
TruSTAR Announces New MITRE ATT&CK Framework Feature

ABOUT MITRE ATT&CK on TruSTAR

Today we are excited to bring the power of the MITRE ATT&CK Framework to TruSTAR. The ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be extremely useful for detection, prioritization, and analysis of security incidents.

This new integration with MITRE advances TruSTAR’s mission of Intelligence Management, which helps you operationalize the intelligence you capture throughout investigations and automatically normalize and enrich it between tools.

This MITRE ATT&CK release makes it easier to track adversarial behavior on reports and indicators submitted to TruSTAR and is available to all users of TruSTAR.

What Can I Do with ATT&CK?

TruSTAR users can now automatically extract MITRE ATT&CK techniques and tactics from Premium Intelligence sources, helping users categorize reports and indicators.

With this feature TruSTAR users can now:

  1. Prioritize Reports & Resolve Cases: TruSTAR automatically correlates all alerts, cases, and indicators that share ATT&CK TTPs. This will help analysts quickly uncover overlaps in adversarial behavior, threat actors, and malware, and respond with fuller context.
  2. Move Up the Pyramid of Pain: By linking IPs, malware hashes, and other observables with ATT&CK TTPs, analysts can make more informed decisions rather than just blocking and tackling on individual data points. You can also map ATT&CK TTPs with resolved cases to create a library of cases organized by ATT&CK methods.
  3. Assess Intelligence Sources: Mapping the MITRE ATT&CK Framework to Premium Intelligence sources helps analysts evaluate the extent of TTP coverage. Understanding where you are over-indexed or under-indexed can help evaluate your intel investments and how they map against your operational controls.

How do I use MITRE ATT&CK Framework in TruSTAR?

To use this feature in TruSTAR, first you must add MITRE ATT&CK TTPs as tags. You can add MITRE tags to reports as well as individual indicators. If any of the sources you have subscribed to have ATT&CK TTPs in their feeds, we will automatically extract and correlate them.

To manually tag reports and indicators with ATT&CK TTPs, go to the reports panel in the Constellation view.

Click on the ➕ button next to MITRE ATT&CK and the full list of Tactics and Techniques will appear. Click the SAVE CHANGES button to apply the tags to the report or indicator.

Once ATT&CK TTPs have been mapped to reports and indicators, they will be available for use through our search and filter capabilities, as well as our graph visualizations. For example, you can now easily find all IP addresses that have been observed using the Defense Evasion tactic.
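The three workflows described on this page (correlating reports that share TTPs, assessing which tactics an intelligence source actually covers, and filtering observables such as IP addresses by tactic) can be illustrated end to end with a small script. The example below is added here for illustration; it is not TruSTAR code and does not use the TruSTAR API. The reports, sources, indicators and the five-entry technique-to-tactic table are constructed for the demo, and the `Feed A` / `Feed B` names and the `R-1`..`R-4` report ids are assumptions, not real data.

```python
import re
from collections import defaultdict

# Constructed subset of the ATT&CK technique -> tactic mapping, used only for this demo.
# The real framework has hundreds of techniques; only these five are assumed here.
TECHNIQUE_TACTIC = {
    "T1027": "Defense Evasion",      # Obfuscated Files or Information
    "T1036": "Defense Evasion",      # Masquerading
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1071": "Command and Control",  # Application Layer Protocol
}

# ATT&CK technique ids look like T1027 or, for sub-techniques, T1027.002.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample reports: ids, sources, text and observables are all invented.
SAMPLE_REPORTS = [
    {"id": "R-1", "source": "Feed A",
     "text": "Loader uses T1027.002 packing and T1036 masquerading; C2 over T1071.001.",
     "indicators": {"ip": ["203.0.113.10"], "sha256": ["<sha256-placeholder-1>"]}},
    {"id": "R-2", "source": "Feed A",
     "text": "Spearphishing attachment (T1566.001) leads to PowerShell (T1059.001).",
     "indicators": {"ip": ["198.51.100.7"], "sha256": ["<sha256-placeholder-2>"]}},
    {"id": "R-3", "source": "Feed B",
     "text": "Renamed binary (T1036) beaconing to 203.0.113.10 using T1071.",
     "indicators": {"ip": ["203.0.113.10"], "sha256": ["<sha256-placeholder-3>"]}},
    {"id": "R-4", "source": "Feed B",
     "text": "Generic IOC dump with no technique references.",
     "indicators": {"ip": ["192.0.2.55"], "sha256": []}},
]


def extract_techniques(text):
    """Return the set of ATT&CK technique ids found in free text (sub-technique ids kept as written)."""
    return set(TECHNIQUE_RE.findall(text))


def parent_technique(technique_id):
    """T1027.002 -> T1027; a parent id is returned unchanged."""
    return technique_id.split(".")[0]


def tactics_for(techniques):
    """Map technique ids to their tactics via the parent technique; unknown ids are skipped."""
    return {TECHNIQUE_TACTIC[parent_technique(t)] for t in techniques
            if parent_technique(t) in TECHNIQUE_TACTIC}


def tag_reports(reports):
    """Attach 'techniques' and 'tactics' tags to each report (returns new dicts)."""
    tagged = []
    for r in reports:
        techs = extract_techniques(r["text"])
        tagged.append({**r, "techniques": techs, "tactics": tactics_for(techs)})
    return tagged


def correlate_by_technique(tagged):
    """Group report ids by parent technique; only techniques shared by two or more reports are returned."""
    by_tech = defaultdict(set)
    for r in tagged:
        for t in r["techniques"]:
            by_tech[parent_technique(t)].add(r["id"])
    return {t: ids for t, ids in by_tech.items() if len(ids) > 1}


def indicators_by_tactic(tagged, tactic, kind="ip"):
    """Return indicators of one kind observed in reports tagged with the given tactic."""
    found = set()
    for r in tagged:
        if tactic in r["tactics"]:
            found.update(r["indicators"].get(kind, []))
    return found


def source_coverage(tagged, all_tactics=None):
    """Per intelligence source: which tactics its reports cover and which are missing."""
    universe = set(all_tactics) if all_tactics else set(TECHNIQUE_TACTIC.values())
    covered = defaultdict(set)
    for r in tagged:
        covered[r["source"]].update(r["tactics"])
    return {src: {"covered": sorted(tacs), "missing": sorted(universe - tacs)}
            for src, tacs in covered.items()}


if __name__ == "__main__":
    tagged = tag_reports(SAMPLE_REPORTS)
    print("Reports sharing a technique:", correlate_by_technique(tagged))
    print("IPs seen with Defense Evasion:", indicators_by_tactic(tagged, "Defense Evasion"))
    print("Tactic coverage per source:", source_coverage(tagged))
```

On the constructed data, `R-1` and `R-3` are pulled together by the shared Masquerading and Application Layer Protocol techniques even though they come from different feeds, the single IP tagged with Defense Evasion surfaces without knowing which report mentioned it, and `Feed B` is shown to contribute nothing for Initial Access or Execution. In practice the tactic table would be loaded from the full ATT&CK data set rather than hard-coded, and unknown technique ids should be flagged rather than silently dropped.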

With the adoption of the MITRE ATT&CK Framework in the TruSTAR platform, we aim to advance the use of adversarial behavior in the analyst investigation process. We will be adding enhancements to this feature over the next few months.

Get Started

Visit our Knowledge Base for more technical details about this feature.

We look forward to hearing your feedback!
