This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA Threat Content mapping with MITRE ATT&CK™

PrakharPandey
Employee
Employee
‎2019-09-19 10:44 AM

Introduction to MITRE ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™.

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

To read more about how ATT&CK™ is helpful in resolving challenges and validate our defenses, please check this article.

Some Techniques are mapped to multiple Tactics. There are total 244 unique Techniques which results in 314 Non-unique Techniques distributed over 12 Tactics.

 

attack_techniques_distribution.PNG

RSA Threat Content Mapping with MITRE ATT&CK™

RSA has mainly three kinds of Threat Content: a. Application Rules, b. ESA Rules and c. LUA Parsers.These content types can be classified further as per the 'Medium' of each piece of content. Medium depends upon the source of the meta that particular content piece is using. For example: An application rule if using meta populated by packet data then its Medium will be packet. We can search LIVE content using Medium criteria:

 

medium.PNG

 

We will try to measure how much ATT&CK™ matrix is covered by RSA Threat Content. Essentially mapping each piece of threat content to one or multiple ATT&CK™ techniques it detects. This mapping needs to be saved in a file and in case of ATT&CK™ the file type will be JSON. For example: In case of application rules, there will be mapping JSON files for each of the following:

  • Mapping of only RSA Application Rules with Medium = log
  • Mapping of only RSA Application Rules with Medium = packet
  • Mapping of only RSA Application Rules with Medium = endpoint
  • Mapping of only RSA Application Rules with Medium = log AND packet
  • Mapping of all RSA Application Rules (Without considering Medium)

The same pattern will follow for ESA Rules and LUA Parsers depending upon Medium value.

This JSON is graphically viewable through ATT&CK™ Navigator web GUI tool which is described later in this post with the process of observing the GUI.

 

a. Application Rules - The Rule Library contains all the Application Rules and we can map these rules or detection capabilities to the tactics/techniques of ATT&CK™ matrix. The mapping shows how many Tactics/Techniques are detected by RSA NetWitness Application Rules. We have generated JSON files for application rules which can be viewed in Navigator. This JSON can be downloaded from attached archive in this blog post. Following are the mappings for RSA Application Rules:

 

Content TypeMediumLocation of JSON in attached archive
RSA Application RuleslogRSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_log
RSA Application RulespacketRSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_packet
RSA Application RulesendpointRSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_endpoint
RSA Application RulesAll Rules(Without considering Medium)RSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\All_RSA_Application_Rules

 

Following is the plot which reflects number of techniques detected by all RSA Application Rules with respect to ATT&CK™:

 

rsa_app_rules_attack_mapping.PNG

b. ESA Rules - ESA is one of the defense systems that is used to generate alerts. ESA Rules provide real-time, complex event processing of log, packet, and endpoint meta across sessions. ESA Rules can identify threats and risks by recognizing adversarial Tactics, Techniques and Procedures (TTPs). We have generated JSON files for ESA rules which can be viewed in Navigator. This JSON can be downloaded from attached archive in this blog post. Following are the mappings for RSA ESA Rules:

 

Content TypeMediumLocation of JSON in attached archive
RSA ESA RuleslogRSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_log
RSA ESA RulespacketRSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_packet
RSA ESA Ruleslog AND packetRSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_log_AND_packet
RSA ESA RulesAll Rules(Without considering Medium)

RSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\All_RSA_ESA_Rules

 

Following is the plot which reflects number of techniques detected by all RSA ESA Rules with respect to ATT&CK™:

 

rsa_esa_rules_attack_mapping.PNG

c. LUA Parsers - Packet parsers identify the application layer protocol of sessions seen by the Decoder, and extract meta data from the packet payloads of the session. Every packet parser is able to extract meta from every session. One of these packet parsers are LUA Parsers which can be customized by customers. We have generated JSON files for LUA Parsers which can be viewed in Navigator. This JSON can be downloaded from attached archive in this blog post. Following are the mappings for RSA LUA Parsers:

 

Content TypeMediumLocation of JSON in attached archive
RSA LUA ParserspacketRSA_Threat_Content_ATTACK_JSON_Mapping\Lua_Parsers\Medium_packet
RSA LUA ParsersAll LUA Parsers(Without considering Medium)RSA_Threat_Content_ATTACK_JSON_Mapping\Lua_Parsers\All_RSA_Lua_Parsers

Note: The above two JSONs will be same as for LUA Parsers the only Medium is packet.

