How to build an ATT&CK display interface on a sandbox-based threat intelligence platform?

Posted by deaguero at 2020-02-28

Based on a study of some of the public ATT&CK material, the Hunting Shadow threat intelligence analysis team of the Anheng Security Research Institute has compiled some learning notes, covering:

What is ATT&CK?

How is ATT&CK used?

What are the advantages, common pitfalls and prospects of ATT&CK?

How to build an ATT&CK display interface on a sandbox-based threat intelligence platform using public information?

Learning notes

These notes are based on the following five public documents:

• 《MITRE ATT&CK: Design and Philosophy》

• 《Putting MITRE ATT&CK into Action with What You Have, Where You Are》

• 《Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK》

• 《ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches》

• 《ATT&CK™ Is Only as Good as Its Implementation: Avoiding Five Common Pitfalls》

What is ATT&CK?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a model that describes, from the attacker's perspective, the techniques used at each stage of an attack.

The model was proposed by the MITRE Corporation, which has long done threat modeling for the U.S. military; the well-known STIX model was also proposed by MITRE earlier.

The official definition of ATT&CK reads:

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.

Technology domains and platforms

The most intuitive representation of ATT&CK is a matrix. ATT&CK is organized by technology domain and platform as follows:

Technology domain | Platform(s) defined
Enterprise        | Linux, macOS, Windows, Cloud
Mobile            | Android, iOS

In the matrix representation itself, the classification above covers the post-compromise phase. To describe the pre-compromise phase, ATT&CK defines a separate matrix, the PRE-ATT&CK matrix.

Design philosophy

• It maintains the adversary's perspective

• It follows real-world use of activity through empirical use examples

• The level of abstraction is appropriate to bridge offensive action with possible defensive countermeasures

Abstraction level

According to the official statement, ATT&CK is positioned at a mid-level of abstraction. Consider the following figure:

As the figure shows, MITRE regards Lockheed Martin's Cyber Kill Chain as a relatively high-level abstraction. The official Lockheed Martin Cyber Kill Chain is shown below:

MITRE considers such a model very useful for understanding the high-level process and the attacker's objectives, but it cannot effectively describe what the adversary did in a single action, for example:

• What is the link between one action and another?

• How does a sequence of actions relate to the adversary's tactical objectives?

• How do these actions relate specifically to the data sources, defenses, configurations and other countermeasures used on a given platform or technology domain?

At the other end are concepts with a low level of abstraction (or almost none), such as exploit databases and malware databases. In MITRE's view, these describe the implementation details of specific techniques very well, often down to code fragments, but their weakness is that they "see the trees, not the forest". When a researcher analyzes a specific vulnerability or exploit, or a specific malware sample, it is not clear when, under what circumstances, and by whom it is used, so effective context is lacking. Moreover, this level of description does not account for how legitimate software can be used to carry out malicious operations.

ATT&CK, as a mid-level model, ties these parts together. The tactics and techniques in ATT&CK define an adversary's behavior across the life cycle at a level that maps more effectively to defenses. High-level concepts (tactics) such as execution, persistence, and command and control are broken down into more descriptive categories (techniques). The way a technique is carried out can be subdivided further, and one technique may be implemented in many ways.

A mid-level model also puts the low-abstraction concepts (exploits, malware) into context. Exploits and malware are useful parts of an adversary's arsenal, but to fully understand their utility one has to understand the context in which they are used to achieve an objective. A mid-level model also links threat intelligence and incident data, showing who is doing what and how widely a given technique is used.

Data structure

When defining ATT&CK, MITRE defines several key objects:

• Tactics

• Techniques

• Groups

• Software

Section 3 of 《MITRE ATT&CK: Design and Philosophy》 defines the data structure of these four objects in detail. The relationships between them are shown below:

To ground this in a concrete case, the original text gives APT28 as an example:

For more on this section, read 《MITRE ATT&CK: Design and Philosophy》.

How is ATT&CK used?

What can ATT&CK do? The official answer:

• Detection (improving detection)

• Assessment and engineering

• Threat intelligence

• Adversary emulation

Below is a short list of the ways ATT&CK can be used to improve the detection part.


• Improve focus on post-exploit activity (in addition to perimeter defenses)

– based on our existing logs (sandbox logs)

– rate the coverage of current detection capability

– rate the quality of each detection

– rate the confidence in each detection

• Move toward detecting a broad range of TTPs, not just indicators

• Organize detections so as to:

– find gaps in coverage

– track improvement over time

For more on assessment and engineering, threat intelligence and adversary emulation, read 《Putting MITRE ATT&CK into Action with What You Have, Where You Are》 and 《ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches》.


Advantages

Current problems with threat intelligence:

• Too many reports to read

• Difficult to apply intelligence to defense

• Reliance on IOCs

What ATT&CK-based threat intelligence brings:

• Structured threat intelligence makes it easier to digest APT reports

• Provides a way to compare intelligence directly with defenses

• Shifts the focus to TTPs and behavior-based detection

• Provides a common language for communication

• Allows us to compare APT groups

The details of this part can be found in 《ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches》.

Five common pitfalls

1. Don't assume all techniques are equal

2. Don't try to build alerts for every technique

3. Don't overestimate your coverage

4. Don't stay in the matrix

5. Don't forget the fundamentals

The details of this part can be found in 《ATT&CK™ Is Only as Good as Its Implementation: Avoiding Five Common Pitfalls》.

Challenges

• Being realistic about coverage

• Handling false positives

– more coverage means more false positives

– false positives can be reduced with newer methods such as machine/deep learning

• Getting and searching data

For details of this part, refer to 《Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK》.

Prospects

• Improve and add to ATT&CK content

– sub-techniques

– impacts

– new technology domains

• Continue to grow the ATT&CK community

• Open up the development and governance of ATT&CK

• Build a new website and infrastructure that make ATT&CK easier to use

For details of this part, refer to 《Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK》.

Other reference links

• Atomic Red Team

• 《Threat Detection Report 2019》

Feasibility analysis of displaying the ATT&CK matrix

We assume that readers have experience developing sandbox systems, or are at least familiar with the full Cuckoo Sandbox workflow. Having seen various foreign cloud sandboxes integrate ATT&CK into their platforms, readers may be wondering: how can ATT&CK be integrated more quickly into the threat intelligence platform they are working on?

Below, I walk through a feasibility analysis.

Current situation

Mainstream foreign sandbox products have already added an ATT&CK display interface:

- Hybrid Analysis

- Joe Sandbox

Major foreign threat analysis vendors also include ATT&CK descriptions in their reports:

- Unit 42
Requirements

To add an ATT&CK matrix display to the sandbox platform, the work breaks down into the following steps:

1. Add the associated ATT&CK ID (for example T10xx) to each rule in the rule file, and make sure the field is carried through when the rule later hits so it can be extracted

2. Add a complete ATT&CK matrix to the task result display interface

3. For each task, when the interface is rendered, extract the hit ATT&CK IDs and query them, as follows:

1) Map every hit ATT&CK ID onto the full matrix from step 2

2) For a given ATT&CK ID, query its details (taking Joe Sandbox as the example: ID, name, description, tactics, data sources, platforms, URLs, and the rules that hit); this requires a query database

3) When the user clicks a hit ATT&CK ID cell, a dialog pops up showing the fields above and the corresponding rules

Preparatory work

Here we take native Cuckoo as the example. Its official documentation describes the signature hit format as follows:

So to complete step 1 above, the reader has to bind the relevant ATT&CK ID to the corresponding rule in Cuckoo's signature files. This is not difficult; it is purely manual work, but it is worth validating the bindings and keeping a list of rules that still lack one.
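As an added example (not code from the original post and not Cuckoo's own code), the following Python shows one way to do the binding of step 1 and the extraction that step 3 depends on. It assumes Cuckoo-style signatures are Python classes with name/description/severity attributes and adds a `ttp` list for the bound ATT&CK IDs; a minimal stand-in base class is defined so it runs without Cuckoo installed. The three signatures and the task report are constructed for the example, and the report shape (a `signatures` list whose entries carry the rule's `ttp` list) is an assumption about how the bound attribute is serialised.

```python
import re

# Stand-in for cuckoo.common.abstracts.Signature (assumption: real signatures
# expose these attributes; the ``ttp`` list is the binding added in step 1).
class Signature:
    name = ""
    description = ""
    severity = 1
    ttp = []  # ATT&CK technique IDs bound to this rule

# Accept T#### and, for sub-techniques, T####.###
ATTCK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


class InjectionRWX(Signature):          # constructed rule
    name = "injection_rwx"
    description = "Creates RWX memory in another process"
    severity = 3
    ttp = ["T1055"]                     # Process Injection


class AntiVMVBox(Signature):            # constructed rule
    name = "antivm_vbox_keys"
    description = "Checks for VirtualBox registry keys"
    severity = 2
    ttp = ["T1497"]                     # Virtualization/Sandbox Evasion


class ReadsHostsFile(Signature):        # constructed rule, not yet bound
    name = "reads_hosts_file"
    description = "Reads the hosts file"
    severity = 1


def check_bindings(signatures):
    """Validate the manual binding work.

    Returns (bad, unbound): ``bad`` lists (rule, id) pairs whose id is not a
    well-formed ATT&CK technique id; ``unbound`` lists rules with no id at all,
    i.e. the remaining manual work.
    """
    bad, unbound = [], []
    for sig in signatures:
        if not sig.ttp:
            unbound.append(sig.name)
        for tid in sig.ttp:
            if not ATTCK_ID.match(tid):
                bad.append((sig.name, tid))
    return bad, unbound


def serialize_hit(sig_cls):
    """The report entry written when a rule fires: the ``ttp`` field must be
    carried through here, otherwise the UI has nothing to extract later."""
    return {"name": sig_cls.name, "description": sig_cls.description,
            "severity": sig_cls.severity, "ttp": list(sig_cls.ttp)}


def hits_by_technique(report):
    """Invert the per-task signature hits into {attck_id: [rule names]},
    which is what the matrix rendering consumes."""
    hits = {}
    for sig in report.get("signatures", []):
        for tid in sig.get("ttp", []):
            rules = hits.setdefault(tid, [])
            if sig["name"] not in rules:
                rules.append(sig["name"])
    return hits


# Constructed task report: all three rules fired, one of them has no binding.
SAMPLE_REPORT = {
    "signatures": [serialize_hit(c) for c in (InjectionRWX, AntiVMVBox, ReadsHostsFile)]
}

if __name__ == "__main__":
    print(check_bindings([InjectionRWX, AntiVMVBox, ReadsHostsFile]))
    print(hits_by_technique(SAMPLE_REPORT))
```

Running `check_bindings` over the whole signature set in CI is a cheap way to catch typos such as a lowercase `t10xx` before they silently produce cells that never map onto the matrix.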

Feasibility analysis

With the preparatory work done, the remaining question is how to obtain the ID, name, description, tactics, data sources, platforms and URLs.

Getting the information you need

MITRE has open-sourced a CTI project on GitHub (mitre/cti) that contains the data we need.

The following directory in that project holds the details of each technique.

Each JSON file in it represents one ATT&CK technique.

Take this file as an example; its contents are as follows:

MITRE also explains the relevant fields in detail in the accompanying documentation:

From a feasibility standpoint, therefore, a Cuckoo-based sandbox can add a per-task ATT&CK matrix display in a fairly short time.

(At the time of writing) there were 244 JSON files in this directory (there may be more now); the only requirement is that the lookup be fast enough to render the corresponding information within a delay the user will accept, which rules out scanning the files on every page load.
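As an added example (not code from the original post or from MITRE), the following Python shows how the fields listed above can be pulled out of the CTI JSON and turned into the per-task matrix of steps 2 and 3. It assumes the attack-pattern files in the mitre/cti repository are STIX 2.0 bundles each wrapping one attack-pattern object, using the field names `kill_chain_phases`, `external_references`, `x_mitre_platforms` and `x_mitre_data_sources` found in that data; the two bundles embedded here are constructed, trimmed stand-ins with made-up STIX ids, and the tactic ordering table and the hit list are likewise constructed for the example.

```python
import json
from collections import defaultdict

# Enterprise tactic columns in matrix order: (kill-chain phase name used in the
# CTI data, display name). Constructed here; adjust to the ATT&CK version used.
TACTIC_ORDER = [
    ("initial-access", "Initial Access"), ("execution", "Execution"),
    ("persistence", "Persistence"), ("privilege-escalation", "Privilege Escalation"),
    ("defense-evasion", "Defense Evasion"), ("credential-access", "Credential Access"),
    ("discovery", "Discovery"), ("lateral-movement", "Lateral Movement"),
    ("collection", "Collection"), ("command-and-control", "Command and Control"),
    ("exfiltration", "Exfiltration"), ("impact", "Impact"),
]

def _bundle(obj):  # wrap one object the way each mitre/cti file does
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
            "spec_version": "2.0", "objects": [obj]}

# Constructed, trimmed attack-pattern objects (fake STIX ids, short text).
SAMPLE_BUNDLES = [
    _bundle({"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000001055",
             "name": "Process Injection", "description": "Adversaries may inject code into processes.",
             "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                                   {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
             "external_references": [{"source_name": "mitre-attack", "external_id": "T1055",
                                      "url": "https://attack.mitre.org/techniques/T1055"}],
             "x_mitre_platforms": ["Linux", "macOS", "Windows"],
             "x_mitre_data_sources": ["API monitoring", "Process monitoring"]}),
    _bundle({"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000001057",
             "name": "Process Discovery", "description": "Adversaries may enumerate running processes.",
             "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}],
             "external_references": [{"source_name": "mitre-attack", "external_id": "T1057",
                                      "url": "https://attack.mitre.org/techniques/T1057"}],
             "x_mitre_platforms": ["Linux", "macOS", "Windows"],
             "x_mitre_data_sources": ["Process monitoring", "Process command-line parameters"]}),
]

def technique_from_stix(obj):
    """Flatten one STIX attack-pattern into the fields the dialog displays."""
    refs = obj.get("external_references", [])
    mitre = [r for r in refs if r.get("source_name") == "mitre-attack"]
    if not mitre:
        return None
    return {
        "id": mitre[0]["external_id"],
        "name": obj["name"],
        "description": obj.get("description", ""),
        # PRE-ATT&CK phases use another kill_chain_name and are left out here
        "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"],
        "data_sources": obj.get("x_mitre_data_sources", []),
        "platforms": obj.get("x_mitre_platforms", []),
        "urls": [r["url"] for r in refs if r.get("url")],
    }

def build_index(bundles):
    """Index every live attack-pattern by ATT&CK id. Built once at startup (or
    persisted to the query database), so per-task lookups are dict hits rather
    than a scan over a few hundred files."""
    index = {}
    for bundle in bundles:
        objects = bundle["objects"] if bundle.get("type") == "bundle" else [bundle]
        for obj in objects:
            if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
                continue
            tech = technique_from_stix(obj)
            if tech:
                index[tech["id"]] = tech
    return index

def load_bundle_files(paths):
    """Read real mitre/cti files from disk (not used by the offline sample)."""
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            yield json.load(fh)

def build_matrix(index, hits):
    """hits: {attck_id: [rule names]} for one task. Returns (matrix, unknown):
    matrix is [(tactic display name, [cells])] in column order, a technique
    belonging to several tactics appears in each; unknown lists hit ids the
    index does not know (stale bindings that should be surfaced, not dropped)."""
    columns, unknown = defaultdict(list), []
    for attck_id, rules in sorted(hits.items()):
        tech = index.get(attck_id)
        if tech is None:
            unknown.append(attck_id)
            continue
        for tactic in tech["tactics"]:
            columns[tactic].append({"id": attck_id, "name": tech["name"], "rules": list(rules)})
    return [(label, columns.get(key, [])) for key, label in TACTIC_ORDER], unknown

def cell_detail(index, hits, attck_id):
    """Payload for the pop-up dialog: all technique fields plus the rules that hit."""
    return dict(index[attck_id], rules=list(hits.get(attck_id, [])))
```

The sample hit list a test would feed in is the output of the previous step, e.g. `{"T1055": ["injection_rwx"], "T1057": ["enumerates_running_processes"]}`; an id the index does not know is returned in `unknown` rather than silently dropped, which is how a rule bound to a since-revoked or mistyped id gets noticed.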

Outlook

Once the ATT&CK matrix is displayed, threat analysts can use the similarity of TTPs in the matrix to correlate APT samples from the same source, and those responsible for detection can use the matrix to keep refining the detection points that are not yet covered.

Team Introduction

The Hunting Shadow threat analysis team is a team of the Anheng Security Research Institute focused on attack and defense research. It is made up of young researchers skilled in attack and defense technology, APT analysis and binary research. Anyone interested in security detection, binary research and attack/defense research is welcome to join us.

Recruitment: binary security researcher

Job description:

1. Perform data mining on top of daily suspicious file analysis to discover APT attack events;

2. Analyze suspicious files reported by customers, write analysis reports, provide solutions, etc.;

3. Analyze hot security events and the latest vulnerabilities, writing analysis reports or PoC code, etc.;

4. Research new detection methods, maintain and improve APT detection and other product strategies;

5. Assist in building the internal threat analysis platform, etc.

Job requirements:

1. Familiar with debugging on Windows and Linux and with common reverse-engineering tools (IDA, WinDbg, OllyDbg, etc.);

2. Familiar with C/C++, assembly and at least one scripting language, able to write PoC code quickly;

3. Familiar with how viruses and trojans communicate, the common techniques they use and common encryption algorithms, etc.;

4. Familiar with the principles of security vulnerabilities, able to analyze document vulnerabilities independently;

5. At least one year of work experience in reverse engineering and security research; strong candidates are not limited by years of experience;

6. Able to mine large data sets, highly sensitive to data, and able to perform association analysis on data quickly;

7. Clear thinking, proactive, innovative, able to analyze and solve problems independently, with good communication skills and team spirit;

8. Experience in vulnerability analysis, trojan analysis, web attack and defense, threat intelligence mining, anti-APT, machine learning, IoT, ICS, etc. is preferred.

Contact:

[email protected]
