Tiffany Bergeron edited this page May 3, 2023 · 14 revisions

ATT&CK Sync

Many organizations and cyber defenders, including the Center for Threat-Informed Defense (Center), build projects that depend in some way on MITRE ATT&CK®. Some projects map security control frameworks to ATT&CK techniques while others consume ATT&CK data for search and display purposes. These projects typically depend on a specific release of ATT&CK – generally whatever version of ATT&CK was current at the time that the project was being developed. The ATT&CK team has a semiannual release cadence and, as new versions of ATT&CK come out, these projects fall behind and become out-of-date. The ATT&CK team publishes release notes and a script for comparing two versions of ATT&CK, which are a helpful start for consuming ATT&CK upgrades, but leave some room for further efficiencies. This led the Center to consider: how can existing projects be migrated from older versions of ATT&CK to the latest version, and how can this be done in an efficient manner?

The ATT&CK Sync project was developed to address these challenges and make the ATT&CK version migration process more efficient. It provides tools and a methodology that organizations can use to implement their own solutions for consuming ATT&CK upgrades and to bring their existing projects up to the latest version of ATT&CK, saving time and effort. By staying up to date on ATT&CK releases, organizations around the world can keep their threat-informed defense timely and relevant to emerging threats.

The ATT&CK Sync resources are applicable to potentially any project that depends on ATT&CK:

  • ATT&CK Sync Diff Tool: A tool that parses two ATT&CK releases and produces a machine-readable changelog of the differences between them.
  • ATT&CK Sync Website: Interface allowing users to easily view differences between two versions of ATT&CK.
  • Methodology: A written methodology for using ATT&CK Sync to migrate projects that depend on ATT&CK to an updated version.

While the ATT&CK Sync project is focused on helping any organization update existing projects that incorporate ATT&CK data to newer versions of ATT&CK, individual projects may have unique needs. A project may need to customize how the changelog is used, and custom code may need to be written to process it. To support this customization, the underlying code of the ATT&CK Sync Diff Tool is also available.
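To show the kind of custom changelog processing described above, here is an added Python example that is not code from the ATT&CK Sync project: it compares the `attack-pattern` objects of two ATT&CK STIX 2.1 bundles using the real ATT&CK fields (`external_references` with `source_name: mitre-attack`, `revoked`, `x_mitre_deprecated`, `x_mitre_version`, and `revoked-by` relationships) and groups the differences by the action a mapping project would take. The two bundles and their T9xxx technique IDs are constructed placeholders, and the change categories are this example's own, not the Diff Tool's output format.

```python
def attack_id(obj):
    """ATT&CK ID (e.g. T1059) from an object's mitre-attack external reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def index_techniques(bundle):
    """Map ATT&CK ID -> attack-pattern object, ignoring other STIX object types."""
    return {attack_id(o): o for o in bundle["objects"]
            if o["type"] == "attack-pattern" and attack_id(o)}

def revoked_by(bundle, obj):
    """Follow the 'revoked-by' relationship from a revoked technique to its replacement's ID."""
    by_stix_id = {o["id"]: o for o in bundle["objects"]}
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["relationship_type"] == "revoked-by" \
                and rel["source_ref"] == obj["id"]:
            return attack_id(by_stix_id[rel["target_ref"]])
    return None

def diff_techniques(old_bundle, new_bundle):
    """Changelog keyed by the change categories a mapping project must act on (assumed names)."""
    old, new = index_techniques(old_bundle), index_techniques(new_bundle)
    log = {"additions": [], "revocations": {}, "deprecations": [], "version_changes": {}}
    for tid, obj in new.items():
        prev = old.get(tid)
        if prev is None:
            log["additions"].append(tid)                  # consider creating a new mapping
        elif obj.get("revoked") and not prev.get("revoked"):
            log["revocations"][tid] = revoked_by(new_bundle, obj)   # move mapping to replacement
        elif obj.get("x_mitre_deprecated") and not prev.get("x_mitre_deprecated"):
            log["deprecations"].append(tid)               # retire the mapping
        elif obj.get("x_mitre_version") != prev.get("x_mitre_version"):
            log["version_changes"][tid] = (prev["x_mitre_version"], obj["x_mitre_version"])  # re-review
    log["deletions"] = sorted(set(old) - set(new))        # removed outright (rare in practice)
    return log

def technique(stix_id, tid, version, **extra):
    """Constructed minimal attack-pattern object; IDs are placeholders, not real ATT&CK content."""
    return {"type": "attack-pattern", "id": stix_id, "x_mitre_version": version,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}], **extra}

OLD = {"objects": [technique("attack-pattern--a", "T9001", "1.0"),
                   technique("attack-pattern--b", "T9002", "2.0"),
                   technique("attack-pattern--c", "T9003", "1.0"),
                   technique("attack-pattern--e", "T9005", "1.0")]}
NEW = {"objects": [technique("attack-pattern--a", "T9001", "1.1"),
                   technique("attack-pattern--b", "T9002", "2.0", revoked=True),
                   technique("attack-pattern--c", "T9003", "1.0", x_mitre_deprecated=True),
                   technique("attack-pattern--d", "T9004", "1.0"),
                   {"type": "relationship", "id": "relationship--r", "relationship_type": "revoked-by",
                    "source_ref": "attack-pattern--b", "target_ref": "attack-pattern--d"}]}
```

Calling `diff_techniques(OLD, NEW)` on a real pair of releases means loading the two `enterprise-attack.json` bundles in place of the constructed `OLD` and `NEW`.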

To ground the tool and methodology in a real-world project and demonstrate their applicability, the Center applied them to its existing NIST SP 800-53 mapping repository. As a result, updated NIST 800-53 mappings (Rev 4 and Rev 5) for ATT&CK v12.1 have also been published.

800-53 Case Study

Use Cases & Goals (separate page?)
