, and some technical details of cybersecurity incidents. As a standard representation, it allows analysis across many incidents and is used, among other things, to generate the Verizon Data Breach Investigations Report (DBIR). The MITRE ATT&CK knowledge base is a curated repository of adversary tactics, techniques, and procedures (TTPs) based on publicly available reporting.

While VERIS is very comprehensive in describing most aspects of cybersecurity incidents, it is focused on a high-level description of an incident as a whole. Conversely, while ATT&CK describes adversary behavior in granular detail, it does not attempt to describe incidents or their overall impact.

The Center for Threat-Informed Defense (Center) recently completed an R&D project that connects the who, what, and why captured in VERIS with the when and how described in ATT&CK. The project, supported by Center members including the Center for Internet Security, Siemens AG, and Verizon, created a mapping and translation layer between VERIS and ATT&CK so that ATT&CK can be used to describe the adversary behaviors observed in an incident coded in VERIS. This allows joint analysis of what ATT&CK describes well (the behaviors adversaries use to attack systems) alongside the incident demographics and metadata that VERIS describes well.

A Bidirectional Relationship

To support the existing communities of VERIS and ATT&CK users, we defined a bidirectional mapping. Incident response teams that are familiar with VERIS can easily look up the ATT&CK techniques and sub-techniques that correspond to the VERIS Actions and Attributes that they are familiar with to describe adversary behaviors. Security operations teams that leverage ATT&CK can easily integrate the latest VERIS-based incident reports into their operations to ensure that their defenses are aligned with the latest threats.

Figure 1: Bidirectional mapping between VERIS and ATT&CK

STIX Representation

To make the mapping between VERIS and ATT&CK easily accessible to the cyber threat intel capabilities and teams that use STIX, we created a STIX 2 representation of the mappings. By representing VERIS Actions and Attributes as STIX Attack Patterns we were able to create STIX Relationships to represent the association between VERIS and ATT&CK.

Figure 2: VERIS to ATT&CK in STIX
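The bidirectional lookup and the STIX representation described in the two sections above, as an added example (this is not code from the Center's repository). It represents each VERIS Action enumeration path as a STIX 2.1 attack-pattern, represents each ATT&CK technique the same way ATT&CK's own STIX objects do (an external reference with source_name "mitre-attack"), links them with a relationship, and then walks the bundle to produce both lookup directions. The VERIS paths and ATT&CK technique IDs are real, but the pairings, the object IDs, the timestamps and the use of the generic "related-to" relationship type are assumptions made for illustration and do not reproduce the project's published mapping. Only the standard library is used, so it runs offline; a real pipeline would load ATT&CK's published STIX objects rather than constructing them.

```python
"""Added example: a minimal STIX 2.1 bundle tying VERIS Actions to ATT&CK
techniques, plus the two-way index a defender would build from it."""
import json
import uuid

# Assumption: a fixed namespace so the constructed IDs are deterministic.
# These are NOT the IDs used by ATT&CK or by the Center's mapping repository.
_NS = uuid.UUID("00000000-0000-0000-0000-000000000000")
_TS = "2021-08-26T00:00:00.000Z"

# Constructed, illustrative (VERIS path, ATT&CK ID, technique name) triples.
# The paths and IDs are real; the pairings are examples, not the published map.
SAMPLE_PAIRS = [
    ("action.social.variety.Phishing", "T1566", "Phishing"),
    ("action.hacking.variety.Brute force", "T1110", "Brute Force"),
    ("action.malware.variety.Ransomware", "T1486", "Data Encrypted for Impact"),
    ("action.malware.variety.Ransomware", "T1490", "Inhibit System Recovery"),
]


def _stix_id(stix_type, key):
    return f"{stix_type}--{uuid.uuid5(_NS, key)}"


def _base(stix_type, key):
    return {"type": stix_type, "spec_version": "2.1",
            "id": _stix_id(stix_type, key), "created": _TS, "modified": _TS}


def veris_attack_pattern(path):
    """A VERIS Action/Attribute enumeration path as a STIX attack-pattern.
    The path is carried in an external reference so it can be recovered."""
    obj = _base("attack-pattern", "veris:" + path)
    obj["name"] = path
    obj["external_references"] = [{"source_name": "veris", "external_id": path}]
    return obj


def attack_technique(tid, name):
    """An ATT&CK technique as a STIX attack-pattern, using ATT&CK's
    external-reference convention (source_name "mitre-attack")."""
    obj = _base("attack-pattern", "attack:" + tid)
    obj["name"] = name
    obj["external_references"] = [{
        "source_name": "mitre-attack", "external_id": tid,
        "url": f"https://attack.mitre.org/techniques/{tid}/"}]
    return obj


def related_to(src, dst):
    """Relationship from the VERIS object to the ATT&CK technique.
    Assumption: the generic STIX relationship_type 'related-to'."""
    obj = _base("relationship", f"rel:{src['id']}->{dst['id']}")
    obj.update(relationship_type="related-to",
               source_ref=src["id"], target_ref=dst["id"])
    return obj


def build_bundle(pairs):
    """Assemble a STIX bundle; objects are de-duplicated by id, so a VERIS
    path that maps to several techniques is emitted once."""
    objects = {}
    for path, tid, name in pairs:
        v, t = veris_attack_pattern(path), attack_technique(tid, name)
        for o in (v, t, related_to(v, t)):
            objects[o["id"]] = o
    return {"type": "bundle", "id": _stix_id("bundle", "veris-attack"),
            "objects": list(objects.values())}


def _external_id(obj, source_name):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source_name:
            return ref["external_id"]
    return None


def index_bundle(bundle):
    """Walk the relationships and return both lookup tables:
    VERIS path -> set of ATT&CK IDs, and ATT&CK ID -> set of VERIS paths.
    Raises ValueError on a dangling source_ref/target_ref, which is the
    first sanity check to run on any mapping bundle you did not build."""
    by_id = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    veris_to_attack, attack_to_veris = {}, {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship":
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if src is None or dst is None:
            raise ValueError(f"dangling reference in {rel['id']}")
        path, tid = _external_id(src, "veris"), _external_id(dst, "mitre-attack")
        veris_to_attack.setdefault(path, set()).add(tid)
        attack_to_veris.setdefault(tid, set()).add(path)
    return veris_to_attack, attack_to_veris


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_PAIRS)
    print(json.dumps(bundle, indent=2))
    v2a, a2v = index_bundle(bundle)
    print("Ransomware ->", sorted(v2a["action.malware.variety.Ransomware"]))
    print("T1566 ->", sorted(a2v["T1566"]))
```

Because the VERIS path lives in an external reference rather than only in the object name, the same index works against a bundle that was re-serialized or merged with other STIX content, and the reverse table is what a SOC team would consult to find the VERIS codes that an ATT&CK-based detection covers.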

Get Involved

The resulting mapping between VERIS and ATT&CK will allow cyber defenders to create a fuller and more detailed picture of cyber incidents, including the threat actor, technical behavior, assets targeted, and impact. While VERIS currently allows for the expression of all these aspects, ATT&CK provides a significant improvement in the level of detail, consistency of detail, and comprehensiveness in describing technical behaviors. These improvements can be used to develop better predictions and insights about how we might be attacked in the future by better understanding how and why we were attacked in the past.

The mappings between VERIS and ATT&CK are available on GitHub, along with use-case and methodology documentation and Python scripts for manipulating the mappings and generating their different representations. We encourage you to review the mappings, use them, and tell us what you think.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2021 MITRE Engenuity. Approved for Public Release. Document number CT0026.


Jon Baker
MITRE-Engenuity

Director and co-Founder, Center for Threat-Informed Defense