
Concept of Operations

Mark E. Haase edited this page Sep 27, 2024 · 4 revisions

Motivation

The ATT&CK Sync project provides the tools and methodology to keep your internal systems and data in sync with MITRE ATT&CK® releases. For example, if your organization is currently on v10.0 and you want to move to v13.0, then you would need to consult the ATT&CK release notes not just for the recent version, but also every version in between:

That is a lot of cumulative change to keep track of! ATT&CK releases twice per year, so the longer you wait to upgrade, the more cost and effort continues to pile up. The ATT&CK release notes enumerate all of the new and updated techniques, but lack a granular level of detail about what kinds of changes were made to techniques, which is an additional hurdle for upgrading.

The ATT&CK Sync project tackles these problems to reduce the cost and effort to stay up to date with ATT&CK. The Center for Threat-Informed Defense uses ATT&CK Sync internally to keep our own projects up to date as efficiently as possible, e.g. NIST 800-53 Mappings to ATT&CK.

Phase 1: Compute Changelog

The concept of operations includes two phases. In the first phase, we compute a machine-readable delta (a.k.a. "changelog") between the two versions of ATT&CK. The ATT&CK Sync web site contains JSON changelogs for any pair of ATT&CK versions ≥v8.0. You may also download sequential changelogs (i.e. no more than one major version at a time) from attack.mitre.org.

Screenshot of attack.mitre.org release notes with JSON changelog download link

The JSON changelog captures all of the cumulative changes between the two versions, giving a comprehensive picture of the upgrade effort, including what techniques are new, which techniques are modified, and which techniques are removed. This machine-readable format can be integrated into your internal systems and data with relative ease.

ATT&CK Sync changelog in machine-readable format

Download a sample JSON changelog.

Phase 2: Apply Changelog

The second phase of the concept of operations is to apply the changelog to your internal systems and data. Whereas phase 1 is universal (all organizations can use the same JSON changelogs), phase 2 is more particularized: the mechanics of this phase depend on where your data lives and how it is structured. As of ATT&CK Sync 1.0, this phase requires some custom scripting, but in future versions we want to provide a higher degree of automation for the most common use cases. (Please leave feedback on our issues page or via email.)

For example, we provide a script in this repository for updating an Excel spreadsheet containing NIST 800-53 Mappings to ATT&CK:

$ poetry shell
$ python -m attack_sync.generate_mapping_excel \
    samples/attack-changelog-v10.1-v12.1.json \
    data/nist800-53-r4-mappings.xlsx \
    "D" "E" "F" \
    data/nist800-53-r4-mappings-output.xlsx

This command parses the specified JSON changelog, reads in the existing mappings Excel file, and creates a new Excel file containing the original mappings with the pertinent changes between ATT&CK v10.1 and v12.1 appended to each row. The arguments "E", "F", and "K" indicate which Excel columns contain the ATT&CK ID and the ATT&CK name, and which column the diffs should start in. This script only reports changes in ATT&CK that are considered material to the security control mapping methodology: for example, it reports changes to descriptions, detections, and mitigations, but does not report changes in contributors, references, or other metadata.
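The phase 2 logic above, as an added example that is not the attack_sync package's own code: it assumes a simplified changelog layout (top-level "new", "modified" and "removed" maps keyed by technique ID, with a per-field "changes" map), which is an assumption and not the real ATT&CK Sync JSON schema, and it uses constructed sample mapping rows rather than the NIST 800-53 spreadsheet.

```python
"""Apply an ATT&CK changelog to a table of control-to-technique mappings.

Added example, not code from the attack_sync project. The changelog layout
used here is an ASSUMED simplification of the real ATT&CK Sync JSON schema.
"""

# Fields that matter to the control-mapping methodology; everything else
# (contributors, references, ...) is metadata and is deliberately ignored.
MATERIAL_FIELDS = ("description", "detection", "mitigations")

# Constructed sample changelog (assumed layout, not the real schema).
SAMPLE_CHANGELOG = {
    "new": {"T9999": {"name": "Constructed Technique"}},
    "modified": {
        "T1003": {"changes": {"description": "...", "contributors": "..."}},
        "T1078": {"changes": {"detection": "...", "references": "..."}},
        "T1110": {"changes": {"references": "..."}},
    },
    "removed": {"T1064": {"name": "Scripting"}},
}

# Constructed sample mapping rows: (control ID, ATT&CK technique ID).
SAMPLE_MAPPINGS = [
    ("AC-2", "T1078"), ("AC-2", "T1110"), ("SI-4", "T1003"), ("CM-2", "T1064"),
]


def material_changes(changelog):
    """Return {technique_id: summary}, keeping only material changes."""
    result = {}
    for tid in changelog.get("removed", {}):
        result[tid] = "removed"
    for tid, entry in changelog.get("modified", {}).items():
        fields = sorted(f for f in entry.get("changes", {}) if f in MATERIAL_FIELDS)
        if fields:  # only metadata changed -> nothing to report for this row
            result[tid] = "modified: " + ", ".join(fields)
    return result


def apply_changelog(mappings, changelog):
    """Append a change summary to each mapping row; unchanged rows get ''."""
    summary = material_changes(changelog)
    return [(control, tid, summary.get(tid, "")) for control, tid in mappings]


def new_techniques(changelog):
    """Techniques added in the target version; no existing row covers them."""
    return sorted(changelog.get("new", {}))
```

Rows tagged "removed" need their mapping retired, rows tagged "modified" need the listed fields re-read, and the IDs from new_techniques need fresh mapping decisions.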

Excel workbook containing mappings with ATT&CK changes appended to each row

Download sample Excel mappings.

This approach drastically reduces the amount of time and effort involved in updating the mappings to the latest version of ATT&CK. For more details, see Case Study: NIST 800 53 Mappings.
