Blog TruSTAR Announces New MITRE ATT&CK Framework Feature

TruSTAR Announces New MITRE ATT&CK Framework Feature



Today we are excited to bring the power of the MITRE ATT&CK Framework to TruSTAR. The ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be extremely useful for detection, prioritization, and analysis of security incidents. 

This new integration with MITRE advances TruSTAR’s mission of Intelligence Management, which helps you operationalize the intelligence you capture throughout investigations and automatically normalize and enrich it between tools.

This MITRE ATT&CK release makes it easier to track adversarial behavior on reports and indicators submitted to TruSTAR and is available to all users of TruSTAR.

What Can I do with ATT&CK?

TruSTAR users can now automatically extract Mitre ATT&CK techniques and tactics from Premium Intelligence sources, helping users categorize reports and indicators. 

With this feature TruSTAR users can now:

  1. Prioritize Reports & Resolve Cases: TruSTAR automatically correlates all alerts, cases, and indicators that share ATT&CK TTPs. This will help analysts quickly uncover overlaps in adversarial behavior, threat actors, and malware, and respond with fuller context.
  2. Move Up the Pyramid of Pain: By linking IPs, malware hashes, and other observables with ATT&CK TTPs, analysts can make more informed decisions rather than just blocking and tackling on individual data points. You can also map ATT&CK TTPs with resolved cases to create a library of cases organized by ATT&CK methods.
  3. Assess Intelligence Sources: Mapping the MITRE ATT&CK Framework to Premium Intelligence sources helps analysts evaluate the extent of TTP coverage. Understanding where you are over-indexed or under-indexed can help evaluate your intel investments and how they map against your operational controls.  
How do I use MITRE ATT&CK Framework in TruSTAR?

To use this feature in TruSTAR, first you must add MITRE ATT&CK TTPs as tags. You can add MITRE tags to reports as well as individual indicators. If any of the sources you have subscribed to have ATT&CK TTPs in their feeds, we will automatically extract and correlate them. 


To manually tag reports and indicators with ATT&CK TTPs go to the reports panel in the Constellation view. 

Click on the ➕button next to MITRE ATT&CK and the full list of Tactics and Techniques will appear. Click the SAVE CHANGES button to apply the tags to the report or indicator.

Once ATT&CK TTPs have been mapped to reports and indicators, they will be available for use through our search and filter capabilities, as well as our graph visualizations. For example, you can now easily find all IP addresses that have been observed using the Defense Evasion tactic.

Screen Shot 2019-11-13 at 9.29.41 AM

With the adoption of the MITRE ATT&CK Framework in the TruSTAR platform, we aim to advance the use of adversarial behavior in the analyst investigation process. We will be adding enhancements to this feature over the next few months. 

Get Started

Visit our Knowledge Base for more technical details about this feature.

We look forward to hearing your feedback!

COVID-19 Impact & Community Response The following blog post details the security impact COVID-19 has on enterprise security teams. To learn more about TruSTAR and IBM’s Community effort ... Read More
Improved Submission Workflow on TruSTAR Improved Submission Workflow on TruSTAR One of TruSTAR’s key differentiators is the ability to extract and normalize indicators from structured or ... Read More
New Context Panel Helps Analysts Prioritize Reports Faster Using Trusted Intelligence Sources Introducing the New Context Panel Reducing friction in the analyst workflow is central to how we evolve our product. Today TruSTAR has released a new ... Read More