MITRE ATT&CK v12 comes with Campaigns, Detections, updates for enterprises, mobiles, ICS frameworks


Not-for-profit organization MITRE announced on Tuesday the release of ATT&CK v12, which introduces Campaigns to ATT&CK, adds Detections to ATT&CK for ICS, and updates (additions, changes, and deprecations) the Enterprise, Mobile, and ICS knowledge bases across techniques, software, mitigations, APT groups, and data sources and components. The latest version is now live.

The ATT&CK v12 release introduces the Campaign data structure to ATT&CK and an initially limited set of Campaigns. ATT&CK’s Campaigns are defined as a grouping of intrusion activity conducted over a specific period with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor. 

Specifics on how Campaigns are implemented in ATT&CK’s enterprise, ICS, and mobile STIX representations are described in ATT&CK’s STIX 2.0 Data Model and STIX 2.1 Data Model. Several existing Groups were identified as more closely matching the Campaign than the Group definition and were converted to Campaigns. Additionally, MITRE renamed the Enterprise Technique ‘Indicator Removal on Host’ to Indicator Removal (T1070) and rescoped it to better account for adversary behavior in cloud environments.

“For our purposes in ATT&CK, we use ‘Campaigns’ to describe a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor,” wrote Matt Malone in a Medium post for MITRE ATT&CK, earlier this month, covering the ATT&CK v12 release.

Malone adds, “our vision for Campaigns is to provide users with another way to view the evolution of malicious cyber operations. Threat actor activity in ATT&CK currently encompasses a broad set of behaviors that can inform a holistic picture of the adversary over time. But as adversaries evolve, their TTPs often change, and by introducing some structure with Campaigns, we hope to allow you to glean more actionable intelligence and context to inform your defense prioritization.” 

“Campaigns will enable you to identify trends, track significant changes in techniques used by various actors, and monitor the introduction of new capabilities (or exploited vulnerabilities),” Malone points out. “You’ll also be able to identify continued threat actor reliance on certain techniques regardless of the campaign objective and/or targets.”

MITRE will be incorporating a limited number of Campaigns into the ATT&CK v12 release. “This initial collection of Campaigns will feature former Group entries that are more accurately categorized as Campaigns, a curated number of Campaigns linked to existing Groups, as well as unattributed Campaigns,” Malone said.

With the addition of Campaigns to ATT&CK, the ATT&CK Data Model has expanded to encompass these changes, with no changes to objects that previously existed in ATT&CK. Software written to read earlier versions of ATT&CK should continue to work, albeit missing data that only appears in Campaigns.

Matching the model introduced to ATT&CK for Enterprise in ATT&CK v11, ATT&CK for ICS detections describe ways of detecting various ICS techniques and are each tied to specific Data Sources and Data Components, as described in the MITRE ATT&CK v11 release blog post.

The new detections leverage traditional host and network-based collection and ICS-specific sources such as asset and operational databases. Additionally, as there are overlaps between the Enterprise and ICS ATT&CK domains, ICS detections include references to Enterprise techniques where the additional context may assist defenders.

The new version of ATT&CK for Enterprise contains 14 tactics, 193 techniques, 401 sub-techniques, 135 groups, 14 campaigns, and 718 pieces of software.

MITRE added three new STIX Relationships that connect Campaigns to the rest of the ecosystem. Campaigns can optionally be attributed to a Group, use Software, or use Techniques. The STIX Relationship objects have no special modifications from the STIX standard and connect Campaigns to those previously existing objects. 

“At a glance, this seems straightforward enough, but there are some things to be aware of if you are parsing ATT&CK v12 STIX going forward,” Malone said. “When gathering data about Groups that have Campaigns attributed to them, it’s a bit more complex to parse out all the Techniques and Software that are used by the Group. For Campaigns associated with a Group, we won’t be creating relationships between techniques and Software in that Campaign and the Group; if you would like to view the inclusive list, you’ll need to combine technique sets and Software usage,” he adds.
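The parsing caveat above, and the earlier note that pre-v12 readers keep working but miss Campaign-only data, are illustrated by the following added example; it is not MITRE's code. The bundle is a constructed miniature with placeholder ids and names, and it assumes the ATT&CK STIX relationship types `attributed-to` (campaign to intrusion-set) and `uses` (campaign or intrusion-set to technique or software).

```python
# Constructed miniature ATT&CK-style STIX bundle (placeholder ids/names, not real ATT&CK data).
# Relationship types follow ATT&CK's STIX model: campaign --attributed-to--> intrusion-set; campaign/intrusion-set --uses--> technique/software.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group"},
        {"type": "campaign", "id": "campaign--c1", "name": "Example Campaign"},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Indicator Removal"},
        {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Phishing"},
        {"type": "tool", "id": "tool--s1", "name": "Example Tool"},
        {"type": "tool", "id": "tool--s2", "name": "Old Tool", "revoked": True},
        # Pre-v12 style: the Group directly uses a technique.
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
        # v12 Campaign relationships: attributed to the Group; uses a technique and two tools.
        {"type": "relationship", "relationship_type": "attributed-to",
         "source_ref": "campaign--c1", "target_ref": "intrusion-set--g1"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "campaign--c1", "target_ref": "attack-pattern--t2"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "campaign--c1", "target_ref": "tool--s1"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "campaign--c1", "target_ref": "tool--s2"},
    ],
}
SOFTWARE_TYPES = {"malware", "tool"}

def rels(bundle, rel_type):
    """Relationship objects of one relationship_type."""
    return [o for o in bundle["objects"]
            if o.get("type") == "relationship" and o.get("relationship_type") == rel_type]

def group_usage(bundle, group_id, include_campaigns=True):
    """Return (techniques, software) names used by a Group. With include_campaigns=True the
    usage of Campaigns attributed-to the Group is folded in; revoked objects are skipped."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    sources = {group_id}
    if include_campaigns:
        sources |= {r["source_ref"] for r in rels(bundle, "attributed-to")
                    if r["target_ref"] == group_id}
    techniques, software = set(), set()
    for rel in rels(bundle, "uses"):
        target = by_id.get(rel["target_ref"])
        if rel["source_ref"] not in sources or target is None or target.get("revoked"):
            continue  # not this Group/its Campaigns, dangling ref, or revoked object
        if target["type"] == "attack-pattern":
            techniques.add(target["name"])
        elif target["type"] in SOFTWARE_TYPES:
            software.add(target["name"])
    return techniques, software
```

Calling `group_usage` with `include_campaigns=False` reproduces what a pre-v12 reader sees: only the Group's direct relationships, with the Campaign's technique and tool missing.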

Malone said that MITRE would continue modifying and building out Campaigns, with the eventual goal of revisiting major Group pages in ATT&CK and reconstructing earlier Campaigns to reflect how these actors have evolved. “We’ll also shift focus from one-off or unattributed Campaigns to more complex Campaigns attributed to some of the more populated Group entries, such as the SolarWinds intrusion and G0016/APT29,” he adds.

In the future, Malone expects Campaigns will also serve a key role in tying together the various ATT&CK matrices — Enterprise (Cloud, Containers, macOS, and Linux), Mobile, and ICS, to document further how adversaries pivot across these domains using a variety of techniques to accomplish their objectives.

Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the latest version of its Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2021. The analysis and infographic detail the findings from the 112 assessments carried out across the federal civilian executive branch (FCEB), critical infrastructure (CI), and state, local, tribal, and territorial (SLTT) stakeholders, and map hacker behavior to the MITRE ATT&CK framework.
