IBM Cloud Pak for Security

This helps defenders to move up the pyramid of pain in their detection engineering practice, focusing on detecting chains of behavior rather than simple IoC-based detections. The project also comes with a suite of open-source tools and libraries for building and visualizing Attack Flows.

In this recent phase of development, the centre has revamped the schema and constructed Attack Flow as a STIX 2.1 extension, including several new STIX Domain Objects. By fully aligning Attack Flow to STIX 2, Attack Flow becomes easier to consume for defender tools (many of whom already support the STIX format) as well as becomes shareable using existing threat intelligence toolchains that support the standard. In addition to alignment to STIX, many updates to the toolchain were made, as well as a robust series of examples showcasing how to build and leverage Attack Flows.

In the future, IBM Security could leverage Attack Flow as part of our threat investigation capabilities and services. Our threat investigation tools automatically investigate attacks and generate the timeline of the incident, showing step by step how the attack took place. This timeline view may be augmented with the Attack Flow to provide standard documentation and visualization of the attacks. One of the strengths we see in the Attack Flow data model is its ability to communicate a specific attack sequence clearly without incorporating private details. Our investigation tools could generate the attack flow with the private information, such as asset and user identifiers, to communicate all the details of the attack to the internal security teams, but could also easily strip private details for sharing externally, without losing any context around how the attack was carried out. MITRE CTID is committed to growing and maintaining a corpus of the attack flows shared by the community for the benefit of all defenders. IBM X-Force red teaming services may also make use of MITRE attack flow to construct realistic attack emulation scenarios and to communicate them with our clients.

IBM Security looks forward to collaborating further with MITRE CTID on future evolution on Attack Flow, as well as other open organizations like the Open Cybersecurity Alliance, the Open Cybersecurity Schema Format project, and the Open Source Security Foundation - all of which help turn the advantage from the adversaries back to the defenders.