Overview
Maltiverse offers an Automated MITRE ATT&CK® Enrichment feature that automatically labels Indicators of Compromise (IoCs) with MITRE ATT&CK® categorizations. The mapping is based on the information provided in the blacklist.description field of the IoC data.
The enrichment process ensures that IoCs, such as malicious hostnames, URLs, or files, are enhanced with relevant MITRE ATT&CK® information, including malware families, groups, or tactics. This enrichment is particularly useful for cybersecurity teams to better understand the nature of the threat and associate it with known adversarial techniques, tactics, or software.
Key Features
- Automatic Mapping to MITRE ATT&CK®: Based on the IoC description, the system automatically enriches the IoC with appropriate MITRE ATT&CK® techniques, tactics, or groups.
- Real-time Labeling: Upon uploading IoCs into Maltiverse, the enrichment happens instantly.
- External References: The enrichment adds a reference to the MITRE ATT&CK® knowledge base, including descriptions, external IDs, and links.
How MITRE ATT&CK® Enrichment Works
When you upload an IoC, such as a malicious hostname, URL, or IP address, the system examines the blacklist.description field for known threat actor names, malware families, or attack techniques. If a match is found with a MITRE ATT&CK® entry, the system enriches the IoC by adding the corresponding details to the blacklist.external_references field.
Example: Enrichment for “Cobalt Strike”
Consider an example where you upload a malicious hostname with the description:
    "blacklist.description": "Cobalt Strike"
In this case, Maltiverse will automatically map “Cobalt Strike” to its corresponding MITRE ATT&CK® software entry and enrich the IoC as follows:
    "external_references": [
        {
            "description": "Cobalt Strike",
            "external_id": "S0154",
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/software/S0154/"
        }
    ]
Enrichment Process
- Input IoC: The user uploads the IoC with a description that matches a MITRE ATT&CK® entity (e.g., “Cobalt Strike”).
- Pattern Matching: Maltiverse automatically detects the keyword and searches the MITRE ATT&CK® framework for a match.
- Automatic Enrichment: Once a match is found, the system adds an external_references section to the IoC, which contains:
  - description: A description of the matched entity (e.g., malware family, group).
  - external_id: The unique identifier for the MITRE ATT&CK® entry.
  - source_name: The source of the information, which is “mitre-attack”.
  - url: A link to the official MITRE ATT&CK® webpage for that entity.
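The following Python script is an added illustration of the three-step process above and is not Maltiverse code; Maltiverse's own matcher and catalogue are not public on this page. It keeps a small constructed lookup table in place of the ATT&CK catalogue (S0154 is the entry shown in this guide; G0016 and T1059 are public ATT&CK IDs included only as sample data), matches blacklist.description against entry names, and writes the same four-field reference structure into blacklist.external_references. Whole-word matching, de-duplication on re-runs, and the hostname field on the sample IoC are this example's assumptions. An IoC with no match is returned unchanged, which is the behaviour the FAQ below describes.

```python
import copy
import json
import re

# Constructed lookup table standing in for the MITRE ATT&CK catalogue that
# Maltiverse consults. S0154 is the entry shown in the Maltiverse docs; the other
# two are public ATT&CK IDs included here as sample data only.
ATTACK_CATALOGUE = [
    {"name": "Cobalt Strike", "external_id": "S0154",
     "url": "https://attack.mitre.org/software/S0154/"},
    {"name": "APT29", "external_id": "G0016",
     "url": "https://attack.mitre.org/groups/G0016/"},
    {"name": "Command and Scripting Interpreter", "external_id": "T1059",
     "url": "https://attack.mitre.org/techniques/T1059/"},
]

SOURCE_NAME = "mitre-attack"

# Shape of ATT&CK identifiers: S (software), G (group), T (technique, with an
# optional sub-technique suffix), M (mitigation), C (campaign), DS (data source).
ATTACK_ID_RE = re.compile(r"^(?:S|G|T|M|C|DS)\d{4}(?:\.\d{3})?$")


def valid_attack_id(external_id):
    """True if the string has the shape of a MITRE ATT&CK identifier."""
    return bool(ATTACK_ID_RE.match(external_id))


def _mentions(description, name):
    # Case-insensitive whole-word match, so "Cobalt" alone or "APT2900" does not
    # trigger enrichment. Whole-word matching is this example's choice, not a
    # documented detail of the Maltiverse matcher.
    pattern = r"(?<!\w)" + re.escape(name) + r"(?!\w)"
    return re.search(pattern, description, re.IGNORECASE) is not None


def enrich_ioc(ioc):
    """Return a copy of the IoC with MITRE ATT&CK references added.

    An IoC whose blacklist.description matches no catalogue entry is returned
    unchanged (no empty external_references list is created), mirroring the
    documented behaviour that no enrichment occurs without a match.
    """
    enriched = copy.deepcopy(ioc)
    blacklist = enriched.get("blacklist", {})
    description = blacklist.get("description", "")
    existing = list(blacklist.get("external_references", []))
    already = {r.get("external_id") for r in existing
               if r.get("source_name") == SOURCE_NAME}

    new_refs = []
    for entry in ATTACK_CATALOGUE:
        if entry["external_id"] in already:
            continue  # re-running enrichment must not duplicate references
        if _mentions(description, entry["name"]):
            new_refs.append({
                "description": entry["name"],
                "external_id": entry["external_id"],
                "source_name": SOURCE_NAME,
                "url": entry["url"],
            })
            already.add(entry["external_id"])

    if new_refs:
        enriched.setdefault("blacklist", {})["external_references"] = existing + new_refs
    return enriched


def mitre_ids(ioc):
    """External IDs of the mitre-attack references on an IoC, in order."""
    return [r["external_id"]
            for r in ioc.get("blacklist", {}).get("external_references", [])
            if r.get("source_name") == SOURCE_NAME]


if __name__ == "__main__":
    # Constructed sample IoC in the shape shown in the Maltiverse docs; the
    # hostname field name is an assumption of this example.
    sample = {"hostname": "c2.example.invalid",
              "blacklist": {"description": "Cobalt Strike"}}
    print(json.dumps(enrich_ioc(sample)["blacklist"], indent=2))
```

The whole-word check matters in practice: free-text descriptions such as "Cobalt mining pool" or "APT2900 campaign" would otherwise be tagged with software or group references they do not describe, and an analyst auditing enrichment results should expect a matcher to make that distinction.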
Fields Affected by Enrichment
- blacklist.description: The field where the initial categorization is detected (e.g., malware names, threat actors).
- blacklist.external_references: This field is enriched with MITRE ATT&CK® references, including descriptions, external IDs, source names, and URLs.
Frequently Asked Questions (FAQ)
Q1: What happens if the IoC description doesn’t match any MITRE ATT&CK® entity?
If the description field does not match any known MITRE ATT&CK® entry, no enrichment will occur for that IoC. You can manually enrich such IoCs or modify the description field to trigger automatic enrichment.
Q2: Is there a limit to the number of IoCs that can be enriched automatically?
There is no specific limit on the number of IoCs that can be enriched. The system processes IoCs in real time as they are uploaded.
Conclusion
The MITRE ATT&CK® Enrichment feature in Maltiverse provides automatic labeling and context enrichment for Indicators of Compromise, helping security professionals gain immediate insight into the threats they face. By leveraging the MITRE ATT&CK® framework, Maltiverse ensures that users can rapidly and accurately understand the behavior of malicious actors and their associated tools.
For more information on configuring and using this feature, visit the Maltiverse MITRE ATT&CK® Enrichment Guide.