New Wheels on the CAR: Updates to the Cyber Analytics Repository

Ivan Kirillov
MITRE ATT&CK®
Sep 17, 2019

Like proud parents, we wanted to share some recent improvements to one of our closely related projects. CAR (Cyber Analytics Repository), MITRE’s repository of cybersecurity analytics aligned to ATT&CK, has been having a bit of a growth spurt over the past few months. It’s grown by a few inches’ worth of analytics, has rounded out with a few steps towards better ease of use, and has outgrown some awkward quality issues in ATT&CK mappings. As previewed in an earlier post, we wanted to share what we and the community have done, let you know how we’re looking to continue this progress over the next year, and suggest how you can help.

Recent Updates and Changes

News

First of all, you no longer have to rely on constantly F5ing the website to see updates. From now on, we’ll keep the news section on the CAR homepage up to date with the latest (including more detail on these changes).

Multiple implementations

In the previous iteration of CAR, analytics included only a single pseudocode “implementation”, or search/query expression. Our goal with the pseudocode was to include an expression that clearly described the various operations (e.g., search, filtering, etc.) that should be executed against the expected data in order to find and output what the analytic was looking for. The idea was that analysts using CAR could then translate these pseudocode expressions into whatever search/query syntax is used and supported by their detection infrastructure.

Multiple implementations example (from CAR-2019-07-002)

While we still think this is important, we also realize that having native, “plug-and-play” implementations for each analytic would make it easier for many consumers to integrate and test these analytics in their own environments. Therefore, we’ve started adding other implementations (including EQL, Sigma, and Splunk) to CAR — our plan is for any new analytics to include multiple implementations from the start, and to steadily add new (i.e., non-pseudocode) implementations to existing analytics over time. It’s worth noting that any Sigma implementations in CAR can be fed into the Sigma Converter, which can translate Sigma rules into a number of popular search languages.

We’re also looking into adding other implementations based on community feedback, so if you have a favorite search technology that we’re not supporting, let us know or open an issue to add it!

ATT&CK Detection

Each CAR analytic includes a detection section which defines the set of ATT&CK Tactics and Techniques that can be detected by the analytic, along with the corresponding level of coverage for each Tactic/Technique pair. After reviewing this data, we’ve realized it could use a bit of tweaking — sometimes we no longer agreed with the mapping, and in other cases it referenced the wrong Tactic for a Technique. Accordingly, we’ve gone through and made updates to ensure the accuracy of the detection section for each analytic.
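As an added illustration (not code from CAR or from this post), here is one way to machine-check the kind of mapping error described above, where an analytic lists a Tactic that the Technique does not belong to. The field names (`coverage`, `technique`, `tactics`), the three coverage levels, the `EXAMPLE-` analytics and the `T9999` entry are assumptions constructed for the example; the technique-to-tactic table is a small hand-written excerpt of the 2019 ATT&CK matrix.

```python
# Added example. Field names, coverage levels and sample records are assumptions.
# Hand-written excerpt of the 2019 ATT&CK Enterprise matrix: technique -> its tactics.
ATTACK_TACTICS = {
    "T1003": {"TA0006"},            # Credential Dumping: Credential Access
    "T1088": {"TA0004", "TA0005"},  # Bypass UAC: Privilege Escalation, Defense Evasion
    "T1117": {"TA0002", "TA0005"},  # Regsvr32 (Squiblydoo): Execution, Defense Evasion
}
COVERAGE_LEVELS = {"Low", "Moderate", "High"}  # assumed set of levels

# Constructed analytics, shaped like parsed records (not real CAR entries).
SAMPLE_ANALYTICS = [
    {"id": "EXAMPLE-001", "coverage": [
        {"technique": "T1088", "tactics": ["TA0004", "TA0005"], "coverage": "Moderate"}]},
    {"id": "EXAMPLE-002", "coverage": [
        {"technique": "T1003", "tactics": ["TA0005"], "coverage": "Moderate"},
        {"technique": "T1117", "tactics": ["TA0002"], "coverage": "Complete"},
        {"technique": "T9999", "tactics": ["TA0002"], "coverage": "Low"}]},
    {"id": "EXAMPLE-003", "coverage": []},
]


def check_analytic(analytic):
    """Return (analytic id, technique, problem) tuples for one analytic."""
    findings = []
    entries = analytic.get("coverage") or []
    if not entries:
        findings.append((analytic["id"], None, "no detection mapping"))
    for entry in entries:
        technique = entry.get("technique")
        valid = ATTACK_TACTICS.get(technique)
        if valid is None:
            findings.append((analytic["id"], technique, "unknown technique"))
            continue
        tactics = entry.get("tactics") or []
        wrong = sorted(set(tactics) - valid)
        if not tactics:
            findings.append((analytic["id"], technique, "no tactic listed"))
        elif wrong:
            findings.append((analytic["id"], technique, "wrong tactic: " + ", ".join(wrong)))
        if entry.get("coverage") not in COVERAGE_LEVELS:
            findings.append((analytic["id"], technique, "invalid coverage level"))
    return findings


def check_all(analytics):
    """Run the check over every analytic and flatten the findings."""
    return [f for a in analytics for f in check_analytic(a)]


if __name__ == "__main__":
    for finding in check_all(SAMPLE_ANALYTICS):
        print(finding)
```

Run against a full technique-to-tactic table, a check like this can gate pull requests so that a mismatched Tactic/Technique pair is caught before it is published.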

New Analytics

New CAR Analytics (since April 2019)

Since April 2019, we’ve added 8 new analytics to CAR, including those for UAC bypass, Mimikatz credential dumping, and Squiblydoo. Along with pseudocode, each of these analytics also includes a native Splunk implementation, and several include Sigma and EQL implementations as well. Special thanks go to Meric Degirmenci (IBM), Kaushal Parikh (Cyware Labs), and Tony Lambert (Red Canary) for their submissions. If you, dear reader, have any analytics that you’d like to share with CAR, we’d be happy to add those as well — feel free to open an issue or pull request.

YAMLization

CAR YAML Sample

Prior to May 2019, all CAR analytics lived only as markdown-formatted versions of the content hosted on the CAR website. However, in an effort to make it easier for users to parse/ingest analytics and for us to generate the CAR website content, we’ve updated the “native” representation of all CAR analytics to be in YAML. This provides a structured representation that is easily machine-parseable, and also enables us to make updates without having to dig into the markdown files themselves. You can find these YAML analytics here on GitHub.

Data model updates

CAR’s data model serves several purposes: it is the basis for the pseudocode implementations in CAR analytics, and it also provides a vendor-agnostic set of fields and actions that can be used more generally to explain causality in the cyber domain.

The data model’s relevance is also tied to how well it supports writing expressions that align with the output of modern detection tools, particularly in the realm of endpoint detection and response (EDR). We had a gap of several years between data model updates, during which EDR tools have evolved in their breadth of detection capabilities; however, we are now taking steps to update the data model to better align with the capabilities of today’s tools. In particular, we’ve added new fields to the Process object model, which can be leveraged for detection of UAC bypass as well as other TTPs.

BZAR

While we love endpoint analytics as much as everyone else, it’s also important to think about what we can do with internal network monitoring. To that end, a few months ago we released a set of Zeek scripts known as BZAR as a companion project to CAR. We’ve had a great response on these and plan to continue to build them out. As always, we’re looking for suggestions or improvements to these as well.

Side note: if you’re attending the SANS Threat Hunting Summit later this month, you can see John Wunder and Mark Fernandez present on this work.

Future Work

We’re by no means done with updates to CAR. In the next few months, we have plans for further improvements, some of which are previewed below.

Sensor coverage updates

CAR’s current sensor coverage contains tools like Sysmon 3.2, which was great for 2016, but for 2019… not so much. We hope to make CAR’s sensor coverage relevant again in the near future.

Further data model updates

We have plans for more data model updates, including adding support for the capture of application layer network information such as HTTP Request header fields in the flow object. This will directly support the creation of analytics against such data. Also, we’re always curious as to what our community thinks about our data model, so if you have anything you’d like to add or tweak, we’d love to hear about it.

CARET overhaul

With the updates to the CAR website, we’ve come to realize that the CAR Exploration Tool (CARET) could use some love as well. While we don’t currently have a definite set of plans for this overhaul, we realize that there are usability improvements that could be made, such as making it easier to select and view a group of techniques at the same time, as well as addressing the addition of sub-techniques. We’d certainly welcome any ideas on things that could be done better or differently with CARET, so please send them our way!

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18–03730–13
