MITRE 2023 Roadmap to focus on targeted growth and integration, while improving ATT&CK’s current platforms

MITRE, a non-profit organization, released its 2023 ATT&CK roadmap on Tuesday, with key efforts planned for the year ahead ranging from ICS (industrial control systems) assets to more Linux coverage and ATT&CKcon 4.0. In 2023, the focus will be on targeted growth and integration. The organization will work on maintaining framework stability as it builds out content and structure, while expanding and increasing the scope of some of ATT&CK’s current platforms.

“We’ll be looking for places where we can add defensive ‘easy buttons’ to ATT&CK and other ways we can improve for lower-resourced defenders,” Amy L. Robertson, cyber operations lead at MITRE, wrote in a Medium post. “Relatedly, we’ll also be working to enhance the usability, accessibility, and functionality of the ATT&CK website and Navigator. These updates and more will be mainly centered on our April and October releases,” she added.

Robertson said that in 2022, MITRE matured, expanded, deconflicted, and renovated the knowledge base, persevering through challenges to meet the year’s goals. “Some of our most notable efforts included unveiling Enterprise structured detections, publishing Mobile sub-techniques, introducing ICS detections, transitioning ATT&CK for ICS to the mothership (aka attack[dot]mitre[dot]org), launching Campaigns, and hosting ATT&CKcon 3.0,” she added.

She also said that 2023 will be ICS’s first full year on the ATT&CK site, and “we’ll be making additions across the matrix, including more cross-domain mappings (e.g., ICS + Enterprise). We’ll be sharing more details about this and our approach to leveraging ATT&CK for holistic ICS defense in an upcoming blog post.”

Over the next several months, Robertson said that MITRE will be focusing on addressing overlaps and integration with other domains, primarily between Enterprise and ICS, although Mobile could be included, and revamping ICS Assets. “This effort will focus on evaluating Assets in various industries, identifying their interrelations, and determining how they fit into the ATT&CK structure.”

Robertson pointed out that when MITRE added explicit pairing of detections to data sources in ATT&CK v11, “it was intended to let you identify the inputs you need to collect (Data Sources), combined with how to analyze that data to identify a given Technique (detection).” 

She added that “we’ll be leveling up this year, exploring and including in ATT&CK more specifics on what you as defenders can be collecting related to detections and how. This quest will result in more directly usable guidance for defenders, as well as a more in-depth look at data collection, analyzation, and identification of a given technique.”
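The detection-to-data-source pairing described above can be turned into a simple coverage check for a defender: given which data components are already being collected, which techniques have usable detections and which component is worth onboarding next. The example below is added here and is not MITRE's code; every technique ID, data component and detection note in it is a constructed placeholder, not ATT&CK content.

```python
from collections import Counter

# Constructed sample data (placeholders, not ATT&CK content): each technique
# lists the detections it pairs with and the data component each one needs.
TECHNIQUES = {
    "T-EX1": [("Process Creation", "interpreter spawned by an office application"),
              ("Command Execution", "encoded command line")],
    "T-EX2": [("Network Traffic Content", "periodic connections to a rare external host"),
              ("Command Execution", "download-and-run one-liner")],
    "T-EX3": [("File Modification", "file written to a startup folder")],
    "T-EX4": [("Process Creation", "unexpected child of a service process"),
              ("File Modification", "scheduled task definition changed"),
              ("Network Traffic Content", "large outbound transfer")],
    "T-EX5": [("Command Execution", "administrative tool run from a user context")],
}

def coverage(techniques, collected):
    """Classify each technique by how many of its paired detections the
    currently collected data components can feed: full, partial or none."""
    result = {}
    for tid, detections in techniques.items():
        needed = {component for component, _ in detections}
        have = needed & set(collected)
        if have == needed:
            result[tid] = "full"
        elif have:
            result[tid] = "partial"
        else:
            result[tid] = "none"
    return result

def next_components(techniques, collected, top=3):
    """Rank data components not yet collected by how many techniques gain a
    usable detection once that component is onboarded (ties broken by name)."""
    counts = Counter()
    for detections in techniques.values():
        for component in {c for c, _ in detections}:
            if component not in collected:
                counts[component] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]

def plan(techniques, collected, component):
    """List the (technique, detection note) pairs that onboarding one
    additional data component would enable."""
    return [(tid, how) for tid, dets in techniques.items()
            for c, how in dets if c == component and c not in collected]
```

With only "Process Creation" collected, the ranking shows "Command Execution" as the single component that advances the most techniques, which is the kind of prioritisation a lower-resourced team can act on.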

MITRE will also be assessing ATT&CK mitigations for gaps and potential improvements this year. “We converted mitigations into objects in v5 to increase their usability, and our goal has always been to continue to evolve and improve that knowledge base. Over the next several months, we’ll be researching new preventions and crafting out additional ways to prevent a given technique from succeeding,” Robertson wrote.

On Campaigns, Robertson said that MITRE does not typically highlight all the updates it will be making to ATT&CK Techniques, Software, or Groups, but as the newest object on the block, “we figured you might be curious about our plans for Campaigns this year. Over the next few months, we’ll be extracting significant Campaigns from several APT groups in ATT&CK and adding them to the knowledge base. Closer to October, we’ll pivot to building out campaigns conducted by criminal groups, including ransomware operations,” she added.

MITRE also released Mobile sub-techniques last summer, and will continue expanding on those, as well as building out contributions, and collaborating on enhancing multi-domain techniques. 

“Mobile-specific Data Source objects are another goal this year, and they’ll mirror the concept of Data Source objects that Enterprise and ICS currently leverage, informing a more detailed and defined data collection strategy,” Robertson wrote. “The Mobile Data Sources will eventually be featured on both the overall Data Sources list as well as the individual Data Source pages. For October, we plan on charting out structured detections, to enable you to enhance your Mobile detections approach.”

Robertson added that a core focus for the domain overall is bolstering collaboration with the mobile security community. “Along with the rest of ATT&CK, Mobile’s matrix is mostly crowdsourced, and we rely on the deep expertise from the mobile community to validate our content and help us to mature this knowledge base,” she added.

When it came to Linux, Robertson said that MITRE made significant progress in updating the macOS platform last year, and will continue evolving that content while officially transitioning the spotlight to Linux for 2023. She said that the April release will feature Linux contributions that focus on modifications to parent technique scope, including new sub-techniques and updated procedures.

For the October 2023 release, “we’re targeting an expanded representation of Linux within ATT&CK. We’re looking to not only better account for activity within on-premise Linux servers, but some of the broader Linux-based (and not always x86) spaces adversaries have been abusing,” according to Robertson. “This will be a substantial effort given how under-reported Linux activity is, and the Linux security community’s input is essential for us to improve this platform. We’re working to build out opportunities to connect both online and offline and would like to hear how you’d like to collaborate.”

Since initially releasing ATT&CK for Cloud in October 2019, MITRE has continually worked to expand and refine how these platforms fit within the broader ATT&CK for Enterprise. Cloud introduces many new challenges for defenders, and potential opportunities to rethink how we describe adversary behaviors. “Throughout 2023, we will work to adapt these definitions with the goal of helping everyone (cloud expert or not) better understand and utilize ATT&CK for Cloud,” Robertson added.

MITRE will host ATT&CKcon 4.0 in person and virtually on Oct. 24–25, 2023 in McLean, Virginia.

MITRE announced in October its ATT&CK v12, featuring Campaigns in ATT&CK, Detections in ATT&CK for ICS, and updates (additions, changes, and deprecations) to the Enterprise, Mobile, and ICS knowledge bases across techniques, software, mitigations, APT groups, data sources and/or components. The latest version is now live. The ATT&CK v12 release introduced the Campaign data structure to ATT&CK and an initially limited set of Campaigns. ATT&CK’s Campaigns are defined as a grouping of intrusion activity conducted over a specific period with common targets and objectives.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Homeland Security Systems Engineering and Development Institute (HSSEDI), updated the Best Practices for MITRE ATT&CK Mapping. The new version covers common analytical biases, mapping mistakes, guidance specific to MITRE ATT&CK for ICS, and changes made to the framework since CISA initially published the best practices in June 2021.
