ATT&CK v13 released, now offers ICS asset refactoring, analytics pseudocode, mobile data sources

MITRE on Tuesday announced the release of ATT&CK v13, which adds analytics pseudocode, mobile-specific data sources, key website updates, ICS asset refactoring, and expanded cloud and Linux coverage. The biggest changes in ATT&CK v13 are the addition of detailed detection guidance to some techniques in ATT&CK for Enterprise, mobile data sources, and two new types of changelogs that identify more precisely what has changed between versions.

“This release features a new defensive ‘easy button’, with the addition of CAR pseudocode to a number of our data components,” Amy L. Robertson, cyber operations lead at MITRE, wrote in a Medium post. “These pseudocode analytics add more context on what you should find and collect, by describing at a high level the steps involved in detecting certain types of behaviors. You can use these analytics as a blueprint for your custom detections, leaving you with more time to spend on the defensive activities of your choice.”

Moving forward, Robertson outlined that MITRE will revamp Mitigations and improve defenses tactic by tactic, incorporating analytics from CAR and dynamic research into the data components that fall under a given tactic. ATT&CK v13 for Enterprise contains 14 tactics, 196 techniques, 411 sub-techniques, 138 groups, 22 campaigns, and 740 pieces of software.

As MITRE outlined in its February roadmap, “we’re working toward enhanced tools for lower-resourced defenders, improving ATT&CK’s website usability, enhancing ICS and Mobile parity with Enterprise, and evolving overall content and structure this year,” Robertson wrote.

Robertson confirmed that an initial query with the website’s enhanced search will be in the five-second range, with subsequent queries resolving near instantaneously. “We’ll continue to adjust this important feature and appreciate all of you who stayed with us through the search bar trials. Let us know if you spot any new corner cases!”

Another significant addition in this release is a machine-readable changelog, Robertson said. “You’ll now be able to access and parse through the changelog, quickly identifying and integrating the updates. For more details check out the changelog.json format details in our GitHub. Our release notes format has also been improved, now documenting New, Major Version Changes, Minor Version Changes, and Patches for each of Techniques, Mitigations, Data Sources, Data Components, Software, Groups, and Campaigns. If you’re wondering what ‘Patches’ are, it’s what we’re calling changes so minor (e.g., typos, URL fixes, grammar) no version update was necessary,” she added.
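The release-note categories described above (New, Major Version Changes, Minor Version Changes, Patches) can be derived directly from two ATT&CK STIX bundles, which is how a team can check an upgrade before wiring in the official changelog.json. The script below is an added example, not MITRE's own changelog tooling and not the changelog.json format: it reads the `x_mitre_version` and `modified` fields that ATT&CK STIX objects carry and applies an assumed rule (first version component changed = major, second = minor, same version but new `modified` timestamp = patch). The two bundles are constructed samples with placeholder IDs.

```python
"""Classify differences between two ATT&CK STIX bundles into the release-note
categories used from v13 on: New, Major Version Changes, Minor Version Changes,
Patches. Added example; the bundles below are constructed and the version rule
is an assumption mirroring the article's description, not MITRE's code."""
from typing import Dict, List, Tuple

CATEGORIES = ("New", "Major Version Changes", "Minor Version Changes", "Patches")


def _obj(kind: str, sid: str, name: str, version: str, modified: str, ext_id: str) -> dict:
    """Build a minimal STIX object with the fields the classifier needs."""
    return {"type": kind, "id": f"{kind}--{sid}", "name": name,
            "x_mitre_version": version, "modified": modified,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}


# Constructed "previous release" bundle (placeholder T-/M-numbers, not real ATT&CK IDs).
OLD_BUNDLE = {"type": "bundle", "objects": [
    _obj("attack-pattern", "aaaa", "Example Technique A", "1.2", "2022-10-01T00:00:00.000Z", "T0001"),
    _obj("attack-pattern", "bbbb", "Example Technique B", "1.0", "2022-10-01T00:00:00.000Z", "T0002"),
    _obj("attack-pattern", "cccc", "Example Technique C", "2.1", "2022-10-01T00:00:00.000Z", "T0003"),
    _obj("course-of-action", "dddd", "Example Mitigation D", "1.0", "2022-10-01T00:00:00.000Z", "M0001"),
    # relationship objects carry no x_mitre_version and are skipped by the classifier
    {"type": "relationship", "id": "relationship--eeee", "relationship_type": "mitigates"},
]}

# Constructed "new release" bundle: A bumped 1.2 -> 2.0, B bumped 1.0 -> 1.1,
# C re-saved with the same version (typo-level fix), D untouched, E brand new.
NEW_BUNDLE = {"type": "bundle", "objects": [
    _obj("attack-pattern", "aaaa", "Example Technique A", "2.0", "2023-04-25T00:00:00.000Z", "T0001"),
    _obj("attack-pattern", "bbbb", "Example Technique B", "1.1", "2023-04-25T00:00:00.000Z", "T0002"),
    _obj("attack-pattern", "cccc", "Example Technique C", "2.1", "2023-04-25T00:00:00.000Z", "T0003"),
    _obj("course-of-action", "dddd", "Example Mitigation D", "1.0", "2022-10-01T00:00:00.000Z", "M0001"),
    _obj("attack-pattern", "ffff", "Example Technique E", "1.0", "2023-04-25T00:00:00.000Z", "T0005"),
    {"type": "relationship", "id": "relationship--eeee", "relationship_type": "mitigates"},
]}


def attack_id(obj: dict) -> str:
    """Return the ATT&CK ID (e.g. T0001) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return obj["id"]  # fall back to the STIX id if no ATT&CK ID is present


def parse_version(version: str) -> Tuple[int, int]:
    """Split an x_mitre_version string such as '2.1' into (major, minor)."""
    major, _, minor = version.partition(".")
    return int(major), int(minor or 0)


def classify_changes(old_bundle: dict, new_bundle: dict) -> Dict[str, Dict[str, List[str]]]:
    """Return {stix_type: {category: ["<ATT&CK ID> <name>", ...]}} for versioned objects."""
    old = {o["id"]: o for o in old_bundle["objects"] if "x_mitre_version" in o}
    report: Dict[str, Dict[str, List[str]]] = {}
    for obj in new_bundle["objects"]:
        if "x_mitre_version" not in obj:
            continue  # relationships, identities, marking definitions: unversioned
        buckets = report.setdefault(obj["type"], {c: [] for c in CATEGORIES})
        label = f"{attack_id(obj)} {obj['name']}"
        prev = old.get(obj["id"])
        if prev is None:
            buckets["New"].append(label)
            continue
        old_major, old_minor = parse_version(prev["x_mitre_version"])
        new_major, new_minor = parse_version(obj["x_mitre_version"])
        if new_major != old_major:
            buckets["Major Version Changes"].append(label)
        elif new_minor != old_minor:
            buckets["Minor Version Changes"].append(label)
        elif obj["modified"] != prev["modified"]:
            buckets["Patches"].append(label)  # edited without a version bump
        # same version and same timestamp: unchanged, not reported
    return report


if __name__ == "__main__":
    for stix_type, buckets in classify_changes(OLD_BUNDLE, NEW_BUNDLE).items():
        print(stix_type)
        for category, entries in buckets.items():
            print(f"  {category}: {', '.join(entries) or '-'}")
```

To run it against real data, replace the constructed bundles with `json.load()` of two releases of the same domain file from the mitre/cti repository (for Enterprise, `enterprise-attack/enterprise-attack.json`); the same fields are present there, so only the input changes.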

She also pointed out that MITRE does not “expect quite as much celebration for our ATT&CK Navigator updates, but new updates coming with ATT&CK v13 enable you to further customize your layer colors, scoring, image orientation and preset image sizing.”

The ICS matrix features new techniques, a freshly cross-mapped campaign, and updates to Assets (the functional components of the systems in the ICS domain), according to Robertson. “Our Assets refactoring effort seeks to align how different industries describe assets, in order to better map device functionality to core dependencies and associate the Assets to the relevant techniques.”

She added that through this effort “we’ve also been working to address gaps from underreported industries. We’ll continue to collaborate with the ICS community to better build out and describe assets and create these mappings. Our goal is to include Assets in the metadata box on technique pages to help inform defenders about a device’s susceptibility to techniques.”

Turning to mobile, Robertson wrote that users can now access Mobile-specific Data Sources. “Mobile has joined the filter list along with Enterprise and ICS, enabling you to toggle between the data sources for your chosen domain(s). In addition to the new Mobile-specific sources, the cross-domain mappings with Enterprise are now more accessible. The Mobile-specific and cross-mapped sources are also listed on the individual Data Source pages,” she added.

Over the next few months, “we’ll continue to add to our Mobile data sources, as well as architecting structured detections,” she added.

Robertson said that the Campaigns effort is going strong, with v13 showcasing a blend of recent cyber intrusions and activity previously captured only on a Group page. “A couple of our more contemporary entries include APT41’s compromise of U.S. state government networks (C0017), and an AvosLocker ransomware-as-a-service operation (C0018). Some of the older activity previously featured in Groups include APT29’s Operation Ghost and the SolarWinds compromise.”

She added that “the star of this release, and one we’re particularly excited about,” is the cross-domain Campaign entry, the 2016 Ukraine operation by Sandworm Team. “Over the next several months, we’ll continue to focus on criminal group operations and expanding on the hybrid Campaigns that traverse domains,” Robertson added.

MITRE also assessed known gaps in the Execution and Lateral Movement tactics of the Cloud matrix and built out additions to address some of the disparities. “These changes feature contributions from an ongoing partnership with the Cloud community to better represent behaviors in and against cloud technologies, as well as reflecting how organizations are using Cloud in their operations.”

Robertson confirmed that in the coming months MITRE will continue to expand coverage in these not-so-easy-to-capture cloud-related tactics, as well as evaluate where to develop more Exfiltration coverage. “Our end goal this year is to ensure that everyone can more effectively utilize ATT&CK for Cloud,” she added.

MITRE’s Linux team has spent the last few months going through contributions, coordinating with contributors, and navigating through open-source reporting for in-the-wild adversary behaviors. “This release includes updated and new Linux-only (sub)techniques that will enhance the Linux defender’s toolset. We’ll continue building out Linux coverage in ATT&CK, as well as gaining a better understanding of the adversaries operating in this space,” the post added. 

In conclusion, Robertson wrote that “we know you’re still trying to catch your breath from all the v13 adjustments, but we’re still sprinting for v14! October’s release will feature upgraded coverage across domains, renovated mitigations, new cross-domain mappings, more pseudocodes, and Mobile structured detections.”

Last October, MITRE announced ATT&CK v12, which introduced Campaigns in ATT&CK and Detections in ATT&CK for ICS, and updated the Enterprise, Mobile, and ICS knowledge bases with additions, changes, and deprecations across techniques, software, mitigations, APT groups, data sources, and data components. The v12 release added the Campaign data structure to ATT&CK with an initially limited set of Campaigns. ATT&CK v13 is now live.

At the ongoing RSA 2023 conference, MITRE released its MITRE Caldera for OT tool, which allows security teams to run automated adversary emulation exercises against OT (operational technology) environments. Built on the MITRE ATT&CK for ICS framework, MITRE Caldera for OT emulates attack paths and attacker capabilities defined either through ATT&CK for ICS or through custom-built plug-ins, giving organizations a cyber risk analysis and adversary emulation tool for securing critical infrastructure environments.