ATT&CK Tags
  • 20 Jun 2024
  • 10 Minutes to read
  • Dark
    Light

ATT&CK Tags

  • Dark
    Light

Article summary

An ATT&CK® Tag is a system-generated Tag that represents a technique or sub-technique in the MITRE ATT&CK® Enterprise Matrix. ATT&CK Tags are tied directly to the ATT&CK Visualizer in ThreatConnect®, as they must be applied to a Group in order to view the Group’s techniques and sub-techniques when using the ATT&CK Visualizer with the Group added as an analysis layer. In addition to Groups, you can apply ATT&CK Tags to Indicators, Intelligence Requirements (IRs), Victims, and Workflow Cases.

System Administrators can use pre-configured rules to convert standard Tags to ATT&CK Tags based on whether they exactly or approximately match a specific ATT&CK Tag. These rules ensure that all users on the ThreatConnect instance use ATT&CK Tags when identifying the techniques and sub-techniques associated with a particular object.

Important
ATT&CK Tags do not belong to an owner, as they are created at the system level, and cannot be deleted. Also, they cannot be used as synonymous Tags when configuring Tag normalization rules.

Before You Start

User Roles

  • To view the Details drawer and Details screen for an ATT&CK Tag, your user account can have any Organization role.
  • To apply ATT&CK Tags to a threat intelligence data object in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To apply ATT&CK Tags to a threat intelligence data object in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.
  • To apply ATT&CK Tags to a Case in an Organization, your user account must have an Organization role of Standard User, Sharing User, or Organization Administrator.
  • To add a ThreatConnect owner to an ATT&CK Tag conversion rule, your user account must have a System role of Administrator.

Prerequisites

  • To be able to apply ATT&CK Tags to Cases, turn on Workflow for your Organization on the Account Settings screen (must be an Accounts, Operations, or System Administrator to perform this action).

Viewing ATT&CK Tag Details

Follow these steps to view only ATT&CK Tags on the Browse screen and access the Details drawer and screen for an ATT&CK Tag:

  1. Hover over Browse on the top navigation bar and select Tags.
  2. Click Advanced at the upper-right corner of the Browse screen to initiate an advanced query. By default, Tags will be selected from the dropdown to the left of the search bar at the top of the screen.
  3. Enter the following ThreatConnect Query Language (TQL) query into the search bar at the top of the Browse screen:
    techniqueId is not null
    Note
    To filter ATT&CK Tags based on a specific technique/sub-technique ID (T1055 in this example), enter a query in the following format: techniqueId is not null and techniqueId startswith "t1055".
  4. Click SearchSearch buttonto the right of the search bar on the Browse screen, or press the Enter key on your keyboard, to run the query and return only ATT&CK Tags.
  5. Select an ATT&CK Tag in the results table on the Browse screen to open its Details drawer. Alternatively, hover over an ATT&CK Tag in the results table and click on one of the following icons in its Summary cell to open its Details screen:
    • View full detailsView full details_Browse: Click this icon to open the ATT&CK Tag’s Details screen in the current browser tab.
    • View full details in new tabView full details in new tab icon: Click this icon to open the ATT&CK Tag’s Details screen in a new browser tab.

Applying ATT&CK Tags to an Object

While you are editing the Tags applied to a threat intelligence data object or a Case, ATT&CK Tags that match part or all of the text entered into the Tags text box will be listed under the ATT&CK Tags heading in the menu below the text box. In addition, each ATT&CK Tag will have theicon to the left of its name. Figure 1 shows a set of ATT&CK Tags that match the text “t1059” entered into the Tags text box.

Figure 1_ATT&CK Tags_7.2.0

 

Important
If there are standard Tags whose names match part or all of the entered text, they will be listed under the Standard Tags heading in the menu, which comes before the ATT&CK Tags heading. In this scenario, scroll down to view the list of ATT&CK Tags under the ATT&CK Tags heading.

To apply an ATT&CK Tag to an object while editing the object’s Tags, select the ATT&CK Tag from under the ATT&CK Tags heading in the menu below the Tags text box. Then, after all desired ATT&CK Tags haven been selected and added to the Tags text box, click Confirmto the right of the text box.