 

Following is the plot which reflects number of techniques detected by all RSA LUA Parsers with respect to ATT&CK™:

 

rsa_lua_parsers_attack_mapping.PNG

 

d. Complete RSA Threat Content (Application Rules + ESA Rules + Lua Parsers) - We have combined all three type of contents and created a combined JSON file for ATT&CK™ Navigator and can be downloaded from this blog post.

 

Content TypeMediumLocation of JSON in attached archive
RSA Threat ContentAll RSA Threat ContentRSA_Threat_Content_ATTACK_JSON_Mapping\All_RSA_Threat_Content

 

Following is the plot which reflects number of techniques detected by all three threat content types combined with respect to ATT&CK™ coverage :

complete_rsa_threat_content_attack_mapping.PNG

Although these statistics are bound to change with time as new content is added or updated. We can update ATT&CK™ coverage periodically which will help us to give us a consolidated picture of our complete defense system and thus we can quantify and monitor the evolution of our detection capabilities.

 

In above sections, we have talked about using JSON files (attached with blog post) in ATT&CK™ Navigator . In next section, we will discuss how to use and observe the JSON files.

 

Introduction to MITRE ATT&CK™ Navigator

ATT&CK™ Navigator is a tool openly available through GitHub which uses the STIX 2.0 content to provide a layered visualization of ATT&CK™ model.

ATT&CK™ Navigator stores information in JSON files and each JSON file is a layer containing multiple techniques which can be opened on Navigator web interface. The JSON contains content in STIX 2.0 format which can be fetched from a TAXII 2.0 server of your own choice. For example, we can fetch ATT&CK™ content from MITRE's TAXII 2.0 server through APIs.

The techniques in this visualization can be:

  • Highlighted with color coding.
  • Added with a numerical score to signal severity/frequency of the technique.
  • Added with a comment to describe that occurrence of technique or any other meaningful information.

These layers can be exported in SVG and excel format.

 

How to View a JSON in ATT&CK™ Navigator?

  1. Open MITRE’s ATT&CK™ Navigator web application. (https://mitre-attack.github.io/attack-navigator/enterprise/).
  2. In Navigator, open a New Tab through clicking '+' button.

    point2.png
  3. Then click on 'Open Existing Layer' and then 'Upload from Local' which will let you choose a JSON file from your local machine (or, the one attached later in this blog).

    point3.png

  4. After uploading JSON file the layer will be opened in Navigator and will look like this:

    point4.png

 

        This visualization highlights the techniques covered in the JSON file with color and comments.

 

    5. While hovering mouse over each colored technique you can see three things:

  • Technique ID: Unique IDs of each technique as per ATT&CK™ framework.
  • Score:  Threat score given to each technique.
  • Comment: We can write anything related in comment to put things in perspective. In this case, we have commented pipes (‘||’) delimited names of content/rules/parsers which cover that technique. For example, if you have opened application rule JSON then comments will contain pipes delimited name of those application rules which detect hovered technique.

comment_screen.PNG

 


Other blog posts written before regarding Threat Content coverage of ATT&CK™ can be found here and here.

RSA_Threat_Content_ATTACK_JSON_Mapping.zip
RSA_Threat_Content_ATTACK_JSON_Mapping.zip
10 Comments
JohnWu1
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2019-09-19 04:36 PM
‎2019-09-19 04:36 PM

Hi, Prakhar Pandey ,

This is really cool stuff! Thank you for doing this! 

