DefensiveFrameworkFrameworkOfffensive

Campaigns to be Introduced to MITRE ATT&CK V12

Primary Articles Published by Matt Malona

In ATT&CK 2022 roadmap, at ATT&CKCon 3.0, and most recently on the SANS Threat Analysis Rundown, we’ve discussed incorporating campaigns into ATT&CK, but their release is soon approaching! Beginning with the release of ATT&CK v12 on October 25, you will be able to use the Campaigns structure for all of your ATT&CK use cases and will have access to Mitre initial collection of Campaigns. We’d like to take this opportunity to walk you through Mitre vision for Campaigns, give you a tour of its components, and go over Mitre longer-term Campaigns plans before the release.

The Campaigns’ Goals

For the purposes of ATT&CK, we refer to a collection of intrusion activities carried out over a predetermined period of time with similar targets and goals as “Campaigns.”

The fact that an activity may or may not be connected to a specific threat actor is a crucial component of campaigns.

Mitre goal with Campaigns is to give users another perspective on how malicious cyber operations have developed. ATT&CK’s threat actor activity currently includes a wide range of actions that, over time, can help paint a complete picture of the adversary. However, as adversaries advance, their TTPs frequently alter. By providing some structure with Campaigns, we hope to help you gather more useful information and context to help you prioritise your defence. Campaigns will give you the ability to spot trends, keep tabs on significant technique changes among different actors, and keep track of the introduction of new capabilities (or exploited vulnerabilities).

Additionally, you’ll be able to see which techniques threat actors continue to use regardless of the campaign’s targets or objective.

Campaigns will also help us distinguish between overlapping operations that have the same name and complex intrusion activity that involves multiple threats (like Ransomware-as-a-Service operations). We’ll also be converting some of the ATT&CK Groups to Campaigns as part of the new structure. This will apply to Groups (like G0101/Frankenstein and G0014/Night Dragon) that fit Mitre description of a Campaign but only have one activity cluster.

We’ll be including a small number of Campaigns into the v12 release, keeping with Mitre tradition of carefully integrating structural components in ATT&CK.

This initial collection of Campaigns will include unattributed Campaigns, a selected number of Campaigns connected to active Groups, and former Group entries that are more appropriately categorised as Campaigns.

Elements of a campaign

In the v12 release, a new “Campaigns” button will be added to the main page tool bar for easy access. We structured Campaigns to visually align with Groups and Software pages.

Figure 1: An illustration of the “Campaigns” button on the new ATT&CK toolbar.

Figure 1: An illustration of the “Campaigns” button on the new ATT&CK toolbar.

A Campaigns table with the ID number, Name, and descriptions of the activities will be present on the Campaigns homepage. The left column’s list of available campaigns emphasises those that have recently been added or converted.

As we previously discussed, we added some flexibility by allowing a Campaign to be simply referenced by Mitre own identifier (for example, C0014) if it doesn’t already come with a name. This overcomes the restriction we currently face with Groups.

Figure 2 shows a draught campaign table with the unnamed activity C0014 as a reference.

Each Campaign entry will contain a description of the intrusion activity, along with any information that makes this Campaign particularly noteworthy, as well as specifics like known targeted countries and sectors, where available.

Figure 3: For all of the Trekkies out there, a draught campaign page!

How to most effectively capture the time period associated with a Campaign is something we have been paying close attention to. Users can see how a Campaign was scoped by using the “First Seen” and “Last Seen” fields in the information box, along with the corresponding reference citations. We’ll add language to the effect that intrusion activity was considered to be ongoing at the time of report publication in the Campaign description (for example, “As of September 2022 security researchers assessed this activity was ongoing”) and update subsequent versions of ATT&CK Campaign entries accordingly.

Figure 4 shows a sample Campaigns information box with citations and a time frame field.

We’ve created a “Techniques Used” table to record actor procedure examples observed during a Campaign, with a few notable differences from Groups and Software.

  1. To assist ATT&CK users in identifying relevant detection and mitigation opportunities, we will provide as much detail as reporting permits regarding specific commands or actions taken by the actors. For Group and Software pages, where there is a tendency to accumulate a variety of reporting examples over time, this concept has proven to be more difficult to implement, leading to more generic procedure example language.
  2. To distinguish Mitre campaign procedure examples from those already found on a group page, we’ll start each one with the name of the campaign or its associated ID number.

When a Campaign is linked to a Group, we understand that the benefit of this may not be immediately obvious while viewing a Campaign page, but it does allow the procedure examples to stand out on their own (and, hopefully, allows for smoother integration in the future if an unattributed Campaign is later attributed to a Group).

Figure 5: Based on a fictitious campaign, separate procedure examples as seen from a group page. The second line is specifically about the associated Campaign, while the top line is an example of an existing procedure for T1566.001 for a Group

.