Identifying ATT&CK Tags Applied to an Object

You can identify ATT&CK Tags applied to an object in the following areas of ThreatConnect:

Figure 2 shows the Tags section of the Details card for an object with standard Tags and ATT&CK Tags applied to it.

Figure 2_ATT&CK Tags_7.2.0

 

  • Standard Tags: This section displays the standard Tags applied to the object. A standard Tag is any Tag that is not an ATT&CK Tag.
  • ATT&CK Tags: This section displays the ATT&CK Tags applied to object. An ATT&CK Tag will have theATT&CK Tag iconicon to the left of its name when viewing it on an object’s Details screen, as well when viewing the Tag on the Browse screen and the Details drawer.
Important
Tags copied from the MITRE ATT&CK Source are not ATT&CK Tags; rather, they are standard Tags named after ATT&CK techniques and sub-techniques. For example, the T1059 - Command and Scripting Interpreter - EXE - ENT - ATT&CK in Figure 2 is a standard Tag named after an ATT&CK technique. If this Tag has not been converted to an ATT&CK Tag and you apply it to a Group instead of the T1059 - Command and Scripting Interpreter ATT&CK Tag, you will not be able to view that technique when using the ATT&CK Visualizer while the Group is added as an analysis layer.

When viewing Groups, Indicators, IRs, and Victims on the Browse screen , you can use the advanced query feature to filter objects based on the ATT&CK Tags applied to them. For example, the following query will return only objects with an ATT&CK Tag representing one of the specified technique IDs applied to them:

hasTag(techniqueId is not null and techniqueId startswith ("T1486","T1490","T1027","T1047","T1036","T1059","T1562","T1112","T1204","T1055"))

For more information on using ATT&CK Tag–related TQL queries, see the “Query for ATT&CK Tags” section of Constructing Query Expressions.

Converting Standard Tags to ATT&CK Tags

Before Performing a Conversion

Before performing the ATT&CK Tag conversion process on an owner’s standard Tags, which is irreversible, review the following recommended tips:

  • If an owner contains standard Tags with common names that match the names of ATT&CK techniques (e.g., Phishing, Rootkit, Email Collection, etc.), verify whether you want to convert them to ATT&CK Tags. If you do not want to convert them, rename the standard Tags, or use Tag normalization rules to convert them to a main Tag whose name does not match an ATT&CK technique. For example, if you use a standard Tag named Phishing and you do not want to convert it to the T1566 – Phishing ATT&CK Tag, use either of these methods to change that standard Tag’s name to something like Phishing Attack, which does match an ATT&CK technique.
  • If you leverage ThreatConnect Query Language (TQL)queries (e.g., in dashboard cards), review those queries and determine whether they will need to be updated based on the results of the ATT&CK Tag conversion process. The following examples demonstrate scenarios where an existing query may need to be updated after completing the ATT&CK Tag conversion process:
    • If using a query such as summary contains "t1001" to return only Tags whose summary contains the technique ID “T1001,”, use techniqueId startswith "t1001" instead to retrieve the ATT&CK Tags that map to the “T1001” technique ID.
    • If using a query such as summary contains "ent – att&ck" to return only Tags named after Enterprise techniques and sub-techniques, use techniqueId is not null instead to return all ATT&CK Tags that map to Enterprise techniques and sub-techniques.
  • If you use Playbooks that execute when a particular Tag is applied to or removed from an object, review the configuration of those Playbooks and verify whether they will need to be updated based on the results of the ATT&CK Tag conversion process. For example, if you use a Playbook configured to execute when a Tag whose summary contains “ENT – ATT&CK” is applied to an Indicator, you may need to update the Trigger's configuration, as ATT&CK Tags do not include that specific text in their summaries.

ATT&CK Tag Conversion Rules

Table 1 describes the pre-configured ATT&CK Tag conversion rules to which System Administrators can add owners in order to convert their standard Tags to ATT&CK Tags.

