What is the ATT&CK™ Framework?

From MITRE - MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. 

Put simply, ATT&CK™ is a collection of tools, techniques, and processes used by adversaries to perform malicious activities. It is informed by threat intelligence and real-world data.

How does Red Canary use the ATT&CK™ Framework?

Red Canary uses the ATT&CK™ Framework to classify suspicious activity we observe, and as a data source to generate investigative hypotheses. We use these hypotheses to research, hunt and refine detection logic. We then map the activity we find back to ATT&CK™ techniques, which serves as a common language for communicating observed behavior.

How does Red Canary map to the ATT&CK™ Framework?

Red Canary maps to the ATT&CK™ Framework through our detector code. Each detector corresponds to a hunt idea informed by threat intelligence and it typically also matches one or more ATT&CK™ Framework techniques. This mapping process is performed by our detection engineers evaluating the description and intent of the adversary technique. Where possible, we rely on public research from the information security industry to guide this mapping process and help shape our decisions. If no public research is available, we make a best effort mapping or create a “Red Canary mapping” that does not exist in the framework. We work closely with MITRE to contribute additional techniques to the ATT&CK™ Framework.

What should I do if an ATT&CK™ mapping is incorrect or missing?

You can contribute to help ensure our ATT&CK™ Framework mappings are accurate! If you find a problem with our mappings or have concerns, contact Red Canary Support to create a support ticket. Provide as much information as possible to illustrate the problem. 

How do ATT&CK™ techniques appear when viewing a detection?

You may observe Red Canary’s mapping to the ATT&CK™ Framework within detections. Each detection includes a section devoted to “Observed Tactics”. This section lists each detector (hunt idea) that contributed to this detection and its ATT&CK™ mapping. One single detector may map to multiple tactics and techniques, so this section may become crowded depending on the number of detectors and mappings present. Our observation of a technique does not necessarily indicate that the technique is being used for every associated tactic in this particular event. This information is provided to aid analysts in their assessment of what tactics the adversary may be attempting based on the technique observed.

You can also see the ATT&CK™ Framework mappings in our weekly detector update articles here: https://help.redcanary.com/collections/671679-detector-updates 

Does the “Observed Tactics” section list every technique in the detection?

This section does not list all possible ATT&CK™ techniques that may appear within a detection. Only techniques that initially observed that led to a Red Canary detection engineer judging the endpoint activity as suspicious or malicious. A detection engineer may join additional events to a detection that may or may not have specific ATT&CK™ mappings during analysis. For example, a PowerShell script may create persistence via a technique not covered by a Red Canary detector. In these cases, the persistence technique number would not appear in the “Observed Tactics” section. In addition, not every ATT&CK™ technique is suitable for alerting behaviors. Where possible we’ve focused our attention to the most high-fidelity behaviors within the framework to achieve the best results quickly.

Does Red Canary cover every technique?

Red Canary cannot issue a detector for every technique listed in the ATT&CK™ Framework due to limitations in data collection and context requirements within organizations. Many of the techniques require data for detection that cannot be gathered by our partner sensors such as network packet captures or forensic analysis of in-memory artifacts. In addition, not every technique is equally useful for detection. We make every effort to cover as much of the framework as possible with the data we can gather with our partners to provide the best detection information to the security community. If you have ideas for additional ATT&CK™ Framework technique coverage, reach out to your Incident Handler and talk about it. 

Did this answer your question?