MITRE ATT&CK v14 introduces detection enhancements, ICS assets, mobile structured detections


MITRE, a non-profit organization, released ATT&CK v14 on Tuesday. The release includes enhanced detection guidance for many techniques, expanded scope for the Enterprise and Mobile domains, assets for the ICS (industrial control systems) domain, and structured detections for Mobile.

“In ATT&CK v13, we started adding ‘detection notes’ and pseudocode analytics from CAR (Cyber Analytics Repository) directly into some detections. In v14, we’ve dramatically expanded the number of techniques with a new easy button and added a new source of analytics,” Amy L. Robertson wrote in a Medium post. “One focus of this release was Lateral Movement, which now features over 75 BZAR-based analytics! BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) is a subset of CAR analytics that enable defenders to detect and analyze network traffic for signs of ATT&CK-based adversary behavior.”

She added that, moving forward, MITRE plans to continue working across tactics to enhance its detection approaches.

The latest version of MITRE ATT&CK contains 760 pieces of software, 143 groups, and 24 campaigns. Broken out by domain: Enterprise has 201 techniques, 424 sub-techniques, 141 groups, 648 pieces of software, 23 campaigns, 43 mitigations, and 109 data sources; Mobile has 72 techniques, 42 sub-techniques, 8 groups, 108 pieces of software, 1 campaign, 12 mitigations, and 15 data sources; and ICS has 81 techniques, 13 groups, 21 pieces of software, 52 mitigations, 3 campaigns, 14 assets, and 34 data sources.

Robertson explained that MITRE ATT&CK v14 also enables enhanced relationships between detections, data sources, and mitigations. “Improving techniques is a collaborative and iterative process, and we work with the community to identify new procedures and enhance data sources and mitigations. This release includes updated technique alignments to data sources and mitigations, better reflecting the most effective defensive measures for the impacted techniques.”

She revealed that v14 features 14 inaugural assets, representing the primary functional components of the systems associated with the ICS domain. “These Asset pages include in-depth definitions, meticulous mappings to techniques, and a list of related Assets. Our primary goals for Assets are to provide a common language for inter-sector communication, and to empower underrepresented sectors to leverage ATT&CK mappings, fostering meaningful communication about risks and threats,” she added.

“The Assets refactoring process involved an in-depth review of relevant CTI, researching and refining the resulting definitions based on industry standards, and analyzing how the device features map to ATT&CK Techniques,” the post added. “We look forward to leveraging the deep insights from our industry partners as we continue refining and expanding Assets.”

Alongside a modest expansion of Enterprise's scope, Mobile has also expanded its coverage to include Phishing, which encompasses phishing attempts through vectors including SMS messaging (smishing), Quick Response (QR) codes (quishing), and phone calls (vishing), Robertson wrote.

“Mobile Phishing features a new mitigation (M1058: Antivirus/Antimalware), to enhance anti-virus and malware defenses,” according to the post. “Also introduced with this release, Mobile structured detections. This allows you to explicitly see the required inputs (Data Sources) for each detection, along with how to analyze the data to identify a specific Technique (detection). Structured detections are part of the ongoing endeavor to bring Mobile to parity with Enterprise.”
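The "structured detection" relationships described above (a data source and its data component on the input side, a mitigation on the defensive side, both tied to a technique) are expressed in the ATT&CK STIX bundles as `detects` and `mitigates` relationship objects. The following is an added example, not MITRE's code and not part of the original post: it walks a small, constructed bundle in that shape and produces, per technique, the data sources required to detect it and the mitigations that apply. The technique ID `T0000` and all object IDs are placeholders; `M1058` (Antivirus/Antimalware) is the one identifier taken from the post, and the data source and component names are assumed.

```python
"""Resolve ATT&CK-style 'detects' and 'mitigates' relationships.

Added example (not MITRE's code). It mirrors the object and relationship
types used in ATT&CK STIX 2.1 bundles (attack-pattern, x-mitre-data-source,
x-mitre-data-component, course-of-action, relationship) and builds the
technique -> data source / mitigation view that structured detections expose.
The bundle below is CONSTRUCTED with placeholder IDs (T0000, *--a1, ...);
the only identifier taken from the post is M1058.
"""
import json
from collections import defaultdict

# Constructed sample bundle: one technique, one data component that
# detects it, one mitigation (plus a revoked duplicate that must be ignored).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--a1",
         "name": "Phishing (placeholder technique)",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
         "x_mitre_detection": "Monitor for suspicious messages and links."},
        {"type": "x-mitre-data-source", "id": "x-mitre-data-source--d1",
         "name": "Application Vetting"},           # assumed data source name
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--c1",
         "name": "Network Communication",         # assumed component name
         "x_mitre_data_source_ref": "x-mitre-data-source--d1"},
        {"type": "course-of-action", "id": "course-of-action--m1",
         "name": "Antivirus/Antimalware",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1058"}]},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--c1", "target_ref": "attack-pattern--a1",
         "description": "Analyze outbound connections for links delivered by message."},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--a1"},
        {"type": "relationship", "id": "relationship--r3", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--a1",
         "revoked": True},
    ],
})


def attack_id(obj):
    """Return the ATT&CK external ID (Txxxx / Mxxxx) of a STIX object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_detection_view(bundle_json):
    """Map each technique ID to its detecting data sources and its mitigations."""
    bundle = json.loads(bundle_json)
    # Index every non-relationship object so refs can be resolved.
    by_id = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    view = defaultdict(lambda: {"name": None, "detections": [], "mitigations": []})

    for rel in bundle["objects"]:
        if rel["type"] != "relationship":
            continue
        # Revoked or deprecated relationships carry no current guidance.
        if rel.get("revoked") or rel.get("x_mitre_deprecated"):
            continue
        src, tgt = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if not src or not tgt or tgt["type"] != "attack-pattern":
            continue

        entry = view[attack_id(tgt)]
        entry["name"] = tgt["name"]
        if rel["relationship_type"] == "detects" and src["type"] == "x-mitre-data-component":
            # The required input is the data source that owns the component;
            # the relationship description is the per-technique analytic.
            source = by_id.get(src.get("x_mitre_data_source_ref"), {})
            entry["detections"].append({
                "data_source": source.get("name"),
                "component": src["name"],
                "analytic": rel.get("description", ""),
            })
        elif rel["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            entry["mitigations"].append(attack_id(src))
    return dict(view)


if __name__ == "__main__":
    print(json.dumps(build_detection_view(SAMPLE_BUNDLE), indent=2))
```

Run against a real `enterprise-attack.json`, `mobile-attack.json` or `ics-attack.json` bundle from the attack-stix-data repository, the same function lists, for every technique, exactly which data sources a SOC must actually be collecting before a given detection can fire, which is the gap-analysis question structured detections are meant to answer.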

MITRE also refined the navigation bar of the ATT&CK website, streamlining its structure and content to enhance the user experience and overall ease of navigation. Robertson detailed that “Over time, our navigation bar accumulated a lot of ‘stuff’, and we hope this update strikes a balance between necessary links and user needs. The updated navigation bar features a single dynamic menu display, with access to secondary links (most previously featured on the primary bar) in associated dropdown menus.”

Last month, MITRE's Caldera team announced the release of Caldera for OT, a collection of Caldera plugins that provide support for common industrial protocols. These initial Caldera for OT (operational technology) extensions were developed in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a federally funded research and development center that is managed and operated by MITRE for the U.S. Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA), to increase the resiliency of critical infrastructure.
