ATT&CK Sync: A Tool for Keeping Current with MITRE ATT&CK®

Jon Baker
MITRE-Engenuity
May 25, 2023

Written by Mark E. Haase and Tiffany Bergeron.


MITRE ATT&CK® provides a common reference point that enables communication and coordination among cybersecurity teams and between organizations. The cybersecurity community, including the Center for Threat-Informed Defense (Center), builds projects that depend in some way on ATT&CK. Some projects map security events or control frameworks to ATT&CK techniques (e.g., the NIST 800–53 Controls to ATT&CK Mappings), while others use ATT&CK data for search and display purposes (e.g., Attack Flow and ATT&CK Powered Suit). These projects typically depend on a specific release of ATT&CK, generally whatever version was current at the time the project was developed. The ATT&CK knowledge base is updated twice per year, and with each new ATT&CK release these projects fall behind and become outdated.

This led us to consider: how can we migrate existing projects to current ATT&CK versions in a timely and efficient manner as ATT&CK evolves? ATT&CK’s release notes summarize changes to the data model, new techniques that have been added, techniques that are deprecated, and changes to the existing techniques (that may be major or minor). The release notes are typically lengthy, high-level, and require the reader to understand nuances such as “major” versus “minor” version change. They also do not directly answer the important question: “how does this new version affect me?”

Earlier this year, we extended the official mitreattack-python library to improve the tools available for building detailed ATT&CK changelogs. The new changelogs are available in both human-readable and machine-readable formats. (As of May 2023, the detailed changelogs are included with each ATT&CK release.) These new changelogs are a boon for any organization that depends on ATT&CK and wants to update to the latest version, but we believe that there is more work to do in this area.

ATT&CK Sync provides tools and a methodology that organizations can use to implement their own solutions for keeping up with the latest version of ATT&CK, saving time and effort for all. Streamlining the ATT&CK upgrade process allows teams to shift effort from updating references to ATT&CK to cyber defense.

Meeting the Need

ATT&CK Sync’s freely available resources are applicable to any project that depends on ATT&CK:

While the ATT&CK Sync project is focused on helping any organization integrate new versions of ATT&CK into their internal systems and day-to-day work, we understand and expect that each organization will have unique needs. For example, they may need to customize the way the changelog is used, and custom code may need to be written to process the changelog. To help meet the need for customization, the code for ATT&CK Sync is open source.

[Figure: Inline diff view for a modified ATT&CK technique.]

To ground the project in real-world needs, we applied ATT&CK Sync to update our NIST 800–53 Controls to ATT&CK Mappings from ATT&CK v10.1 to v12.1. The mappings update serves as a case study for ATT&CK Sync: upon completion, we will share data showing the change in labor hours that results when using ATT&CK Sync for updates (as compared to previous, manual efforts). We project a 70% reduction in effort due to the ability to quickly focus attention on only those mappings which are materially impacted by the changes from v10.1 through v12.1.
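The triage step described above, as an added example that is not part of ATT&CK Sync or the mitreattack-python library: a machine-readable changelog is read and each control-to-technique mapping is bucketed by whether its technique was revoked or deprecated (needs remapping), had a major change (needs review), had a minor change, or was untouched. The changelog structure, version numbers and mappings below are constructed for the example and do not reproduce the real changelog format.

```python
import json

# Constructed, simplified changelog for this example. The real detailed
# changelog produced by mitreattack-python is richer and laid out differently.
CHANGELOG_JSON = """
{
  "old_version": "10.1", "new_version": "12.1",
  "techniques": {
    "additions": [{"id": "T9001", "name": "Hypothetical New Technique"}],
    "major_version_changes": [{"id": "T1059", "old_version": "2.1", "new_version": "3.0"}],
    "minor_version_changes": [{"id": "T1003", "old_version": "1.2", "new_version": "1.3"}],
    "deprecations": [{"id": "T1064"}],
    "revocations": [{"id": "T1086", "revoked_by": "T1059.001"}]
  }
}
"""

# Constructed sample mappings (control ID -> technique ID), in the style of a
# NIST 800-53 controls-to-ATT&CK mapping pinned to ATT&CK v10.1.
MAPPINGS = [
    ("AC-3", "T1059"),
    ("AC-3", "T1003"),
    ("SI-3", "T1064"),
    ("SI-4", "T1086"),
    ("CM-7", "T1021"),
]

def triage_mappings(changelog_json, mappings):
    """Bucket each mapping by the kind of change ATT&CK made to its technique.

    'remap'     - target technique was revoked or deprecated; analyst must re-map.
    'review'    - major version change; scope or description likely changed.
    'minor'     - minor version change; usually editorial, low priority.
    'unchanged' - no work needed for this release.
    """
    cl = json.loads(changelog_json)["techniques"]
    revoked = {t["id"]: t.get("revoked_by") for t in cl["revocations"]}
    deprecated = {t["id"] for t in cl["deprecations"]}
    major = {t["id"] for t in cl["major_version_changes"]}
    minor = {t["id"] for t in cl["minor_version_changes"]}
    result = {"remap": [], "review": [], "minor": [], "unchanged": []}
    for control, tech in mappings:
        if tech in revoked:
            result["remap"].append((control, tech, f"revoked by {revoked[tech]}"))
        elif tech in deprecated:
            result["remap"].append((control, tech, "deprecated"))
        elif tech in major:
            result["review"].append((control, tech))
        elif tech in minor:
            result["minor"].append((control, tech))
        else:
            result["unchanged"].append((control, tech))
    return result

if __name__ == "__main__":
    for bucket, items in triage_mappings(CHANGELOG_JSON, MAPPINGS).items():
        print(bucket, items)
```

Only the "remap" and "review" buckets need analyst time, which is where the effort savings the case study measures come from.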

Get Involved

The ATT&CK Sync tools, methodology, and NIST 800–53 sample output are available on GitHub. We encourage you to use the tools and resources, customize them for your needs, and tell us what you think about this project.

We welcome your feedback and contributions to continue to advance threat-informed defense. Please see the guidance for contributors if you are interested in contributing. You are also welcome to submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0070.

Jon Baker, MITRE-Engenuity: Director and co-Founder, Center for Threat-Informed Defense