Tiffany Bergeron edited this page May 24, 2023 · 8 revisions

Many organizations and cyber defenders, including the Center for Threat-Informed Defense (Center), build projects that depend in some way on MITRE ATT&CK®. Some projects map security control frameworks to ATT&CK techniques (e.g., the NIST SP 800-53 mappings) while others consume ATT&CK data for search and display purposes (e.g., Attack Flow and ATT&CK Powered Suit). These projects typically depend on a specific release of ATT&CK – generally whatever version of ATT&CK was current at the time that the project was being developed. The ATT&CK team typically releases new versions of ATT&CK twice per year and, as new versions of ATT&CK come out, these projects fall behind and become out-of-date. ATT&CK Sync has been developed to provide users of ATT&CK data with an efficient way to maintain currency of existing projects with releases of ATT&CK, keeping their threat-informed defense timely and relevant to emerging threats.

ATT&CK Sync Website User Guide

The ATT&CK Sync website lets users retrieve the deltas they care about between two versions of ATT&CK. The output makes the changes between the two versions easy to identify, which is exactly what a project that depends on ATT&CK needs in order to migrate to the most recent (or any newer) version.

From the home page, users are presented with a simple form. The form takes the following inputs and generates every change between the two selected versions of ATT&CK:

  1. Old Version - Select original version, i.e., the version of ATT&CK currently in use by the project.
  2. New Version - Select updated version, i.e., the version of ATT&CK to which to migrate.
  3. Domain - Select ATT&CK product, i.e., Enterprise, ICS, or Mobile.
  4. See Changes - Click this button to see the differences or delta between the selected original and updated versions.
(Screenshot: the Compare Versions form)

The user is then taken to a summary of differences for each component of the ATT&CK knowledge base (Techniques, Groups, Mitigations, and so on). Each summary has a "View Details" option that opens a detailed changelog listing the deltas as a collapsible list of changes, with red and green shading highlighting the text that was added, changed, or removed.

(Screenshot: the deltas changelog)

User Story

I have a set of cybersecurity controls mapped to ATT&CK for Enterprise vX. I would like to update them to map to a newer version of ATT&CK, vY.

  1. I visit the ATT&CK Sync web page.
  2. I select the ATT&CK version used for my existing mappings and the ATT&CK version to which I would like to update (e.g., old=X, new=Y), select Enterprise from the Domain dropdown, and click "See Changes".
  3. I receive a display of detailed diffs for the Mitigation, Technique, Sub-technique, and other changes between the existing and updated ATT&CK versions (i.e., ATT&CK vX to ATT&CK vY) that I can relate to my existing mappings.
  4. I am able to use the output ATT&CK delta information and custom tooling to link the changes to my mappings. Items of interest to me include:
     a. New Mitigations, Techniques, and Sub-techniques (ID and Name)
     b. Deprecated Mitigations, Techniques, and Sub-techniques (ID and Name)
     c. Changed Mitigations, Techniques, and Sub-techniques (ID and Name)
        i. Changed fields, old and new
        ii. Specific changes to descriptions, highlighted green/red in the output
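The "custom tooling" of step 4, as an added example that is not ATT&CK Sync's own code: the script below diffs two ATT&CK STIX bundles the way the site does (new, deprecated, and changed techniques, plus a word-level red/green style diff of descriptions) and then flags which of a project's control-to-technique mappings need attention. The two bundles and the mappings are constructed fragments, not real ATT&CK content: technique IDs T99xx and controls CTRL-n are placeholders. The field names follow ATT&CK's STIX conventions (an `attack-pattern` whose ID sits in an `external_references` entry with `source_name` "mitre-attack", `revoked` / `x_mitre_deprecated` flags on retired objects, `x_mitre_version`, and a `revoked-by` relationship from a revoked object to its replacement); only techniques are handled here, and mitigations (`course-of-action`) would use the same logic with the type swapped.

```python
import difflib

# Fields whose change should trigger a review of any mapping that points at the technique.
TRACKED_FIELDS = ("name", "description", "x_mitre_version", "x_mitre_platforms")


def technique(stix_id, attack_id, name, description, version="1.0", **extra):
    """Build a minimal ATT&CK-style attack-pattern (constructed sample data)."""
    obj = {"type": "attack-pattern", "id": stix_id, "name": name, "description": description,
           "x_mitre_version": version,
           "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}]}
    obj.update(extra)
    return obj


# Constructed "vX" and "vY" fragments: T9901 changes, T9902 is revoked in favour of the new
# T9904, T9903 is untouched. The IDs are placeholders, not real ATT&CK techniques.
OLD_BUNDLE = {"type": "bundle", "objects": [
    technique("attack-pattern--a1", "T9901", "Technique A", "Adversaries may abuse feature Q to do A."),
    technique("attack-pattern--b1", "T9902", "Technique B", "Adversaries may do B."),
    technique("attack-pattern--c1", "T9903", "Technique C", "Adversaries may do C."),
]}
NEW_BUNDLE = {"type": "bundle", "objects": [
    technique("attack-pattern--a1", "T9901", "Technique A",
              "Adversaries may abuse feature Q or R to do A.", version="1.1"),
    technique("attack-pattern--b1", "T9902", "Technique B", "Adversaries may do B.", revoked=True),
    technique("attack-pattern--c1", "T9903", "Technique C", "Adversaries may do C."),
    technique("attack-pattern--d1", "T9904", "Technique D", "Adversaries may do B or D."),
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "revoked-by",
     "source_ref": "attack-pattern--b1", "target_ref": "attack-pattern--d1"},
]}
# Constructed control-to-technique mappings that were built against vX.
MAPPINGS = [{"control": "CTRL-1", "technique_id": "T9901"},
            {"control": "CTRL-2", "technique_id": "T9902"},
            {"control": "CTRL-3", "technique_id": "T9903"}]


def attack_id(obj):
    """The ATT&CK ID (T1234, T1234.001, ...) lives in the mitre-attack external reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def index_techniques(bundle):
    return {attack_id(o): o for o in bundle["objects"]
            if o.get("type") == "attack-pattern" and attack_id(o)}


def is_retired(obj):
    # ATT&CK keeps retired objects in the bundle and flags them rather than deleting them.
    return bool(obj.get("revoked") or obj.get("x_mitre_deprecated"))


def replacement_for(obj, bundle):
    """Follow the revoked-by relationship to the replacement's ATT&CK ID, if one exists."""
    by_stix_id = {o["id"]: o for o in bundle["objects"]}
    for rel in bundle["objects"]:
        if (rel.get("type") == "relationship" and rel.get("relationship_type") == "revoked-by"
                and rel.get("source_ref") == obj["id"]):
            return attack_id(by_stix_id[rel["target_ref"]])
    return None


def compute_delta(old_bundle, new_bundle):
    """Classify each technique in the new version as new, deprecated, or changed (per tracked field)."""
    old, new = index_techniques(old_bundle), index_techniques(new_bundle)
    delta = {"new": [], "deprecated": [], "changed": []}
    for tid, cur in sorted(new.items()):
        prev = old.get(tid)
        if prev is None:
            if not is_retired(cur):
                delta["new"].append({"id": tid, "name": cur["name"]})
        elif is_retired(cur) and not is_retired(prev):
            delta["deprecated"].append({"id": tid, "name": cur["name"],
                                        "replaced_by": replacement_for(cur, new_bundle)})
        else:
            fields = {f: {"old": prev.get(f), "new": cur.get(f)}
                      for f in TRACKED_FIELDS if prev.get(f) != cur.get(f)}
            if fields:
                delta["changed"].append({"id": tid, "name": cur["name"], "fields": fields})
    return delta


def describe_text_change(old_text, new_text):
    """Word-level diff with [-removed-] / {+added+} markers: the text form of red/green shading."""
    a, b = old_text.split(), new_text.split()
    parts = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            parts.extend(a[i1:i2])
        if tag in ("delete", "replace"):
            parts.append("[-" + " ".join(a[i1:i2]) + "-]")
        if tag in ("insert", "replace"):
            parts.append("{+" + " ".join(b[j1:j2]) + "+}")
    return " ".join(parts)


def review_mappings(mappings, delta):
    """Return (control, technique, action) for every mapping in light of the delta."""
    deprecated = {d["id"]: d for d in delta["deprecated"]}
    changed = {c["id"]: c for c in delta["changed"]}
    actions = []
    for m in mappings:
        tid = m["technique_id"]
        if tid in deprecated:
            repl = deprecated[tid]["replaced_by"] or "no replacement listed"
            actions.append((m["control"], tid, "REMAP: retired, replaced by " + repl))
        elif tid in changed:
            actions.append((m["control"], tid, "REVIEW: " + ", ".join(changed[tid]["fields"])))
        else:
            actions.append((m["control"], tid, "OK"))
    return actions
```

Running `review_mappings(MAPPINGS, compute_delta(OLD_BUNDLE, NEW_BUNDLE))` on the constructed data yields one REVIEW (CTRL-1, whose technique's description and version changed), one REMAP (CTRL-2, whose technique was revoked in favour of T9904) and one OK. Against real ATT&CK data, load the two versions' `enterprise-attack.json` bundles in place of the constructed dicts; the revoked-by lookup matters in practice because a revoked technique usually has a named successor that the mapping should move to rather than simply being dropped.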

Use Cases

The existing ATT&CK user community spans many roles and responsibilities that use the ATT&CK knowledge base as the foundation for specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The following use cases capture the operational context in which those users and roles consume threat intelligence data in an operational environment, and show how ATT&CK Sync reduces the burden on the community to build their own solutions for staying current with ATT&CK releases, so that users can focus on understanding how changes to ATT&CK map to their specific environment and affect their existing projects.

(Figure: ATT&CK Sync use cases)
