0018-extend-threat-group-software.md

File metadata and controls

309 lines (265 loc) · 12.9 KB

0018: Extend Threat Fieldset

  • Stage: 3 (finished)
  • Date: 2021-07-28

Currently the threat fieldset includes tactic, technique, and sub-technique from the ATT&CK framework. ATT&CK also defines groups and software, which can easily be added to the existing fieldset so that it covers all of the ATT&CK object types. Although these fields map directly onto ATT&CK objects, they can also carry data from other frameworks if threat.framework expands beyond ATT&CK.

Fields

Proposed New Fields for Threat fieldset

| Field | Type | Example | Description |
|---|---|---|---|
| threat.software.id | keyword | S0023 | The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. |
| threat.software.name | keyword | CHOPSTICK | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. |
| threat.software.alias | keyword | X-Agent | The alias(es) of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®; an array of values, as in the examples below. While not required, you can use MITRE ATT&CK® software alias(es). |
| threat.software.platforms | keyword | Windows | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®; an array of values, as in the examples below. While not required, you can use MITRE ATT&CK® software platforms. |
| threat.software.reference | keyword | https://attack.mitre.org/software/S0023/ | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. |
| threat.software.type | keyword | Malware | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. |
| threat.group.alias | keyword | FIN6, ITG08, Magecart Group 6, etc. | The alias(es) of the group for a set of related intrusion activity that is tracked by a common name in the security community; an array of values, as in the examples below. While not required, you can use MITRE ATT&CK® group alias(es). |
| threat.group.id | keyword | G0037 | The id of the group for a set of related intrusion activity that is tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. |
| threat.group.name | keyword | FIN6 | The name of the group for a set of related intrusion activity that is tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. |
| threat.group.reference | keyword | https://attack.mitre.org/groups/G0037/ | The reference URL of the group for a set of related intrusion activity that is tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. |

Usage

These fields complement the fields that already exist in the threat.* fieldset, such as tactic, technique, and sub-technique. ATT&CK defines relationships between software, groups, and the tactics, techniques, and sub-techniques they use, so populating both sides provides a more enriched threat profile for indicators and events.

Tactic, technique, and sub-technique are currently also included in rules for the Detection Engine. Adding software and groups would make for more contextually relevant alerts, which could aid in analysis and response operations.

Existing threat fields

{
    "threat.framework": "ATT&CK",
    "threat.tactic.id": "TA0007",
    "threat.tactic.name": "Discovery",
    "threat.tactic.reference": "https://attack.mitre.org/tactics/TA0007/",
    "threat.technique.id": "T1087",
    "threat.technique.name": "Account Discovery",
    "threat.technique.reference": "https://attack.mitre.org/techniques/T1087/",
    "threat.technique.subtechnique.id": "T1087.002",
    "threat.technique.subtechnique.name": "Domain Account",
    "threat.technique.subtechnique.reference": "https://attack.mitre.org/techniques/T1087/002/"
}

New Software fields

{
    "threat.software.id": "S0023",
    "threat.software.name": "CHOPSTICK",
    "threat.software.alias": [
      "Backdoor.SofacyX",
      "SPLM",
      "Xagent",
      "X-Agent",
      "webhp"
    ],
    "threat.software.platforms": [
      "Windows",
      "Linux"
    ],
    "threat.software.reference": "https://attack.mitre.org/software/S0023/",
    "threat.software.type": "Malware"
}

New Group fields

{
    "threat.group.alias": [
      "FIN6",
      "Magecart Group 6",
      "SKELETON SPIDER",
      "ITG08"
    ],
    "threat.group.id": "G0037",
    "threat.group.name": "FIN6",
    "threat.group.reference": "https://attack.mitre.org/groups/G0037/"
}

Source data

The data can come from MITRE ATT&CK's STIX bundles, which include the software and group information outlined in this RFC.

Examples are from MITRE's enterprise matrix.

Software Source Data

{
    "external_references": [
        {
            "external_id": "S0552",
            "url": "https://attack.mitre.org/software/S0552"
        }
    ],
    "name": "AdFind",
    "type": "tool",
    "x_mitre_platforms": [
        "Windows"
    ]
}
{
    "external_references": [
        {
            "external_id": "S0369",
            "url": "https://attack.mitre.org/software/S0369"
        }
    ],
    "name": "CoinTicker",
    "type": "malware",
    "x_mitre_platforms": [
        "macOS"
    ]
}
{
    "external_references": [
        {
            "external_id": "S0023",
            "url": "https://attack.mitre.org/software/S0023"
        }
    ],
    "name": "CHOPSTICK",
    "type": "malware",
    "x_mitre_platforms": [
        "Linux"
    ]
}

Group Source Data

{
    "name": "FIN6",
    "external_references": [
        {
            "url": "https://attack.mitre.org/groups/G0037",
            "external_id": "G0037"
        }
    ],
    "aliases": [
        "FIN6",
        "Magecart Group 6",
        "SKELETON SPIDER",
        "ITG08"
    ]
}
{
    "name": "Putter Panda",
    "external_references": [
        {
            "url": "https://attack.mitre.org/groups/G0024",
            "external_id": "G0024"
        }
    ],
    "aliases": [
        "APT2",
        "MSUpdater"
    ]
}
{
    "name": "Darkhotel",
    "external_references": [
        {
            "url": "https://attack.mitre.org/groups/G0012",
            "external_id": "G0012"
        }
    ],
    "aliases": [
        "DUBNIUM"
    ]
}
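The mapping from the ATT&CK STIX objects shown above to the proposed threat.software.* and threat.group.* fields, and the merge with an event that already carries threat.tactic/technique fields from the Usage section, as an added example for this page (it is not ECS code or ATT&CK tooling). The sample objects are constructed. It assumes two fields of the real ATT&CK STIX data that the excerpts above trim away: the `"source_name": "mitre-attack"` external reference that carries the canonical id, and `x_mitre_aliases` for software aliases. It also adds the two checks a practitioner wants when threat.framework is "ATT&CK": rejecting ids that are not shaped like ATT&CK software/group ids, and skipping revoked or deprecated objects, which ATT&CK keeps in its bundles.

```python
"""Map MITRE ATT&CK STIX objects (malware, tool, intrusion-set) to the
threat.software.* and threat.group.* fields proposed in this RFC.
Added example for this page; it is not ECS code or ATT&CK tooling."""
import json
import re
from typing import Any, Dict, Iterable, List, Optional

# ATT&CK identifier shapes. The RFC does not require ATT&CK ids, but when
# threat.framework is "ATT&CK" a malformed id should be rejected at mapping
# time rather than indexed silently.
SOFTWARE_ID = re.compile(r"^S\d{4}$")
GROUP_ID = re.compile(r"^G\d{4}$")

# STIX object type -> threat.software.type value as written in the RFC examples.
SOFTWARE_TYPES = {"malware": "Malware", "tool": "Tool"}

# Constructed sample objects, trimmed like the RFC's "Source data" excerpts.
# Assumption: "source_name": "mitre-attack" and "x_mitre_aliases" are the ATT&CK
# STIX fields carrying the canonical id and the software aliases; the page's
# excerpts omit them.
SAMPLE_OBJECTS: List[Dict[str, Any]] = [
    {"type": "tool", "name": "AdFind",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0552",
                              "url": "https://attack.mitre.org/software/S0552"}],
     "x_mitre_platforms": ["Windows"]},
    {"type": "malware", "name": "CHOPSTICK",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0023",
                              "url": "https://attack.mitre.org/software/S0023"}],
     "x_mitre_aliases": ["Backdoor.SofacyX", "SPLM", "Xagent", "X-Agent", "webhp"],
     "x_mitre_platforms": ["Linux"]},
    {"type": "intrusion-set", "name": "FIN6",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0037",
                              "url": "https://attack.mitre.org/groups/G0037"}],
     "aliases": ["FIN6", "Magecart Group 6", "SKELETON SPIDER", "ITG08"]},
    # ATT&CK keeps revoked objects in the bundle; they must not be mapped.
    {"type": "malware", "name": "RevokedName", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0001",
                              "url": "https://attack.mitre.org/software/S0001"}]},
]


def attack_reference(obj: Dict[str, Any], pattern: "re.Pattern") -> Optional[Dict[str, str]]:
    """Return the ATT&CK id and reference URL of a STIX object, or None when the
    object has no mitre-attack reference whose id matches `pattern`."""
    for ref in obj.get("external_references", []):
        ext_id = ref.get("external_id", "")
        if ref.get("source_name") == "mitre-attack" and pattern.match(ext_id):
            url = ref.get("url", "")
            # The RFC's examples write reference URLs with a trailing slash.
            return {"id": ext_id, "url": url.rstrip("/") + "/" if url else ""}
    return None


def software_to_ecs(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Map a STIX malware/tool object to dotted threat.software.* fields."""
    ref = attack_reference(obj, SOFTWARE_ID)
    if ref is None:
        raise ValueError(f"no valid ATT&CK software id on {obj.get('name')!r}")
    doc: Dict[str, Any] = {
        "threat.software.id": ref["id"],
        "threat.software.name": obj["name"],
        "threat.software.type": SOFTWARE_TYPES[obj["type"]],
    }
    if ref["url"]:
        doc["threat.software.reference"] = ref["url"]
    # alias and platforms are arrays in the RFC examples; omit them when empty.
    if obj.get("x_mitre_aliases"):
        doc["threat.software.alias"] = list(obj["x_mitre_aliases"])
    if obj.get("x_mitre_platforms"):
        doc["threat.software.platforms"] = list(obj["x_mitre_platforms"])
    return doc


def group_to_ecs(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Map a STIX intrusion-set object to dotted threat.group.* fields."""
    ref = attack_reference(obj, GROUP_ID)
    if ref is None:
        raise ValueError(f"no valid ATT&CK group id on {obj.get('name')!r}")
    doc: Dict[str, Any] = {"threat.group.id": ref["id"], "threat.group.name": obj["name"]}
    if ref["url"]:
        doc["threat.group.reference"] = ref["url"]
    if obj.get("aliases"):
        doc["threat.group.alias"] = list(obj["aliases"])
    return doc


def to_ecs(obj: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Dispatch on STIX type; skip revoked/deprecated objects and unrelated types."""
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        return None
    if obj.get("type") in SOFTWARE_TYPES:
        return software_to_ecs(obj)
    if obj.get("type") == "intrusion-set":
        return group_to_ecs(obj)
    return None


def map_bundle(objects: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Map every software and group object in an ATT&CK bundle."""
    return [doc for doc in (to_ecs(o) for o in objects) if doc is not None]


def enrich_event(event: Dict[str, Any], threat_docs: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Add mapped software/group fields to an event that already carries
    threat.framework/tactic/technique fields, never overwriting existing values."""
    out = dict(event)
    for doc in threat_docs:
        for key, value in doc.items():
            out.setdefault(key, value)
    return out


if __name__ == "__main__":
    event = {"threat.framework": "ATT&CK", "threat.technique.id": "T1087",
             "threat.technique.subtechnique.id": "T1087.002"}
    docs = [software_to_ecs(SAMPLE_OBJECTS[1]), group_to_ecs(SAMPLE_OBJECTS[2])]
    print(json.dumps(enrich_event(event, docs), indent=2))
```

`enrich_event` deliberately uses `setdefault` so that an enrichment pipeline never clobbers threat fields a detection rule or an earlier processor already set; if an event should carry several software or group objects, they need to be emitted as separate documents or nested objects rather than merged into one flat set of dotted keys.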

Scope of impact

Concerns

MITRE ATT&CK

The MITRE ATT&CK Matrix provides the material used in these examples. While ATT&CK may be the most widely known source organized in this manner, it is neither the only source of this data nor the required source.

To resolve this, we adjusted the field descriptions as follows (where applicable):

  • Appended "...While not required, you can use a MITRE ATT&CK® {software,group} {field}."
    • Example: While not required, you can use a MITRE ATT&CK® software platform.
  • Renamed the "Expected Values:" section of a description to "Recommended Values:"
    • Example:
    Recommended Values:
      * AWS
      * Azure
      ...

People

The following are the people that consulted on the contents of this RFC.

  • @peasead | author, subject matter expert
  • @devonakerr | sponsor
  • @dcode | subject matter expert

References

RFC Pull Requests