The MITRE Corporation has released the ninth version of its ATT&CK knowledge base of adversary TTPs. The release adds a newly created ATT&CK matrix for containers, 16 new Groups and 67 new pieces of Software, and updates 36 Groups and 51 Software entries.
MITRE has also revamped data sources, consolidated the IaaS platforms, added a Google Workspace matrix, updated macOS-based attack techniques and added macOS-specific malware, in addition to the new ATT&CK for Containers matrix.
ATT&CK for Containers covers both orchestration-level and container-level adversary behaviors. It also includes a set of malware related to containers.
ATT&CK for Containers builds on earlier efforts, including the threat matrix for Kubernetes developed by the Azure Security Center team for Azure Defender for Kubernetes. The Center for Threat-Informed Defense expanded on that initial framework by documenting real-world attacks, with Microsoft and other partners providing guidance and feedback throughout the process.
The ATT&CK for Containers matrix helps in understanding the risks associated with containers, including the misconfigurations that are often the initial vector for attacks, as well as how attack techniques are actually implemented in the wild. Cryptomining is one activity that this work has documented.
Evidence from a number of parties led us to conclude that adversaries utilizing containers for more ‘traditional’ purposes, such as exfiltration and collection of sensitive data, is publicly underreported. Ultimately, this led the ATT&CK team to make the decision to include container-related techniques in ATT&CK.
The next update of the ATT&CK knowledge base is scheduled for October 2021 and will include updates to the ICS and Mobile matrices, as well as better coverage of macOS and Linux techniques.