26 January 2026: Expanding the ATT&CK surface
New year, new blog post. I am still looking for work, so reach out if you have something, including contract work, or would like a copy of my resume. It is partly with that resume in mind that I write today's newsletter, but I think it is useful regardless.
Martijn
martijn@lapsedordinary.net
martijngrooten.37
Expanding the ATT&CK surface
Today, I’m discussing something I worked on while at Internews: an extension to MITRE ATT&CK for at-risk groups.
The project this work was developed under suddenly lost its funding in January 2025 and while the extension is more or less ready and has been presented in a few places, I could never properly finish it. Because I still think it is a nice and useful idea that others may want to pick up (I’d be glad to help!), I decided to share it here.
First, some background.
An Indicator of Compromise (or IOC for short) refers to any artifact or piece of evidence linked to a digital threat. Think of a piece of malware used, a domain name used for phishing, or an IP address that the malware connects to.
IOCs are very useful when researching threats. If two organizations received phishing emails that use the same domain, or were infected with the same malware, it is likely that the same actor was behind it. (There are some exceptions when a publicly shared resource is used, for example a phishing site hosted on sites.google.com, but it’s usually clear when that is the case.)
But the usefulness of IOCs beyond that is limited. If you tell a small NGO to beware of a certain domain name or an IP address, what are they going to do? Not to mention that it is very easy for threat actors to use many different domains, IP addresses and pieces of malware in the same campaign. Linking these can be a lot of work, and it is beyond the capabilities (and the time available) of most such NGOs.
This is where TTPs come in.
TTP stands for Tactics, Techniques, and Procedures: the ‘things’ a threat actor does in the course of a campaign, from setting up phishing domains to using stolen credentials to exfiltrate data from a hacked computer.
TTPs help you understand how a threat actor works and thus teach you how to defend against them. If actors targeting organizations like yours mostly do so through phishing, it might be a good idea to improve your phishing defenses (such as training or, more helpfully, phishing-resistant multi-factor authentication).
When talking about TTPs, it is impossible not to mention ATT&CK, a framework developed by MITRE, a not-for-profit organization closely aligned with the US government. ATT&CK is essentially a huge spreadsheet with all the TTPs used by threat actors targeting enterprises, from searching a website of the targeted organization for information that can be used in a targeted attack to wiping a disk on an infected website. Each TTP has been given a unique ID and there are often several sub-techniques too.
ATT&CK plays a crucial role in threat intelligence as a language to describe threat actors and their campaigns. Reports on threats, such as this recent one, often list TTPs at the bottom referring to the ATT&CK ID and name.
I have worked on digital threat-related projects for at-risk groups and they often mentioned ATT&CK in the project description. That makes sense, it is a really good framework. But for these groups, there are two problems with it.
The first is that ATT&CK is designed for enterprises which means it doesn’t include certain unique challenges that at-risk groups face, such as device seizure by law enforcement or intelligence officers, arrest of a staff member, or removal of a crucial social media account.
The second problem is that most incident response performed for at-risk groups is partial: lack of time, funding or, often, interest means most investigations stop at some point. The researcher never finds out who the actor is, let alone what their TTPs are. Quite often they never get to actually see the possibly infected device or the email that might be phishing.
But they do see some indicators linked to the (possible) incident. Maybe some ‘weird behaviour’ of a device (it suddenly gets hot, apps stop working, etc) that may or may not be linked to a digital threat. Maybe a certain alert on the device. Maybe something that could indicate an incident has happened in the past, such as private data appearing online.
Being able to share these in a structured way can help make other researchers aware of them. If the same ‘weird things’ happen at different (but possibly related) organizations they are less likely to be random occurrences. To give a concrete example: I once supported an incident where many ‘weird things’ happened but where there was no possibility to analyze the device. Later, after reading Citizen Lab’s report on Quadream, I realized it was likely an example of this particular spyware.
With these two problems in mind, I worked with others to build an extension to ATT&CK. It consists of four layers.
First, there are the IOCs. Despite their limited use, when doing so is possible, they should always be shared. They are the most concrete indicators linked to a threat.
Second, there is the original ATT&CK framework with some TTPs added that are specific to at-risk groups.
Third, there are indicators of the incident, such as “battery runs out quickly” or “security product alert”. Sometimes these are all you have. At other times, these can be included to help people understand how this particular threat manifests itself.
And fourth, there is metadata linked to the individual or organization targeted. Especially when it comes to high-risk groups, threats often target one particular country or region, or even professionals of one particular gender (such as female and non-binary journalists). This can be helpful information to share too.
The idea behind this extended framework is twofold. First, to make the very useful ATT&CK framework usable in this particular context, so that it can be referred to in public and private reports and shared in private channels.
And secondly, to help organizations who perform incident response work for at-risk groups report their work to the funder in a structured way. Unfortunately, this kind of reporting is often a requirement of funders, and this may make the tedious task a bit easier and the output a bit more helpful for funders and the wider community too.
The framework currently lives in a large Google Doc that has many more details and also includes a long introduction into IOCs and TTPs. I would love to hear from anyone who is interested in implementing this framework in a formal or informal way. I will be glad to help! It should also be relatively easy to add the framework to threat intelligence sharing systems like MISP or STIX.
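To make the four layers concrete, here is an added example in Python (my own illustration, not code from the newsletter or from the Internews project) of a minimal data model for such an extended report, a validity check against a small controlled vocabulary, and a correlation function that shows what two partial investigations at different organizations have in common. The ATT&CK IDs used are real ones (T1566.002 Spearphishing Link, T1078 Valid Accounts, T1041 Exfiltration Over C2 Channel); the IDs for the at-risk-specific techniques and incident indicators, and all domains, addresses and report identifiers, are constructed placeholders, since the page does not assign any.

```python
"""Added example (not part of the newsletter or the Internews project):
a minimal data model for the four-layer ATT&CK extension, plus a
correlation check that finds what two partial incident reports share.
ATT&CK IDs are real; the extended technique IDs, indicator IDs and all
sample values are constructed placeholders."""
from dataclasses import dataclass, field, asdict
import json

# Layer 2: the original ATT&CK techniques this example uses (real IDs).
ATTACK_TECHNIQUES = {
    "T1566.002": "Phishing: Spearphishing Link",
    "T1078": "Valid Accounts",
    "T1041": "Exfiltration Over C2 Channel",
}
# Constructed placeholder IDs for the at-risk-specific additions; a real
# deployment of the extension would assign its own identifiers.
EXTENDED_TECHNIQUES = {
    "X-DEVICE-SEIZURE": "Device seized by law enforcement or intelligence officers",
    "X-ACCOUNT-REMOVAL": "Removal of a crucial social media account",
}
# Layer 3: a small controlled vocabulary of incident indicators (constructed).
INCIDENT_INDICATORS = {
    "IND-BATTERY": "Battery runs out quickly",
    "IND-HOT": "Device suddenly gets hot",
    "IND-SEC-ALERT": "Security product alert",
    "IND-DATA-LEAK": "Private data appeared online",
}


@dataclass
class IncidentReport:
    report_id: str
    iocs: dict = field(default_factory=dict)        # layer 1: type -> list of values
    ttps: list = field(default_factory=list)        # layer 2: ATT&CK or extended IDs
    indicators: list = field(default_factory=list)  # layer 3: INCIDENT_INDICATORS keys
    target: dict = field(default_factory=dict)      # layer 4: country, sector, ...


def validate(report):
    """Return a list of problems; an empty list means the report is well-formed."""
    known = {**ATTACK_TECHNIQUES, **EXTENDED_TECHNIQUES}
    problems = [f"unknown TTP {t}" for t in report.ttps if t not in known]
    problems += [f"unknown indicator {i}" for i in report.indicators
                 if i not in INCIDENT_INDICATORS]
    return problems


def overlap(a, b):
    """What two partial reports have in common, per layer. Shared IOCs are the
    strongest link; shared indicators plus a similar target profile are a
    weaker hint that the incidents may be related and worth a closer look."""
    shared_iocs = {}
    for kind in set(a.iocs) | set(b.iocs):
        common = sorted(set(a.iocs.get(kind, [])) & set(b.iocs.get(kind, [])))
        if common:
            shared_iocs[kind] = common
    return {
        "iocs": shared_iocs,
        "ttps": sorted(set(a.ttps) & set(b.ttps)),
        "indicators": sorted(set(a.indicators) & set(b.indicators)),
        "target": {k: v for k, v in a.target.items() if b.target.get(k) == v},
    }


def to_json(report):
    """Serialise a report; keeping the four layers as named fields makes it
    straightforward to map onto MISP attributes/tags or STIX objects later."""
    return json.dumps(asdict(report), indent=2, sort_keys=True)


# Constructed sample reports: two partial investigations at different NGOs.
REPORT_A = IncidentReport(
    "ngo-1-2025-03",
    iocs={"domain": ["login-secure.example", "docs-share.example"]},
    ttps=["T1566.002", "T1078"],
    indicators=["IND-HOT", "IND-BATTERY"],
    target={"country": "XX", "sector": "journalism"},
)
REPORT_B = IncidentReport(
    "ngo-2-2025-04",
    iocs={"domain": ["login-secure.example"], "ip": ["192.0.2.10"]},
    ttps=["T1566.002", "X-DEVICE-SEIZURE"],
    indicators=["IND-BATTERY", "IND-SEC-ALERT"],
    target={"country": "XX", "sector": "human rights"},
)

if __name__ == "__main__":
    for r in (REPORT_A, REPORT_B):
        print(r.report_id, "problems:", validate(r) or "none")
    print(json.dumps(overlap(REPORT_A, REPORT_B), indent=2))
```

Run as a script, it prints the shared domain, the shared spearphishing technique, the shared battery indicator and the shared country for the two constructed reports. The point of `overlap` is the one made in the text: a single ‘weird thing’ is noise, but the same indicators and target profile turning up at several organizations, especially alongside a shared IOC, is a reason to look harder, even when neither investigation reached the actor.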
What else?
Citizen Lab has a detailed report of the use of Cellebrite in Jordan. The authorities in the country used the tools from the Israeli company to get access to seized phones of activists and civil society members. This is similar to a case in Serbia late in 2024, where subsequently spyware was installed on the phones. There is no suggestion that this happened in Jordan too (but Jordanian authorities have used spyware in the past) but it would still have gotten the operators full access to the unlocked devices.
While the Internet shutdowns in Iran (used to cover up protesters being massacred) made a lot of news, the Internet was also turned off in Uganda, while the country held elections. Unwanted Witness has some details.
Digital Security Lab Ukraine analyzed targeted phishing attacks in Ukraine that led to the installation of remote access trojans (RATs), something that has been a common occurrence in the country for a few years now.
Security company JAMF analyzed anti-analysis techniques used by the Predator spyware, which has often been used to target civil society.
I posted a thread on BlueSky on what happened in January 2025 when the US government suddenly and immediately cut funding for many NGOs.
Non-security things
As mentioned before, for my musical writing I now have my own blog where I write about songs I like most days. Of recent discoveries I am particularly excited about Worldpeace DMT & Rowan Please and Rocket Rules, while I am very happy to have rediscovered Cub.
As for books, many books I read in recent years are very relevant these days. Let me pick out two. Cuba: an American History by Ada Ferrer is a detailed history of the island, later country of Cuba and its complex relationship with the United States, which continues to define it.
Philippe Sands’s The Last Colony details the history of the Chagos Islands that the UK recently ‘gave back’ to Mauritius (something that apparently upset Trump) and explains the quotation marks in this sentence.