MITRE ATT&CK is a powerful, open-source framework for communicating adversary, attack, and threat data across development platforms. It’s an asset to any security organization that can incorporate the information and tools MITRE provides into its projects, software, systems, or processes. When asked “How does ATT&CK help my organization?” we keep coming back to these key themes:
- It allows effective communication, via a shared lexicon
- It enables strategic, operational, and tactical decision making
- It fuels an intel-driven and threat-informed approach to security operations
MITRE provides several development tools, uses open protocols, and exposes significant amounts of data for our use. ATT&CK has earned its place as a first-class model in much of the software we create, as well as many of the services we provide at Ascent.
Why use MITRE ATT&CK?
Introduced in 2013, MITRE ATT&CK has become a standard threat-modeling language in cybersecurity. It’s part of most cybersecurity platforms with a threat component and is often the de facto method to communicate about these threats. The data is deterministic, open, and available in multiple formats for easy consumption. Because of its wide integration, it effectively bridges different systems together. For example, Ascent developers use MITRE to channel data from our SOC’s cyber threat intelligence (CTI) feed to our detection library, identifying and prioritizing threats.
1. It’s deterministic
MITRE releases versions of the framework with a central repository as the source of truth. Gathering and querying this data is a deterministic process. If we ask for version 10 of an object, we get the same data every time. This makes developing against a dataset much more straightforward. Because the data is versioned, we can also use standard API development practices to build against specific versions of the framework, handle changes more appropriately, and incorporate these concepts into our own development processes.
2. It’s open
The ATT&CK framework and data are released under an open license structure granting the community “royalty-free license to use ATT&CK for research, development, and commercial purposes.” The data, and many of the tool sources, are available in GitHub. MITRE allows open servers to consume the data via API calls in standard formats.
3. It’s structured
Unstructured data can be cumbersome to work with. When developers communicate in a widely agreed-upon language, they can more easily normalize disparate data sets into something more manageable. For example, the threat actor commonly known as “APT 29” is also referenced as “Cozy Bear,” “Group 100,” and “Cloaked Ursa,” just to name a few. Add in variations of case, spaces, dashes, and other formats, and matching threat information purely by name can be challenging. ATT&CK normalizes APT 29 by creating a unique object with a unique ID that can be cross-referenced, while still using the Name field where appropriate.
Frameworks and protocols
While you can easily browse to the MITRE ATT&CK website and click around in the interface, the real benefit comes from consuming ATT&CK data. This is available in a few different formats.
If you love spreadsheets, you are in luck! MITRE provides all its ATT&CK data in .xlsx format for use inside of your favorite spreadsheet application. It also provides Python modules which can convert from STIX into .xlsx format.
The TAXII protocol is designed to exchange threat data over common (HTTPS) channels via a REST API. It defines services and channels which can be used to build a robust architecture for providing and consuming CTI. The data TAXII gathers can feel a bit overwhelming, but numerous Python libraries make the exchange process and parsing much simpler.
While TAXII provides the mechanism to exchange information, STIX is the format of the information. It is a language, or protocol, used to communicate CTI. (In this case, STIX primarily communicates threat detail.) Viewed through a process lens, a developer makes a request to a TAXII server and eventually receives a response back in STIX format. Again, STIX data can feel a bit overwhelming, but as usual, there are Python libraries for that!
If you’ve interacted with a REST API, you recognize JSON formatted data. MITRE provides all its ATT&CK data (and previous versions) in JSON format located in its GitHub repository.
Alright, now that you understand the types of data available and how to pull them, let’s tackle the makings of a combined external-internal CTI feed.
1. TAXII servers
MITRE provides a real life TAXII server you can query: https://cti-taxii.mitre.org/taxii/. Request data, query, filter, and otherwise consume whatever parts of the ATT&CK framework you choose all from this single server.
2. Raw Data
MITRE also provides a JSON dump of ATT&CK in its GitHub repository: https://github.com/mitre-attack/attack-stix-data. Simply choose the version you want and grab it. After importing the JSON into your script, you have the entire ATT&CK collection at your disposal. This is especially helpful when you want to “cache” the data locally and avoid expensive HTTP requests for multiple actions on a dataset.
So, now you know which type of data to pull and where to find it. But how should you choose which method to consume it? Threats are not static. They evolve over time, and our understanding of them evolves as well.
Since 2013, MITRE has released 11 major revisions (at the time of writing) and even more minor revisions. These revisions combine new tactics, techniques, relationships, software, groups, and details. To avoid incorporating conflicts and missing data into your development, make sure you know which version you are pulling. As an example, if you browse to the “attack-stix-data” repo (https://github.com/mitre-attack/attack-stix-data/tree/master/enterprise-attack), each of the versions is segmented into a separate JSON file.
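To make the JSON, normalization, and versioning points concrete, here is an added Python example (not MITRE’s or Ascent’s code) that reads a local STIX bundle in the attack-stix-data layout, records which ATT&CK release it came from, skips revoked or deprecated techniques, resolves group aliases in a case-, space- and dash-insensitive way, and follows “uses” relationships from a group to its techniques. The bundle embedded below is a constructed miniature that mimics the real object shapes; the APT29 alias list and the group ID G0016 are real, while every other ID, name and version string is made up for the demo. Point load_bundle at the full enterprise-attack JSON file from the repo to run it on real data.

```python
"""Parse a local ATT&CK STIX 2.x JSON bundle (attack-stix-data layout).

Added example, not MITRE's or Ascent's code. SAMPLE_BUNDLE is a constructed
miniature: only the APT29 aliases and the group ID G0016 are real.
"""
import json
import re

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {   # the collection object carries the ATT&CK release version
            "type": "x-mitre-collection",
            "id": "x-mitre-collection--00000000-0000-4000-8000-0000000000aa",
            "name": "Enterprise ATT&CK", "x_mitre_version": "12.0",
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000010",
            "name": "Constructed Technique A",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9001"}],
        },
        {   # revoked technique: must not be counted as current coverage
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000011",
            "name": "Constructed Technique B (old)", "revoked": True,
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9002"}],
        },
        {
            "type": "intrusion-set",
            "id": "intrusion-set--00000000-0000-4000-8000-000000000020",
            "name": "APT29",
            "aliases": ["APT29", "Cozy Bear", "Group 100", "Cloaked Ursa"],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "G0016"}],
        },
        {
            "type": "relationship",
            "id": "relationship--00000000-0000-4000-8000-000000000030",
            "relationship_type": "uses",
            "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000020",
            "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000010",
        },
    ],
})


def load_bundle(text):
    """Return the object list of a STIX bundle, refusing anything else."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle["objects"]


def attack_id(obj):
    """ATT&CK external ID (T1234, G0016, ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def attack_version(objects):
    """Release version recorded on the x-mitre-collection object."""
    for o in objects:
        if o["type"] == "x-mitre-collection":
            return o.get("x_mitre_version")
    return None


def active_techniques(objects):
    """ATT&CK ID -> name for techniques that are neither revoked nor deprecated."""
    out = {}
    for o in objects:
        if o["type"] != "attack-pattern":
            continue
        if o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        tid = attack_id(o)
        if tid:
            out[tid] = o["name"]
    return out


def _norm(name):
    # Fold case and drop spaces/dashes so "Cozy-Bear", "cozy bear" match.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def resolve_group(objects, name):
    """Normalized alias -> ATT&CK group ID, using name plus the aliases list."""
    table = {}
    for o in objects:
        if o["type"] == "intrusion-set":
            for alias in [o["name"], *o.get("aliases", [])]:
                table[_norm(alias)] = attack_id(o)
    return table.get(_norm(name))


def techniques_used_by(objects, group_id):
    """Sorted technique IDs reached from a group via 'uses' relationships."""
    by_stix_id = {o["id"]: o for o in objects}
    group_refs = {o["id"] for o in objects
                  if o["type"] == "intrusion-set" and attack_id(o) == group_id}
    used = set()
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses" \
                and o["source_ref"] in group_refs:
            target = by_stix_id.get(o["target_ref"])
            if target and target["type"] == "attack-pattern" and attack_id(target):
                used.add(attack_id(target))
    return sorted(used)


if __name__ == "__main__":
    objs = load_bundle(SAMPLE_BUNDLE)
    print("ATT&CK version:", attack_version(objs))
    print("cozy-bear ->", resolve_group(objs, "cozy-bear"))
    print("G0016 uses", techniques_used_by(objs, "G0016"))
```

Recording attack_version alongside whatever you derive from the bundle is what lets you tell, months later, which release a detection mapping was built against; skipping revoked and deprecated objects keeps IDs that MITRE has retired out of your coverage numbers.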
Existing tools and platforms
Because the MITRE organization is committed to open-source resources, its developers release a lot of their code openly. You can self-host the website, Navigator, and even Workbench.
1. MITRE ATT&CK website
When most people think of ATT&CK, the MITRE ATT&CK web data interface is probably what they envision. The ATT&CK website is static, generated using Pelican, a Python static site generator. This makes it super simple to self-host using any static site hosting tool you’d like.
2. ATT&CK Navigator
ATT&CK Navigator is probably the second most recognized interface in the ATT&CK space. It’s an awesome way to visualize the entire domain of techniques or a subset of your choosing.
Navigator works with the concept of layers. A layer is a JSON object defining a selection of techniques with some additional metadata. Using a JSON layer, Navigator displays this metadata in a matrix-type format which can be customized with colors, scores, and other details of the user’s choosing.
If you create advanced layers (and perhaps pull real-time technique data from your detection sources, combining them into a defensive coverage layer), then these layer artifacts are sensitive and important to protect. Because the processing is done entirely on the client side, the application can be self-hosted and the layer itself can be loaded from an external location, which gives you ample opportunity to control access to the layer file (for example, provisioned user roles on a data storage bucket containing sensitive layers).
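As an added example of the coverage layer described above (not MITRE’s or Ascent’s code), the following Python builds a Navigator layer from a list of detection rules and the technique IDs they cover. The detection records are constructed; the layer keys used (techniqueID, score, comment, gradient, versions, domain) are part of the Navigator layer format, while the exact version strings in LAYER_VERSIONS are assumptions you should match to the Navigator build you deploy. Malformed technique IDs are reported rather than silently dropped, so a typo in a rule cannot quietly hide a coverage gap.

```python
"""Build an ATT&CK Navigator coverage layer from detection-rule records.

Added example, not MITRE's or Ascent's code. SAMPLE_DETECTIONS is constructed;
LAYER_VERSIONS holds assumed version strings to adjust for your deployment.
"""
import json
import re

# Technique IDs look like T1234 or, for sub-techniques, T1234.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Assumed version strings; check them against the Navigator instance you run.
LAYER_VERSIONS = {"attack": "12", "navigator": "4.8.0", "layer": "4.4"}

# Constructed sample: each rule in the detection library lists the ATT&CK
# technique IDs it covers. The third rule carries two sloppy entries on purpose.
SAMPLE_DETECTIONS = [
    {"rule": "constructed-rule-01", "techniques": ["T9001", "T9003.001"]},
    {"rule": "constructed-rule-02", "techniques": ["T9001"]},
    {"rule": "constructed-rule-03", "techniques": [" t9004 ", "bogus"]},
]


def coverage_counts(detections):
    """Technique ID -> number of rules covering it, plus rejected (rule, raw id) pairs."""
    counts = {}
    rejected = []
    for det in detections:
        for raw in det["techniques"]:
            tid = raw.strip().upper()   # tolerate case and whitespace slips
            if not TECHNIQUE_ID.match(tid):
                rejected.append((det["rule"], raw))
                continue
            counts[tid] = counts.get(tid, 0) + 1
    return counts, rejected


def build_layer(name, detections, domain="enterprise-attack"):
    """Return (layer dict, rejected entries). Score = number of covering rules."""
    counts, rejected = coverage_counts(detections)
    top = max(counts.values(), default=1)
    techniques = [
        {"techniqueID": tid, "score": n, "comment": f"{n} detection rule(s)"}
        for tid, n in sorted(counts.items())
    ]
    layer = {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": domain,
        "description": (f"Coverage derived from {len(detections)} rules; "
                        f"{len(rejected)} entries rejected"),
        "techniques": techniques,
        # Gradient maps score 0..top onto white..blue in the matrix view.
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": top},
    }
    return layer, rejected


def to_json(layer):
    """Serialize a layer for upload or for loading into Navigator from a URL."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer, rejected = build_layer("Constructed coverage layer", SAMPLE_DETECTIONS)
    print(to_json(layer))
    for rule, raw in rejected:
        print(f"rejected technique id {raw!r} in {rule}")
```

The output is a plain JSON file, which is exactly why the access control has to live where the file is stored: the Navigator front end will render whatever layer it is pointed at, so restricting who can read the bucket or endpoint that serves the layer is the control, not the application itself.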
3. MITRE ATT&CK Python
MITRE provides a Python module for working with ATT&CK content. Its tools work with and generate Navigator layers, parse and interact with STIX data, and convert data into Excel formats, among other capabilities.
4. ATT&CK Workbench
ATT&CK Workbench is a suite of tools allowing you to control and extend ATT&CK inside your own organization. It maintains a collection of ATT&CK data which can be customized, shared, and displayed using a custom web interface.
The frontend is another static web interface which connects to a backend REST API built on Node.js using a MongoDB database. MITRE provides deployment scripts using Docker, but each service can easily be run independently. For example, Ascent deploys the full stack using Azure managed services like Azure Static Web App, Azure App Services, and an Azure VM.
Because the backend is a REST API, you can interface with it easily with external scripts or software. This allows you to consume ATT&CK in yet another format.
Explore MITRE development
If you are motivated to dive deeper into the development how-to, please join Brad Palm, Director for Product Research, and Brian Greunke, Director for Engineering and Cybersecurity Strategy, at the Texas Cyber Summit on September 24, 2022. We will lead a three hour workshop, outlining examples and process building.
Want to learn more but without all the code? Ascent offers a free MITRE ATT&CK MasterClass where Brad Palm covers the business use case for incorporating ATT&CK into your risk discussions. Reach out to MITRE@meetascent.com for more information or to schedule a MasterClass for your organization.
Ascent is a world-class cybersecurity organization driven to save the world from cybercrime. We interpret ATT&CK data and incorporate it into our own risk-based, intel-driven, threat-informed approach to cybersecurity. Interested in partnering with our experts? Visit our website to learn more.