MITRE ATT&CK
Orbital adheres to MITRE ATT&CK. MITRE ATT&CK is a knowledge base that contains listings and descriptions of tactics, techniques, and sub-techniques used by adversaries to attack an organization's infrastructure. This knowledge base is based on real-world observations and investigations. It is useful for threat risk assessment, security improvements, and verifying defense effectiveness.
The ATT&CK knowledge base employs a hierarchical structure, with tactics at the top, followed by techniques, and then sub-techniques. Techniques are mapped to tactics using the tactic's ID, and a technique can apply to more than one tactic; however, not all tactics have techniques. Sub-techniques relate to techniques in the same manner that techniques relate back to tactics. Sub-techniques are detailed descriptions of specific implementations of a technique.
For more information on ATT&CK TACTICS, refer to the MITRE ATT&CK Tactics web page. Additionally, for more information on ATT&CK TECHNIQUES, refer to the MITRE ATT&CK Techniques web page.
Note: All predefined catalog queries and scripts have MITRE ATT&CK tactics and techniques assigned to them.
MITRE ATT&CK Indicator
The MITRE ATT&CK Indicator, shown in the figure below, is used to indicate which MITRE ATT&CK Tactics, Techniques, and Sub-techniques a given stock query or stock script adheres to.
The MITRE ATT&CK Indicator contains 14 dots, each of which corresponds to a different tactic. Starting on the left, the severity of the tactics increases with each dot as you move to the right, as shown in the figure below.
Starting on the left, each dot corresponds to a specific tactic, as defined below.
Dot № | Corresponding Tactic
---|---
1 | TA0043:Reconnaissance
2 | TA0042:Resource Development
3 | TA0001:Initial Access
4 | TA0002:Execution
5 | TA0003:Persistence
6 | TA0004:Privilege Escalation
7 | TA0005:Defense Evasion
8 | TA0006:Credential Access
9 | TA0007:Discovery
10 | TA0008:Lateral Movement
11 | TA0009:Collection
12 | TA0011:Command and Control
13 | TA0010:Exfiltration
14 | TA0040:Impact
Orbital identifies which tactic a particular query or script adheres to by displaying the corresponding dot darker than the others. If, for example, the third dot from the left is darker than the surrounding dots, the query adheres to the TA0001:Initial Access MITRE ATT&CK tactic. If all of the dots in the MITRE ATT&CK Indicator are grey, the query or script does not adhere to any MITRE tactic.
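As an added illustration, not Orbital's own code, the following Python derives which dots are darkened from the techniques assigned to a query, using the dot order in the table above and a constructed subset of the public ATT&CK technique-to-tactic mapping; `TECHNIQUE_TACTICS` and the function names are assumptions, and sub-techniques inherit their parent technique's tactics as described above.

```python
# Added example (not Orbital's code): derive the 14-dot MITRE ATT&CK
# Indicator state from the technique IDs assigned to a catalog query.
import re

# Dot position -> tactic ID, in the left-to-right order the indicator uses.
DOT_TACTICS = [
    "TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
    "TA0006", "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040",
]

# Constructed subset of the ATT&CK technique -> tactic mapping (assumption).
# A technique may belong to several tactics: T1078 Valid Accounts is in four.
TECHNIQUE_TACTICS = {
    "T1059": {"TA0002"},                                 # Command and Scripting Interpreter
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"},  # Valid Accounts
    "T1041": {"TA0010"},                                 # Exfiltration Over C2 Channel
}

TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def parent_technique(technique_id: str) -> str:
    """Sub-techniques (T1059.001) inherit the tactics of their parent (T1059)."""
    m = TECHNIQUE_ID.match(technique_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return m.group(1)


def applied_tactics(technique_ids) -> set:
    """Union of the tactics of every assigned technique or sub-technique."""
    tactics = set()
    for tid in technique_ids:
        parent = parent_technique(tid)
        if parent not in TECHNIQUE_TACTICS:
            raise KeyError(f"technique {parent} is not in the mapping")
        tactics |= TECHNIQUE_TACTICS[parent]
    return tactics


def lit_dots(technique_ids) -> list:
    """1-based numbers of the darkened dots, matching the table's Dot № column."""
    tactics = applied_tactics(technique_ids)
    return [i + 1 for i, t in enumerate(DOT_TACTICS) if t in tactics]


def render_indicator(technique_ids) -> str:
    """One character per dot: '#' for a darkened (applied) tactic, '.' for grey."""
    lit = set(lit_dots(technique_ids))
    return "".join("#" if i + 1 in lit else "." for i in range(len(DOT_TACTICS)))
```

A query assigned only T1078 darkens dots 3, 5, 6 and 7, and a query with no techniques renders all 14 dots grey.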
When you hover over the MITRE ATT&CK Indicator, Orbital will display the Applied Tactics popup, shown in the figure below, which corresponds to the table above.
Clicking the MITRE ATT&CK Indicator will display the Tactics Detail popup, shown in the figure below.
This popup lists only those tactics, techniques, and sub-techniques that the query or script adheres to. In addition to listing their names, the Tactics Detail popup provides a description of each related tactic, technique, and sub-technique, along with a link to the MITRE ATT&CK web page that describes it.