The ATT&CK repository is a constantly updated knowledge base of behaviors observed most frequently in the wild, which can be extremely useful for detection, prioritization and analysis of security incidents. But resource strapped teams can find it challenging to leverage the full power of the ATT&CK knowledge base in their mission critical workflows. Our release today is focused on making it easier to overlay adversarial behavior and context on reports and indicators in TruSTAR.
What can I do with ATT&CK?
As part of TruSTAR’s suite of intelligence management capabilities we now allow you to associate MITRE ATT&CK techniques and tactics. With this feature TruSTAR users can now:
- Accelerate Prioritization & Resolution: We will now automatically correlate all alerts, cases and indicators that share ATT&CK TTP’s. This will help analysts quickly uncover linkages in adversarial behavior, actors, malwares and IoC and prioritize their response actions.
- Move Up the Pyramid of Pain: By linking IP’s, malware hashes and other observables with ATT&CK TTP’s analysts can take more holistic action rather than just blocking and tackling on individual data points. You can also map ATT&CK TTP’s with resolved cases and create a library of cases organized by ATT&CK.
- Assess Operational Controls: By using data available from TTP trends computed from their premium intel sources and submissions to TrusTAR, users can be more empirically driven in assessing gaps in operational controls and make appropriate adjustments to increase coverage of their attack surface.
Mitre ATT&CK Framework in TruSTAR
You can take the following actions to enrich and categorize your reports and indicators with the ATT&CK knowledge base.
Creating MITRE ATT&CK Tags for Reports
You can tag your internal reports with MITRE ATT&CK tactics or techniques by selecting the MITRE ATT&CK tab under the tags section on the reports view page.
Selecting the MITRE ATT&CK tab will allow users to select the tactics or techniques to associate to the report. Users can select multiple tactics or techniques to associate to each report.
MITRE ATT&CK tags will show in the tags section of the report after you save changes. All MITRE tags are preceded by "mitre/" to help differentiate it from other report tags
Creating MITRE Tags for IOCs
Similar to the tagging of reports users can assign MITRE ATT&CK tags to IOC's. Users can search or chose IOC's on the graph to assign MITRE ATT&CK tags.
Filtering MITRE Tags
In the reports and IOC's list panel you can filter by MITRE ATT&CK tags to view only reports and indicators associated with a MITRE ATT&CK tag.
We will be making continual updates to our MITRE ATT&CK capability and we welcome questions and feedback on improvements. Please don’t hesitate to send us a quick note here.