The research and development division of Mitre Engenuity launched a tool that allows organizations to integrate their own proprietary threat intelligence with the Mitre ATT&CK framework's public knowledge base – thereby creating their own customized repository of cyber threat information.
Called ATT&CK Workbench, the free and open-source tool was designed to reduce the barriers preventing defenders from aligning their aggregated TTP intel with Mitre ATT&CK's content. Officially announced today via press release and blog post, Workbench is a creation of Mitre Engenuity's Center for Threat-Informed Defense, with contributions from Center members AttackIQ, HCA Healthcare, JPMorgan Chase, Microsoft and Verizon. Mitre exclusively shared the news with SC Media in advance of its official announcement.
Enabled via a REST API, the tool lets ATT&CK users create and build off their own unique instance of the framework, adding and annotating content, while also sharing their version internally or externally with other collaborators. Such functionality should provide users with additional flexibility in how they wish to collect, prioritize and communicate threat information based on their own companies' needs and past experiences.
"With Workbench, teams can record adversary tactics, techniques and procedures used during red team engagements and threat emulations, track detection and analytics, and then feed new intelligence back into the public ATT&CK framework as they discover it," said Jonathan Reiber, senior director, cybersecurity strategy and policy at AttackIQ. "Workbench facilitates collaboration and information sharing, and that will help give the defensive community a strategic and operational advantage."
Richard Struse, director of the Center, told SC Media that Workbench will help companies compensate for a notable limitation of ATT&CK: it accounts only for publicly reported threat activity that has been observed and confirmed in the wild. "It's super useful, but in some sense it's generic," he explained. "If you're sitting at your own company, it obviously by definition doesn't have any information about your experiences with that TTP or that adversary group."
This limitation means companies have had to maintain their own separate data detailing their own unique experiences with certain TTPs or APT groups, keeping it on a spreadsheet or even Post-It notes that employees can refer to as a way to supplement the ATT&CK knowledge base, said Struse. "With enough discipline, you could do it, but you're really forcing people to bifurcate their view: 'Well this is what it says in ATT&CK and then here's all our local stuff.'"
But Workbench unifies all this information. "It'll save them time and effort and keep everything in one place," said Struse.
"The whole idea behind ATT&CK Workbench is to give you the ability to stand up your own instance of a full ATT&CK knowledge base within your organization, whether it's a financial institution or cybersecurity company... and then begin to extend and annotate... the information in that knowledge base," Struse continued. That way, if you have personally observed certain TTPs by a group not accounted for in the ATT&CK knowledge base, you can add it to your version, and perhaps even end up with a valuable new finding that additional businesses might also benefit to see, should you choose to share.
Or you can annotate already known ATT&CK techniques with notes that are especially relevant to your organization. "So maybe you're having trouble detecting a particular adversary technique in ATT&CK," Struse said. "You can go in and create a little note... say, 'Talk to Sue about improving detection accuracy or reducing false positives,' so it becomes a focal point for the defense team who's using ATT&CK in their operations."
Struse believes the ability to tailor your own ATT&CK database could make the Workbench tool especially useful to ISACs and ISAOs, or for large conglomerates and their subsidiaries, that wish to "create and curate their own local view of adversary behavior that's rooted in the ATT&CK knowledge base, but that benefits from all of the additional expertise and knowledge that exists within a sector or an organization."
Updates to the original framework do not overwrite or affect variant versions. Additionally, there is a feature that allows users to create their own copy of the ATT&CK website, but using their own customized version of the knowledge base.
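To make the annotate-and-refresh behaviour described above concrete, here is an added toy model of a local ATT&CK overlay: public technique objects, local notes attached to them, and an organization-specific technique, with a refresh step that applies a newer public release without touching the local layer. This is example code written for this article, not the ATT&CK Workbench implementation or its REST API; the object shapes loosely follow STIX 2.1 (the format ATT&CK is distributed in), while the ids, contents, the `origin` bookkeeping, the `x_missing_upstream` flag and the "newer `modified` wins" rule are all assumptions made for the illustration.

```python
"""Toy model of a local ATT&CK overlay surviving an upstream refresh.

Added example; not ATT&CK Workbench code. Data and merge rules are constructed."""
from copy import deepcopy

# Constructed sample data: a public release, a later public release, and local objects.
PUBLIC_V1 = [
    {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Technique A",
     "modified": "2021-01-01T00:00:00.000Z", "description": "Public description of A."},
    {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Technique B",
     "modified": "2021-01-01T00:00:00.000Z", "description": "Public description of B."},
]

PUBLIC_V2 = [  # later release: A revised, B no longer present, C new
    {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Technique A",
     "modified": "2021-06-01T00:00:00.000Z", "description": "Revised public description of A."},
    {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Technique C",
     "modified": "2021-06-01T00:00:00.000Z", "description": "Public description of C."},
]

LOCAL = [  # the organization's own annotations and observations (constructed)
    {"type": "note", "id": "note--local-0001", "object_refs": ["attack-pattern--0001"],
     "modified": "2021-03-01T00:00:00.000Z",
     "content": "Talk to Sue about reducing false positives on this detection."},
    {"type": "note", "id": "note--local-0002", "object_refs": ["attack-pattern--0002"],
     "modified": "2021-03-01T00:00:00.000Z", "content": "Seen in Q1 red team exercise."},
    {"type": "attack-pattern", "id": "attack-pattern--local-0001",
     "name": "Locally observed technique", "modified": "2021-03-01T00:00:00.000Z",
     "description": "Not yet in the public knowledge base."},
]


def build_workbench(public_objects, local_objects):
    """Combine public and local objects into one id-keyed store.

    Each entry records its origin so a refresh can tell the two layers apart.
    Local objects must not reuse a public id; annotations live in separate note
    objects rather than edits to the public copy, which is what keeps them safe."""
    store = {}
    for obj in public_objects:
        store[obj["id"]] = {"origin": "public", "object": deepcopy(obj)}
    for obj in local_objects:
        if obj["id"] in store:
            raise ValueError(f"local object reuses a public id: {obj['id']}")
        store[obj["id"]] = {"origin": "local", "object": deepcopy(obj)}
    return store


def refresh_upstream(store, new_public_objects):
    """Apply a newer public release and return (new_store, report).

    Public objects are replaced only when the upstream 'modified' timestamp is
    newer (ISO 8601 strings compare lexically). Local objects are never touched.
    Public objects absent from the new release are kept but flagged, and local
    notes pointing at them are reported as dangling so an analyst can review them."""
    store = deepcopy(store)
    upstream_ids = {obj["id"] for obj in new_public_objects}
    report = {"added": [], "updated": [], "missing_upstream": [], "dangling_notes": []}
    for obj in new_public_objects:
        entry = store.get(obj["id"])
        if entry is None:
            store[obj["id"]] = {"origin": "public", "object": deepcopy(obj)}
            report["added"].append(obj["id"])
        elif entry["origin"] == "public" and obj["modified"] > entry["object"]["modified"]:
            entry["object"] = deepcopy(obj)
            report["updated"].append(obj["id"])
    for obj_id, entry in store.items():
        if entry["origin"] == "public" and obj_id not in upstream_ids:
            entry["object"]["x_missing_upstream"] = True  # assumed custom flag
            report["missing_upstream"].append(obj_id)
    missing = set(report["missing_upstream"])
    for obj_id, entry in store.items():
        obj = entry["object"]
        if entry["origin"] == "local" and obj["type"] == "note" and missing & set(obj["object_refs"]):
            report["dangling_notes"].append(obj_id)
    return store, report


def notes_for(store, object_id):
    """Return the local note contents attached to a given object, sorted."""
    return sorted(e["object"]["content"] for e in store.values()
                  if e["object"]["type"] == "note" and object_id in e["object"]["object_refs"])


if __name__ == "__main__":
    base = build_workbench(PUBLIC_V1, LOCAL)
    refreshed, change_report = refresh_upstream(base, PUBLIC_V2)
    print(change_report)
    print(notes_for(refreshed, "attack-pattern--0001"))
```

The design point is that annotations are separate objects that reference a public object by id, so a public update replaces the technique text while the note, and the locally added technique, remain in place; the one edge case worth handling is a public object disappearing from a later release, which the refresh flags instead of silently dropping the notes attached to it.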
Moving forward, the center expects to introduce additional features and improvements to the tool, including authentication, enhanced sharing capabilities, more usability, more advanced search functionality, and integration with logs.
"We really want to make it so that as the community evolves and its use of ATT&CK evolves, Workbench is there every step of the way to support those users," said Struse.
Even more innovation is making its way down the center's project pipeline, including an effort to map different cloud-native security technologies against adversary behaviors to see how well the former defends against the latter. One such project will focus specifically on Microsoft's Azure cloud computing service, while another will look at Amazon AWS.