MITRE expands ATT&CK-related capabilities

MITRE announced two new tools – D3FEND and ATT&CK Workbench — to help cybersecurity professionals defend their networks.

The D3FEND framework, funded by the National Security Agency and still in the experimental research phase, helps cybersecurity professionals tailor defenses for specific threats by supporting queries that can map countermeasures to offensive tactics, techniques and procedures.

The D3FEND technical knowledge base outlines defensive countermeasures for common offensive techniques and complements MITRE’s ATT&CK knowledge base of cyber adversary behavior.

Like ATT&CK, D3FEND uses a common vocabulary to describe network defenses and maps the relationships between defensive and offensive techniques, showing previously unspecified relationships between computer network architectures, threats and countermeasures. By granularly framing the complexity of defenders’ countermeasures against attackers’ techniques, “D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface,” NSA officials said in a press statement.

The framework can be used to compare a cybersecurity functionality across products, making it possible to precisely and consistently identify differences and gaps. D3FEND can also help security pros test how a product’s claimed defenses will perform against various offensive techniques, according to the D3FEND FAQ.

MITRE said it plans to grow D3FEND by leveraging open data available through research literature and enlisting machine learning to assist in updating the knowledge graph.

“Frameworks such as ATT&CK and D3FEND provide mission-agnostic tools for industry and government to conduct analyses and communicate findings,” NSA officials said. “Whether categorizing adversary behavior or detailing how defensive capabilities mitigate threats, frameworks provide common descriptions that empower information sharing and operational collaboration for an ever-evolving cyber landscape.”

Announced June 22, the ATT&CK Workbench is an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base.

Working with the Center for Threat-Informed Defense and sponsored by AttackIQ, HCA Healthcare, JPMorgan Chase, Microsoft and Verizon, MITRE built the ATT&CK Workbench to reduce the challenges defenders face when trying to align their own threat intelligence with the public ATT&CK knowledge base. 

According to a MITRE blog post, users can initialize their own instances of ATT&CK, which can then be annotated with notes on new or updated tactics, mitigations, groups and software. Additionally, Workbench allows users to share their versions with the greater ATT&CK community, facilitating a greater information sharing.

Building a local version of ATT&CK allows organizations to create their own red-team techniques that can be tracked just like existing ATT&CK techniques. Users can also include organization-specific data or document adversarial groups or software not currently tracked by ATT&CK.

More information on using Workbench is available here.

The headline on this article was changed June 24 to clarify that the two new services are not part of the ATT&CK knowledge base, nor were they developed by the ATT&CK team.

Leave a Reply

Your email address will not be published.