A tactic is a column in one or more ATT&CK matrices. It describes the tactical "goal" an adversary might want to achieve by carrying out the techniques under that tactic.
Tactics are not necessarily specific to any given matrix or platform. Some tactics are shared, some are not.
Data model
Title
Description
ID
Proposals
As STIX
{
"type": "x-attack-tactic-meta",
"id": "x-attack-tactic-meta--8746b0b4-7304-4edb-90dc-7264301c15a1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-12T08:17:00.000Z",
"modified": "2017-12-12T08:17:00.000Z",
"name": "Persistence",
"external_references": [
{
"source_name": "mitre-attack",
"source_id": "TACTIC-0001",
"url": "https://attack.mitre.org/wiki/Persistence"
}
],
"description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.",
"domain": "mitre-attack"
}
As Config File
The configuration file would include both matrix and tactic information, and could look like the current navigator config file, here.
A matrix is a view of the ATT&CK techniques, organized under tactics, and scoped to a particular set of tactics and platforms. There are three matrices:
ATT&CK for Enterprise matrix shows the tactics in the "act" phase (compromise and beyond) for the Windows, Linux, and Mac platforms.
ATT&CK for Mobile matrix shows the tactics in the "act" phase (compromise and beyond) for the iOS and Android platforms, as well as some tactics in the "prepare" phase that are specific to mobile.
The PRE-ATT&CK matrix shows the tactics in the "prepare" phase for all platforms.
Data model
Title
Description
Ordered list of tactics to include
Set of platforms to include techniques for (if a technique has a platform in this list, it is included). Note that for PRE-ATT&CK this is effectively all platforms, which includes no platform.
Note: The Mobile ATT&CK matrix is currently represented as three sub-matrices. This write-up does not address or support that.
Related Data
Tactics
Tactics will be represented as STIX Custom Objects and will be given IDs.
Techniques
Techniques are represented as STIX Attack Patterns. For the purpose of inclusion in a matrix, the kill_chain_phases.phase_name (tactic name) and the x_mitre_platforms list (platforms) are the fields that are matched against the matrix.
Considerations
Currently, all ATT&CK content is shared via STIX/TAXII. Does that mean matrices should as well?
Furthermore, for those that are using the TAXII server to get the ATT&CK content, will it be problematic for them to update their content based on changes to the TAXII server as well as an ATT&CK configuration file?
Are we overcomplicating things for people by forcing content into STIX when it doesn't fit?
How easy is it to take the matrix representation and use it to render a matrix?
How easy is it to adapt the configuration to other types of matrices?
How easy is it for the ATT&CK Editor + publish_attack to create and maintain STIX objects for tactics and matrices?
Proposals
Proposal 1: STIX Custom Objects
Each matrix is a STIX custom object. As an example:
{
"type": "x-mitre-attack-matrix",
"id": "x-mitre-attack-matrix--3368697c-75c4-4b90-88f3-e844fde61fb7",
"created": "2018-06-14T13:32:02.072Z",
"modified": "2018-06-14T13:32:02.072Z",
"name": "ATT&CK for Enterprise",
"description": "ATT&CK for Enterprise is an adversary behavior model that describes the actions an adversary may take to compromise and operate within an enterprise network.",
"tactics": [
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"exfiltration",
"command-and-control"
],
"platforms": [
"Windows",
"Linux",
"macOS"
]
}
There would be three of these custom objects (for now).
For ease of explanation (and because I don't know what the IDs will be) the tactic list above just uses the names. They could easily use IDs instead, though.
Proposal 2: ATT&CK Configuration File
There's an overall configuration file describing ATT&CK more generally. The file contains a list of matrices that describe the same information that would be in the STIX custom objects.
Note that if this approach were taken, it could also be used to describe the tactics themselves (rather than using STIX custom objects).
{
"matrices": [
{
"name": "ATT&CK for Enterprise",
"description": "ATT&CK for Enterprise is an adversary behavior model that describes the actions an adversary may take to compromise and operate within an enterprise network.",
"tactics": [
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"exfiltration",
"command-and-control"
],
"platforms": [
"Windows",
"Linux",
"macOS"
]
},
{ ... },
{ ... }
]
}
As above, the tactic list could use IDs rather than names.
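The inclusion rule from the Related Data section (match on kill_chain_phases.phase_name and x_mitre_platforms) is the same whether a matrix comes from the Proposal 1 custom object or from a Proposal 2 configuration entry, since both carry the same tactics and platforms fields. The following is an added example, not code from the page or from the ATT&CK project, that renders a matrix from those two fields and handles the PRE-ATT&CK case where the platform set is empty; the matrix, attack patterns and the ap() helper are all constructed here.

```python
# Constructed sample data, not from the original page: one matrix in the
# Proposal 1 shape, one PRE-ATT&CK style matrix, and four attack patterns.
MATRIX = {"name": "ATT&CK for Enterprise",
          "tactics": ["initial-access", "execution", "persistence"],
          "platforms": ["Windows", "Linux", "macOS"]}
PRE_MATRIX = {"name": "PRE-ATT&CK", "tactics": ["target-selection"],
              "platforms": []}   # "all platforms, which includes no platform"

def ap(name, phases, platforms=None):
    """Build a minimal STIX attack-pattern (constructed helper)."""
    obj = {"type": "attack-pattern", "name": name,
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                  "phase_name": p} for p in phases]}
    if platforms is not None:
        obj["x_mitre_platforms"] = platforms
    return obj

TECHNIQUES = [
    ap("WinPersist", ["persistence"], ["Windows"]),
    ap("ExecPersist", ["execution", "persistence"], ["Linux", "macOS"]),
    ap("AndroidPersist", ["persistence"], ["Android"]),  # platform not in matrix
    ap("PreTargeting", ["target-selection"]),            # no platform list at all
]

def technique_in_matrix(technique, matrix):
    """Inclusion rule: a phase_name must match one of the matrix's tactics and
    x_mitre_platforms must share a platform with the matrix. An empty matrix
    platform set (PRE-ATT&CK) matches everything, even with no platforms."""
    phases = {p["phase_name"] for p in technique.get("kill_chain_phases", [])}
    if not phases & set(matrix["tactics"]):
        return False
    wanted = set(matrix.get("platforms", []))
    if not wanted:
        return True
    return bool(wanted & set(technique.get("x_mitre_platforms", [])))

def render_matrix(matrix, techniques):
    """Return {tactic: [technique names]} in the matrix's tactic order, one
    column per tactic; a multi-tactic technique lands in each of its columns."""
    columns = {t: [] for t in matrix["tactics"]}
    for tech in techniques:
        if technique_in_matrix(tech, matrix):
            for phase in tech["kill_chain_phases"]:
                if phase["phase_name"] in columns:
                    columns[phase["phase_name"]].append(tech["name"])
    return columns

if __name__ == "__main__":
    for tactic, names in render_matrix(MATRIX, TECHNIQUES).items():
        print(f"{tactic:18} {', '.join(names) or '-'}")
```

Column order follows the matrix's ordered tactic list, which is why the data model calls for an ordered list rather than a set of tactics.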