The ATT&CK Navigator is a staple in many analysts’ toolboxes.

But here’s the thing: it doesn’t actually care whether you’re using ATT&CK.

With a bit of STIX wrangling, you can make the Navigator happily render non-ATT&CK frameworks, including MITRE D3FEND, MITRE ATLAS, or DISARM.

Yes, really.


In this Post

In this post, we’ll use MITRE D3FEND as our running example. In my previous post, I covered how to represent D3FEND in STIX, which is exactly the format the ATT&CK Navigator consumes. Now we’ll take the next step and see what it actually takes to make that data render correctly as a matrix.

Specifically, we’ll walk through:

  • Which STIX properties the Navigator actually uses when building a matrix
  • How D3FEND tactics, techniques, and sub-techniques need to be modelled to render as expected
  • The practical limitations you’ll run into (notably sub-sub-techniques)
  • What the final D3FEND Navigator layer looks like once everything is wired together

The Technicalities

This is where we drop below the conceptual layer and into the mechanics.

The ATT&CK Navigator doesn’t interpret STIX generically, it looks for a very specific set of object types and properties when deciding how (and whether) to render a matrix. If those expectations aren’t met, things either fail silently or render in ways that are confusing to debug.

In this section, we’ll walk through the exact STIX objects and fields the Navigator relies on, starting at the matrix level and working our way down.

Matrix

There must be a tactic_refs property listing the STIX IDs of all Tactic objects.

"tactic_refs": [
	"x-mitre-tactic--0ccbac0d-777f-534b-b376-30041ad22a00",
	"x-mitre-tactic--099ae1c4-95fe-5822-8942-613dad0dfd97",
	"x-mitre-tactic--bb808cca-f70d-5a1e-84e4-2ecba69fff38",
	"x-mitre-tactic--80c6d422-cc53-50b9-bb96-c7e64face646",
	"x-mitre-tactic--e65569cd-cb01-56db-af31-037455c1b8a5",
	"x-mitre-tactic--fb91e4b6-71f5-5ff1-8857-e792271670af",
	"x-mitre-tactic--ec1c58a8-367a-5f4c-8138-30e77687f26c"
],

The order of this list must match the order you want to show the Tactics in the Matrix. The first entry will be rendered furthest left, and the others will follow left to right in the order defined.

Tactics

Should have an external_references property with a nested object defining the D3FEND Tactic.

"external_references": [
	{
		"source_name": "mitre-d3fend",
		"url": "https://d3fend.mitre.org/tactic/d3f:Restore",
		"external_id": "d3f:Restore"
	}
],

And an x_mitre_shortname property with a machine-friendly slug, which Technique objects reference in their kill_chain_phases.

"x_mitre_shortname": "restore",

Techniques and Sub-Techniques

Should have an external_references property with a nested object defining the D3FEND Technique.

"external_references": [
	{
		"source_name": "mitre-d3fend",
		"url": "https://d3fend.mitre.org/technique/d3f:Proxy-basedWebServerAccessMediation",
		"external_id": "D3-PBWSAM"
	}
],

An x_mitre_is_subtechnique value (boolean) defining whether this is a Technique or a Sub-Technique.

Note that, as discussed in the last post, D3FEND also has the concept of Sub-Sub-Techniques. Because of how the Navigator is structured, it is not possible to include these in a Navigator matrix.

"x_mitre_is_subtechnique": true

And a kill_chain_phases nested object whose phase_name matches the x_mitre_shortname of the Tactic this Technique is nested under.

"kill_chain_phases": [
	{
		"kill_chain_name": "d3fend",
		"phase_name": "isolate"
	}
],

Relationships

Should link Sub-Techniques (source_ref) to Techniques (target_ref), and Sub-Techniques to Sub-Techniques, with relationship_type equal to subtechnique-of.

"relationship_type": "subtechnique-of"
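As an added, runnable example (not code from this post or from dogesec), here is a small Python script that builds a minimal bundle following the rules from the Matrix through Relationships sections above, plus a checker that flags the mismatches that otherwise make the Navigator fail silently. Object type names follow ATT&CK's STIX conventions (x-mitre-matrix, x-mitre-tactic, attack-pattern); the technique IDs D3-PARENT and D3-CHILD and all STIX IDs are constructed placeholders, not real D3FEND entries.

```python
import uuid
def sid(stix_type):  # constructed STIX identifier: <type>--<uuid>
    return f"{stix_type}--{uuid.uuid4()}"

def d3fend_ref(external_id, kind):
    return {"source_name": "mitre-d3fend", "external_id": external_id, "url": f"https://d3fend.mitre.org/{kind}/{external_id}"}

def build_bundle(child_phase="isolate"):
    """Matrix, tactic, technique and sub-technique wired as the post describes; D3-PARENT/D3-CHILD are placeholders."""
    tactic = {"type": "x-mitre-tactic", "id": sid("x-mitre-tactic"), "name": "Isolate",
              "x_mitre_shortname": "isolate", "external_references": [d3fend_ref("d3f:Isolate", "tactic")]}
    matrix = {"type": "x-mitre-matrix", "id": sid("x-mitre-matrix"), "name": "D3FEND",
              "tactic_refs": [tactic["id"]]}  # list order == left-to-right column order
    parent = {"type": "attack-pattern", "id": sid("attack-pattern"), "name": "Parent (placeholder)",
              "x_mitre_is_subtechnique": False, "external_references": [d3fend_ref("D3-PARENT", "technique")],
              "kill_chain_phases": [{"kill_chain_name": "d3fend", "phase_name": "isolate"}]}
    child = {"type": "attack-pattern", "id": sid("attack-pattern"), "name": "Child (placeholder)",
             "x_mitre_is_subtechnique": True, "external_references": [d3fend_ref("D3-CHILD", "technique")],
             "kill_chain_phases": [{"kill_chain_name": "d3fend", "phase_name": child_phase}]}
    rel = {"type": "relationship", "id": sid("relationship"), "relationship_type": "subtechnique-of",
           "source_ref": child["id"], "target_ref": parent["id"]}
    return {"type": "bundle", "id": sid("bundle"), "objects": [matrix, tactic, parent, child, rel]}

def navigator_problems(bundle):
    """Return the ways this bundle breaks the field expectations listed above ([] means renderable)."""
    objs = {o["id"]: o for o in bundle["objects"]}
    of_type = lambda t: [o for o in objs.values() if o["type"] == t]
    problems, shortnames = [], set()
    matrices = of_type("x-mitre-matrix")
    if len(matrices) != 1 or not matrices[0].get("tactic_refs"):
        return ["matrix missing or has empty tactic_refs"]
    for ref in matrices[0]["tactic_refs"]:  # every ref must resolve to a tactic with a shortname
        tactic = objs.get(ref, {})
        if tactic.get("type") != "x-mitre-tactic" or "x_mitre_shortname" not in tactic:
            problems.append(f"{ref}: not a tactic with x_mitre_shortname")
        else:
            shortnames.add(tactic["x_mitre_shortname"])
    for ap in of_type("attack-pattern"):
        if not isinstance(ap.get("x_mitre_is_subtechnique"), bool):
            problems.append(f"{ap['id']}: x_mitre_is_subtechnique must be a boolean")
        for phase in ap.get("kill_chain_phases") or [{}]:  # phase_name must equal a tactic shortname
            if phase.get("phase_name") not in shortnames:
                problems.append(f"{ap['id']}: phase_name {phase.get('phase_name')!r} matches no tactic")
        if ap.get("x_mitre_is_subtechnique") is True:  # sub-techniques need a subtechnique-of parent
            parents = [r["target_ref"] for r in of_type("relationship")
                       if r.get("relationship_type") == "subtechnique-of" and r.get("source_ref") == ap["id"]]
            if len(parents) != 1 or objs.get(parents[0], {}).get("type") != "attack-pattern":
                problems.append(f"{ap['id']}: needs exactly one subtechnique-of relationship to a technique")
    return problems
```

Running navigator_problems over a bundle before loading it into the Navigator turns a silent blank matrix into a list of concrete field mismatches.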

The Result

Once all of those pieces (the matrix, tactics, techniques, and relationships) are in place, the Navigator finally has enough information to do its job.

At this point, we're no longer thinking in terms of STIX objects and properties. We're switching back to the Navigator's perspective: given a valid STIX bundle, can it render as a layer?

Here’s how you can verify that the Navigator can consume what you’ve built.

ATT&CK Navigator Setup

  1. Go to the ATT&CK Navigator
  2. Select Create New Layer > More Options
  3. Add the bundle with all the objects you’ve created
  4. Create a layer from the bundle

ATT&CK Navigator with D3FEND

OK, it’s not perfect, but for those already using the Navigator with ATT&CK, this makes it much quicker to start understanding D3FEND.

You can download Navigator-ready D3FEND, ATLAS, and DISARM bundles from CTI Butler.



Posted by:

David Greenwood
