MITRE ATT&CK v10 comes with new techniques, groups, software for enterprises, ICS frameworks

Not-for-profit organization MITRE announced ATT&CK v10 with updates in techniques, groups, and software for the enterprises, mobile devices, and ICS (industrial control system) frameworks. The biggest change is the addition of a new set of data source and data component objects in enterprise ATT&CK, which compliments the ATT&CK data source name changes released in ATT&CK v9.

“The v10 release includes the next episode in our data sources saga, as well as new content and our usual enhancements to (sub-)Techniques, Groups, and Software across Enterprise, Mobile and ICS,” wrote Amy L. Robertson in a Medium post for MITRE ATT&CK. “Our updated content in ATT&CK v10 aggregates this information about data sources, while structuring them as the new ATT&CK data source objects (somewhat similar to how Mitigations are reflected),” she added.

MITRE works with federal, state and local governments, as well as industry and academia, to bring ideas into existence in various areas, including artificial intelligence, intuitive data science, cyber threat sharing, and cyber resilience. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ICS has been focusing on feature equity with enterprises, including updating data sources, adding and refining techniques, revamping assets, and charting out detection plans. “We’re also making some key changes to facilitate hunting in ICS environments. As we noted in the 2021 Roadmap, v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others,” Robertson wrote in the post.

The fact that adversaries don’t respect theoretical boundaries is something MITRE has consistently emphasized and thinks is crucial to feature enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software.

Robertson also wrote that “With Stuxnet and Industroyer specifically, both malware operated within OT/ICS networks, but the two incidents displayed techniques that are also well researched and represented within the Enterprise matrix. Based on this, we created Enterprise entries for the ICS-focused software to provide network defenders with a view of software behavior spanning both matrices. We also expect the cross-domain mappings to enable you to leverage the knowledge bases together more effectively.”

For data sources, MITRE ATT&CK v10 is aligning with Enterprise ATT&CK in updating data source names. ICS’s current release reflects Enterprise’s v9 data sources update, with the new name format and content featured in GitHub. These data sources will be linked to YAML files that provide more detail, including what the data sources are and how they should be used. The ATT&CK v10 for Enterprise contains 14 tactics, 188 techniques, 379 sub-techniques, 129 groups, and 638 software pieces.

The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source, the Medium post said.

Data components in ATT&CK v10 analyze each highlight mappings to the various (sub-)techniques that may be detected with that particular data, the Medium post said. On individual (sub-)techniques, data sources and components have been relocated from the metadata box at the top of the page to be collocated with detection content. These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover open-source intelligence (OSINT)-related data sources mapped to PRE platform techniques, it added.

The updated structures are also visible in ATT&CK’s STIX representation, with both the data sources and the data components captured as custom STIX objects, according to the Medium post. Users will be able to see the relationships between those objects, with the data sources featuring one or more data components, each of which detects one or more techniques.

For future releases, MITRE plans on mapping the more granular assets to techniques to enable organizations to track how these behaviors can affect a technique, or what assets these behaviors are associated with. On the detection front, MITRE is working behind the scenes to add detections to each technique, and this will be reflected in future releases, and it expects detections to really help out in hunt and continuous monitoring.

“Also in 2022, we’re preparing to integrate onto the same development platform as Enterprise, the ATT&CK Workbench, and join the rest of the domains on the ATT&CK website (attack.mitre.org),” according to Robinson.

Earlier this month, MITRE set up the Cyber Infrastructure Protection Innovation Center and Clinical Insights Innovation Cell to strengthen its ability to better focus on cybersecurity threats to critical infrastructure, and on new approaches to public health challenges. The two entities will operate as a part of MITRE Labs. In June, the National Security Agency (NSA) announced that the MITRE project has released the D3FEND framework, funded by the agency.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.