Set up the MITRE-ATT&CK framework

  • Release version: Xanadu
  • Updated August 1, 2024
Activate the MITRE-ATT&CK profile and set up a scheduled job so that you can maintain the MITRE-ATT&CK collections used for threat detection in your organization.

    Before you begin

    Role required: sn_ti.admin

    About this task

    Structured Threat Information Expression (STIX™) is a language for describing cyberthreat information in a standardized and structured manner. Using STIX data and Trusted Automated Exchange of Indicator Information (TAXII™) profiles, security teams can use shared cyberthreat information to isolate threats that were previously identified by your company or by other sources.

    Procedure

    1. Navigate to All > Threat Intelligence > Sources > TAXII Profiles.
      You see the available TAXII profiles.
    2. Click the MITRE ATT&CK profile that is provided with the base system.

      Threat Intelligence: MITRE ATT&CK profile.
    3. To activate the TAXII collection, set the Active option to true for the TAXII collection that is relevant to your organization (Enterprise ATT&CK, Mobile ATT&CK, or ICS ATT&CK).
      The available TAXII collections are:
      Enterprise ATT&CK: Describes the behaviors and actions that an adversary takes to compromise and operate in an enterprise network and cloud.
        Note: The Pre ATT&CK matrix has been deprecated by MITRE and is merged with the Enterprise matrix.
      Mobile ATT&CK: Describes the adversary behaviors and actions that focus on mobile devices.
      ICS ATT&CK: Describes the actions that an adversary takes while operating within an Industrial Control Systems (ICS) network.
    4. To periodically refresh the collection, set the Run option as appropriate for your organization.
      By default this option is set to On Demand.
      Note:
      1. Collections are packaged as part of the Threat Intelligence Core plugin. Installing or updating Threat Intelligence Support Common (version 12.0 or higher) and Threat Intelligence (version 12.0 or higher) ensures that your collection data is auto-populated.
      2. Activate the TAXII collection only for the collection that you intend to use in your organization and disable the other collections. For example, if you intend to use the Enterprise ATT&CK matrix, activate Enterprise ATT&CK at the TAXII collection level and at the Matrices level, and disable the Mobile ATT&CK and ICS ATT&CK matrices at both the TAXII collection level and the Matrices level.
      3. In the TAXII Collections related list, if you set the Run option to Daily, an error occurs and the option defaults to On Demand. This error occurs because scheduling the MITRE-ATT&CK data refresh daily is restricted to limit the load on the MITRE servers. Also, MITRE updates the ATT&CK data only twice a year.
      4. The TAXII collections are not refreshed unless you activate the TAXII collection.
      5. Updates to existing collections can be retrieved from the MITRE server by scheduling the Run frequency in each collection.
      6. The customizations that you make to the MITRE-ATT&CK repository data (Malware, Group, Mitigation, and Tool objects that you map to a technique) are preserved during scheduled updates.
      7. MITRE updates the MITRE-ATT&CK knowledge base where some objects are identified as revoked or deprecated, new objects are added, or existing objects are modified. If MITRE revokes any tactic or technique, then these objects are marked as revoked in the ServiceNow AI Platform. The revoked objects are kept in the repository but are not available for use in the ServiceNow AI Platform.
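      Notes 6 and 7 describe what a scheduled refresh must preserve (your own mappings) and how revoked or deprecated objects are handled (kept in the repository, but flagged as unavailable). The following Python example, added here and not ServiceNow code, models that merge over a constructed STIX 2.1 bundle; the T-numbers, UUID suffixes, the local repository shape and its `custom` field are assumptions, while `revoked` is a STIX common property and `x_mitre_deprecated` is the ATT&CK extension flag MITRE uses for deprecated objects.

```python
import json

# Constructed sample bundle in STIX 2.1 shape; the T-numbers and UUID suffixes are
# placeholders, not real ATT&CK objects. 'revoked' is a STIX common property and
# 'x_mitre_deprecated' is the ATT&CK extension flag for deprecated objects.
def _ap(suffix, name, tid, modified, **flags):
    obj = {"type": "attack-pattern", "id": f"attack-pattern--{suffix}",
           "name": name, "modified": modified,
           "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}
    obj.update(flags)
    return obj

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--placeholder", "objects": [
    _ap("0001", "Technique A", "T9001", "2024-04-01T00:00:00.000Z"),
    _ap("0002", "Technique B", "T9002", "2024-04-01T00:00:00.000Z", revoked=True),
    _ap("0003", "Technique C", "T9003", "2024-04-01T00:00:00.000Z", x_mitre_deprecated=True),
    _ap("0004", "Technique D", "T9004", "2024-04-01T00:00:00.000Z"),
    {"type": "course-of-action", "id": "course-of-action--0005", "name": "skipped here"},
]})

def attack_id(obj):
    """Return the ATT&CK external id (T-number) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def refresh_repository(repo, bundle_json):
    """Apply a refreshed bundle to repo (a dict keyed by T-number). Revoked or
    deprecated techniques are kept but flagged inactive, never deleted, and the
    local 'custom' mappings on each entry are left untouched."""
    summary = {"added": [], "updated": [], "inactive": [], "unchanged": []}
    for obj in json.loads(bundle_json)["objects"]:
        tid = attack_id(obj) if obj.get("type") == "attack-pattern" else None
        if tid is None:
            continue
        entry = repo.setdefault(tid, {"custom": {}})
        is_new, changed = "modified" not in entry, entry.get("modified") != obj["modified"]
        inactive = bool(obj.get("revoked")) or bool(obj.get("x_mitre_deprecated"))
        entry.update(name=obj["name"], stix_id=obj["id"],
                     modified=obj["modified"], active=not inactive)
        bucket = ("inactive" if inactive else "added" if is_new
                  else "updated" if changed else "unchanged")
        summary[bucket].append(tid)
    return summary

def run_example():
    """Local repository before the refresh; T9001 carries a locally added mitigation mapping."""
    repo = {"T9001": {"modified": "2023-10-01T00:00:00.000Z", "active": True,
                      "custom": {"mitigations": ["local-mitigation-1"]}},
            "T9002": {"modified": "2023-10-01T00:00:00.000Z", "active": True, "custom": {}}}
    return repo, refresh_repository(repo, SAMPLE_BUNDLE)
```

After the refresh, T9001 is updated with its custom mapping intact, T9002 and T9003 remain in the repository but are inactive, and T9004 is added.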

    What to do next

    After the TAXII profile setup is complete, the MITRE-ATT&CK repository data is imported at regular intervals to the ServiceNow AI Platform®. You can see this data by navigating to MITRE ATT&CK Repository > Matrices and MITRE ATT&CK Repository > Techniques.