Thursday, March 12, 2020

2020 ATT&CK Roadmap

Taking a look back at 2019 and presenting a 2020 roadmap for ATT&CK

Written by Blake Strom and Amy Robertson

We started 2019 with a bold series of goals, and with the help of the MITRE ATT&CK® community and hard work from our team, we've accomplished many of those and more.

With your input, we developed and published the Impact tactic to address integrity and availability attacks against enterprise systems. We reworked how mitigations are represented in ATT&CK to make the information easier to use. The (ongoing) Sightings pilot was launched to collect contributions on raw sightings of ATT&CK techniques, and we kicked off the second round of ATT&CK Evaluations with a new actor and a new approach leveraging contributions. The "Getting Started with ATT&CK" series was unveiled, and we're looking forward to sharing more use cases in the coming months. We released ATT&CK for Cloud, a needed expansion to ATT&CK that wouldn't have been possible without significant community contributions. Our work on restructuring ATT&CK with sub-techniques continued through feedback from the community, and we're targeting a release in the upcoming months. You told us that ATT&CKcon 2.0 was a success, and the Threat Report ATT&CK Mapper (TRAM) enjoyed a beta release. Finally, we started an ATT&CK training series, which kicked off with the release of our ATT&CK for Cyber Threat Intelligence (CTI) training.

To our ATT&CK community, we're grateful for your passion, support and involvement and we're excited about a new decade of collaboration. Our team has been working towards some significant adjustments to ATT&CK in 2020, including a few new additions and several modifications that have been percolating for a while. We look forward to connecting with you as we forge ahead with our 2020 Roadmap.

Members of the ATT&CK Team at ATT&CKcon 2.0

Restructuring, Refinement and Revamping

We have a lot planned for Enterprise ATT&CK in 2020. We'll be restructuring the framework with sub-techniques, revamping ATT&CK's data sources, and refining Mobile, PRE-ATT&CK, Cloud, and ICS. We'll also be publishing a new extension of ATT&CK to cover behavior against network devices such as routers. Throughout all these updates and adjustments, we welcome your feedback. Our goal is to ensure that ATT&CK continues to be a valuable resource, and if an adjustment undermines usability, or if there are ways to enhance your overall experience, we want to know.

The sub-techniques journey is nearly complete — we're targeting a soft launch in March and you can read about the latest details here. We've been working to minimize the impact of the associated realignment and have addressed many of the concerns that you raised. To simplify the transition, we're refining a crosswalk from old technique IDs to new ones, or mapping newly broken out sub-techniques to higher level techniques.

The sub-techniques will be published on a companion site alongside the main ATT&CK site, clearly charting out the changes. This companion site will give everyone a few months to preview and process the full scope of the changes before we finalize that version and make it official. The old site will then be added to the previous versions for reference. Once we release the new ATT&CK framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments.

We're also nearly finished revamping the data sources used for Enterprise techniques and we're excited about the enhancements. Data sources are one of the most critical aspects of ATT&CK, and we'll be sharing some additional details in the coming weeks about our new methodology to define sources. The details won't be ready to be included in the sub-technique update, but we will be posting the new data sources definitions and details to GitHub to get them out faster. The updated data sources model will be implemented into the site after the sub-techniques are published.

On the ATT&CK for Cloud front, we've been working towards refining it into sub-techniques and getting new contributors on board to help us expand. ATT&CK for Cloud was built around nearly 100% community contributions for techniques, and we'll continue to leverage this expertise to enhance the model. Our goal is to jump back into expanding Cloud with new techniques after sub-techniques are released and to publish the second set of techniques in the fall.

The adversary behavior model for Network Infrastructure Devices is being developed with routers, switches, and firewalls in mind. We've been leveraging open source reporting and have coordinated closely with industry. The Network research will ultimately impact the current ATT&CK structure with a new platform, but we are developing it with sub-techniques in mind. We're targeting an initial release of our research in the fall and will use the contributor process you're already familiar with to keep it updated.

We're still working to improve consistency and integration between PRE-ATT&CK, Mobile ATT&CK, and Enterprise ATT&CK and are moving towards an eventual "One ATT&CK" model. This will include refining ATT&CK based on the changing threat landscape for enterprise systems, focusing on Windows, Mac, and Linux. The technical content in PRE-ATT&CK will be brought up to the same level as ATT&CK for Enterprise and will be integrated into ATT&CK as two new tactics. Our goal with this revamp is to better prepare users to identify who to defend against and the applicable defensive options. The team will continue to refine the Mobile ATT&CK model, focusing on Android and iOS, with the addition of sub-techniques and upgraded data sources. We plan to assess merging the Mobile and Enterprise ATT&CK models later in the year.

