Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/30/2021
03:05 PM
50%
50%

MITRE Adds MacOS, More Data Types to ATT&CK Framework

Version 9 of the popular threat matrix will improve support for a variety of platforms, including cloud infrastructure.

Nonprofit research organization MITRE has released the latest version of its ATT&CK framework, adding support for threat information affecting Apple's MacOS and containers, while also allowing more data sources and relationships. 

The release is one of two updates to the popular framework due out this year, with another planned for October. The two most major changes are better support for both the MacOS and containers and the adoption of more flexible ways of specifying the necessary data to describe each threat technique. The release includes 16 new groups, 67 new pieces of software, and updates to 36 other groups and 51 software entries, according to MITRE.

Related Content:

Academia Adopts Mitre ATT&CK Framework

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Ghost Town Security: What Threats Lurk in Abandoned Offices?

The goal is to make the framework more functional, based on specific feedback from its community of users, says Adam Pennington, ATT&CK lead at MITRE.

"People look at ATT&CK as a way to map out and plan their defenses," he says. "We are seeing it used as a way for people to either start from a specific area — such as an adversary that they are worried about or some subset of an attack, and take a look at what their stance is in relation to each of those behaviors — or perhaps as a way to plan out behavioral analytics."

In a blog published Thursday, the research organization stated that the update is designed to better connect offensive techniques with potential defensive actions. The intent is to tag every technique in the ATT&CK framework with "defensive-focused fields [and] properties as a way to help defenders detect and respond to attacks.

The company had described the improvements in its road map for 2021, published in March. The organization stated there would be no major structural adjustments; instead, MITRE plans to make improvements across the framework. 

"Our chief focus will be on enhancing and enriching content across the ATT&CK platforms and technical domains," MITRE stated in its road map. "We'll be making incremental updates to core concepts, such as Software and Groups, and working towards a more structured contributions process, while maintaining a biannual release tempo, scheduled for April and October."

A major initiative in the latest version is to allow better data to be collected on specific threat descriptions included in the ATT&CK framework. The idea is to tell defenders specifically what data they need to collect to best detect attackers and determine which techniques they are using. MITRE reviewed all the different data sources and components and remapped them where necessary.

"The material that people see today is not going to undergo another drastic change. We are just going to be adding more context behind it," Pennington says. "It's about getting a better idea of — with their various collection mechanisms, SIEMs, sensors, whatever — what do they need to be looking for to understand an adversary's behavior."

The ATT&CK framework now also includes more MacOS-specific threats and mappings, he says. Techniques and data specific to Linux-based systems will arrive with the next update in October. 

"We spend a lot of time on Windows, as do adversaries," Pennington says. "For Linux, we hear a lot going on with containers, but we don't see a ton of detail in what is going on. The same with Mac. We hear from people there is a lot of activity going on, and we are beginning to incorporate that into ATT&CK."

MITRE has also brought together the threats, techniques, and data sources for cloud platforms into consolidated groups, such as the infrastructure-as-a-service (IaaS) platform as part of the broader Cloud Service Providers category. In addition, software-as-a-service (SaaS) offerings Office 365 and Google Workspace are not included, so defenders can map adversary behaviors.

The company continues to make modifications based on feedback. In October, the company will release more support for mobile threats and defenses, as well as update the approach to threats that affect industrial control systems.

In the future, ATT&CK will also incorporate container technologies. MITRE has already released ATT&CK for Containers matrix and will be incorporating feedback for future releases, the organization says.

Editor's note: This article was updated to correct an error regarding when Linux will be explicitly supported in the ATT&CK framework. Linux support is planned for October.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-38095
PUBLISHED: 2021-08-05
The REST API in Planview Spigit 4.5.3 allows remote unauthenticated attackers to query sensitive user accounts data, as demonstrated by an api/v1/users/1 request.
CVE-2021-32598
PUBLISHED: 2021-08-05
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting...
CVE-2021-32603
PUBLISHED: 2021-08-05
A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafte...
CVE-2021-3539
PUBLISHED: 2021-08-04
EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product.
CVE-2021-36801
PUBLISHED: 2021-08-04
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. This issue was fixed in version 2.1.13 of the product.