MITRE ATT&CK
Orbital adheres to MITRE ATT&CK. It is a knowledge base that contains listings and descriptions of tactics, techniques, and sub-techniques used by adversaries to attack an organization's infrastructure. This knowledge base is grounded on real-world observations and investigations. It is useful for threat risk assessment, security improvements, and verifying defense effectiveness.
The ATT&CK knowledge base employs a hierarchical structure, employing tactics at the top, followed by techniques, and then sub-techniques. Techniques are mapped to tactics using the tactic's ID, and a technique can apply to more than one tactic; however, not all tactics have techniques. Sub-techniques relate to techniques in a similar manner to the method that techniques relate back to tactics. Sub-techniques are detailed descriptions of specific implementations of a technique.
For more information on ATT&CK Tactics, refer to the MITRE ATT&CK Tactics web page. Additionally, for more information on ATT&CK Techniques, refer to the MITRE ATT&CK Techniques web page.
All predefined catalog queries and scripts have MITRE ATT&CK tactics and techniques assigned to them.
MITRE ATT&CK Indicator
The MITRE ATT&CK Indicator, shown in the figure below, is used to indicate which MITRE ATT&CK Tactics, Techniques, and Sub-techniques a given stock query or stock script adheres to. The MITRE ATT&CK Indicator contains 14 dots, each one corresponding to a different tactic. Starting on the left, the severity of the tactics increases for each dot as you move to the right.
|
Dot № |
Corresponding Tactic |
|---|---|
| 1 | Reconnaissance (TA0043) |
| 2 | Resource Development (TA0042) |
| 3 | Initial Access (TA0001) |
| 4 | Execution (TA0002) |
| 5 | Persistence (TA0003) |
| 6 | Privilege Escalation (TA0004) |
| 7 | Defense Evasion (TA0005) |
| 8 | Credential Access (TA0006) |
| 9 | Discovery (TA0007) |
| 10 | Lateral Movement (TA0008) |
| 11 | Collection (TA0009) |
| 12 | Command and Control (TA0011) |
| 13 | Exfiltration (TA0010) |
| 14 | Impact (TA0040) |
The way in which Orbital identifies the tactic that a particular query or script adheres to is by displaying the corresponding dot darker than the others. If, for example, the third dot from the left is darker than the surrounding dots, it means that the query adheres to the Initial (TA0001) Access MITRE ATT&CK. If all of the dots in the MITRE ATT&CK Indicator are grey, the query or script does not adhere to any MITRE tactics.
When you hover over the MITRE ATT&CK Indicator, Orbital will display the Applied Tactics pop-up.
Clicking the MITRE ATT&CK Indicator will display the Tactics Detail pop-up. This pop-up will list only those tactics, techniques, and sub-techniques that the query or script adheres to. In addition, the Tactics Detail pop-up provides a description of the related tactics, techniques, and sub-techniques and provides a link to the MITRE ATT&CK website that describes the selected component.