It would be really awesome to map out the most common techniques used by threat actors and prioritize those for detection, right? It would also be really awesome to know what our defense-in-depth capability looks like for the enterprise compared against threat actor techniques. Woah, slam those together and you start to get a picture of true threat-informed defense. I actually proposed something exactly like this in my SANS Research Paper, “ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis”. Academic papers aren’t the funnest things to read, so here’s the TL;DR version.

Activity Heat Map Overlaid onto Notional Inc.’s Defense-in-Depth Map (zoomed section for clarity)

Here are the top techniques found in the 50 reports that I processed for my research paper. I plan to continue to catalog threat reporting and possibly put out an annual Top Ten list. More on the research approach below…

Top “Ten” Reported Techniques

The Concept:

Basically, my research aimed to process a bunch of threat reporting and catalog them using the MITRE ATT&CK framework to identify trends, build a prioritized list of techniques for defenders, and identify any other cool analytics I could pull out of the dataset. I used this structured approach:

Collect — publicly available threat reporting that discusses specific threat activity

Catalog — threat reporting into Airtable using the ATT&CK techniques as multi-select values

Assess — the trends in the ATT&CK techniques observed across the body of reporting

Act — by informing resource management prioritization
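As an added example (not code from the paper or the ATT&CK Tracker), here is a small Python sketch of the Assess and Act steps: a constructed catalog of reports with their extracted technique IDs is counted, then overlaid on a constructed defense-in-depth map to surface the most reported techniques that have no coverage. The report names, technique lists and coverage flags are all made up for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for the ATT&CK Tracker: one entry per threat report,
# holding the technique IDs translated out of that report's text.
REPORTS: Dict[str, List[str]] = {
    "report-01": ["T1566.001", "T1059.001", "T1082", "T1003"],
    "report-02": ["T1566.001", "T1059.001", "T1082", "T1021.002"],
    "report-03": ["T1059.001", "T1082", "T1005", "T1082"],  # duplicate on purpose
    "report-04": ["T1566.002", "T1059.001", "T1003"],
    "report-05": ["T1059.001", "T1082", "T1021.002"],
}

# Constructed defense-in-depth map for a notional enterprise: True means a
# detection or mitigation exists for the technique, False means a gap.
COVERAGE: Dict[str, bool] = {
    "T1566.001": True, "T1566.002": False, "T1059.001": True,
    "T1082": False, "T1003": False, "T1021.002": True, "T1005": False,
}

def technique_frequency(reports: Dict[str, List[str]]) -> Counter:
    """Number of reports that mention each technique (one vote per report)."""
    counts: Counter = Counter()
    for techniques in reports.values():
        counts.update(dict.fromkeys(techniques, 1))  # dedupe within a report
    return counts

def ranked(reports: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Techniques sorted by report count, ties broken by technique ID."""
    freq = technique_frequency(reports)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))

def overlay(reports: Dict[str, List[str]],
            coverage: Dict[str, bool]) -> List[Tuple[str, int, bool]]:
    """Heat map rows: (technique, report count, covered?) for every technique."""
    return [(t, n, coverage.get(t, False)) for t, n in ranked(reports)]

def prioritize_gaps(reports: Dict[str, List[str]], coverage: Dict[str, bool],
                    top_n: int = 10) -> List[Tuple[str, int]]:
    """Most reported techniques with no coverage: the detection backlog."""
    rows = overlay(reports, coverage)
    return [(t, n) for t, n, covered in rows if not covered][:top_n]

if __name__ == "__main__":
    for technique, count, covered in overlay(REPORTS, COVERAGE):
        print(f"{technique:<10} {count:>2} reports  {'covered' if covered else 'GAP'}")
    print("Prioritized gaps:", prioritize_gaps(REPORTS, COVERAGE))
```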

The Academic Thesis:

By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.

The WHY:

Organizations have limited resources and a world of threats to assess and prioritize. Without effective threat management prioritization, organizations:

Cannot protect against the most likely threat vectors and actors

Cannot implement an informed defense-in-depth (DiD) strategy

So how do we definitively answer questions like:

What are the latest threat actor techniques?

What logs should we collect?

What hunts should we prioritize?

The HOW:

For my database, I ended up using the free version of AirTable and it was super easy to set up. Here is the database structure I used. As noted in the final section of this post, future-me would just put all techniques into a single dropdown column to make searching for them faster.

Database Field Structure

So I read a bunch of reports, inputted them into this database, and cataloged them using the ATT&CK techniques I was able to translate out of the text. So a threat report says something like “System Enumeration” and that can translate to “System Information Discovery” (T1082). The below image shows how I extracted the techniques from the NCCIC report TA17–117A into the ATT&CK Tracker.

ATT&CK Extraction from TA17–117A into the ATT&CK Tracker (NCCIC, 2017)

I repeated that process across 50 different reports and various source types to populate my ATT&CK Tracker, which is shown below. AirTable makes it really easy to go from the spreadsheet view to an input form view by simply clicking on the first cell in the record. As an MS Access addict, I have to say I love AirTable a bit more for its simplicity.

Airtable Form and Table views

Now’s a good point in the article to toss out a HUGE SHOUT OUT to the analysts and vendors that are including ATT&CK tables at the bottom of their reports. I started referring to these tables as the “executive summary for threat analysts” since they give you a very clear picture of what happened in an attack. For example, FireEye used ATT&CK in their Triton blog in 2019. (Miller, Brubaker, Zafra, & Caban, 2019). In highly dynamic environments, such as a SOC, the immediacy of this threat data in a table is instantly applicable to threat analysis procedures.

FireEye used ATT&CK in their Triton blog (Miller, Brubaker, Zafra, & Caban, 2019)

And FireEye isn’t the only vendor doing awesome stuff with ATT&CK and threat reports. The good folks at ESET map MITRE ATT&CK techniques to specific IOCs in their reports too. See their Winnti Group report for a specific example. One of my favorite MITRE ATT&CK tools for threat actor and campaign tracking is the Unit 42 Playbook Viewer. My only complaint is that they don’t source any of their analysis and IOCs on these pages.