Attack Patterns

Attack patterns are a concept borrowed from STIX. The STIX definition captures many of the use cases for Cisco XDR Threat Intelligence: "Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets".

Attack Pattern Taxonomies

MITRE offers two primary Attack Pattern taxonomies:

  • MITRE ATT&CK - tactics, techniques and sub-techniques describing observed adversary behavior.
  • MITRE CAPEC - attack patterns organized by category and by abstraction level (meta, standard, detailed).

RE&CT and OWASP provide additional, less structured frameworks that may become relevant in the future.

Attack Pattern Field Summary

Required Fields

  • description - A description of the object, which may be detailed.
  • id - Globally unique URI identifying this object.
  • schema_version - CTIM schema version for this entity.
  • short_description - A single line, short summary of the object.
  • title - A short title for this object, used as primary display and reference value.
  • type - A string "attack-pattern".

Notable Optional Fields

  • external_ids - A collection of IDs including MITRE ATT&CK reference IDs (TAXXXX for a tactic, TXXXX for a technique, TXXXX.XXX for a sub-technique).
  • external_references - A collection of external references, including external_ids with source information.

Attack Pattern Abstraction Levels

A "level of abstraction" is an overloaded term in information systems. For the Attack Pattern entity, the abstraction_level field refers to the CAPEC classification (category, meta, standard, detailed) and is used to characterize, roughly, how specific the behavior described by the Attack Pattern is.

Generally, the following table can help when reasoning about abstraction levels within the CTIM Attack Pattern vocabulary:

Behavior Descriptor   MITRE ATT&CK     MITRE CAPEC
WHY                   Tactic           Category
HOW                   Technique        Meta
DETAILED HOW          Sub-technique    Standard or Detailed
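The following is an added example, not code from the CTIM project, that ties the external_ids format described above to the abstraction table: it classifies a bare ATT&CK reference ID by its shape (TAXXXX, TXXXX, TXXXX.XXX), builds a minimal Attack Pattern entity in the shape shown on this page, and lints an entity for the required fields and for an abstraction_level that disagrees with the kind of ATT&CK ID it carries. The abstraction_level vocabulary ("category", "meta", "standard", "detailed"), the "ATT&CK-" prefix on external_ids and the transient id prefix are taken from the table and the example below; the helper names and the sample entity are assumptions made for this example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# ATT&CK reference ID shapes as described on this page.
ATTACK_ID_PATTERNS = {
    "tactic": re.compile(r"^TA\d{4}$"),
    "sub-technique": re.compile(r"^T\d{4}\.\d{3}$"),
    "technique": re.compile(r"^T\d{4}$"),
}

# From the abstraction table: WHY -> tactic/category, HOW -> technique/meta,
# DETAILED HOW -> sub-technique/standard or detailed. The CTIM value strings
# are assumed from the example entity on this page.
EXPECTED_ABSTRACTION = {
    "tactic": {"category"},
    "technique": {"meta"},
    "sub-technique": {"standard", "detailed"},
}

REQUIRED_FIELDS = ("description", "id", "schema_version", "short_description", "title", "type")
EXTERNAL_ID_PREFIX = "ATT&CK-"


def classify_attack_id(external_id):
    """Return 'tactic', 'technique', 'sub-technique', or None for a bare ATT&CK ID."""
    for kind, pattern in ATTACK_ID_PATTERNS.items():
        if pattern.match(external_id):
            return kind
    return None


def build_attack_pattern(attack_id, title, description, abstraction_level, phase_name=None):
    """Build a minimal CTIM Attack Pattern dict for one ATT&CK reference ID (hypothetical helper)."""
    if classify_attack_id(attack_id) is None:
        raise ValueError(f"not an ATT&CK reference ID: {attack_id}")
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    entity = {
        "type": "attack-pattern",
        "schema_version": "1.1.0",
        "id": "transient:ctim-example-attack-pattern-" + str(uuid.uuid4()),
        "title": title,
        "short_description": title,  # single-line summary, so reuse the title
        "description": description,
        "abstraction_level": abstraction_level,
        "external_ids": [EXTERNAL_ID_PREFIX + attack_id],
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
        "tlp": "green",
        "timestamp": now,
    }
    if phase_name:
        entity["kill_chain_phases"] = [{"kill_chain_name": "mitre-attack", "phase_name": phase_name}]
    return entity


def lint_attack_pattern(entity):
    """Return a list of problems; an empty list means the entity passes these checks."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in entity:
            problems.append(f"missing required field: {field}")
    if entity.get("type") != "attack-pattern":
        problems.append("type must be the string 'attack-pattern'")
    if "\n" in entity.get("short_description", ""):
        problems.append("short_description must be a single line")
    level = entity.get("abstraction_level")
    for ext_id in entity.get("external_ids", []):
        # Only ATT&CK-prefixed IDs are checked; other external_ids (e.g. source-local IDs) are skipped.
        if not ext_id.startswith(EXTERNAL_ID_PREFIX):
            continue
        kind = classify_attack_id(ext_id[len(EXTERNAL_ID_PREFIX):])
        if kind is None:
            problems.append(f"{ext_id} does not match a TAXXXX, TXXXX or TXXXX.XXX ID")
        elif level and level not in EXPECTED_ABSTRACTION[kind]:
            expected = sorted(EXPECTED_ABSTRACTION[kind])
            problems.append(f"{ext_id} is a {kind} but abstraction_level is '{level}' (expected one of {expected})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a sub-technique modeled at the "standard" level.
    entity = build_attack_pattern(
        "T1566.002", "Spearphishing Link",
        "Adversaries send a link to a malicious site in a spearphishing email.",
        "standard", phase_name="initial-access",
    )
    print(json.dumps(entity, indent=2))
    print("problems:", lint_attack_pattern(entity))
    # Same entity mislabeled as a "category" (tactic-level) Attack Pattern.
    print("problems:", lint_attack_pattern(dict(entity, abstraction_level="category")))
```

The linter deliberately skips external_ids that lack the "ATT&CK-" prefix, since the page's own example carries a source-local "ctim-tutorial-attack-pattern-..." ID in the same list; only IDs that claim to be ATT&CK references are held to the TAXXXX/TXXXX/TXXXX.XXX shape and the abstraction mapping.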

Attack Pattern Example

{
    "description":"The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.",
    "abstraction_level":"category",
    "schema_version":"1.1.0",
    "type":"attack-pattern",
    "source":"Modeling Threat Intelligence in CTIM Tutorial",
    "external_ids":[
        "ctim-tutorial-attack-pattern-ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
        "ATT&CK-TA0001"
    ],
    "short_description":"Initial Access",
    "title":"Initial Access",
    "external_references":[
        {
            "source_name":"mitre-attack",
            "url":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
            "external_id":"TA0001"
        }
    ],
    "source_uri":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
    "id":"transient:ctim-tutorial-attack-pattern-5be8e308-f326-456a-9645-fecb8803a19a",
    "tlp":"green",
    "kill_chain_phases":[
        {
            "kill_chain_name":"mitre-attack",
            "phase_name":"initial-access"
        },
        {
            "kill_chain_name":"lockheed-martin-cyber-kill-chain",
            "phase_name":"exploitation"
        }
    ],
    "timestamp":"2019-07-19T17:41:41.425Z"
}