One question: are the latest ESA and endpoint json files posted in this link supersedes the ESA and endpoint json files you posted in your earlier posts for ESA (8/31/2018) and endpoint (3/29/2019)?

Please keep the content updated as you can and inform us when you do, thank you again for the wonderful stuff!

RSA PS John Wu

PrakharPandey
Employee
Employee
‎2019-09-19 04:45 PM
‎2019-09-19 04:45 PM

Thanks for reading. I am glad you liked this.

 

Yes, JSONs attached in this post will supersede provided in earlier blog posts.

 

Surely we will keep this updated and notify as well.

 

Regards,

Prakhar

0 Likes
JonathanScher
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2019-09-23 01:57 PM
‎2019-09-23 01:57 PM

The only available Feed Types are CSV or XML (in STIX format). Are there plans for transforming this content as a Feed?

 

Thank you!

0 Likes
PrakharPandey
Employee
Employee
‎2019-09-25 04:32 PM
‎2019-09-25 04:32 PM

Hi Jonathan,

There is an 'Investigation' Feed which maps Tactics to 'inv.category' generated meta key and Techniques to 'inv.context for every piece of RSA Application rules and LUA Parsers.

 

Thanks and Regards,

Prakhar

0 Likes
JonathanScher
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2019-09-25 04:51 PM
‎2019-09-25 04:51 PM

Hi Prakhar Pandey,

 

The last updated timestamp of the Investigation RSA Feed within RSA Live is "2019-04-10 1:07 PM".

In addition, the last modified timestamp of the "Investigation Feed" Document (Investigation Feed) is " Aug 1, 2019 8:56 AM"

 

Neither of which make mention of mapping Threat Content to Mitre ATT&CK Tactics and Techniques.

 

Do you know when the Investigation Feed will be updated with this mapping?

 

Thank you,

Jon

0 Likes
AngeOAmbemou
Occasional Contributor
Occasional Contributor
‎2019-10-08 11:02 PM
‎2019-10-08 11:02 PM

Hi Prakhar Pandey,

 

Thanks for this blog 

 

Have you any detail about add of UEBA (Logs, Endpoints, Packets) to map  Mitre ATT&CK Tactics and Techniques ?

Ange

0 Likes
PrakharPandey
Employee
Employee
‎2019-10-09 12:13 PM
‎2019-10-09 12:13 PM

Hi Jonathan Scher‌,


Apologies for the delay. Investigation Feed in LIVE has been updated. The Feed will additionally carry ATT&CK™ Tactics in inv.category Investigation Model Meta Key and ATT&CK™ Techniques in inv.context meta key.

 

The document will be updated soon with same information.

 

Please let me know if you need more information regarding this.

 

Thanks and regards,

Prakhar

0 Likes
PrakharPandey
Employee
Employee
‎2019-10-09 12:21 PM
‎2019-10-09 12:21 PM

Hi Ange Olivier Ambemou‌,

 

I am glad you liked this blog post.

 

We are in the process of mapping UEBA to ATT&CK™ and will keep you updated with the progress.

 

Thanks and Regards,

Prakhar

TarikBoudjemaa
Contributor
Contributor
‎2020-09-07 04:49 PM
‎2020-09-07 04:49 PM

Hi Prakhar Pandey      

is there any way to extract (or dump) Techniques in inv.context  and Tactics in inv.category  from the investigation feed ?

 

regards

Tarik

0 Likes
mkotoom
New Contributor
New Contributor
‎2024-05-09 07:33 AM
‎2024-05-09 07:33 AM

Dears,

 

the https://mitre-attack.github.io/attack-navigator/v2/enterprise/ isnt working for the json file .

 

i tried to use the https://mitre-attack.github.io/attack-navigator/ link but the file is outdated see below

mkotoom_0-1715254400570.png

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.