Beta Mobile Sub-Techniques, Structured Detections, and ICS Join the Band as ATT&CK Upgrades to Version 11

619

The most recent ATT&CK release is now available, and this time They have upgraded to version 11! There shouldn’t be any major surprises if you’ve been following their roadmap, but they wanted to take this opportunity to go over their most recent updates. A beta version of the sub-techniques for ATT&CK for Mobile and ATT&CK for ICS on attack.mitre.org are included in the v11 set list, along with regular updates/additions across Techniques, Software, and Groups.

Enterprise Structured Detections with ATT&CK
The transformation of various actionable ATT&CK fields into managed objects has been a recurring theme over the past few years.

To improve the value and usability of mitigations, they turned them into objects in ATT&CK version 5; as a result, you can now identify mitigation and pivot to different techniques it might be able to prevent. Many of you have taken advantage of this feature to map ATT&CK to various control/risk frameworks. For the v10 release, they previously transformed data sources into objects, opening up similar pivoting and analysis possibilities.

The detections in Enterprise ATT&CK that were previously free text detections featured in Techniques have been improved and combined into descriptions that are connected to Data Sources in today’s v11 release.

However, this makes the paring explicit. Typically, they have attempted to match the detection text on a Technique to its Data Sources. You can now see for each detection what information you must gather as inputs (Data Sources) and how to analyze that data to determine a specific Technique (detection). Here is an illustration of how Data Sources and Detections for Steal or Forge Kerberos Tickets have changed (T1558).

Data sources and detections for Steal or Forge Kerberos Tickets in ATT&CK v10 (T1558)

For each Technique listed for a Data Component in ATT&CK v11, data sources and detections for Steal or Forge Kerberos Tickets (T1558) Detections will now be included on the Data Source pages.

These new detections, like everything else in ATT&CK, are also reflected in their STIX as a component of the “detects” relationship that was added in their most recent ATT&CK release in its “description” field. Check out their STIX usage document for more details on ATT&CK’s STIX representation, including the data source objects and relationships added in ATT&CK v10.

Beta Mobile Sub-Techniques
In 2020, they expanded ATT&CK for Enterprise to include Sub-Techniques. Since then, they have been well received and have helped us with some growth problems in their largest matrix. Now that this improvement has been made, they’re bringing it to ATT&CK for Mobile as a beta release, as ATT&CK’s Mobile Lead Jason Ajmo recently discussed in the ATT&CK Blog.

The Sub-Techniques beta is now available on the main ATT&CK website, and the most recent, stable Mobile content is available at https://attack.mitre.org/versions/v10/matrices/mobile/. This summer, they intend to publish the final version of ATT&CK for Mobile with Sub-Techniques after giving the community enough time to review the material, get ready, and send us any comments at attack@mitre.org. Up until then, the v10 pre-Sub-Techniques version of ATT&CK for Mobile will continue to be the primary representation on STIX.

How do I transition to the ATT&CK for Mobile beta using sub-techniques?
To support sub-techniques, you must first support a few changes to the structure of the Mobile ATT&CK technique.

The structural changes and the moving process are the same whether you’re using ATT&CK for Enterprise with sub-techniques already or have switched over. They’ve expanded Mobile technique IDs to identify corresponding sub-techniques, just like with ATT&CK for Enterprise: T[technique]. [sub-technique]. They’ve added “x mitre is subtechnique = true” to “attack-pattern” objects that represent sub-techniques in Mobile’s STIX representation of ATT&CK as well as “subtechnique-of” relationships between techniques and sub-techniques. Their STIX documentation already includes information on both. This link will take you to a STIX representation of ATT&CK that also contains the v11 Mobile Beta.

Next, if you want to get a head start, remap your content to this beta release from a previous iteration of Mobile ATT&CK.

They’re offering a translation table, or “crosswalk,” from previous release Mobile technique IDs to beta ones to aid in the transition, similar to how they did when they released Sub-Techniques for ATT&CK for Enterprise. What happened to each technique in the beta release is displayed in the JSON file. The structure underneath shows what, if anything, changed with the v11 beta release, while the top-level technique ID represents each technique from the v10 release.

Thanks to the community’s excellent feedback, they were able to identify four major categories of changes:

Still Technique
turned into a sub-technique
A New Technique or Multiple New Techniques
Deprecated
The “change-type” field in the JSON contains representations of each of these change types. It is easier to implement some of these changes than others.

They acknowledge this, and in the steps that follow, they include advice on how to switch from their previous release to ATT&CK with sub-techniques by taking into account the four different types of changes.

Step 1: First, automate the simple remapping techniques.
You can substitute the new technique ID for the old technique ID when the change type is “Remains Technique,” “Became a Sub-Technique,” or “One or More Techniques Became New Technique.”

It’s also important to check the “explanation” in the JSON because technique names may have changed or tactics may have been deleted in some cases.

Still Technique

The first thing that can be easily remapped is the methods that aren’t altering and don’t require remapping.

Anything marked “Remains Technique” is still a technique with the same technique ID as in the example above, which is T1398.

turned into a sub-technique

The technique to sub-technique transitions, marked “Became a Sub-Technique,” comes next in the “easy to remap category.” These methods were changed to become a part of another method. Modify System Partition (T1400) in this instance changed to Hijack Execution Flow: System Runtime API Hijacking (T1625.001).

A few techniques have been combined with others, as a final point.