In the same vein, we're moving forward with our research and refinement of ATT&CK for ICS techniques. ATT&CK for ICS is a community-driven project, and we'll maintain this close collaboration with stakeholders to hone the knowledge base. All the technique adjustments and releases will be based on your input and any new threat reporting on incidents. The separate ATT&CK for ICS wiki that was published in January 2020 will allow the ICS knowledge base to mature separately from the rest of ATT&CK, allowing for more rapid updates. We also plan on evaluating if merging ATT&CK for ICS with the main ATT&CK knowledge base makes sense towards the end of the year, including translating the information into STIX and integrating it into the main ATT&CK website and tools like the ATT&CK Navigator. We'd appreciate your involvement on this approach, and we look forward to hearing about what you think as we move forward.

Mapping, Developing, and Sightings

On the mapping automation front, we're moving full speed ahead. The Threat Report ATT&CK Mapper (TRAM) was beta released in December, and we'll continue developing it this year. TRAM is currently a functional prototype and we plan on improving the interface, adding some new features, and enhancing overall functionality throughout the year. Some of our targeted updates include the ability to ingest additional file types, more output formats, and supporting multiple users simultaneously. As we add and update these features, we'll announce the changes and keep our public repository current. We're looking forward to hearing about your experience with TRAM as we move towards more feature implementations.

TRAM's Workflow

Our team has also been working to map ATT&CK to NIST 800.53 v4. Mapping ATT&CK to common control frameworks will better support efforts to identify controls that mitigate relevant threats, and identify capability gaps. We'll be collaborating with CIS on their current model that maps CIS controls to ATT&CK to expand the mappings into other frameworks. We hope to share more details on the model and where it'll be featured soon. Our current prototype for NIST 800.53 will be published to the ATT&CK GitHub and we'd like your involvement in maintaining and updating it. Our goal is to provide a flexible mapping structure that evolves with the environment, and is user-friendly. If you've already started a mapping, or have some ideas about what types of mappings would be most valuable, reach out and let us know.

Cyber Analytics Repository (CAR) will be updated this year with new analytics. We'll be developing analytics internally, working through external contributions, and adding implementations for new and existing analytics. We'll also be updating how we capture ATT&CK coverage for better accuracy and compatibility with sub-techniques. We're planning updates to CAR sensors to better reflect the current product landscape, and data model revisions showcasing modern sensor data, which will directly support the creation of analytics against the data. We're also hoping to update the CAR Exploration Tool (CARET) to improve UI, usability, and to take advantage of the other structural changes to ATT&CK.

We launched our ATT&CK Sightings pilot in 2019 to empower defenders globally by providing them with continuous information about what ATT&CK techniques adversaries are using and how they're using them. The Sightings program will do this by collecting anonymous contributions of observations of ATT&CK techniques in the wild from numerous, diverse sources and then publishing insights based on that data.

The pilot is ongoing, and we've set a deadline of April 30 to get commitments and pilot data sets from the initial cohort of contributors. We're actively working with contributors to overcome barriers and provide value back. This program is community-driven and can't be successful without your help. You can read our recent Sightings update for more information about how you can contribute and what's next for the Sightings pilot.

Finally, ATT&CK Evaluations will be conducting a new round under a new format emulating the Carbanak and FIN7 groups. MITRE-Engenuity will assume the reins moving forward, and continue to advance ATT&CK Evaluations. You can find more details about the Carbanak+FIN7 Evaluation here.

We will be hosting a new type of event May 18–20 to bring US government organizations together to discuss how they use ATT&CK and how they've overcome challenges. The call for presentations is open through March and you can find out more here.

We also know there's a lot of interest in the next ATT&CKcon. We're working through initial planning right now and we'll have more details to share in April.

ATT&CKing the Next Decade

The future of ATT&CK depends on community engagement as much as it does where adversaries go next. ATT&CK's success hinges on our partnership with the community and our collective ability to innovate and share knowledge. With you, as the community, serving as advisors, collaborators and champions, ATT&CK will be more impactful than ever.

We'll continue to leverage your input at every stage, including how to evolve ATT&CK. We're excited about how ATT&CK will advance in 2020, but we're even more energized by where we see ATT&CK going in the next few years.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–00696–24.

2020 ATT&CK Roadmap was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.