Cyber Analytics Repository Migrated to Github

Written by John Wunder & Blake Strom

Those of you who have been following MITRE ATT&CK™ for awhile, or even those who are just tuning in, may be familiar with MITRE’s Cyber Analytics Repository (CAR). MITRE launched CAR a few years ago as a repository of analytics, which we take to mean a way of identifying or detecting an adversary technique. CAR also contained a data model for describing the observable behavior that can be used to detect those techniques, and a list of sensors to collect that data.

We’re happy to share that based on your feedback, we are updating and reinvigorating CAR to make it easier for you to contribute. Our update has started with a migration from the old MediaWiki site to a github.io site backed by a new Github repository — you can check it out at https://car.mitre.org.

The new CAR website at https://car.mitre.org

CAR is important because primary use cases for ATT&CK include detection and hunting. In the end, cybersecurity is about denying the adversary the ability to succeed in operating on our systems, and detecting them is one of the best ways to do that. We know this is important because of our own experiences, and also because so many people outside of MITRE are interested in CAR and in working together to build out this knowledge base.

At the same time, you might have noticed that CAR is a bit, ahem, dusty. The most recent analytics are from 2016 - and unless we’re mistaken, Sysmon 3.2 might not be the latest version (…it’s 8.0). The data model is similarly out-of-date. This isn’t because we don’t think it’s important, it’s just due to the realities of the time we had available and the infrastructure we were operating on.

It’s also been harder than we want for people to contribute and for us to accept those contributions. A read-only Wiki is kind of counter to that technology, and a custom license and terms of use is less comfortable for most people than a standard license. Given that, we shouldn’t be surprised that we’ve had so few contributions from outside MITRE.

Good News: We’re Making Changes

There’s good news on both fronts. We’ve had a lot of conversations about CAR during ATT&CKcon, at the ATT&CK community workshops in Luxembourg, and in one-on-one conversations we’ve had with many of you. We’ve heard your feedback on the importance of reinvigorating CAR, the need for a new licensing model, and the desire for easier contributions. We’ll be dedicating more MITRE time and effort to building it out, and we hope we can count on you dedicating some of your time to helping us as well.

Initially, we’ll be focusing near-term on making CAR more usable for everyone.

First, as we talked above above we’ve migrated https://car.mitre.org from a MediaWiki site to a github.io site backed by a new Github repository. The URL and content have stayed the same for now, but the look and feel of the site has changed and will continue to change in coming months. More importantly though, you can now contribute analytics via opening an issue on Github! Check out the repository at https://github.com/mitre-attack/car and the contribution guidance in CONTRIBUTING.md. Issues that are accepted will be integrated and published via the new website. You no longer have to email us and hope for the best — you can see exactly what’s going on.

To go along with the new Github approach, we’ve also changed our license to Apache 2.0, a common open source license. That serves both to make it easy to contribute (you know what you’re giving away) and easy to use (you know how you’re protected).

The goal of these changes is to make it easier for us to maintain CAR and accept your contributions, while at the same time making it easier for you to contribute and use CAR.

What’s Next for CAR

Over the next few months, MITRE will be focused on putting our new Github-centric approach to good use by making additions and improvements to CAR.

  1. We have some analytics that we’re getting ready to contribute ourselves. Get ready for CAR 2018–12–001!
  2. We’ll be reaching out to people who have previously expressed interest to talk them through contributing. If that describes you, please feel free to open an issue, create a pull-request, or email us at attack@mitre.org. At this early stage we’re focused on getting new analytics however we can and are happy to talk you through it.
  3. We have some ideas for expanding the data model to incorporate new data that can be used to detect techniques. If you have ideas of your own, we’re happy to hear them as well. At this point, I think you know what to do.

Our hope is that by getting as much content as we can in ASAP, we can start to become immediately useful for analysts and hunters — while also building a community to advance the state of the practice.

All that said, it’s important to remember that ATT&CK and CAR are separate projects for good reason. It’s critical to keep how we articulate threats with ATT&CK separate from a set of possible ways to detect them with the analytics. We don’t want the defensive recommendations in ATT&CK to be overly prescriptive about how someone can defend against ATT&CK techniques because there could be many different ways, and it’s up to the organization implementing them to determine what works best for their environment and the threats they face. This is why we didn’t put the analytics in ATT&CK to begin with. CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration — but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.

Looking Toward the Future

While those are our near-term goals for improving CAR, we recognize there’s opportunity to improve things even more. Our vision is that we can make analytics for threat hunting and detection even better by focusing on a few areas.

One important area is automation. You should be able to use and share analytics natively in tools like Unfetter, MISP, and even directly in SIEM platforms. This would require developing vendor-neutral languages to represent and share analytics. One example of this happening already is Sigma, and we hope to work closely with them to find an approach that works for everyone. MITRE has also been working with IBM and others on a converter to go from STIX patterns to SIEM searches, with the goal of enabling broader analytics sharing. We don’t know what all the answers are yet, but it’s a great area for further discussion and collaboration.

This would also mean developing an ecosystem of CAR-style repositories. Not everyone will want to contribute to MITRE’s CAR— the H-ISAC Cybersecurity Analytics working group that MITRE participates in, for example, privately collaborates on the development of ATT&CK-based analytics. Not everyone can or wants to share publicly, so private sharing communities are also valuable and can be enabled by this type of automation. Our hope is that the CAR repository and the website that’s generated off of it, as well as approaches we develop for automation (e.g., perhaps a TAXII server), will serve as a pattern for others to follow.

Automation isn’t all we want to tackle, though. We also want to work together on improving how we develop analytics, test them against real attacks, and prioritize that development using real sightings data. One interesting area to us is how we can better understand how to describe “coverage” for ATT&CK so that we don’t lull ourselves into a false sense of security with a heatmap that looks mostly “green.”

Thank you

Thank you to everyone who gave us the feedback that pushed us to make this change. We’re listening and we appreciate it. Now it’s your turn! We’ll be reaching out directly to some of you, but if we don’t please feel free to get in touch as we all work to make CAR a useful resource for the community.

©2018 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18–03730–04.