MITRE ATT&CK Resources for Threat Intelligence and Hunting

MITRE ATT&CK has been widely used for threat intelligence, threat detection and hunting, risk mitigation, and security product development.

The MITRE ATT&CK framework includes matrix for enterprise, ICS, and Mobile, etc. The matrices are organized and divided initially by $14$ tactics used by adversaries. Then each tactics list a number of techniques and sub-techniques.

The $14$ tactics are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control (C2), Exfiltration, and Impact.

In this post, I will list important resources related to the ATT&CK framework.

1. ATT&CK Matrices is the official knowledge base of adverasial Tactics, Techniques, and Procedures (TTPs).
2. Threat Intelligence Repository on GitHub contains the ATT&CK and CAPEC datasets expressed in STIX 2.0. Here, Structured Threat Information Expression (STIX) is a language that is used for sharing and exchanging threat intelligence information.
3. A python module named mitreattack-python is available for using python-based tools for working with ATT&CK. You can also locate it on this GitHub Repository.
4. Another python module named pyattck can be used to interact with the ATT&CK framework. Interestingly, this module can pull latest data from the following locations:
   • enterprise_attck_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json”
   • pre_attck_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json”
   • mobile_attck_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json”
   • ics_attck_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json”
   • nist_controls_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_nist_controls_v1.json”
   • generated_nist_json=”https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json”
5. Python scripts and utilities for working with ATT&CK, are available on this attack-scripts repository.
6. Another Python module attackcti provides options for classes and functions from cti-python-stix2 and cti-taxii-client libraries.
7. Awesome Resources
   • Awesome Mitre ATT&CK framework
   • Awesome Threat Detection and Hunting
   • Awesome Threat Intelligence
   • Awesome IOCs, IOC stands for Indicator of Compromise
8. The Mitre Visualizer on Github provides visualization of the ATT&CK TTPs.
9. The Threat Hunter Playbook shares detection logics and resources for detection-based developments. The objective is to help running detection logic against security datasets locally or remotely through BinderHub. Details are available on the Official Site.
10. A Info-Sec writer named Roberto Rodriguez on Medium.com has good number of blog posts related to ATT&CK for threat hunting. You can follow his writings and work procedurs.
11. Talking about medium.com, you can follow a particular channel named Open Threat Research for more posts related to ATT&CK.
12. A new framework named DeTT&CT has been developed to detect tactics, techniques; and combat threats.
13. A knowledge graph of security countermeasures, named D3FEND is developed for providing guidelined to the organizations about hardening, detection, isolation, deception, and eviction. D3FEND can be called the defender’s version of ATT&CK knowledge base.

So far, these are the most important resources I have found so far. I will keep updating the list of resources.

The awesome repositories are pretty good place to start since these curated lists present all varieties of resources available out there.

That’s all for today. Until next time, cheers! 😎