A New Technique or Multiple New Techniques

A new technique was developed to cover the scope and content of one or earlier techniques for techniques with the label “One or More Techniques Became New Technique.

For instance, Adversary-in-the-Middle was created by combining Network Traffic Capture or Redirection (T1410) with a few other techniques (T1638).

Any item represented by the previous ATT&CK technique ID that needs to be changed should be transferred to the new technique or sub-technique ID. The ATT&CK STIX objects represent this kind of change as an object that has been revoked and has left behind a pointer to the source of the revocation. That indicates that T1400 was nullified by T1625.001 in this instance.

All of these situations can be solved by simply taking the top-level key and replacing it with the nested “id” key.

Step 2: Examine the outdated methods to determine what changed.
There will be some manual labor involved here. Techniques that have been deprecated are more complicated.

Deprecated

They eliminated “Deprecated” techniques from ATT&CK without replacing them. They were deprecated because they believed they did not belong in ATT&CK or because there was no evidence of their use in the wild. For instance, Remotely Wipe Data Without Authorization (T1469) was eliminated because there was no proof that an adversary had ever used it in the wild.

Step 3: Examine the new sub-techniques for the techniques to see if the new granularity affects how you would map.

There is one more step to complete if you want to fully utilize sub-techniques. You can now use new sub-techniques for many “Remains Technique” techniques.

Application Discovery is a fantastic illustration of an existing technique that now has new sub-techniques (T1418). Its name was changed to Software Discovery, and a new sub-technique called Security Software Discovery was created to contain its content (T1418.001).

Utilizing the new sub-techniques will require some manual analysis because they add more detail. The good news is that by adding more granularity, you will be able to represent various software discovery scenarios at a finer level.

These remaps can be carried out over time because they are still accurate if you keep something mapped to Software Discovery. When you have the time and resources, you can map new material to the sub-techniques and go back to the older ones to refine them.

TL;DR: If you only complete Step 1 while mapping deprecated objects to NULL, it will still be accurate. If you follow Step 2, virtually everything you previously mapped will also be mapped to the new Mobile ATT&CK. You’ll unlock the newfound power of sub-techniques once you finish Step 3!

ICS with ATT&CK Joins attack.mitre.org

Beginning in 2020, ATT&CK for ICS was introduced on a MediaWiki website that resembled attack.mitre.org in the past. Being on a different website has allowed it to grow and develop on its own while they gradually added it to each ATT&CK resource. The ATT&CK website, which is their most visible resource, now includes ATT&CK for ICS (attack.mitre.org).

What has altered? First of all, links to ATT&CK for ICS will need to be updated since it will no longer have the nostalgic ATT&CK Wiki look and feel. Second, they combined the Groups and Software from ICS, updating descriptions to include both and adding ICS techniques to the Group and Software pages that were already on both sites.

Finally, they have integrated ATT&CK’s Data Sources and Data Components into ICS. Because ICS and Enterprise Data Sources overlap quite a bit, they added a filter that lets you view only Enterprise, only ICS, and all Data Sources and Components on both the overall Data Sources list and individual Data Source pages.

What still holds true? The content of ATT&CK for ICS is unchanged, as is the location of its STIX representation. In order to prevent breaking your deep links, they will also maintain the previous website until October 2022. On every page, there will be warnings that get progressively worse, reminding users to update their links before they eventually become deprecated.

Future content updates will only be made to attack.mitre.org, not to the MediaWiki website.

What Remains in 2022?
They recently published their 2022 roadmap and are still making progress across the framework. Campaigns will be a new object related to groups in ATT&CK that will be added in version 12. Check out the presentation slides from Matt Malone’s talk at ATT&CKcon 3.0, their most recent blog post about their roadmap, or stay tuned for more information about their implementation coming soon.

Techniques

Enterprise

New Techniques

Technique changes

Minor Technique changes

Technique revocations

Technique deprecations

  • No changes

Mobile v11.0-beta

The below changes represent the Mobile v11.0-beta release. The current production release at https://attack.mitre.org/versions/v10/matrices/mobile/ remains unchanged.

New Techniques

Technique changes

Minor Technique changes

  • No changes

Technique revocations

Technique deprecations

Software

Enterprise

New Software

Software changes

Minor Software changes

Software revocations

  • No changes

Software deprecations

  • No changes

Mobile

New Software

  • No changes

Software changes

Minor Software changes

Software revocations

  • No changes

Software deprecations

  • No changes

Groups

Enterprise

New Groups

Group changes

Minor Group changes

Group revocations

Group deprecations

  • No changes

Mobile

New Groups

  • No changes

Group changes

Minor Group changes

  • No changes

Group revocations

  • No changes

Group deprecations

  • No changes

Mitigations

Enterprise

New Mitigations

  • No changes

Mitigation changes

Minor Mitigation changes

  • No changes

Mitigation revocations

  • No changes

Mitigation deprecations

  • No changes

Mobile

New Mitigations

  • No changes

Mitigation changes

  • No changes

Minor Mitigation changes

  • No changes

Mitigation revocations

  • No changes

Mitigation deprecations

Data Sources and/or Components

Enterprise

New Data Sources and/or Components

  • No changes

Data Source and/or Component changes:

  • No changes

Minor Data Source and/or Component changes

Data Source and/or Component revocations

  • No changes

Data Source and/or Component deprecations

  • No changes

Mobile

ATT&CK for Mobile does not support data sources

Leave a comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Exit mobile version