ATT&CK Tags
  • 11 Oct 2023

Article Summary

An ATT&CK® Tag is a system-generated Tag that represents a technique or sub-technique in the MITRE ATT&CK® Enterprise Matrix. ATT&CK Tags are tied directly to the ATT&CK Visualizer in ThreatConnect®, as they must be applied to a Group in order to view the Group’s techniques and sub-techniques when using the ATT&CK Visualizer while the Group is added as an analysis layer. In addition to Groups, you may also apply ATT&CK Tags to Indicators, Victims, and Workflow Cases.

If desired, System Administrators can use pre-configured rules to convert standard Tags to ATT&CK Tags based on whether they exactly or approximately match a specific ATT&CK Tag. This ensures that all users on the ThreatConnect instance use ATT&CK Tags when identifying the techniques and sub-techniques associated with a particular object.

Important
ATT&CK Tags do not belong to an owner, as they are created at the system level, and cannot be deleted. Also, they cannot be used as synonymous Tags when configuring Tag normalization rules.

Viewing ATT&CK Tag Details

  1. On the top navigation bar, hover over Browse and select Tags. All Tags in the owners selected in the My Intel Sources selector will be displayed on the Browse screen.
  2. Click Advanced at the upper-right corner of the Browse screen to initiate an advanced query. By default, Tags will be selected from the dropdown to the left of the search bar at the top of the screen.
  3. Enter the following ThreatConnect Query Language (TQL) query into the search bar at the top of the screen:
    techniqueId is not null
    Note
    To filter ATT&CK Tags based on a specific technique/sub-technique ID, enter a query in the following format: techniqueId is not null and techniqueId startswith "t1055".
  4. Click Search to the right of the search bar on the Browse screen, or press the Enter key on your keyboard, to run the query. Only ATT&CK Tags will be displayed on the screen.
  5. To view more details about an ATT&CK Tag, including its description and a list of objects to which it is applied, click on its entry on the Browse screen to display its Details drawer, or hover over its entry on the screen and click on one of the following icons displayed in its Summary cell to navigate to its Details screen:
    • View full details: Click this icon to open the Tag’s Details screen in the current browser tab.
    • View full details in new tab: Click this icon to open the Tag’s Details screen in a new browser tab.

Applying ATT&CK Tags to an Object

  1. Navigate to the Details screen for an object.
    Note
    Although you can apply ATT&CK Tags to Indicators and Victims, the ATT&CK Visualizer is available only for Groups at this time.
  2. On the Overview tab, click Edit at the lower-right corner of the Details card, or click on the Tags section of the Details card. The object’s Tags will now be editable.
  3. Begin entering the ID number or name of an ATT&CK Enterprise technique or sub-technique into the text box. As you type, a menu containing Tags whose names match part or all of the entered text will be displayed. In this menu, ATT&CK Tags will be listed under the ATT&CK Tags heading, and each Tag will have an ATT&CK Tag icon to the left of its name (Figure 1).
    Important
    If there are standard Tags whose names match part or all of the entered text, they will be listed under the Standard Tags heading in the menu, which is displayed before the ATT&CK Tags heading. In this scenario, scroll down to view the list of ATT&CK Tags under the ATT&CK Tags heading.
    Figure 1

    • Select an ATT&CK Tag from the menu to add it to the text box.
    • Click the Confirm button to the right of the text box to apply the ATT&CK Tag(s) to the object.

Identifying ATT&CK Tags Applied to an Object

Figure 2 shows the Tags section of the Details card for a Group with standard Tags and ATT&CK Tags applied to it.

Figure 2

  • Standard Tags: This section displays the standard Tags applied to the Group. A standard Tag is any Tag that is not an ATT&CK Tag.
  • ATT&CK Tags: This section displays the ATT&CK Tags applied to the Group. An ATT&CK Tag will have an ATT&CK Tag icon to the left of its name when viewing it on an object’s Details screen, as well as when viewing the Tag on the Browse screen and in the Details drawer.
Important
Tags copied from the MITRE ATT&CK Source are not ATT&CK Tags; rather, they are standard Tags named after ATT&CK techniques and sub-techniques. For example, the T1059 - Command and Scripting Interpreter - EXE - ENT - ATT&CK in Figure 2 is a standard Tag named after an ATT&CK technique. If this Tag has not been converted to an ATT&CK Tag and you apply it to a Group instead of the T1059 - Command and Scripting Interpreter ATT&CK Tag, you will not be able to view that technique when using the ATT&CK Visualizer while the Group is added as an analysis layer.

When viewing Groups, Indicators, or Victims on the Browse screen, you can use the advanced query feature to filter objects based on the ATT&CK Tags applied to them. For example, the following query will return only objects with an ATT&CK Tag representing one of the specified technique IDs applied to them:

hasTag(techniqueId is not null and techniqueId startswith ("T1486","T1490","T1027","T1047","T1036","T1059","T1562","T1112","T1204","T1055"))

For more information on using ATT&CK Tag–related TQL queries, see the “Query for ATT&CK Tags” section of Constructing Query Expressions.

Converting Standard Tags to ATT&CK Tags

Before Performing a Conversion

Before performing the ATT&CK Tag conversion process on an owner’s standard Tags, which is irreversible, review the following recommended tips:

  • If an owner contains standard Tags with common names that match the names of ATT&CK techniques (e.g., Phishing, Rootkit, Email Collection, etc.), verify whether you want to convert them to ATT&CK Tags. If you do not want to convert them, rename the standard Tags, or use Tag normalization rules to convert them to a main Tag whose name does not match an ATT&CK technique. For example, if you use a standard Tag named Phishing and you do not want to convert it to the T1566 – Phishing ATT&CK Tag, use either of these methods to change that standard Tag’s name to something like Phishing Attack, which does not match an ATT&CK technique.
  • If you leverage ThreatConnect Query Language (TQL) queries (e.g., in dashboard cards), review those queries and determine whether they will need to be updated based on the results of the ATT&CK Tag conversion process. The following examples demonstrate scenarios where an existing query may need to be updated after completing the ATT&CK Tag conversion process:
    • If using a query such as summary contains "t1001" to return only Tags whose summary contains the technique ID “T1001”, use techniqueId startswith "t1001" instead to retrieve the ATT&CK Tags that map to the “T1001” technique ID.
    • If using a query such as summary contains "ent – att&ck" to return only Tags named after Enterprise techniques and sub-techniques, use techniqueId is not null instead to return all ATT&CK Tags that map to Enterprise techniques and sub-techniques.
  • If you use Playbooks that execute when a particular Tag is applied to or removed from an object, review the configuration of those Playbooks and verify whether they will need to be updated based on the results of the ATT&CK Tag conversion process. For example, if you use a Playbook configured to execute when a Tag whose summary contains “ENT – ATT&CK” is applied to an Indicator, you may need to update the Trigger's configuration, as ATT&CK Tags do not include that specific text in their summaries.

ATT&CK Tag Conversion Rules

Table 1 describes the pre-configured ATT&CK Tag conversion rules to which System Administrators can add owners in order to convert their standard Tags to ATT&CK Tags.

Rule Name: Exact Match
Description: This rule converts standard Tags that have the same name as an ATT&CK technique/sub-technique, or the same combination of technique/sub-technique ID and name, to the corresponding ATT&CK Tag.
Example Matches: The following Tags would be converted to the T1055 - Process Injection ATT&CK Tag:
  • T1055 - Process Injection
  • t1055 - process injection
  • Process Injection
  • process injection

Rule Name: Approximate Match
Description: This rule converts standard Tags that start with the letter “T” followed by a set of digits that map to a technique/sub-technique ID (e.g., T1055, T1055.001) to the corresponding ATT&CK Tag.
Example Matches: The following Tags would be converted to the T1055 - Process Injection ATT&CK Tag:
  • T1055
  • t1055
  • T1055_Process injection
  • t1055: Injecting code into processes
Important
By default, all newly created Tags that meet the conditions of the Exact Match rule will be converted to ATT&CK Tags, regardless of whether their owner is added to a conversion rule. If an owner is added to the Exact Match rule, existing Tags in that owner that meet the rule’s conditions will also be converted to ATT&CK Tags. If an owner is added to the Approximate Match rule, existing Tags in that owner that meet the rule’s conditions will be converted to ATT&CK Tags, and newly created Tags that meet the conditions of the Exact Match or Approximate Match rule will be converted to ATT&CK Tags.
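To make the two rules concrete before running an irreversible conversion, the following Python sketch (an added example, not ThreatConnect's own code) applies approximations of the Exact Match and Approximate Match rules to a constructed technique table and produces a preview list like the one in the Preview Changes window. The technique table, the case-insensitive comparison and the ID prefix regex are assumptions about how the rules behave.

```python
import re

# Constructed subset of the ATT&CK Enterprise matrix (ID -> name), assumed for
# this example; it is not data from the page or from ThreatConnect.
TECHNIQUES = {
    "T1055": "Process Injection",
    "T1055.001": "Dynamic-link Library Injection",
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
}

# Leading "T" (any case) + four digits, optionally ".nnn" for a sub-technique.
_ID_RE = re.compile(r"^[Tt](\d{4})(?:\.(\d{3}))?(?!\d)")


def _attack_tag(technique_id):
    """Canonical ATT&CK Tag name: '<ID> - <technique name>'."""
    return f"{technique_id} - {TECHNIQUES[technique_id]}"


def exact_match(tag):
    """Exact Match rule (assumed case-insensitive): the Tag name equals a
    technique name, or the 'ID - name' combination, for some technique."""
    name = tag.strip().lower()
    for tid, tname in TECHNIQUES.items():
        if name in (tname.lower(), f"{tid} - {tname}".lower()):
            return _attack_tag(tid)
    return None


def approximate_match(tag):
    """Approximate Match rule: the Tag starts with 'T' plus digits that map to
    a known technique/sub-technique ID; the rest of the name is ignored."""
    m = _ID_RE.match(tag.strip())
    if not m:
        return None
    tid = "T" + m.group(1) + (f".{m.group(2)}" if m.group(2) else "")
    return _attack_tag(tid) if tid in TECHNIQUES else None


def preview_conversion(tags, rule):
    """Mimic the Preview Changes window: return (standard Tag, ATT&CK Tag)
    pairs that the chosen rule would convert; unmatched Tags are left alone."""
    matcher = exact_match if rule == "Exact Match" else approximate_match
    converted = []
    for tag in tags:
        target = matcher(tag)
        if target is not None:
            converted.append((tag, target))
    return converted
```

Running preview_conversion over an owner's exported Tag names shows which standard Tags would disappear from that owner, which is the list worth reviewing against existing TQL queries and Playbook Triggers.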

Adding an Owner to a Conversion Rule

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Settings and select System Settings. The System Settings screen will be displayed with the Settings tab selected.
  3. Select the Tags tab. The Normalization section of the Tags screen will be displayed.
  4. Select ATT&CK Tag Conversion from the menu on the left side of the screen. The ATT&CK Tag Conversion screen will be displayed (Figure 3).
    Figure 3

  5. Expand the conversion rule to which you want to add an owner. By default, the Exact Match rule is expanded.
  6. Click the + Add Owners button. The Add Owners window will be displayed (Figure 4).
    Figure 4

    • Select the checkbox for each owner you want to add to the selected conversion rule. Owners may be filtered by name and type using the search bar and dropdown, respectively, at the top left of the window.
      Important
      You can add an owner to only one conversion rule. If an owner is already added to a conversion rule, that rule will be listed in the Current Rule column of the Add Owners window. Adding an owner to another conversion rule while it is already added to a conversion rule will remove it from the previous rule.
    • Preview: Click this icon to display the Preview Changes window, which shows each existing standard Tag that matches the rule’s format and the ATT&CK Tag to which it will be converted. It is recommended to preview the list of Tags that will be converted, as these Tags will be removed from the selected owner(s) as part of the conversion process.
    • Click the SAVE button.
  7. After clicking the Save button on the Add Owners window, the Convert Existing Tags window will be displayed (Figure 5). Click the Convert button to start the conversion process for each owner added to the selected conversion rule.
    Figure 5

    Warning
    The conversion process cannot be stopped once started and is irreversible. As part of the conversion process, the standard Tags that are converted to ATT&CK Tags will be removed from the selected owner(s).

The Status column on the ATT&CK Tag Conversion screen (Figure 1) indicates the status of the conversion process. If the process is queued or in progress, a status of Queued will be displayed. Once the process is complete, a status of Converted will be displayed. To refresh the status displayed in the Status column, click the Refresh button at the top right of the screen.

Rerunning the Conversion Process

To rerun the conversion process for an owner added to a conversion rule, expand the desired rule and click Rerun in the Options column for that owner. Note that the conversion process will start without prompting you for confirmation.

Removing an Owner From a Conversion Rule

To remove an owner from a conversion rule, expand the desired rule and click Delete in the Options column for that owner.

Important
Removing an owner from a conversion rule does not revert previous conversion processes run on its standard Tags. Also, any new Tags created in that owner that meet the conditions of the Exact Match rule will still be converted to ATT&CK Tags.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20151-02 v.01.B