MITRE unveils ATT&CK Workbench sharing tool and NSA-backed D3FEND

Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.
Written by Jonathan Greig, Contributor

MITRE Engenuity announced the release of a new tool that will help cybersecurity users add their own knowledge and experiences to ATT&CK. 

Jon Baker, the director of research for the Center for Threat-Informed Defense, wrote a blog post about the tool -- named ATT&CK Workbench -- explaining that it was built because sophisticated users of MITRE ATT&CK have "struggled to integrate their organization's local knowledge of adversaries and their tactics, techniques, and procedures with the public ATT&CK knowledge base."

Richard Struse, director of the Center for Threat-Informed Defense for MITRE Engenuity, told ZDNet the idea for this project came from conversations with organizations that use ATT&CK as a way to organize their security posture.

"Some of them were struggling with managing two different views: the 'official' MITRE ATT&CK knowledge base based on publicly-reported adversary behavior, and their own internal knowledge of adversaries and their TTPs," Struse said. 

"We saw that a lot of time and effort was being spent trying to integrate these two manually, and we felt that a solution that gave people a 'single pane of bits' that they could use to manage their threat-intel would have a significant positive impact on the security community. Our members concurred, and this led to the creation of this R&D project." 

Struse added that having a modern, API-driven platform to organize and manage all adversary TTP-related threat intelligence will make it that much easier for organizations to integrate ATT&CK into their processes fully.

"ATT&CK Workbench has the potential to fundamentally improve and accelerate the use of ATT&CK by security practitioners around the world," Struse said.

The effort, which started as a research project, was sponsored by Microsoft, Verizon, JPMorgan Chase, AttackIQ, and HCA Healthcare. Baker said Workbench is an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base.

"Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organizations or individuals can initialize their own instances of the application to serve as the centerpiece to a customized variant of the ATT&CK knowledge base, attaching other tools and interfaces as desired," Baker wrote. 

"Through the Workbench, this local knowledge base can be extended with new or updated techniques, tactics, mitigations, groups, and software. Additionally, Workbench provides means for a user to share their extensions with the greater ATT&CK community, facilitating a greater level of collaboration within the community than is possible with current tools."

Baker added that Workbench is suggested for any organization that uses ATT&CK for security operations, actively tracks threats against ATT&CK, or plans security investments based on ATT&CK.

The center was able to add a note-taking capability to the Workbench platform, which allows users to put annotations in their copy of ATT&CK related to matrices, techniques, tactics, mitigations, groups, and software.

Baker explained that data created within Workbench could be incorporated into existing ATT&CK data, and new groups or software can be connected to existing techniques through procedure examples, or new sub-techniques can be created under existing ATT&CK techniques. 

Through Workbench, users will also be able to publish their work and share it with others who may be in a similar situation. Other users can then subscribe to certain collections of notes in ATT&CK data. 

Baker said the center is planning to continue adding to the platform throughout 2021 and was eager to see how users responded to the tool. 

In addition to Workbench, MITRE announced a new NSA-funded project called D3FEND. In a statement, the NSA said D3FEND is "a framework for cybersecurity professionals to tailor defenses against specific cyber threats [and] is now available through MITRE."  

The NSA worked with MITRE to harden the defenses of the National Security Systems, the Department of Defense, and the Defense Industrial Base.

"The D3FEND technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE's ATT&CK, a knowledge base of cyber adversary behavior," the NSA said in a statement. 

"D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods. This framework illustrates the complex interplay between computer network architectures, threats, and cyber countermeasures."

MITRE added that it released D3FEND as a complement to the ATT&CK framework and said it provides a model of different ways organizations can combat offensive techniques. 

The creation of D3FEND, according to the NSA, will help "drive more effective design, deployment, and defense of networked systems writ large." 

"Frameworks such as ATT&CK and D3FEND provide mission-agnostic tools for industry and government to conduct analyses and communicate findings," the NSA statement said. "Whether categorizing adversary behavior or detailing how defensive capabilities mitigate threats, [these] frameworks provide common descriptions that empower information sharing and operational collaboration for an ever-evolving cyber landscape."
