IBM Security Cloud Pak for Security

Reverse-engineering adversary attack flow

By Banu Yuceer posted Thu October 27, 2022 12:02 PM


Written by Jason Keirstead and Banu Yuceer

We are pleased to announce that today the next phase of the Attack Flow project has been released to the community by the MITRE Center for Threat Informed Defense (CTID). While you can read the complete announcement by Ingrid Skoog here, we wanted to take this opportunity to provide an update on this important project, what it means for us at IBM Security, and why we are proud to support it.

Attack Flow is a machine-readable representation of a sequence of adversary behaviors (ATT&CK techniques), allowing such sequences to be shared and collaborated upon between vendors and across the community.

This helps defenders move up the pyramid of pain in their detection engineering practice, focusing on detecting chains of behavior rather than on simple IoC-based detections. The project also comes with a suite of open-source tools and libraries for building and visualizing Attack Flows.

In this recent phase of development, CTID has revamped the schema and constructed Attack Flow as a STIX 2.1 extension, including several new STIX Domain Objects. By fully aligning Attack Flow with STIX 2, it becomes easier to consume for defender tools (many of which already support the STIX format) and shareable through existing threat intelligence toolchains that support the standard. In addition to the STIX alignment, many updates were made to the toolchain, along with a robust series of examples showcasing how to build and leverage Attack Flows.

In the future, IBM Security could leverage Attack Flow as part of our threat investigation capabilities and services. Our threat investigation tools automatically investigate attacks and generate the timeline of the incident, showing step by step how the attack took place. This timeline view may be augmented with the Attack Flow to provide standard documentation and visualization of the attacks. One of the strengths we see in the Attack Flow data model is its ability to communicate a specific attack sequence clearly without incorporating private details. Our investigation tools could generate the attack flow with the private information, such as asset and user identifiers, to communicate all the details of the attack to the internal security teams, but could also easily strip the private details for external sharing without losing any context around how the attack was carried out. MITRE CTID is committed to growing and maintaining a corpus of the attack flows shared by the community for the benefit of all defenders. IBM X-Force red teaming services may also make use of Attack Flow to construct realistic attack emulation scenarios and to communicate them to our clients.
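The "strip private details but keep the sequence" step described above, as an added illustration that is not IBM's or MITRE's code. The object types and property names (attack-action, attack-asset, technique_id, effect_refs, asset_refs) are assumed from the Attack Flow STIX 2.1 extension rather than taken from this post, the IDs are placeholders, and the hostnames, user names and addresses in the sample are constructed.

```python
from copy import deepcopy

# Constructed sample shaped like an Attack Flow STIX 2.1 bundle. Object types and
# properties are assumed from the Attack Flow extension (not from the post); IDs
# are placeholders and every identifier inside the descriptions is made up.
INTERNAL_FLOW = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "attack-action", "id": "attack-action--00000000-0000-4000-8000-000000000001",
     "name": "Phishing", "technique_id": "T1566",
     "description": "Mail to jdoe@corp.example opened on WS-4412",
     "effect_refs": ["attack-action--00000000-0000-4000-8000-000000000002"],
     "asset_refs": ["attack-asset--00000000-0000-4000-8000-000000000011"]},
    {"type": "attack-action", "id": "attack-action--00000000-0000-4000-8000-000000000002",
     "name": "Valid Accounts", "technique_id": "T1078",
     "description": "Logon as CORP\\jdoe from 10.20.30.40", "effect_refs": [],
     "asset_refs": ["attack-asset--00000000-0000-4000-8000-000000000012"]},
    {"type": "attack-asset", "id": "attack-asset--00000000-0000-4000-8000-000000000011",
     "name": "WS-4412", "description": "Workstation of jdoe"},
    {"type": "attack-asset", "id": "attack-asset--00000000-0000-4000-8000-000000000012",
     "name": "DC01", "description": "Domain controller"}]}

PRIVATE_PROPS = ("description",)  # free text that tends to carry asset/user identifiers

def sanitize_flow(bundle: dict) -> dict:
    """Copy of the flow for external sharing: keeps every action, its ATT&CK
    technique_id and its effect_refs (the sequence); drops attack-asset objects
    and free text; replaces asset_refs with a count (x_ is STIX's custom prefix)."""
    out, kept = deepcopy(bundle), []
    for obj in out["objects"]:
        if obj["type"] == "attack-asset":
            continue  # hostnames, owners and similar live here; drop entirely
        for prop in PRIVATE_PROPS:
            obj.pop(prop, None)
        if "asset_refs" in obj:
            obj["x_asset_count"] = len(obj.pop("asset_refs"))
        kept.append(obj)
    out["objects"] = kept
    return out

def action_sequence(bundle: dict) -> list:
    """technique_ids in effect_refs order, starting at the action nothing
    points to (assumes one linear chain, as in the sample)."""
    actions = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-action"}
    pointed_to = {r for a in actions.values() for r in a["effect_refs"]}
    cur, seq = next(i for i in actions if i not in pointed_to), []
    while cur:
        seq.append(actions[cur]["technique_id"])
        cur = actions[cur]["effect_refs"][0] if actions[cur]["effect_refs"] else None
    return seq
```

Comparing `action_sequence` on the internal and sanitized bundles is the check that the shareable copy still tells the same story.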

IBM Security looks forward to collaborating further with MITRE CTID on the future evolution of Attack Flow, as well as with other open organizations such as the Open Cybersecurity Alliance, the Open Cybersecurity Schema Framework project, and the Open Source Security Foundation, all of which help turn the advantage from the adversaries back to the defenders.