 

Rule NameDescriptionExample Matches
Exact MatchThis rule converts standard Tags that have the same name as an ATT&CK technique/sub-technique or the same combination of technique/sub-technique ID and name to the corresponding ATT&CK Tag.The following Tags would be converted to the T1055 - Process Injection ATT&CK Tag:
  • T1055 - Process Injection
  • t1055 - process injection
  • Process Injection
  • process injection
Approximate MatchThis rule converts standard Tags that start with the letter “T” followed by a set of digits that map to a technique/sub-technique ID (e.g., T1055, T1055.001) to the corresponding ATT&CK Tag.The following Tags would be converted to the T1055 - Process Injection ATT&CK Tag:
  • T1055
  • t1055
  • T1055_Process injection
  • t1055: Injecting code into processes
Important
By default, all newly created Tags that meet the conditions of the Exact Match rule will be converted to ATT&CK Tags, regardless of whether their owner is added to a conversion rule. If an owner is added to the Exact Match rule, existing Tags in that owner that meet the rule’s conditions will also be converted to ATT&CK Tags. If an owner is added to the Approximate Match rule, existing Tags in that owner that meet the rule’s conditions will be converted to ATT&CK Tags, and newly created Tags that meet the conditions of the Exact Match or Approximate Match rule will be converted to ATT&CK Tags.

Adding an Owner to a Conversion Rule

Follow these steps to add a ThreatConnect owner to an ATT&CK Tag conversion rule:

  1. Log into ThreatConnect with a System Administrator account.
  2. Hover over SettingsSettings iconon the top navigation bar and select System Settings.
  3. Select the Tags tab on the System Settings screen.
  4. Select ATT&CK Tag Conversion from the menu on the left side of the Tags tab to access the ATT&CK Tag Conversion screen (Figure 3).
    Figure 3_ATT&CK Tags_7.2.0

     

  5. Expand the conversion rule you want to add an owner to, and then click + Add Owners. By default, the Exact Match rule is expanded.
  6. On the Add Owners window (Figure 4), select the checkbox for each owner you want to add to the conversion rule.
    Figure 4_ATT&CK Tags_7.2.0

     

    Important
    You can add an owner to only one conversion rule. If an owner is already added to a conversion rule, that rule will be listed in the Current Rule column of the Add Owners window. Adding an owner to another conversion rule while it is already added to a conversion rule will remove it from the previous rule.
  7. Click PreviewPreview iconin the rightmost column for an owner on the Add Owners window to view each existing standard Tag that matches the conversion rule’s format and the ATT&CK Tag to which it will be converted. It is recommended to preview the list of Tags that will be converted, as these Tags will be removed from the selected owner(s) as part of the conversion process.
  8. Click SAVE on the Add Owners window. Then click Convert on the Convert Existing Tags window (Figure 5) to start the conversion process for each owner added to the conversion rule.
    Figure 5_ATT&CK Tags_7.2.0

     

    Warning
    The conversion process cannot be stopped once started and is irreversible. As part of the conversion process, the standard Tags that are converted to ATT&CK Tags will be removed from the selected owner(s).

The Status column on the ATT&CK Tag Conversion screen (Figure 3) indicates the status of the conversion process for a given owner. If the process is queued or in progress, the Status column will display Queued for the owner. Once the process is complete, the Status column will display Converted for the owner. To refresh the status displayed in the Status column, click Refresh at the top right of the screen.

Rerunning the Conversion Process

To rerun the conversion process for an owner added to a conversion rule, expand the conversion rule on the ATT&CK Tag Conversion screen (Figure 3) and click RerunRerun iconin the Options column for that owner. Note that the conversion process will start without prompting you for confirmation.

Removing an Owner From a Conversion Rule

To remove an owner from a conversion rule, expand the conversion rule on the ATT&CK Tag Conversion screen (Figure 3) and click DeleteTrash icon_Blackin the Options column for that owner.

Important
Removing an owner from a conversion rule does not revert previous conversion processes run on its standard Tags. Also, any new Tags created in that owner that meet the conditions of the Exact Match rule will still be converted to ATT&CK Tags.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20151-02 v.01.C


Was this article helpful?

What's Next