What does this mean for software and groups?

With regard to Campaigns, we’ve made two significant changes to the Group and Software pages.

As stated earlier, methods and related procedure examples mapped to a Campaign with a Group attribute will transfer to the Group page for that Campaign. Additionally, we’ll keep assigning Software pages to examples of specific Campaign procedures.

In order to make it simple for ATT&CK users to access Campaign ID numbers, Names (when applicable), and the Campaign description, we added a Campaigns table to the related Group and Software pages.

The Group and Software pages’ visual appearance won’t change, and we’ll keep updating them separately to include a comprehensive list of all observed techniques. For ATT&CK users who want to concentrate on all techniques used regardless of time or target, we want to preserve the functionality of ATT&CK Navigator Layers in that regard.

Intro to the Campaign STIX Object.

The ATT&CK Data Model, which is described in Mitre Usage document, has been updated to reflect the addition of Campaigns to ATT&CK. With the new additions of the Campaign object type and the Relationships connected to Campaigns, the diagram below illustrates how all the moving parts interact with one another. It’s important to note that the objects that were already present in ATT&CK are unchanged. Software that reads earlier iterations of ATT&CK should continue to function, albeit with some missing information that is specific to campaigns.

Figure 6 Campaign STIX relationships in

We’d like to introduce you to the star of the show, the STIX Campaign object, now that you’ve seen Mitre data model.

It utilises the same STIX extensions that are present in the ATT&CK Data Model, such as x mitre version. Here is a breakdown of how ATT&CK uses each field that is particular to the Campaign object, in addition to those previously described fields:

STIX standard fields:

·       type: Complies with the requirements of STIX

·        name: The designation given to the Campaign. This field will contain an ATT&CK identifier of the form CXXXX if no name is provided. 

·        description: complies with the STIX specification

·        aliases: Used to store names of related campaigns.

·        first_seen (timestamp): When this Campaign was first seen, as indicated by the timestamp first seen. This field is only used by ATT&CK at the month/year level of granularity. When displaying information about the ATT&CK Campaign, parsers should ignore the day and time components of this timestamp field.

·        last_seen (timestamp): The most recent time this Campaign was viewed or mentioned was last seen (timestamp). This field is only used by ATT&CK at the month/year level of granularity. When displaying information about the ATT&CK Campaign, parsers should ignore the day and time components of this timestamp field.

  • objective: Not employed by ATT&CK

Extensions to the STIX Specification

·        x mitre first seen citation (string): A single or a list of citations for the first time the Campaign was made public, in the format “(Citation:),” where the source name is one of the external references.

·        x mitre last seen citation (string): A single or multiple citations for the most recent mention of the Campaign in the form “(Citation:),” where “(Citation:” appears as one of the source names of one of the external references.

As previously mentioned, we have additionally added three new STIX Relationships that link Campaigns to the rest of the ecosystem. These Relationships are that Campaigns may, at their discretion, be attributed to Groups, use Software, or use Techniques. The STIX Relationship objects themselves do not differ in any special ways from the STIX standard; they merely link Campaigns to those earlier objects. This appears simple enough at first glance, but there are a few things to be aware of moving forward if you plan to parse ATT&CK v12 STIX.

The process of separating out all the Techniques and Software used by a Group when collecting data about Groups with Campaigns associated with them is a little more difficult. We won’t be establishing connections between the techniques and software used in a Campaign and the Group for those Campaigns; instead, if you want to see an inclusive list, you’ll need to combine technique sets and Software usage.

Combining Technique Sets: You must combine the set of Techniques directly used by the Group with the set of Techniques used by all of their associated Campaigns in order to obtain a complete Group Technique view.

Figure 7. Example of Group Technique STIX Inheritance in

Mapping Software Object Usage: You will need to identify the Groups, the Group-Attributed Campaigns, and the Unattributed Campaigns using the Software and combine them to get the full picture of how the Software is being used.

Refer to the Relationships Microlibrary section of the GitHub Usage document for additional technical information on how to handle retrieving all Techniques or Software that a Group uses starting with the v12 release and how it differs from the v11 and earlier releases.

What to Expect Moving ahead

With the ultimate goal of revisiting a significant Group page in ATT&CK and reconstructing earlier Campaigns to reflect how these actors have changed over time, we’ll keep modifying and expanding on them.

We’ll also shift Mitre attention away from isolated or unattributed Campaigns and toward more intricate Campaigns linked to some of the Group entries with higher population, like the SolarWinds intrusion and G0016/APT29.

The various ATT&CK matrices — Enterprise (Cloud, Containers, macOS, and Linux), Mobile, and ICS — will also be tied together in a significant way by campaigns in order to further document how adversaries pivot between these domains while utilising a variety of methods to achieve their goals.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.