Using the Synapse-Mitre-Attack Power-Up to Ask Questions of the MITRE ATT&CK Framework

by savage | 2023-07-12


Ask most threat intelligence analysts and you’ll likely find that they have at least heard of the MITRE ATT&CK® framework. MITRE first developed the ubiquitous ATT&CK framework in 2013, intending for ATT&CK to serve as a "knowledge base of adversary tactics and techniques based on real-world observations". In addition to cataloging tactics and techniques identified in Enterprise, ICS, and Mobile environments, ATT&CK also lists software and groups linked to intrusion activity, as well as mitigation strategies. Today, organizations often reference the framework when reporting on threat activity or sharing new research. Here we’ll show how we can use the Synapse-Mitre-Attack Power-Up to import and map references to ATT&CK elements.

What is the Synapse-Mitre-Attack Power-Up?

Synapse-Mitre-Attack is a publicly available Synapse Power-Up that analysts can use to retrieve the current Enterprise, ICS, and Mobile matrices from MITRE's public GitHub repository and represent them within Synapse. Analysts can then link ATT&CK elements to other nodes, as well as to tags, providing the ability to ask questions of the framework and related data.

Representing and Querying the MITRE ATT&CK® Matrix and Elements Within Synapse

Run the mitre.attack.sync command to import and model the ATT&CK-cataloged tactics, techniques, mitigations, software, and groups in your Synapse instance. This will give you the ability to view and navigate the ATT&CK matrices without needing to leave Synapse. The Power-Up will specify the associated matrix (Enterprise, Mobile, or ICS) for tactics, techniques, and mitigation nodes, and will also capture the page URLs for each. Therefore, if you need to reference the web page itself you can do so by clicking the link in the :url property and selecting the "open" option.
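To make concrete what a sync has to do, here is an added example (not the Power-Up's own code) that parses the kind of data it pulls from GitHub. MITRE publishes ATT&CK there as STIX 2 JSON bundles, where every ATT&CK object carries an external_references entry with source_name "mitre-attack" and the familiar T/G/S/M identifier as external_id. The example maps those objects onto the Synapse forms named in this post and emits the Storm that would create the nodes. The bundle is a constructed sample modelled on the real layout; the :name, :url and :names properties are the ones this post uses, while :matrices is assumed to be an array property on technique and mitigation nodes.

```python
"""Added example: STIX bundle objects -> Synapse ATT&CK forms -> Storm.

Not the Synapse-Mitre-Attack Power-Up's implementation; it illustrates the
mapping that mitre.attack.sync has to perform.
"""
import json
import re

# STIX object type -> Synapse form (the forms named in the post).
STIX_TO_FORM = {
    "attack-pattern": "it:mitre:attack:technique",
    "intrusion-set": "it:mitre:attack:group",
    "malware": "it:mitre:attack:software",
    "tool": "it:mitre:attack:software",
    "course-of-action": "it:mitre:attack:mitigation",
}

# Identifier shape each form expects; stray references are rejected.
ID_PATTERN = {
    "it:mitre:attack:technique": re.compile(r"^T\d{4}(\.\d{3})?$"),
    "it:mitre:attack:group": re.compile(r"^G\d{4}$"),
    "it:mitre:attack:software": re.compile(r"^S\d{4}$"),
    "it:mitre:attack:mitigation": re.compile(r"^M\d{4}$"),
}


def load_bundle(path):
    """Load a bundle file as downloaded from MITRE's repository."""
    with open(path, encoding="utf-8") as fd:
        return json.load(fd)


def attack_ref(obj):
    """Return (external_id, url) from the mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"], ref.get("url", "")
    return None


def bundle_to_nodes(bundle):
    """Convert bundle objects into plain dicts describing Synapse nodes."""
    nodes = []
    for obj in bundle.get("objects", []):
        form = STIX_TO_FORM.get(obj.get("type"))
        if form is None:  # relationships, tactics, identities, ...
            continue
        # Revoked and deprecated objects remain in the bundle; skip them.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ref = attack_ref(obj)
        if ref is None or not ID_PATTERN[form].match(ref[0]):
            continue
        nodes.append({
            "form": form,
            "id": ref[0],
            "name": obj.get("name", ""),
            "url": ref[1],
            # "enterprise-attack" -> "enterprise", matching the post's matrix names.
            "matrices": [d.removesuffix("-attack") for d in obj.get("x_mitre_domains", [])],
            "names": list(obj.get("aliases", [])),  # intrusion-set aliases
        })
    return nodes


def storm_str(value):
    """Quote a value as a Storm double-quoted string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def storm_list(values):
    return "(" + ", ".join(storm_str(v) for v in values) + ")"


def to_storm(node):
    """Emit one Storm edit block that creates/updates the node."""
    props = [f":name={storm_str(node['name'])}"]
    if node["url"]:
        props.append(f":url={storm_str(node['url'])}")
    # Assumption: :matrices is an array prop on technique and mitigation nodes.
    if node["matrices"] and node["form"] in ("it:mitre:attack:technique", "it:mitre:attack:mitigation"):
        props.append(f":matrices={storm_list(node['matrices'])}")
    if node["names"] and node["form"] == "it:mitre:attack:group":
        props.append(f":names={storm_list(node['names'])}")
    return f"[ {node['form']}={node['id']} {' '.join(props)} ]"


# Constructed sample bundle (shape only; not a real MITRE download).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Phishing", "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566",
                                  "url": "https://attack.mitre.org/techniques/T1566"}]},
        {"type": "attack-pattern", "name": "CMSTP", "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1218.003",
                                  "url": "https://attack.mitre.org/techniques/T1218/003"}]},
        {"type": "intrusion-set", "name": "APT28", "aliases": ["APT28", "Sofacy", "Fancy Bear"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0007",
                                  "url": "https://attack.mitre.org/groups/G0007"}]},
        {"type": "course-of-action", "name": "Execution Prevention", "x_mitre_domains": ["enterprise-attack"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1038",
                                  "url": "https://attack.mitre.org/mitigations/M1038"}]},
        {"type": "malware", "name": "Retired Sample", "revoked": True,  # must be skipped
         "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}]},
        {"type": "relationship", "relationship_type": "uses"},  # no ATT&CK ID, skipped
    ],
}

if __name__ == "__main__":
    for node in bundle_to_nodes(SAMPLE_BUNDLE):
        print(to_storm(node))
```

Running the block prints four Storm edit blocks, one per surviving object; the revoked malware object and the relationship object produce nothing, which is the behaviour you want from a sync that should not resurrect retired entries.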

Having the MITRE ATT&CK® framework represented within Synapse means that you can run queries to answer questions such as:

How can I use Text Search query mode to look up the ATT&CK group equivalent to "BackdoorDiplomacy"?

_images/group1.gif

How can I use Text Search query mode to look up the ATT&CK software equivalent to "Gazer" malware?

_images/gazer4.gif

How can I use Storm mode to view all threat groups ATT&CK tracks?

it:mitre:attack:group
_images/groups.gif

What other names does ATT&CK associate with APT40?

it:mitre:attack:group:names*[~=apt40] -> ou:name
_images/apt40.webp

What techniques does ATT&CK associate with the Sofacy group? (Answer: a lot....)

it:mitre:attack:group:names*[~=sofacy] -> it:mitre:attack:technique
_images/techniques_1.gif

What software does ATT&CK associate with exfiltrating data over Bluetooth?

it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:software
_images/bluetooth1.webp

What other techniques does ATT&CK associate with that software?

it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:software -> it:mitre:attack:technique
_images/bluetooth2.webp

What mitigation strategies does ATT&CK recommend to address exfiltrating data over Bluetooth?

it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:mitigation
_images/mitigation.webp

Pivoting from ATT&CK Elements to Query Other Nodes in Synapse

We can also create and pivot across light edges to answer questions about references to ATT&CK elements. Two other Synapse-Mitre-Attack commands, mitre.attack.scrape and mitre.attack.enrich, will identify references to ATT&CK elements in node properties and create light edges between those nodes and the ATT&CK elements that they reference. The mitre.attack.scrape command will scrape existing ATT&CK elements from any specified form and property, while mitre.attack.enrich will scrape ATT&CK elements from media:news:summary and inet:web:post:text properties. As analysts, we can use these commands to do things like map references from reports modeled as media:news nodes to an ATT&CK element noted in the :title or :summary properties, or map an it:app:yara:rule node (as an example) to an ATT&CK element contained in the node’s :text property, or any text we specify.

The Synapse-Mitre-Attack Power-Up also includes the mitre.attack.scrapefile command, which acts as a custom fileparser capable of parsing out ATT&CK strings from a file:bytes node and linking the modeled references back to the node. For Synapse Enterprise users, installing the Synapse-Mitre-Attack Power-Up will automatically add the ability to scrape ATT&CK references to the Spotlight Tool.
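The scrape, enrich and scrapefile commands all reduce to the same step: find ATT&CK references in a piece of text and attach a refs light edge from the source node to each referenced ATT&CK node. The following added example (not the Power-Up's implementation) shows that step over a constructed media:news summary and a constructed it:app:yara:rule text. It recognises T/G/S/M identifiers, including sub-technique IDs, and technique names from a small lookup table that is an assumption here (a real run would draw the names from the it:mitre:attack:technique:name values already synced). The guid values are constructed placeholders, and the emitted Storm uses the same refs edge the post's queries traverse.

```python
"""Added example: scrape ATT&CK references from text and emit refs edges.

Not the Synapse-Mitre-Attack Power-Up's code; it illustrates what
mitre.attack.scrape / mitre.attack.enrich have to do to a property value.
"""
import re

# T IDs may carry a sub-technique suffix; G/S/M IDs never do.
ID_RE = re.compile(r"\b(T\d{4}(?:\.\d{3})?|[GSM]\d{4})\b")

FORM_BY_PREFIX = {
    "T": "it:mitre:attack:technique",
    "G": "it:mitre:attack:group",
    "S": "it:mitre:attack:software",
    "M": "it:mitre:attack:mitigation",
}

# Constructed name index (assumption): lower-cased technique name -> ID.
TECHNIQUE_NAMES = {
    "exfiltration to cloud storage": "T1567.002",
    "cmstp": "T1218.003",
    "phishing": "T1566",
}


def scrape_attack_refs(text, known=None):
    """Return sorted (form, attack_id) pairs referenced in text.

    The regex cannot tell a real ID from a look-alike such as a part number,
    so pass `known` (the IDs already synced into the Cortex) to drop
    references that no ATT&CK node would match.
    """
    found = set()
    for match in ID_RE.finditer(text):
        attack_id = match.group(1)
        found.add((FORM_BY_PREFIX[attack_id[0]], attack_id))
    lowered = text.lower()
    for name, attack_id in TECHNIQUE_NAMES.items():
        if re.search(r"\b" + re.escape(name) + r"\b", lowered):
            found.add((FORM_BY_PREFIX["T"], attack_id))
    if known is not None:
        found = {pair for pair in found if pair[1] in known}
    return sorted(found)


def refs_storm(form, iden, text, known=None):
    """Storm that adds a refs edge from the node form=iden to each reference.

    Mirrors the post's queries, where media:news and it:app:yara:rule nodes
    sit on the source side of `-(refs)>` and ATT&CK nodes on the target side.
    """
    refs = scrape_attack_refs(text, known)
    if not refs:
        return None
    edges = " ".join(f"+(refs)> {{ {tform}={tid} }}" for tform, tid in refs)
    return f"{form}={iden} [ {edges} ]"


# Constructed sample property values; the guids are placeholders.
NEWS_IDEN = "00000000000000000000000000000001"
NEWS_SUMMARY = ("ESET reports that G0007 staged archives and used Exfiltration to "
                "Cloud Storage (T1567.002) to move them to a cloud drive.")

YARA_IDEN = "00000000000000000000000000000002"
YARA_TEXT = ('rule cmstp_proxy_exec {\n'
             '  meta:\n'
             '    description = "CMSTP.exe proxy execution, ATT&CK T1218.003; see M1038"\n'
             '  strings:\n'
             '    $a = "cmstp.exe" ascii nocase\n'
             '  condition:\n'
             '    $a\n'
             '}')

if __name__ == "__main__":
    print(refs_storm("media:news", NEWS_IDEN, NEWS_SUMMARY))
    print(refs_storm("it:app:yara:rule", YARA_IDEN, YARA_TEXT))
```

Note that the YARA text mentions CMSTP both by name and by ID; the set de-duplicates them into a single edge, so repeated scraping of the same node stays idempotent, and the `known` filter is the cheap check that keeps a stray "T9999" in a report from creating an edge to a node that does not exist.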

These commands give us the ability to ask questions like:

Have we modeled any reports from ESET mentioning activity that involves exfiltrating data to cloud storage?

it:mitre:attack:technique:name="Exfiltration to Cloud Storage" <(refs)-media:news +:publisher:name=eset
_images/medianews.webp

Have we modeled any YARA rules that reference abusing Microsoft Connection Manager Profile Installer (CMSTP.exe)?

it:mitre:attack:technique:name=CMSTP <(refs)-it:app:yara:rule
_images/yararule.webp

Translating ATT&CK Elements into Synapse's Risk Data Model

Analysts can use the Synapse-Mitre-Attack Power-Up’s mitre.attack.translate command to "translate" the ATT&CK-identified groups, software, and techniques into risk:threat, risk:tool:software, and ou:technique nodes. Below, we use the mitre.attack.translate command to translate five it:mitre:attack:group nodes into corresponding risk:threat nodes:

it:mitre:attack:group | limit 5 | mitre.attack.translate --yield
_images/translate_group3.gif

Translating the ATT&CK group, software, and technique elements integrates the ATT&CK elements into the risk:* and ou:* aspects of the Synapse data model. This lets us include ATT&CK elements in our results when we run queries to answer questions such as:

What threat clusters do we know of that correspond to the name "Lazarus"?

Note that we can use the Vertex Threat Intel Workflow for this query, as seen below:

_images/lazarus.gif