Understanding the Connection: Cybersecurity Events and MITRE ATT&CK®
Written by Tiffany Bergeron and Lex Crumpton.
Cyber defenders need information to identify and understand cyber incidents occurring in their environment. Various tools and services are available to collect system or network information, but it is not always clear how to use those tools to provide visibility into specific threats and adversarial behaviors occurring in their environment. To meet this need, the Center for Threat-Informed Defense (Center) created Sensor Mappings to ATT&CK (SMAP), a project to assist security operations teams and security leaders in understanding which tools and capabilities can help provide visibility into real-world adversary tactics, techniques, and procedures (TTPs) they care about.
In partnership with Center Participants including Anomali, Booz Allen Hamilton, Citigroup, CrowdStrike, Inc., Global Cyber Alliance, HCA — Information Technology & Services, Inc., IBM Security, JPMorgan Chase Bank, N.A., Lloyds Banking Group plc, Siemens AG, and Verizon Business, we developed a methodology and specific mappings to connect logs, sensors, and events that collect security-relevant information with the conceptual data sources linked to adversary TTPs represented in MITRE ATT&CK®.
Data sources are a critical component of defensive cyber operations, and through these mappings, defenders can determine which sensors can provide visibility into their environment and adversary TTPs they care about. The mapping between sensor events and ATT&CK data sources allows cyber defenders to understand tool coverage of adversary behaviors, identify and fill defensive gaps, and find potential threats.
Background
ATT&CK Data Source and Data Component objects bridge offensive actions with potential defensive countermeasures. Data Sources refer to the data being collected to show adversary activity, while Data Components provide context of how to analyze that data to potentially identify specific behaviors (detections).
Prior research into building on ATT&CK Data Objects has been undertaken by the Open Source Security Events Metadata (OSSEM) project and the Center’s Atomic Data Sources project. OSSEM is a community-led project created by Roberto and Jose Rodriguez that provides security context for telemetry of behaviors occurring in an environment, along with metadata describing relationships between security events and ATT&CK TTPs. Atomic Data Sources developed data source objects and context to help describe activity within a network and provided a proof-of-concept approach to mapping ATT&CK Data Sources to sensors.
The Center and our participants continue to explore opportunities to expand on ATT&CK Data Sources and enable users to make the connection between adversary behaviors and underlying capabilities to help discover them. SMAP builds on ATT&CK Data Sources by mapping concrete events to these conceptual data sources. Guidance has been developed and published to document a repeatable approach taken to create the mappings, as well as how to use them. This information can help defenders identify relevant security data to collect in their specific environment and for specific threats.
Making the Connection
SMAP mappings to ATT&CK Data Sources include events collected by Host Sensors, which gather data from endpoints in the environment (e.g., Windows, Linux), and by Network Sensors, which gather data from network communications, typically outbound connections. The specific sensors mapped under SMAP are:
- Sysmon: Windows system service activity monitoring and collection
- Windows Event Log: Windows system event records (security-relevant events)
- Auditd: Linux system auditing package
- CloudTrail: Amazon Web Services (AWS) auditing package
- osquery: Windows, macOS, Linux operating system monitoring and logging
- Zeek: Network security monitoring platform
The SMAP collection of resources can assist defenders performing essential capabilities, such as (1) understanding visibility into adversary behaviors given their current set of tools, (2) filling defensive gaps by determining additional tools and capabilities to use, and (3) finding potential threats by identifying which tools to use and which security data to collect for specific TTPs.
1. Understand Current Visibility
   What is my coverage for known adversary TTPs given my current tools?
   Use SMAP to understand which adversary behaviors you have visibility into given the current set of tools in use in your environment.
2. Fill Defensive Gaps
   If I were to add Tool X, how does that coverage change?
   Use SMAP to determine tools and capabilities to acquire or enable to fill gaps.
3. Find Potential Threats
   I’m concerned about a recent threat report. Can I see it if it were to happen in my environment, and where do I look?
   Use SMAP to identify which tools and capabilities to use and which security data to collect to help find adversary behaviors.
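The three use cases above are all set operations over the same mapping table: sensor event, the ATT&CK Data Component it populates, and the (sub-)techniques that component helps detect. The following is an added example, not SMAP's own tooling or published mappings. The technique IDs, event IDs and data component names are real ATT&CK and sensor identifiers, but the row set is a small constructed excerpt for illustration, and the function names are assumptions.

```python
"""Illustrative SMAP-style coverage analysis (added example, not project code).

MAPPING_ROWS is a constructed excerpt: each row ties one sensor event to the
ATT&CK Data Component it populates and the (sub-)techniques that component
helps detect. The identifiers are real; the selection of rows is illustrative.
"""
from collections import defaultdict

# Constructed sample rows: (sensor, event, data component, techniques)
MAPPING_ROWS = [
    ("Sysmon", "Event ID 1 (Process Create)", "Process Creation",
     {"T1059.001", "T1059.003", "T1053.005"}),
    ("Sysmon", "Event ID 3 (Network Connection)", "Network Connection Creation",
     {"T1071.001", "T1021.001"}),
    ("Windows Event Log", "Event ID 4688 (Process Creation)", "Process Creation",
     {"T1059.001", "T1059.003"}),
    ("Windows Event Log", "Event ID 4624 (Logon)", "Logon Session Creation",
     {"T1021.001", "T1078.002"}),
    ("Auditd", "execve syscall", "Process Creation",
     {"T1059.004", "T1053.003"}),
    ("Zeek", "conn.log", "Network Connection Creation",
     {"T1071.001", "T1021.001"}),
    ("Zeek", "http.log", "Network Traffic Content",
     {"T1071.001", "T1105"}),
]


def techniques_by_sensor(rows=MAPPING_ROWS):
    """Collapse the table to sensor -> set of techniques it gives visibility into."""
    by_sensor = defaultdict(set)
    for sensor, _event, _component, techs in rows:
        by_sensor[sensor] |= techs
    return dict(by_sensor)


def current_visibility(enabled_sensors, rows=MAPPING_ROWS):
    """Use case 1: techniques at least one enabled sensor can observe."""
    by_sensor = techniques_by_sensor(rows)
    covered = set()
    for sensor in enabled_sensors:
        covered |= by_sensor.get(sensor, set())
    return covered


def coverage_gain(enabled_sensors, candidate, rows=MAPPING_ROWS):
    """Use case 2: techniques that adding `candidate` would newly cover."""
    before = current_visibility(enabled_sensors, rows)
    after = current_visibility(list(enabled_sensors) + [candidate], rows)
    return after - before


def where_to_look(report_techniques, enabled_sensors, rows=MAPPING_ROWS):
    """Use case 3: for each technique in a threat report, the (sensor, event,
    data component) triples an enabled sensor provides. An empty list is a
    blind spot for that technique given the current tools."""
    wanted = set(report_techniques)
    result = {t: [] for t in report_techniques}
    for sensor, event, component, techs in rows:
        if sensor not in enabled_sensors:
            continue
        for t in sorted(techs & wanted):
            result[t].append((sensor, event, component))
    return result


if __name__ == "__main__":
    enabled = {"Windows Event Log", "Zeek"}
    print("covered now:", sorted(current_visibility(enabled)))
    print("gain from Sysmon:", sorted(coverage_gain(enabled, "Sysmon")))
    print("gain from Auditd:", sorted(coverage_gain(enabled, "Auditd")))
    for tech, sources in where_to_look(["T1059.001", "T1053.005"], enabled).items():
        print(tech, "->", sources or "BLIND SPOT")
```

The `where_to_look` output is the practical answer to the third question: for each technique in a report it names the concrete event to query, and an empty result is a gap to hand to the second use case.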
STIX Representation and Mapping Tools
This project also provides a suite of tools and resources for customization. To make the mapping between sensors and ATT&CK easily accessible to the cyber threat intel capabilities and teams that use STIX, we created a STIX 2 representation of the mappings. By representing sensor events as STIX Attack Patterns, we were able to create STIX Relationships to represent the association between logs, sensors, and other security capabilities and ATT&CK.
A set of Python tools supports data manipulation, including the creation of new mappings and the customization of existing mappings. A command line interface (CLI) tool is available for validation of mapping file syntax, ensuring conformity to the data format specification and accurate references to ATT&CK (sub-)techniques. The CLI tool also generates ATT&CK Navigator visualizations from mapping files, producing layers that depict the sensors and events mapped to data objects linked to specific (sub-)techniques.
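To make the STIX approach concrete: a sensor event becomes a STIX Attack Pattern, the ATT&CK technique is another Attack Pattern carrying a `mitre-attack` external reference, and a STIX Relationship ties the two together. The example below is added here and is not the project's code or its mapping file format; it uses only the standard library. The `x_smap_*` custom property names, the use of the generic `related-to` relationship type, and the validation rules are assumptions in the spirit of the CLI validator the text describes.

```python
"""Illustrative STIX 2.1 encoding of a sensor-event-to-ATT&CK mapping,
plus a syntax check of the kind the text attributes to the SMAP CLI
validator. Added example with assumed property names; not project code.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# ATT&CK technique ids look like T1059 or, for sub-techniques, T1059.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def _now():
    # STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sensor_event_pattern(sensor, event, data_component):
    """Represent one sensor event as a STIX Attack Pattern, as the text describes."""
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}",
        "created": _now(),
        "modified": _now(),
        "name": f"{sensor}: {event}",
        "description": f"Populates ATT&CK Data Component '{data_component}'",
        # custom properties: assumed names, not the project's
        "x_smap_sensor": sensor,
        "x_smap_data_component": data_component,
    }


def attack_technique_stub(technique_id, name):
    """Minimal ATT&CK technique object; the real ATT&CK STIX objects carry more."""
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}",
        "created": _now(),
        "modified": _now(),
        "name": name,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": technique_id}
        ],
    }


def map_event_to_technique(event_obj, technique_obj):
    """STIX Relationship from the sensor event to the technique it helps detect.
    'related-to' is the generic STIX 2.1 type; the project's choice is not
    stated on the page, so it is an assumption here."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": _now(),
        "modified": _now(),
        "relationship_type": "related-to",
        "source_ref": event_obj["id"],
        "target_ref": technique_obj["id"],
    }


def bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_bundle(b):
    """Return a list of problems: malformed technique ids, and relationships
    whose endpoints are not present in the bundle (dangling references)."""
    errors = []
    ids = {o["id"] for o in b["objects"]}
    for o in b["objects"]:
        if o["type"] == "attack-pattern":
            for ref in o.get("external_references", []):
                ext = ref.get("external_id", "")
                if ref.get("source_name") == "mitre-attack" and not TECHNIQUE_ID.match(ext):
                    errors.append(f"bad technique id {ext!r} in {o['id']}")
        elif o["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if o[key] not in ids:
                    errors.append(f"{o['id']}: {key} {o[key]} not in bundle")
    return errors


def build_example_bundle():
    """One mapping: Sysmon Event ID 1 -> Process Creation -> T1059.001."""
    ev = sensor_event_pattern("Sysmon", "Event ID 1 (Process Create)", "Process Creation")
    tech = attack_technique_stub("T1059.001", "Command and Scripting Interpreter: PowerShell")
    return bundle([ev, tech, map_event_to_technique(ev, tech)])


if __name__ == "__main__":
    b = build_example_bundle()
    print(json.dumps(b, indent=2))
    print("validation errors:", validate_bundle(b))
```

Because the relationship refers to objects by STIX id rather than by technique number, the dangling-reference check matters: a mapping file that renames or drops a technique object silently loses coverage unless something verifies that every `source_ref` and `target_ref` still resolves.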
Get Involved
The SMAP mappings and project documentation, including the mapping methodology and usage information, are available on GitHub. We encourage you to review these resources, use them, and share your feedback.
The provided resources include the step-by-step methodology and tools needed to build collections tailored to specific needs. You can build proprietary collections to use within your organization, or you can share your collections to benefit the community.
We welcome your comments and contributions to continue to advance mapping sensor security events to ATT&CK adversary behaviors. Please see the guidance for contributors if you are interested in contributing. You are also welcome to submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2023 MITRE Engenuity. Approved for Public Release. Document number CT00089.