Strengthening the Connection: VERIS and MITRE ATT&CK®
Written by Tiffany Bergeron and Ingrid Skoog
Fully understanding and documenting cybersecurity incidents requires two types of information: information about the organization, assets, and data targeted (the “who”, “what”, and “why”), and specifics on the tradecraft the adversaries used to achieve their objectives (the “when” and “how”). Without the former, descriptions of incidents often lack the information that roughly translates into the “so what” — the true impact of the event. Without the latter, breach reports lack sufficient information to allow others to protect themselves from the threat.
To meet those needs, the Center for Threat-Informed Defense (Center) completed an R&D project in August 2021 to allow people to better connect the who, what, and why captured in the Vocabulary for Event Recording and Incident Sharing (VERIS) with the when and how described in MITRE ATT&CK®.
Building upon our original project, we have expanded the translation between VERIS and ATT&CK to increase the community’s ability to pivot between incidents coded in VERIS and adversary behaviors described in ATT&CK. The project update was completed with the support of Center members, including SIEMENS AG and Verizon Business Services. We want to share with you what’s new with the VERIS ATT&CK translation and how you can get started using it.
Background
VERIS provides a common language for describing security incidents in a structured and repeatable manner. VERIS provides a standard, high-level incident representation and allows for the analysis of data across a variety of incidents. It is used, among other things, to generate the Verizon Data Breach Investigation Report (DBIR).
ATT&CK provides a common taxonomy for describing detailed adversary behavioral tactics and techniques. The ATT&CK knowledge base is a curated repository of adversary tactics, techniques, and procedures (TTPs) based on publicly available reporting and real-world observations.
So, while VERIS is comprehensive in describing most aspects of cybersecurity incidents, it is focused on the high-level description of an incident. Conversely, while ATT&CK describes adversary behavior in granular detail, it does not attempt to describe incidents or their overall impact. The Center’s VERIS ATT&CK translation empowers defenders to efficiently tie adversary TTPs to their real-world impact by connecting ATT&CK-based threat intel to VERIS-based incident reports.
Expanding the Translation
The mapping between VERIS and ATT&CK has been updated and expanded, strengthening the connection of the “business language” of VERIS with the “technical language” of ATT&CK. This project update builds upon the foundation of incidents coded in VERIS being enhanced with granular ATT&CK data, and vice versa. The update and expansion of the mapping repository:
- Updates for the VERIS Community schema 1.3.7 from 1.3.5,
- Updates for ATT&CK for Enterprise v12.1 from v9.0,
- Revisits unmapped VERIS Vectors and Varieties,
- Expands VERIS Attribute axis mappings,
- Maps VERIS Actors and ATT&CK Group TTPs,
- Maps VERIS values to ATT&CK for Mobile, and
- Maps VERIS values to ATT&CK for ICS.
The example below shows the bidirectional mapping of the VERIS Action.Hacking.Vector.Desktop sharing software to a more granular set of ATT&CK techniques. This granular description of an adversary’s behavior allows users to better understand how to detect and mitigate the threat.
In addition, expanded mapping and usage documentation has been developed to further demonstrate how the translation can be used to describe and communicate information about security incidents. Updated use cases and new scenario examples illustrate ways for defenders to efficiently tie adversary TTPs to their real-world impact by connecting ATT&CK-based threat intel with VERIS-based incident reports, and vice versa. Defenders performing essential security functions can use the VERIS/ATT&CK mapping to support a variety of use cases, such as:
1. As an Incident Responder, I want to ensure I have a complete picture of an active security incident.
- Use the mappings to translate the observed adversary behaviors, as described in ATT&CK, into VERIS coding of the incident, and begin building out the incident demographics and metadata.
2. As a Chief Information Security Officer or Information System Security Officer (CISO or ISSO), I need to align defensive posture with the real-world threats targeting my industry.
- Investigate the adversary ATT&CK TTPs used for a specific VERIS Variety or Vector, or by a particular threat group of interest with financial and/or espionage motives.
3. As a Security Operations Center (SOC) Analyst, I need sufficient visibility into threats launched against my organization.
- Use the VERIS mappings for identified adversary techniques to pinpoint areas to look for additional indicators, such as Action.Malware.Vector.Software update and Action.Hacking.Variety.Abuse of functionality.
4. As a Security Engineer, I want to mitigate entire classes of adversarial behavior.
- Build in defense-in-depth as mitigations for specific adversary TTPs, using the mappings to identify areas to focus on, such as Action.Malware.Variety.Exploit misconfig and Action.Hacking.Variety.Backdoor.
STIX Representation and Mapping Tools
To make the mapping between VERIS and ATT&CK easily accessible to the cyber threat intel capabilities and teams that use STIX, we created a STIX 2 representation of the mappings. By representing VERIS Actions and Attributes as STIX Attack Patterns we were able to create STIX Relationships to represent the association between VERIS and ATT&CK.
A set of Python tools support data manipulation, including the creation of new mappings and the customization of existing mappings. A command line interface (CLI) tool is available for validation of mapping file syntax, ensuring conformity to the data format specification and accurate references of ATT&CK (sub-)techniques. The CLI tool also supports the production of the ATT&CK Navigator layers and Markdown Summary visualizations from mapping files.
Users can refine and extend the mappings for their needs and locally rebuild the full set of supporting artifacts using the scripts in this repository. If you are simply ingesting the data from this repository, you likely will not need to install or run any of the provided scripts.
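As an added example (not the project's own scripts or published mapping data), the following shows the modelling approach described above in plain Python: VERIS values and ATT&CK techniques both become STIX 2.1 attack-patterns, each VERIS-to-technique pair becomes a relationship, technique IDs are validated before the bundle is built, and the result is indexed so a defender can pivot in either direction. The sample mapping, the source_name values and the technique IDs are illustrative assumptions chosen for the example.

```python
import re
import uuid
from collections import defaultdict
# Constructed sample mapping (illustrative, not the Center's published data):
# VERIS enumeration value -> ATT&CK (sub-)technique IDs.
SAMPLE_MAPPING = {
    "Action.Hacking.Vector.Desktop sharing software": ["T1021.001", "T1219"],
    "Action.Malware.Vector.Software update": ["T1195.002"],
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # Txxxx or Txxxx.yyy

def stix_id(stix_type, key):
    """Deterministic STIX 2.1 id so locally rebuilt bundles stay stable."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, key)}"

def attack_pattern(source_name, external_id):
    """VERIS values and ATT&CK techniques are both modelled as attack-patterns."""
    return {"type": "attack-pattern", "spec_version": "2.1", "name": external_id,
            "id": stix_id("attack-pattern", f"{source_name}:{external_id}"),
            "external_references": [{"source_name": source_name,
                                     "external_id": external_id}]}

def build_bundle(mapping):
    """Validate technique ids, emit attack-patterns and 'related-to' relationships."""
    objects = {}  # keyed by STIX id so a technique shared by two VERIS values appears once
    for veris_value, tech_ids in mapping.items():
        src = attack_pattern("veris", veris_value)
        objects[src["id"]] = src
        for tid in tech_ids:
            if not TECHNIQUE_ID.match(tid):
                raise ValueError(f"malformed ATT&CK technique id: {tid!r}")
            tgt = attack_pattern("mitre-attack", tid)
            objects[tgt["id"]] = tgt
            rel_id = stix_id("relationship", f"{src['id']}->{tgt['id']}")
            objects[rel_id] = {"type": "relationship", "spec_version": "2.1",
                               "id": rel_id, "relationship_type": "related-to",
                               "source_ref": src["id"], "target_ref": tgt["id"]}
    return {"type": "bundle", "id": stix_id("bundle", "veris-attack"),
            "objects": list(objects.values())}

def pivot_index(bundle):
    """Index both directions: VERIS value -> techniques and technique -> VERIS values."""
    patterns = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    veris_to_attack, attack_to_veris = defaultdict(set), defaultdict(set)
    for rel in (o for o in bundle["objects"] if o["type"] == "relationship"):
        v = patterns[rel["source_ref"]]["external_references"][0]["external_id"]
        t = patterns[rel["target_ref"]]["external_references"][0]["external_id"]
        veris_to_attack[v].add(t)
        attack_to_veris[t].add(v)
    return veris_to_attack, attack_to_veris
```

Feeding `build_bundle(SAMPLE_MAPPING)` to `pivot_index` yields the two lookup tables an analyst would use to move from a VERIS-coded incident to ATT&CK techniques and back.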
Get involved
The mapping between VERIS and ATT&CK allows cyber defenders to create a richer picture of cyber incidents, including the threat actor, technical behavior, assets targeted, and impact. These improvements can be used to develop better predictions and insights into how we might be attacked in the future by better understanding how and why we were attacked in the past.
The translation between VERIS and ATT&CK is available on GitHub along with the expanded methodology and usage documentation. Updated Python scripts are also available for manipulating and generating different representations of the mappings. We encourage you to review the mappings, use them, and tell us what you think.
This project also provides the methodology and tools needed to build collections tailored to any need. You can build proprietary collections to use within your organization, or you can share your collections to benefit the community.
We welcome your feedback and contributions to continue to advance ATT&CK integration with VERIS. Please see the guidance for contributors if you are interested in contributing. You are also welcome to submit issues for any technical questions or concerns, or contact ctid@mitre-engenuity.org directly for more general inquiries.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0064.