ATT&CK Workbench: A tool for extending ATT&CK

Written by Isabel Tuson and Jon Baker.

The ATT&CK Workbench is here!

For too long, sophisticated users of MITRE ATT&CK® have struggled to integrate their organization’s local knowledge of adversaries and their tactics, techniques, and procedures (TTPs) with the public ATT&CK knowledge base. In response to this, the Center for Threat-Informed Defense (Center) embarked on a research project sponsored by AttackIQ, HCA Healthcare, JPMorgan Chase, Microsoft, and Verizon to drastically reduce the barriers for defenders to ensure that their threat intelligence is continually aligned with the public ATT&CK knowledge base. ATT&CK Workbench is an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base.

Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organizations or individuals can initialize their own instances of the application to serve as the centerpiece to a customized variant of the ATT&CK knowledge base, attaching other tools and interfaces as desired. Through the Workbench this local knowledge base can be extended with new or updated techniques, tactics, mitigations groups, and software. Additionally, Workbench provides means for a user to share their extensions with the greater ATT&CK community facilitating a greater level of collaboration within the community than is possible with current tools.

Who is the ATT&CK Workbench for?

We developed the Workbench with the ATT&CK user community in mind.

• Is ATT&CK at the core of your organization’s security operations?
• Do you actively track threats against ATT&CK?
• Do you align your defenses to ATT&CK?
• Do you plan your security investments based on ATT&CK?

If the answer to any of these questions is yes, then Workbench is for you.

Annotating your copy of ATT&CK

Workbench enables users to annotate their local copy of ATT&CK with note-taking capabilities. Notes are an excellent way to capture additional context about an object in your knowledge base and can be applied to matrices, techniques, tactics, mitigations, groups, and software. Most importantly, as your knowledge base is updated with new ATT&CK data, Workbench will preserve your notes.

Some possible uses of notes include:

• Sharing informal knowledge within an organization (e.g “This mitigation might be useful to protect us from X”)
• Recording potential knowledge (e.g “TO DO: verify whether the mention in threat report X is actually this technique”)
• Enabling collaboration in development workflows (e.g “Review data source information and create a plan to start collecting data required to detect this technique.”)

Figure 1: Adding a note to an object

Extending your copy of ATT&CK

The primary utility of the Workbench is the ability to create new objects or extend existing objects with new content. Matrices, techniques, tactics, mitigations, groups, and software can all be created and edited. This means you can create an extension of the knowledge base according to your own needs, or even an entirely new dataset aligned with ATT&CK terminology and usable with ATT&CK tools. Data created within the Workbench can be seamlessly integrated into existing ATT&CK data — new groups or software can be connected to existing techniques through procedure examples, or new sub-techniques can be created under existing ATT&CK techniques.

Creating or extending ATT&CK data in a local knowledge base enables a number of important use cases, such as:

• Creating red-team techniques so you can track them just like existing ATT&CK techniques
• Documenting groups or software that target your sector or organization but are not presently tracked by the ATT&CK team
• Updating ATT&CK data to reflect internal, proprietary, or other reporting to which the ATT&CK team does not have access
• Developing your own matrix with new techniques and tactics outside of the scope of the ATT&CK knowledge base

Figure 2: Creating a new group in Workbench

To facilitate team collaboration, the Workbench includes features such as the ability to mark objects as “work in progress,” “awaiting review,” or “reviewed,” and the ability to look through the history of an object to determine when a change was made and by whom.

Breaking down silos — updating and sharing your extensions

As teams extend and annotate their ATT&CK data, Workbench will enable them to import updates to that data and provide the option to selectively share their work. Workbench users can subscribe to collections of ATT&CK data and publish their own. Subscriptions allow users to stay up to date with the evolving knowledge base by automatically pulling down updates when they’re available. When a collection is imported into the Workbench you can preview exactly what it contains and how the contents relate to your local knowledge base. Sharing of ATT&CK-related information among organizations as collections will:

• Streamline the process of staying synchronized with ATT&CK when it is updated by enabling automated import and providing detailed change history
• Allow users to integrate the latest from ATT&CK with intelligence extensions from other sources (threat intel vendors, ISACs & ISAOs, and other members of the ATT&CK community) by importing multiple collections
• Create structure and consistency for contributions to ATT&CK

Figure 3: Connecting to MITRE ATT&CK and other ATT&CK data providers while sharing your ATT&CK extensions

Alongside the release of the Workbench, ATT&CK has made official collections representing current and previous ATT&CK releases available on GitHub. Users can simply subscribe to these collections and import new ATT&CK releases as soon as they are published.

ATT&CK in STIX 2.1

Since collections are represented in STIX 2.1, this is also the first time ATT&CK data is available in that version of the STIX specification. Since many community tools are still reliant on STIX 2.0, we will be maintaining both STIX 2.1 and STIX 2.0 versions of the dataset for the foreseeable future. However, the collection objects will only appear in the STIX 2.1 version of the dataset.

A hub for Integrations

The Workbench serves as the keystone to a local knowledge base and supports a number of integrations with other ATT&CK tools. A REST API provides programmatic access to the contents of the knowledge base, allowing ATT&CK developed tools or third-party applications to extend the functionality of your local knowledge base to match your use case. The initial Workbench release includes the following integrations:

• ATT&CK Website Repository: View your knowledge base through the lens of the ATT&CK website and see notes you created on objects directly on their pages on the website. We expect that the ATT&CK Website integration will be useful to users who want to see their customized content in a familiar setting or use the many built in features of the website such as full ATT&CK matrices, generated Navigator layers, and more.
• ATT&CK Navigator Repository: See and annotate your new techniques, tactics, and matrices in the ATT&CK Navigator and view notes you’ve created on techniques in the matrix view as if they were comments. This integration allows users to create layer files based on customized extensions of the ATT&CK dataset, enabling many of the existing workflows developed within the ATT&CK community which utilize the Navigator.

Read more about how to set up Workbench integrations in our integrations document.

Supporting Resources

The ATT&CK Workbench Frontend repository is the entry point for user documentation and installation instructions. In addition to the option of setting up each component individually, we also include a docker compose (and associated instructions) to ease deployment of the application.

• The usage document explains how to use each feature of the application and many of the potential workflows for developing your extended knowledge base.
• The integrations document provides step by step instructions for setting up the ATT&CK Navigator and ATT&CK Website to connect to a local Workbench instance.

What’s next?

Going forward, we have a number of additions planned for the Workbench over the course of 2021. Our roadmap and issue tracker documents many of the upcoming updates we’re planning on adding over the coming months.

We’re excited to hear about how the tool is used throughout the ATT&CK community. We welcome users to request new features, provide feedback, and report bugs via our issue trackers so that we can continue to improve the tool to best support the needs of the community.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2021 MITRE Engenuity. Approved for Public Release. Document number CT0020.