Call for Participation: Sightings Ecosystem

Published in

MITRE-Engenuity

4 min readOct 20, 2022

Written by Maggie MacAlpine and Mike Cunningham.

We are taking the next step towards establishing a Sightings Ecosystem to create a global view of threat activity mapped to MITRE ATT&CK. To create this view, we are seeking data contributors willing to contribute observations of adversary activity mapped to ATT&CK, called “sightings”. Your data will be anonymized, aggregated, and analyzed to create critical visibility into adversary activity for the cyber defense community.

Insight into real-world adversary behaviors enables cyber defenders to focus on defending against the most pressing threats to their organization. Our aim is to dramatically scale the Sightings Ecosystem, increase its impact, and provide the community with foundational insight enabling threat-informed defense.

The Call for Participation is open until November 15, 2022. Sign up here to learn more: https://ctid.mitre-engenuity.org/our-work/sightings/#CFP

What is the Sightings Ecosystem?

Our vision is to establish an ecosystem in which security teams, vendors, ISACs/ISAOs, and governments share when they see adversaries use specific behaviors — Sightings of ATT&CK techniques — to give defenders unprecedented visibility into what adversaries are actually doing in the wild.

In our initial research, we collected and analyzed over 6M Sightings to create a picture of common adversary behavior, including which techniques adversaries use, how those change over time, and how adversaries sequence techniques. This next iteration of the project aims to expand upon these findings. To accomplish this, we are collecting ATT&CK-specific detections that conform to our data model, which can be found on our Github repository.

“With Sightings v1, we showed that a community-based approach to sharing real-world detections creates a more accurate picture of adversary behaviors,” said Sightings Ecosystem Project Lead, Mike Cunningham. “We’re excited to increase the scope of our impact by gaining new contributors and getting closer to our vision of an ecosystem that captures the worldwide threat landscape.”

Some facts from past findings of the Sightings Ecosystem project:

15 Techniques made up 90% of the observed techniques from April 2019-July 2021. Most of these techniques abuse legitimate system tools.
Overall 6M+ Sightings were received, pared down to 1.1M after normalizing the data.
A total of 184 unique techniques were discovered in total.

Why contribute?

Your contribution to the Sightings Ecosystem is critical for creating a community-wide view of adversary behaviors and advancing threat-informed defense globally. As a contributor you will:

Gain access & insight — contributors gain access to the full Sightings data set and tools so they can perform their own analysis
Expand your platform — contributors will be able to integrate Sightings data into their product to show customers that they are protected from the top Sightings techniques
Improve your ATT&CK mappings — we will partner with you to review and validate your mappings of ATT&CK to your detections helping you increase the accuracy of your mappings
Receive recognition — contributors can opt in to being named as a contributor and recognized in our Sightings report for their contribution and support
Advance the whole community — contributors are organizations and teams that want to give back to the community for the betterment of the entire community

How to contribute?

We aim to make data contribution as simple as possible. Submit the CFP form and we will contact you to discuss the project and onboard you as a data contributor.

We have tools, documentation, and other resources to facilitate data contribution. We will walk you through those resources and seek to understand your data to simplify the data contribution process.

Contributors share ATT&CK-based detections only. We are not interested in PII or other sensitive information. The data received will be anonymized and transformed in a way that provides meaning to the Sightings data. The data will be normalized and prepared for analysis. This allows the identification of technique frequency, co-occurrence among techniques, and other discoveries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.