MITRE Engenuity has released ATT&CK Workbench, an open source tool that allows organizations to customize their local instance of the MITRE ATT&CK database of cyber adversary behavior.
The tool allows users to add notes and to create new objects or extend existing ones – matrices, techniques, tactics, mitigations, groups, and software – with new content. It also allows them to share these insights with other organizations.
“For too long, sophisticated users of MITRE ATT&CK have struggled to integrate their organization’s local knowledge of cyber adversaries and their tactics, techniques, and procedures (TTPs) with the public ATT&CK knowledge base,” MITRE Engenuity noted.
The contents of the knowledge base are accessed via a REST API, making it possible to integrate all kinds of tools into the local database.
At the moment, Workbench supports integrations with ATT&CK Website Repository, which allows users to see and navigate their customized knowledge base through the ATT&CK website, and ATT&CK Navigator Repository, a web-based tool for annotating and exploring ATT&CK matrices.
Future iterations of the tool will be shaped by user feedback, though some features are already planned.
The ATT&CK Workbench lets users share their newly entered or modified (and saved) notes and information, to further collaboration inside and outside the organization.
“To facilitate team collaboration, the Workbench includes features such as the ability to mark objects as ‘work in progress,’ ‘awaiting review,’ or ‘reviewed,’ and the ability to look through the history of an object to determine when a change was made and by whom,” Isabel Tuson, MITRE ATT&CK Infrastructure Lead, and Jon Baker, Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity, explained.
“As teams extend and annotate their ATT&CK data, Workbench will enable them to import updates to that data and provide the option to selectively share their work.”
This is done by subscribing to collections and by creating and publishing their own.
Sharing of ATT&CK-related information among organizations will streamline the process of staying synchronized with ATT&CK, allow users to integrate the latest from ATT&CK with intelligence extensions from other sources (threat intel vendors, ISACs & ISAOs, and other members of the ATT&CK community), and create structure and consistency for contributions to ATT&CK, they added.