How to stay up-to-date with MITRE ATT&CK: Exploring ATT&CK Sync

Lennart Erikson
3 min read · Aug 21, 2023

Sooner or later you will have used the MITRE ATT&CK framework and one or more versions of its matrices in multiple projects, e.g. when using the ATT&CK Navigator to map the TTPs of threat actors against existing defenses and cloud-native security controls, or when analyzing cyberattacks and related campaigns using Attack Flow. You will then face the task of updating those projects to new releases of the matrix (or matrices) you used. Since the ATT&CK knowledge base is updated twice a year, this task comes around sooner rather than later, and each time you have to read the release notes to identify potential impacts on your projects.

As this task results in significant time spent reading release notes and manually identifying changes between versions of the ATT&CK matrix in question, I was curious whether the Center for Threat-Informed Defense had already published guidelines or tools to support us. Luckily, they have published ATT&CK Sync, which serves exactly this purpose: helping us identify changes between two versions of a given MITRE ATT&CK matrix 😊

Homepage of ATT&CK Sync

How to use ATT&CK Sync

First, we select the “old version”, i.e. the version currently used in our project, which is going to be compared with the “new version”. By default this is the most recent release, but there are use cases in which you want to compare against an older version instead. Finally, we select the domain (Enterprise, Mobile or ICS) and click “See changes”:

Comparison overview: Enterprise ATT&CK v13.0 vs v13.1

As we can see, the only changes between these versions are 10 modified techniques and 2 modifications in the “Software” section. Let’s click on “View details” to see which techniques have changed and, most importantly, what these changes are:

Example: The changes in T1027.011

That’s pretty cool! You can read even more details by clicking the “Details” button in the bottom left of the entry. Additionally, there is a toggle to switch between a side-by-side and an inline comparison of the changes made to a technique:

Example: See the toggle on the upper right-hand side “View changes inline”

The toolbar on top of the comparison overview lets you quickly switch between the “Techniques”, “Software”, “Groups”, “Campaigns”, “Mitigations”, “Data Sources” and “Data Components” of the matrices.

Toolbar of the comparison screen

There is also an option to download the changelog in JSON format, so that changes between versions can be identified programmatically instead of by reading through the UI. If you wonder how this could be done and whether it is worth it, have a look at the case study in which the comparison feature was tested on the NIST 800-53 mappings: it reduced the number of mappings that had to be reviewed from 9,000 to 3,500, resulting in a 75% reduction of effort overall.
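To show what “programmatically identifying impacts” can look like, here is an added example of my own (not code from ATT&CK Sync or the Center for Threat-Informed Defense). It cross-references a downloaded changelog against an ATT&CK Navigator layer and produces a review queue ordered by how disruptive each change is. The changelog structure it assumes (objects grouped by type, then by change category such as `revocations` or `major_version_changes`, each carrying its ATT&CK ID in a `mitre-attack` external reference) is modelled on the changelog produced by mitreattack-python’s `diff_stix` and is an assumption to check against the file you actually download. The sample changelog and layer are constructed: the technique IDs are real ATT&CK IDs, but their placement in categories is illustrative and not the actual v13.0 to v13.1 diff.

```python
"""Cross-reference an ATT&CK Sync JSON changelog against an ATT&CK Navigator layer.

Added example. Assumed changelog shape (not confirmed from the ATT&CK Sync
docs): {"techniques": {"<category>": [<STIX-like objects>], ...}, ...}.
"""
import json
from typing import Dict, List, Optional, Tuple

# Change categories, most disruptive first. The names are an assumption
# modelled on mitreattack-python's diff_stix changelog; adjust to your export.
IMPACT_ORDER = [
    "deletions", "revocations", "deprecations", "major_version_changes",
    "minor_version_changes", "other_version_changes", "patches", "additions",
]


def _obj(name: str, external_id: str) -> dict:
    """Build a minimal STIX-like changelog object carrying its ATT&CK ID."""
    return {"name": name, "external_references": [
        {"source_name": "mitre-attack", "external_id": external_id}]}


# Constructed changelog: real ATT&CK IDs, illustrative category placement.
SAMPLE_CHANGELOG = {
    "techniques": {
        "additions": [_obj("LNK Icon Smuggling", "T1027.012")],
        "major_version_changes": [_obj("Fileless Storage", "T1027.011")],
        "minor_version_changes": [_obj("Phishing", "T1566")],
        # T1566 also appears here: the more severe category must win.
        "patches": [_obj("Phishing", "T1566"),
                    _obj("Windows Management Instrumentation", "T1047")],
        "revocations": [_obj("PowerShell", "T1086")],
        "deprecations": [],
    }
}

# Constructed Navigator layer fragment ("techniqueID" is the Navigator field).
SAMPLE_LAYER = {
    "name": "Detections vs. threat actor X",
    "techniques": [
        {"techniqueID": "T1027.011", "score": 1},
        {"techniqueID": "T1059.001", "score": 1},
        {"techniqueID": "T1566", "score": 1},
        {"techniqueID": "T1086", "score": 1},  # stale: revoked into T1059.001
    ],
}


def load_changelog(path: str) -> dict:
    """Load a changelog JSON file downloaded from ATT&CK Sync."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK ID (e.g. T1027.011) of a changelog object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_changelog(changelog: dict, object_type: str = "techniques") -> Dict[str, str]:
    """Map each changed ATT&CK ID to the most severe category it appears in."""
    index: Dict[str, str] = {}
    for category in IMPACT_ORDER:  # most severe first, so the first hit wins
        for obj in changelog.get(object_type, {}).get(category, []):
            tid = attack_id(obj)
            if tid and tid not in index:
                index[tid] = category
    return index


def impacted(layer: dict, changelog: dict) -> Dict[str, str]:
    """Techniques in the layer that changed: ID -> change category."""
    index = index_changelog(changelog)
    return {t["techniqueID"]: index[t["techniqueID"]]
            for t in layer.get("techniques", []) if t["techniqueID"] in index}


def review_queue(layer: dict, changelog: dict) -> List[Tuple[str, str]]:
    """Impacted techniques, most disruptive change first."""
    return sorted(impacted(layer, changelog).items(),
                  key=lambda item: IMPACT_ORDER.index(item[1]))


def new_subtechniques_of_mapped_parents(layer: dict, changelog: dict) -> List[str]:
    """New sub-techniques under a parent the layer already covers (directly or via a sibling).

    Additions never match an existing layer entry, so they would otherwise be missed.
    """
    parents = {t["techniqueID"].split(".")[0] for t in layer.get("techniques", [])}
    added = changelog.get("techniques", {}).get("additions", [])
    return sorted(tid for tid in (attack_id(o) for o in added)
                  if tid and "." in tid and tid.split(".")[0] in parents)


if __name__ == "__main__":
    # With a real export: changelog = load_changelog("changelog.json")
    for tid, category in review_queue(SAMPLE_LAYER, SAMPLE_CHANGELOG):
        print(f"{category:22} {tid}")
    print("new sub-techniques under mapped parents:",
          new_subtechniques_of_mapped_parents(SAMPLE_LAYER, SAMPLE_CHANGELOG))
```

The ordering matters in practice: a revoked or deprecated technique in your layer means the mapping itself is wrong now and needs re-pointing, a major version change usually means the scope of the technique changed and your detections or controls should be re-validated, while a patch is typically a wording fix you can wave through. Techniques that changed but are not in your layer (T1047 in the sample) are filtered out, which is exactly the effort reduction the case study describes.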

So, whether you want to have a quick look at the changes between specific versions of an ATT&CK matrix or want to programmatically identify changes and their potential impacts on your projects, ATT&CK Sync should be part of your toolbox (and bookmarks bar 😉).

I hope you liked this short introduction to ATT&CK Sync. Please feel free to send me a message if you have feedback or would like to learn more about how I use this and other MITRE Engenuity projects.

Lennart Erikson

Computer Science, Information Security, Software Development