MICS Capstone Project Fall 2019

Elemental

Elemental is a web application that enhances the use of the Mitre ATT&CK Framework, a knowledge base for describing cyber-adversary behavior, by complementing it with two open source projects, Sigma and Red Canary's Atomic Red Team. Elemental provides enterprise security teams with a threat library of ATT&CK's adversarial behavior information and adds tactical details of how to simulate and detect the behaviors.

The Mitre ATT&CK framework is a matrix that helps defenders understand adversarial behavior in two basic ways:

  • Tactics: the adversary's objectives
  • Techniques: how the adversary achieves the objective.

For example, an adversary attempts to gain "Initial Access" into your environment by way of a "Spearphishing Attachment," which are the Tactic and Technique, respectively.

ATT&CK generally provides the following high level information about a technique:

  • Description of the technique
  • Relevant operating systems, software, and data sources
  • Threat groups known to have used the technique

One challenge for Security Operations teams trying to use ATT&CK is turning this information into a detection or an alert in their security tools, such as a SIEM (Security Information and Event Management platform). The ATT&CK Enterprise Matrix gives limited detail on how to detect a malicious Technique, and little on how to validate that a detection rule actually works.

Sigma helps defenders create meaningful detections within their environment by providing a SIEM-independent detection rule format. Self-described as being to log files what Snort is to network traffic and YARA is to files, Sigma rules give defenders a universal taxonomy for writing detections against log data originating from operating systems and applications. Sigma also provides a converter for some of the most common SIEM platforms found in enterprise environments, so defenders can share detection rules without translating them into each platform's own query syntax.
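To make the rule format concrete, the following is an added example, not code from Elemental or from the Sigma project: a constructed rule written in Sigma's layout (title, tags, logsource, detection with named searches and a condition) and a minimal evaluator that runs it over three constructed Sysmon-style process-creation events. The ATT&CK tag uses the 2019-era technique ID for Spearphishing Attachment (T1193), the field names follow Sysmon's process-creation event, and the allow-listed path in the `filter` search is invented. Real Sigma rules are YAML; the rule is a Python dict here so the example runs without a YAML parser, and only the `contains`, `startswith`, `endswith`, `re` and plain-equality modifiers are implemented.

```python
"""Minimal evaluator for the 'detection' section of a Sigma-style rule.
Added illustration; not Elemental's code and not the Sigma project's
converter.  Rule, field names and events are constructed for the example."""
import re

# Constructed rule in Sigma's layout.  "attack.t1193" is the 2019-era ATT&CK ID
# for Spearphishing Attachment; the Contoso allow-list path is invented.
OFFICE_SPAWN_RULE = {
    "title": "Office application spawning a shell (constructed example)",
    "tags": ["attack.initial_access", "attack.t1193"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {  # entries inside one search are AND-ed; list values are OR-ed
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"],
        },
        "filter": {"CommandLine|contains": "\\Program Files\\Contoso\\"},
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon-style events: a macro launching encoded PowerShell, a
# benign Explorer-launched shell, and an allow-listed helper script from Excel.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c \"C:\\Program Files\\Contoso\\refresh-links.bat\""},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry.  Sigma string matching is
    case-insensitive except for the 're' modifier; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for value in expected if isinstance(expected, list) else [expected]:
        a, v = str(actual).lower(), str(value).lower()
        if ((modifier == "" and a == v)
                or (modifier == "contains" and v in a)
                or (modifier == "startswith" and a.startswith(v))
                or (modifier == "endswith" and a.endswith(v))
                or (modifier == "re" and re.search(str(value), str(actual)))):
            return True
    return False


def _eval_condition(condition, results):
    """Evaluate a Sigma condition such as 'selection and not filter'.  Every
    token is whitelisted (known search names, and/or/not, parentheses) and
    search names are replaced by their boolean result before the expression,
    which by then contains only True/False/and/or/not/(), is evaluated."""
    tokens = re.findall(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*|\S", condition)
    pieces = []
    for tok in tokens:
        if tok in ("and", "or", "not", "(", ")"):
            pieces.append(tok)
        elif tok in results:
            pieces.append(str(results[tok]))
        else:  # '1 of them', '|count', wildcards, stray characters: not supported
            raise ValueError(f"unsupported token in condition: {tok!r}")
    return bool(eval(" ".join(pieces), {"__builtins__": {}}, {}))


def rule_matches(rule, event):
    """True when the event satisfies the rule's condition over its searches."""
    det = rule["detection"]
    results = {name: all(_field_matches(event, k, v) for k, v in search.items())
               for name, search in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


def run_rule(rule, events):
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


def attack_techniques(rule):
    """ATT&CK technique IDs from Sigma-style tags ('attack.t1193' -> 'T1193'),
    which is the key needed to attach a rule to an ATT&CK technique."""
    return sorted(t[len("attack."):].upper() for t in rule.get("tags", [])
                  if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t))
```

Running `run_rule(OFFICE_SPAWN_RULE, SAMPLE_EVENTS)` alerts only on the first event: the Explorer-launched `cmd.exe` never satisfies `selection`, and the Excel-launched helper matches `selection` but is excluded by `filter`. The evaluator deliberately rejects anything outside its whitelist rather than guessing, so a rule using `1 of them`, aggregation or wildcards fails loudly instead of silently matching nothing.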

Atomic Red Team helps defenders test their security posture by providing a repository of simple "Atomic Tests" that can be run on systems to simulate adversarial techniques. Because the Atomic Tests are also mapped to the Mitre ATT&CK Framework, Elemental can provide a unified interface for defenders to view the details of an ATT&CK Technique, how an adversary can actually carry it out (via Atomic Red Team), and how to detect the resulting activity (via Sigma rules).

Elemental comes preloaded with the latest ATT&CK Techniques, the current Atomic Tests, and over 280 Sigma rules from the Sigma project's GitHub repository. Defenders can also create custom Techniques and upload their own Sigma rules. Please visit the Elemental GitHub page for more details.

Last updated:

December 12, 2019