New Wheels on the CAR: Updates to the Cyber Analytics Repository
Like proud parents, we wanted to share some recent improvements to one of our closely-related projects. CAR (Cyber Analytics Repository), MITRE’s repository of cybersecurity analytics aligned to ATT&CK, has been having a bit of a growth spurt over the past few months. It’s grown by a few inches worth of analytics, has rounded out with a few steps towards better ease of use, and has outgrown some awkward quality issues in ATT&CK mappings. As previewed in an earlier post, we wanted to share what we and the community have done, let you know how we’re looking to continue this progress over the next year, and suggest how you can help.
Recent Updates and Changes
First of all, you no longer have to rely on constantly F5ing the website to see updates. From now on, we’ll keep the news section on the CAR homepage up to date with the latest (including more detail on these changes).
In the previous iteration of CAR, analytics included only a single pseudocode “implementation”, or search/query expression. Our goal with the pseudocode was to include an expression that clearly described the various operations (e.g., search, filtering, etc.) that should be executed against the expected data in order to find and output what the analytic was looking for. The idea was that analysts using CAR could then translate these pseudocode expressions into whatever search/query syntax is used and supported by their detection infrastructure.
While we still think this is important, we also realize that having native, “plug-and-play” implementations for each analytic would make it easier for many consumers to integrate and test these analytics in their own environments. Therefore, we’ve started adding other implementations (including EQL, Sigma, and Splunk) to CAR — our plan is for any new analytics to include multiple implementations from the start, and to steadily add new (i.e., non-pseudocode) implementations to existing analytics over time. It’s worth noting that any Sigma implementations in CAR can be fed into the Sigma Converter, which can translate Sigma rules into a number of popular search languages.
We’re also looking into adding other implementations based on community feedback, so if you have a favorite search technology that we’re not supporting, let us know or open an issue to add it!
Each CAR analytic includes a detection section which defines the set of ATT&CK Tactics and Techniques that can be detected by the analytic, along with the corresponding level of coverage for each Tactic/Technique pair. After reviewing this data, we’ve realized it could use a bit of tweaking — sometimes we no longer agreed with the mapping, and in other cases it referenced the wrong Tactic for a Technique. Accordingly, we’ve gone through and made updates to ensure the accuracy of the detection section for each analytic.
Since April 2019, we’ve added 8 new analytics to CAR, including those for UAC bypass, Mimikatz credential dumping, and Squiblydoo. Along with pseudocode, each of these analytics also includes a native Splunk implementation, and several include Sigma and EQL implementations as well. Special thanks goes to Meric Degirmenci (IBM), Kaushal Parikh (Cyware Labs), and Tony Lambert (Red Canary) for their submissions. If you, dear reader, have any analytics that you’d like to share with CAR we’d be happy to add those as well — feel free to open an issue or pull request.
Prior to May 2019, all CAR analytics lived only as markdown-formatted versions of the content hosted on the CAR website. However, in an effort to make it easier for users to parse/ingest analytics and for us to generate the CAR website content, we’ve updated the “native” representation of all CAR analytics to be in YAML. This provides a structured representation that is easily machine-parseable, and also enables us to make updates without having to dig into the markdown files themselves. You can find these YAML analytics here on GitHub.
Data model updates
CAR’s data model serves several purposes, including being the basis for the pseudocode implementations in CAR analytics, but also as a means of providing a vendor-agnostic set of fields and actions that can be used more generally to explain causality in the cyber domain.
The data model’s relevancy is also tied to its ability to write expressions that align with the output of modern detection tools, particularly in the realm of endpoint detection and response (EDR). We had a gap of several years between data model updates, during which EDR tools have evolved in their breadth of detection capabilities; however, we are now taking steps to update the data model to better align with the capabilities of today’s tools. In particular, we’ve added new fields to the Process object model, which can be leveraged for detection of UAC bypass as well as other TTPs.
While we love endpoint analytics as much as everyone else, it’s also important to think about what we can do with internal network monitoring. To that end, a few months ago we released a set of Zeek scripts known as BZAR as a companion project to CAR. We’ve had a great response on these and plan to continue to build them out. As always, we’re always looking for suggestions or improvements to these as well.
We’re by no means done with updates to CAR. In the next few months, we have plans for further improvements, some of which are previewed below.
Sensor coverage updates
Further data model updates
We have plans for more data model updates, including adding support for the capture of application layer network information such as HTTP Request header fields in the flow object. This will directly support the creation of analytics against such data. Also, we’re always curious as to what our community thinks about our data model, so if you have any thing you’d like to add or tweak we’d love to hear about it.
With the updates to the CAR website, we’ve come to realize that the CAR Exploration Tool (CARET) could use some love as well. While we don’t currently have a definite set of plans for this overhaul, we realize that there are usability improvements that could be made such as making it easier to select and view a group of techniques at the same time, as well as address the addition of sub-techniques. We’d certainly welcome any ideas on things that could be done better or differently with CARET, so please send them our way!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18–03730–13