References - Contributing MITRE ATT&CK Data

Overview

This page provides an overview of the guidelines for contributing MITRE ATT&CK data into the ThreatConnect Platform. This information is primarily applicable to those developing a Threat Intelligence Feed integration.

Tagging In-Platform Data

For Developer Partners, MITRE ATT&CK data should be contributed in the form of Tags within the ThreatConnect Platform. These Tags can be applied to individual Indicators or Groups based on what seems most appropriate for the data set.

Tag Format

Full MITRE ATT&CK tags should have the following format:

<mitre_attack_technique_id>[.<mitre_attack_subtechnique_id>] - <mitre_attack_technique> - <tactic_abbr> - <data_abbr> - ATT&CK

The fields above have the following definitions:

  • <mitre_attack_technique_id> is the MITRE ATT&CK Technique ID such as T1220.

  • <mitre_attack_subtechnique_id> is the MITRE ATT&CK Sub-Technique ID such as 001. This field (along with the preceding .) is optional based on available data.

  • <mitre_attack_technique> is the MITRE ATT&CK Technique Name such as “XSL Script Processing”.

  • <tactic_abbr> is the MITRE ATT&CK Tactic translated into a three-character abbreviation using Table 2 in this document.

  • <data_abbr> is a three-character abbreviation for the MITRE ATT&CK data model: PRE (PRE-ATT&CK) or ENT (Enterprise ATT&CK).

  • ATT&CK is a static suffix that identifies the tag as belonging to the MITRE ATT&CK framework.

Partial Data

In the event that only partial data is available, the following rules should be applied:

  • If only the Tactic information is available, a tag of just the MITRE ATT&CK Tactic Name should be used with no other ATT&CK tags. Spaces in the Tactic Name should be replaced with the “-” character in this instance only.

  • In any scenario other than those described above, no ATT&CK tags should be applied.

Example Tags

The following tags are examples of this data model in action:

  • T1220 - XSL Script Processing - DEF - ENT - ATT&CK

  • T1546.011 - Event Triggered Execution - PER - ENT - ATT&CK

  • T1334 - Compromise 3rd party infrastructure to support delivery - EMI - PRE - ATT&CK

  • Command-and-Control

    • In this example, only the Tactic information is available, so the tag is the Tactic Name alone, with the “-” character replacing spaces.
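The following Python is an added example, not ThreatConnect code, that applies the Tag Format and Partial Data rules above to a feed record and parses a finished tag back into its fields. It assumes the three-character Tactic abbreviation has already been looked up in Table 2 (which is not reproduced on this page) and that "only Tactic information" means no technique fields are present at all.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a full tag, exactly as given under "Tag Format" above.
TAG_RE = re.compile(
    r"^(T\d{4})(?:\.(\d{3}))? - (.+?) - ([A-Z]{3}) - (PRE|ENT) - ATT&CK$"
)


@dataclass
class AttackRecord:
    """Whatever ATT&CK fields a feed record carries; any of them may be missing."""
    technique_id: Optional[str] = None      # e.g. "T1220"
    subtechnique_id: Optional[str] = None   # e.g. "011"
    technique_name: Optional[str] = None    # e.g. "XSL Script Processing"
    tactic_abbr: Optional[str] = None       # three-character code, looked up in Table 2 upstream
    data_abbr: Optional[str] = None         # "PRE" or "ENT"
    tactic_name: Optional[str] = None       # e.g. "Command and Control"


def build_tag(rec: AttackRecord) -> Optional[str]:
    """Return the tag to apply, or None when the rules say to apply no ATT&CK tag."""
    required = (rec.technique_id, rec.technique_name, rec.tactic_abbr, rec.data_abbr)
    if all(required):
        # Full data: reject malformed identifiers instead of emitting a bad tag.
        if not re.fullmatch(r"T\d{4}", rec.technique_id):
            raise ValueError(f"bad technique id: {rec.technique_id!r}")
        if rec.subtechnique_id and not re.fullmatch(r"\d{3}", rec.subtechnique_id):
            raise ValueError(f"bad sub-technique id: {rec.subtechnique_id!r}")
        if rec.data_abbr not in ("PRE", "ENT") or not re.fullmatch(r"[A-Z]{3}", rec.tactic_abbr):
            raise ValueError("data_abbr must be PRE/ENT and tactic_abbr a 3-letter code")
        tid = rec.technique_id + (f".{rec.subtechnique_id}" if rec.subtechnique_id else "")
        return f"{tid} - {rec.technique_name} - {rec.tactic_abbr} - {rec.data_abbr} - ATT&CK"
    # Partial data: only the Tactic is known -> Tactic Name with spaces replaced by "-".
    # (Assumption: "only Tactic information" means no technique fields at all.)
    if rec.tactic_name and not any((rec.technique_id, rec.subtechnique_id, rec.technique_name)):
        return rec.tactic_name.replace(" ", "-")
    # Any other partial combination: apply no ATT&CK tag.
    return None


def parse_tag(tag: str) -> Optional[dict]:
    """Split a full tag back into its fields; None if it does not match the format."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    tech, sub, name, tactic, data = m.groups()
    return {"technique_id": tech, "subtechnique_id": sub, "technique_name": name,
            "tactic_abbr": tactic, "data_abbr": data}
```

A Tactic-only tag such as "Command-and-Control" deliberately does not match TAG_RE, so a consumer can tell the two tag shapes apart by whether parse_tag returns None.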