Introduction to MITRE ATT&CK, STIX, and TAXII

7 min readMay 25, 2021

What is MITRE?

If you are new to cybersecurity, it can be a daunting task to know what resources are used in the industry. In this article, we are going to introduce you to MITRE. If you go to the MITRE website (mitre.org) and navigate to the ABOUT page, they have this statement which describes the organization:

At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.

MITRE is a non-profit organization that has a large portion of its funding provided by the U.S. government. They work on solving all sorts of problems, one of which is cyber-security. You may ask, why should I care about this? MITRE has created three things that are heavily used in the cyber-security field.

1. STIX

2. TAXII

3. The MITRE ATT&CK Framework

We are going to give you a basic understanding of these concepts and provide you with the resources to do more research for yourself to gain a deeper level of knowledge. We would recommend that you familiarize yourself with all these concepts as they are all used in the cyber-security field.

(Cyber) Threat Intelligence

To understand some of the proceeding concepts you will need to understand what threat intelligence is. CrowdStrike who is a threat intelligence provider defines cyber threat intelligence as this:

“Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.” –

Source: https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/

Put simply threat intelligence is information that is shared about previous or on-going attacks. This information is analyzed for the purpose of learning how to protect or prevent the same attack from happening to the consumer of the threat intelligence. An example of Cyber Threat Intelligence might contain information such as a malicious actor from a specific country or criminal organization, it could contain information about details of email phishing campaigns or malware that may affect a system.

STIX

STIX is a way to communicate information in a structured format. If you are familiar with JSON, then STIX should look familiar. STIX provides a structure for people to package threat intelligence data, put more simply is defines elements in JSON data structure. The structure has the following STIX Domain Objects (SDOs):

· Attack Pattern

· Campaign

· Course of Action

· Grouping

· Identity

· Indicator

· Infrastructure

· Intrusion Set

· Location

· Malware

· Malware Analysis

· Note

· Observed Data

· Opinion

· Report

· Threat Actor

· Tool

· Vulnerability

There are also two additional data points that MITRE refers to as STIX Relationship Objects (SROs)

· Relationship

· Sighting

So based on this information, an organization that leverages a threat intelligence service can start to build out a map like one that is displayed below.

You may be able to decern from this graphic, indicators can be attributed to threat actors, such as a criminal organization. Threat actors, like a criminal organization, can run an attack campaign, which is a series have actions to try to harm an organization. These data points paint a picture of how a threat actor will attempt to attack organizations over time.

We would highly recommend that you review details of SDOs and SROs if you plan on digging into Cyber Threat Intelligence.

https://oasis-open.github.io/cti-documentation/stix/intro

TAXII

TAXII may be an easier concept to understand than Cyber Threat Intelligence if you are new to information security. TAXII is really a communications methodology, it is broken down into two primary logical areas: collections and channels.

At it is core TAXII is an application protocol that runs over HTTPS, and TAXII defines communication over a RESTful API. Explaining what an API interface goes beyond the scope of this article, but if you are not familiar with it, I would recommend you investigate what an API is. It is used within the cyber-security space frequently when trying to work with data.

According to MITRE collections and channels are:

”Collection — A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers: TAXII Clients and Servers exchange information in a request-response model.

Channel — Maintained by a TAXII Server, a Channel allows producers to push data to many consumers and consumers to receive data from many producers: TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model. Note: The TAXII 2.1 specification reserves the keywords required for Channels but does not specify Channel services. Channels and their services will be defined in a later version of TAXII.”

I do not want to dive too deep into TAXII because you will likely consume it as a service, and you do not need to deeply understand the deeper workings. I would think of TAXII like email, with email there is a specific format on how emails should be structured, you need things like:

· Source address

· Destination address

· Subject

· Headers

· Body

· Etc

You can think about the format and structure of a STIX object like the structure of an email. TAXII on the other hand acts like your email server, it is a server that transmits the STIX data over the HTTP(S) protocol.

Generally, when you want to use a STIX / TAXII resource you will install a TAXII client. There are many TAXII clients that you can install free of charge, and there are many TAXII compliance threat intelligence sources that are available for you to consume for free. An extremely popular free STIX/TAXII service is OTX by AT&T:

https://cybersecurity.att.com/blogs/security-essentials/otx-is-now-a-free-stix-taxii-server

You can sign up for this service to start looking that examples of real cyber threat intelligence.

MITRE ATT&CK

In my opinion MITRE ATT&CK may be one of the best resources for learning about cybersecurity on the Internet. Why would I say that and what is MITRE ATT&CK are questions you may ask? Per MITRE the ATT&CK framework is:

“a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” — https://attack.mitre.org/

If you are new to cybersecurity this may not be an easy definition to understand. Simply put, MITRE ATT&CK is a collection of attack techniques that have been used in real-world cyber-attacks. These attack techniques are put into various categories which are as follows:

· Reconnaissance — The adversary is trying to gather the information they can use to plan future operations.

· Resource Development — The adversary is trying to establish resources they can use to support operations.

· Initial Access — The adversary is trying to get into your network.

· Execution — The adversary is trying to run malicious code.

· Persistence — The adversary is trying to maintain their foothold.

· Privilege Escalation — The adversary is trying to gain higher-level permissions.

· Defense Evasion — The adversary is trying to avoid being detected.

· Credential Access — The adversary is trying to steal account names and passwords.

· Discovery — The adversary is trying to figure out your environment.

· Lateral Movement — The adversary is trying to move through your environment.

· Collection — The adversary is trying to gather data of interest to their goal.

· Command and Control — The adversary is trying to communicate with compromised systems to control them.

· Exfiltration — The adversary is trying to steal data.

· Impact — The adversary is trying to manipulate, interrupt, or destroy your systems and data.

So why is this such a great resource? MITRE ATT&CK is beneficial for individuals who want to learn how to defend networks, but it also helps those who want to go into red team activities identify skills to practice. These are the attacks that are succeeding in the wild, so those are the attacks you should learn if you are trying to become a penetration tester. The MITRE ATT&CK Matrix could fill a complete course on its own and I would recommend that you dive deep into the framework, so you gain a deeper understanding of the topic.

In this article, we have introduced you to MITRE. We have identified three key things that MITRE has produced that are commonly used in the cybersecurity industry today: