Methodology
This page describes the methodology used to analyze and compare the differences between MITRE ATT&CK® releases to more efficiently carry out the project migration process to newer versions of ATT&CK. While the methodology is based upon our experience updating the Center’s NIST Special Publication 800-53 control mappings to ATT&CK, the methodology was designed to be easily tailored and applied to other projects based on ATT&CK. The goal of the ATT&CK Sync project is to provide the community with resources that save time and effort for keeping projects in sync with the latest version of ATT&CK and establishing a means to incorporate updated ATT&CK-based threat information within existing projects. Staying up to date on ATT&CK releases helps organizations around the world keep their threat-informed defense timely and relevant to emerging threats.
The ATT&CK Sync methodology can be applied to any existing projects that incorporate data provided in the ATT&CK knowledge base. The ATT&CK Sync output can be used to learn more about specific changes between ATT&CK versions and how newer or the most recent ATT&CK release will affect existing projects. ATT&CK Sync can assist with the following types of questions:
- How do I determine what has changed between two given ATT&CK versions?
- How do I determine the impact the changes to ATT&CK will have on my existing project?
- How can I efficiently keep up to date with ATT&CK releases, which are typically twice per year?
- If I were to have a tool to highlight ATT&CK version changes, could I customize it to apply to my project?
This methodology does not define degrees of changes or effect on existing ATT&CK usage. Changes to existing ATT&CK objects are indicated as either modified or not modified (i.e., no output). In this way, the output provides an easily understood foundational resource that is intended to inform the ATT&CK version migration process.
1. Select the version of ATT&CK you are currently using and the version to which you want to upgrade on the ATT&CK Sync website to view the changelog.
2. You can use the web version of the changelog or download a machine-readable JSON.
3. Make a first pass through the mappings to rule out any items where there are no changes, e.g., mapped to an ATT&CK technique that was not modified.
4. Review the remaining mappings and rule out any items that are not materially impacted by the ATT&CK changes. For example, techniques may have typos fixed or may have changes that are clearly not pertinent to the mapping.
5. Analyze each mapping that remains after the previous two steps, using the ATT&CK changelog to guide your analysis in terms of what new pieces of information to consider.
6. Complete the project migration to the updated version of ATT&CK.
This ATT&CK Sync project provides foundational tools and this methodology to assist with upgrading existing projects. While the ATT&CK Sync project is focused on assisting any organization to update their existing projects that incorporate ATT&CK data sources to newer versions of ATT&CK, most (potentially all) projects or mappings incorporating ATT&CK will have unique needs. There may be a need to customize the way the changelog is used, and custom code may need to be written to process the changelog. To help meet these needs for customization, the underlying code is also available.
Please note that to fully realize the project goal and produce a more turnkey resource for staying up to date with ATT&CK, we need community feedback (your feedback) on applying the tools and methodology to your own projects. Input on what format your data is in, how you would want to filter the changelog, etc., is invaluable to furthering the development of ATT&CK Sync resources.
The ATT&CK Diff Tool analyzes ATT&CK releases and produces a changelog in machine-readable format. The ATT&CK Sync tool is a customizable Python script to parse the ATT&CK changelogs (JSON): it reads in existing project ATT&CK mappings (e.g., Excel) and returns the original mappings with the pertinent changes between ATT&CK versions appended to each mapping. The ATT&CK Sync tool input sources must have Capability or Control Identifiers mapped to ATT&CK IDs.
A sample application of ATT&CK Sync is provided: a tool that processes the output of the ATT&CK Diff tool and applies it to the Center's existing NIST 800-53 mapping data. The modified technique descriptions are displayed with red and green text to indicate word-by-word edits, which helps mapping analysts quickly review the changes to assess the impact on the validity of that mapping.
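The first-pass triage from the steps above (rule out mappings whose techniques were not modified, then surface word-by-word description edits for the rest) can be scripted along the lines the ATT&CK Sync tool takes. The following is an added illustration, not code from the ATT&CK Sync project: the changelog shape (a `techniques` map of technique ID to `status` with `old`/`new` text) and the control-to-technique mappings are constructed and simplified, not the real Diff Tool output format.

```python
import difflib
import json

# Constructed changelog in a simplified, assumed shape (not the real Diff Tool schema):
# technique ID -> status, plus old/new description text when the text changed.
CHANGELOG_JSON = """{"techniques": {
  "T1003": {"status": "modified",
            "old": "Adversaries may attempt to dump credentials to obtain account login information.",
            "new": "Adversaries may attempt to dump credentials to obtain account login and credential material."},
  "T1059": {"status": "modified",
            "old": "Adversaries may abuse command and script interpretors to execute commands.",
            "new": "Adversaries may abuse command and script interpreters to execute commands."},
  "T1175": {"status": "deprecated"},
  "T1650": {"status": "added"}}}"""

# Constructed sample of an existing project's mappings: control ID -> mapped technique IDs.
MAPPINGS = {"AC-2": ["T1003", "T1078"], "SI-3": ["T1059", "T1175"], "CM-7": ["T1078"]}

def word_diff(old, new):
    """Word-by-word diff like the red/green display: list of (tag, word), tag in '=', '-', '+'."""
    a, b = old.split(), new.split()
    out = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            out.extend(("=", w) for w in a[i1:i2])
        else:
            out.extend(("-", w) for w in a[i1:i2])  # removed words (shown red)
            out.extend(("+", w) for w in b[j1:j2])  # added words (shown green)
    return out

def triage(mappings, changelog):
    """Rule out mappings untouched by the release; annotate the rest with status and word diff."""
    techniques = changelog["techniques"]
    result = {}
    for control, ids in mappings.items():
        changes = {}
        for tid in ids:
            entry = techniques.get(tid)
            if entry is None:
                continue  # technique not modified in this release: nothing to review
            info = {"status": entry["status"]}
            if entry["status"] == "modified":
                info["diff"] = word_diff(entry["old"], entry["new"])
                info["changed_words"] = sum(1 for tag, _ in info["diff"] if tag != "=")
            changes[tid] = info
        result[control] = changes or "unchanged"  # step 3: ruled out when no technique changed
    return result

def run_sample():  # triage the constructed mappings against the constructed changelog
    return triage(MAPPINGS, json.loads(CHANGELOG_JSON))
```

The `changed_words` count gives an analyst a quick hint for step 4 (a single corrected word is likely a typo fix), while the full diff supports the deeper review in step 5.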
In our case study, the output data showed that over half of the existing mapped ATT&CK techniques had no changes and therefore did not require further review or updating. Approximately another 20% were easily reviewed as the analysts were able to easily identify that changes were insignificant to the mappings (e.g., typo corrections, new but similar detections). This left about 30% where the associated ATT&CK techniques had changes requiring more in-depth analysis and research, such as significant changes to technique descriptions, new techniques, and technique deprecations.
Guidance, samples, and instructions are included in this project wiki.