Using the Synapse-Mitre-Attack Power-Up to Ask Questions of the MITRE ATT&CK Framework
by savage | 2023-07-12
Ask most threat intelligence analysts and you’ll likely find that they have at least heard of the MITRE ATT&CK® framework. MITRE first developed the ubiquitous ATT&CK framework in 2013, intending for ATT&CK to serve as a "knowledge base of adversary tactics and techniques based on real-world observations". In addition to cataloging tactics and techniques identified in Enterprise, ICS, and Mobile environments, ATT&CK also lists software and groups linked to intrusion activity, as well as mitigation strategies. Today, organizations often reference the framework when reporting on threat activity or sharing new research. Here we’ll show how we can use the Synapse-Mitre-Attack Power-Up to import and map references to ATT&CK elements.
What is the Synapse-Mitre-Attack Power-Up?
Synapse-Mitre-Attack is a publicly available Synapse Power-Up that analysts can use to retrieve the current Enterprise, ICS, and Mobile matrices from MITRE's public GitHub repository and represent them within Synapse. Analysts can then link ATT&CK elements to other nodes, as well as to tags, providing the ability to ask questions of the framework and related data.
Representing and Querying the MITRE ATT&CK® Matrix and Elements Within Synapse
Use the mitre.attack.sync command to import and model the ATT&CK-cataloged tactics, techniques, mitigations, software, and groups in your Synapse instance. This gives you the ability to view and navigate the ATT&CK matrices without needing to leave Synapse. The Power-Up specifies the associated matrix (Enterprise, Mobile, or ICS) for tactic, technique, and mitigation nodes, and also captures the page URL for each. Therefore, if you need to reference the web page itself, you can do so by clicking the link in the :url property and selecting the "open" option.
Having the MITRE ATT&CK® framework represented within Synapse means that you can run queries to answer questions such as:
How can I use Text Search query mode to look up the ATT&CK group equivalent to "BackdoorDiplomacy"?
How can I use Text Search query mode to look up the ATT&CK software equivalent to "Gazer" malware?
How can I use Storm mode to view all threat groups ATT&CK tracks?
What other names does ATT&CK associate with APT40?
it:mitre:attack:group:names*[~=apt40] -> ou:name
What techniques does ATT&CK associate with the Sofacy group? (Answer: a lot....)
it:mitre:attack:group:names*[~=sofacy] -> it:mitre:attack:technique
What software does ATT&CK associate with exfiltrating data over Bluetooth?
it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:software
What other techniques does ATT&CK associate with that software?
it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:software -> it:mitre:attack:technique
What mitigation strategies does ATT&CK recommend to address exfiltrating data over Bluetooth?
it:mitre:attack:technique:name~=Bluetooth -> it:mitre:attack:mitigation
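The same chain of questions (group aliases to techniques, technique to software to sibling techniques, technique to mitigations) can be answered directly against the STIX bundle format that the Power-Up syncs from MITRE's GitHub repository. This is an added example, not the Power-Up's own code: the bundle is a constructed fragment laid out like ATT&CK's STIX objects, and every G/T/S/M identifier and name in it is made up. It also shows the one edge case an importer must handle, relationships marked revoked or deprecated, which ATT&CK keeps in the bundle but never surfaces.

```python
import re
from collections import defaultdict
def sdo(typ, ref, ext_id, name, **extra):
    """Minimal ATT&CK-style STIX domain object (constructed sample data, not MITRE's)."""
    return {"type": typ, "id": ref, "name": name, **extra,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
def rel(rtype, src, dst, **extra):
    return {"type": "relationship", "relationship_type": rtype, "source_ref": src, "target_ref": dst, **extra}
BUNDLE = {"type": "bundle", "objects": [
    sdo("intrusion-set", "intrusion-set--g1", "G9001", "Example Group", aliases=["EXGROUP"]),
    sdo("attack-pattern", "attack-pattern--t1", "T9001", "Exfiltration Over Bluetooth"),
    sdo("attack-pattern", "attack-pattern--t2", "T9002", "Scheduled Task"),
    sdo("malware", "malware--s1", "S9001", "ExampleRAT"),
    sdo("course-of-action", "course-of-action--m1", "M9001", "Operating System Configuration"),
    rel("uses", "intrusion-set--g1", "attack-pattern--t1"),
    rel("uses", "malware--s1", "attack-pattern--t1"),
    rel("uses", "malware--s1", "attack-pattern--t2"),
    rel("mitigates", "course-of-action--m1", "attack-pattern--t1"),
    rel("uses", "intrusion-set--g1", "attack-pattern--t2", revoked=True),  # revoked edges must be ignored
]}
class AttackGraph:
    def __init__(self, bundle):
        self.objs, self.edges = {}, defaultdict(set)  # edges[(ref, rel_type, "out"|"in")] -> set of refs
        for o in bundle["objects"]:
            if o.get("revoked") or o.get("x_mitre_deprecated"):
                continue  # ATT&CK bundles keep revoked/deprecated content; a faithful importer skips it
            if o["type"] == "relationship":
                self.edges[(o["source_ref"], o["relationship_type"], "out")].add(o["target_ref"])
                self.edges[(o["target_ref"], o["relationship_type"], "in")].add(o["source_ref"])
            else:
                self.objs[o["id"]] = o
    def find(self, typ, pattern):  # lift one object type by case-insensitive regex over name/aliases (Storm's ~=)
        rx = re.compile(pattern, re.I)
        return {o["id"] for o in self.objs.values() if o["type"] == typ
                and any(rx.search(n) for n in [o["name"], *o.get("aliases", [])])}
    def pivot(self, refs, rel_type, direction="out", types=None):  # "in" walks target_ref -> source_ref
        return {t for r in refs for t in self.edges[(r, rel_type, direction)]
                if t in self.objs and (types is None or self.objs[t]["type"] in types)}
    def ids(self, refs):  # STIX refs -> ATT&CK external IDs (G/T/S/M numbers), sorted for stable output
        return sorted(next(x["external_id"] for x in self.objs[r]["external_references"]
                           if x["source_name"] == "mitre-attack") for r in refs)

def group_techniques(g, name):             # group -> techniques it uses
    return g.ids(g.pivot(g.find("intrusion-set", name), "uses"))
def software_sibling_techniques(g, name):  # technique -> software using it -> all techniques that software uses
    software = g.pivot(g.find("attack-pattern", name), "uses", "in", types=("malware", "tool"))
    return g.ids(software), g.ids(g.pivot(software, "uses"))
def technique_mitigations(g, name):        # technique -> mitigations that address it
    return g.ids(g.pivot(g.find("attack-pattern", name), "mitigates", "in"))
```

Each helper corresponds to one of the Storm pivots above; `software_sibling_techniques` returns both the software and its full technique set, so the originating technique appears in the result just as it does in the Storm query.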
Pivoting from ATT&CK Elements to Query Other Nodes in Synapse
We can also create and pivot across light edges to answer questions about references to ATT&CK elements. Two other Synapse-Mitre-Attack commands, mitre.attack.scrape and mitre.attack.enrich, identify references to ATT&CK elements in node properties and create light edges between those nodes and the ATT&CK elements they reference. The mitre.attack.scrape command scrapes existing ATT&CK elements from any specified form and property, while mitre.attack.enrich scrapes ATT&CK elements from inet:web:post:text properties. As analysts, we can use these commands to map references from reports modeled as media:news nodes to an ATT&CK element noted in their :summary properties, to map an it:app:yara:rule node (as an example) to an ATT&CK element contained in the node's :text property, or to do the same for any text we specify.
The Synapse-Mitre-Attack Power-Up also includes the mitre.attack.scrapefile command, which acts as a custom file parser capable of parsing ATT&CK strings out of a file:bytes node and linking the modeled references back to that node. For Synapse Enterprise users, installing the Synapse-Mitre-Attack Power-Up automatically adds the ability to scrape ATT&CK references to the Spotlight Tool.
These commands give us the ability to ask questions like:
Have we modeled any reports from ESET mentioning activity that involves exfiltrating data to cloud storage?
it:mitre:attack:technique:name="Exfiltration to Cloud Storage" <(refs)-media:news +:publisher:name=eset
Have we modeled any YARA rules that reference abusing Microsoft Connection Manager Profile Installer (CMSTP.exe)?
Translating ATT&CK Elements into Synapse's Risk Data Model
Analysts can use the Synapse-Mitre-Attack Power-Up's mitre.attack.translate command to "translate" the ATT&CK-identified groups, software, and techniques into nodes in Synapse's risk data model, such as ou:technique nodes. Below, we use the mitre.attack.translate command to translate five it:mitre:attack:group nodes into their corresponding risk-model nodes:
it:mitre:attack:group | limit 5 | mitre.attack.translate --yield
Translating the ATT&CK group, software, and technique elements integrates them into the ou:* aspects of the Synapse data model. This lets us include ATT&CK elements in our results when we run queries to answer questions such as:
What threat clusters do we know of that correspond to the name "Lazarus"?
Note that we can use the Vertex Threat Intel Workflow for this query, as seen below: