ATT&CK framework provides insight into real-world threats
MITRE ATT&CK is commonly used to describe and categorize how malicious actors perform reconnaissance, initial access, persistence, lateral movement, exfiltration, and many other tactics. Malicious events are categorized by one or more specific techniques, which are grouped into high-level tactics. Currently, ATT&CK tactics and techniques are divided into Enterprise, Mobile and Industrial Control Systems matrices (you can read more about using MITRE ATT&CK in this blog). All techniques are grouped by tactic and can be referenced by their identifiers.
MITRE ATT&CK tactics and techniques are increasingly becoming a standard that helps both Blue and Red teams. From an offensive point of view, the framework provides a precise model of a specific adversary's behavior and makes it possible to emulate it. From a defensive perspective, analysts can use MITRE ATT&CK to structure and share threat intelligence, and to build analytics that establish trends in the attack techniques of malicious actors.
The importance of standard formats
Information sharing expands everyone's intelligence about cyber threats. The more information we share, the more we can aggregate, and the faster and more effectively we can anticipate and respond to attacks. An important requirement for sharing threat intelligence is reliance on standard formats that make contributing and ingesting data easy.
Structured Threat Information eXpression (STIX™) is a serialization language and format used to represent and exchange cyber threat information in a consistent and efficient manner. As this white paper notes, STIX also offers a way to share a wide range of information, including:
- Cyber observables (e.g. a registry key is created, network traffic to specific IP addresses occurs, email from a specific address is observed, etc.)
- Adversary Tactics, Techniques & Procedures (TTP) (including attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, etc.)
- Exploit targets (e.g. vulnerabilities and weaknesses)
- Action plans (e.g. incident response or vulnerability / weakness remedies)
- Cyber attack campaigns
- Cyber threat actors
MITRE ATT&CK tactics and techniques represent adversary behaviors at different levels of abstraction. As mentioned above, STIX is commonly used to represent exactly this kind of information in a structured way, so ATT&CK tactics and techniques can easily be expressed in STIX.
Differences between STIX 1 and STIX 2
In the first version of STIX, indicators were expressed in XML syntax. One of the biggest changes between version 1 and version 2 is the switch from XML to JSON, which gives a lighter syntax that is easier to parse and is therefore preferred for development.
Version 2 comes with two validation tools: the STIX validator checks whether the JSON content conforms to the specification, while the model validator checks that the model syntax is correct.
Another useful new feature is STIX visualization: since a large JSON document is not easy to read, a visualization tool is provided that displays the JSON file as a graph, with nodes representing STIX Domain Objects and edges representing STIX Relationship Objects.
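To make the STIX 2.1 JSON shape concrete, here is an added example (not code from the original post or from the OASIS STIX tooling) that builds a small bundle by hand: an ATT&CK technique as an `attack-pattern`, a constructed intrusion set and indicator, and the relationships between them. It then runs a few spec-level checks of the kind the STIX validator performs and splits the bundle into the nodes and edges the visualizer draws. The actor name, indicator pattern and timestamps are constructed placeholders; T1566 is a real ATT&CK technique ID.

```python
import re
import uuid

# Hand-built STIX 2.1 objects (the stix2 library is deliberately not used so the JSON shape
# stays visible). A fixed timestamp keeps output stable; real objects use the current UTC time.
NOW = "2024-01-01T00:00:00.000Z"
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def stix_obj(obj_type, **props):
    # Common properties every STIX 2.1 domain and relationship object carries.
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}

def build_bundle():
    # ATT&CK technique as a STIX attack-pattern; the ATT&CK ID goes in external_references.
    # T1566 (Phishing) is a real technique ID; the actor and indicator below are constructed.
    technique = stix_obj("attack-pattern", name="Phishing",
                         external_references=[{"source_name": "mitre-attack", "external_id": "T1566",
                                               "url": "https://attack.mitre.org/techniques/T1566"}])
    actor = stix_obj("intrusion-set", name="EXAMPLE-ACTOR (constructed)")
    indicator = stix_obj("indicator", name="Constructed lure sender", pattern_type="stix",
                         valid_from=NOW,
                         pattern="[email-message:sender_ref.value = 'lure@example.invalid']")
    uses = stix_obj("relationship", relationship_type="uses",
                    source_ref=actor["id"], target_ref=technique["id"])
    indicates = stix_obj("relationship", relationship_type="indicates",
                         source_ref=indicator["id"], target_ref=technique["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [technique, actor, indicator, uses, indicates]}

def check_bundle(bundle):
    """Spec-level checks like those a STIX validator makes: id format, spec_version,
    and relationship refs that resolve to objects in the bundle. Returns a list of errors."""
    errors, ids = [], {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        oid = o.get("id", "")
        if not ID_RE.match(oid):
            errors.append(f"bad id: {oid!r}")
        if o.get("spec_version") != "2.1":
            errors.append(f"{oid}: spec_version must be 2.1")
        if o.get("type") == "relationship":
            errors += [f"{oid}: dangling {r}" for r in ("source_ref", "target_ref") if o.get(r) not in ids]
    return errors

def to_graph(bundle):
    """Nodes and edges as the STIX visualizer draws them: SDOs become nodes, SROs become edges."""
    nodes = {o["id"]: o["type"] for o in bundle["objects"] if o["type"] != "relationship"}
    edges = [(o["source_ref"], o["relationship_type"], o["target_ref"])
             for o in bundle["objects"] if o["type"] == "relationship"]
    return nodes, edges
```

`json.dumps(build_bundle(), indent=2)` gives a file you can paste straight into the STIX visualizer; feeding it a relationship whose `target_ref` is not in the bundle is the kind of defect `check_bundle` reports before you share the data.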
The image below (created using this tool) shows the APT1 graph built from the STIX v2.1 data available here. It shows indicators, tools, attack patterns and other valuable information about APT1, a sophisticated threat actor possibly sponsored by the Chinese government (read more details in Mandiant's APT1 report).