The Center for Threat-Informed Defense (Center), operated by MITRE Engenuity™, has just released a new tool to put MITRE ATT&CK® to work. ATT&CK Workbench enables ATT&CK users to easily spin up their own local copy of the ATT&CK knowledge base to extend ATT&CK for their own organizational needs, as well as easily contribute to the ATT&CK knowledge base when necessary.
So what does Workbench do? As the Center describes the tool, “This application is your own customized instance of the knowledgebase where you can explore, extend and annotate ATT&CK data.” It empowers users to leverage their own local ATT&CK instance to define new adversary tactics, techniques, and procedures (TTPs) and apply ATT&CK in bespoke ways to address threats. The ability to create and annotate TTPs as well as software and groups within ATT&CK enables the community as a whole to benefit from this enhanced level of collaboration. Not only can you store your own local instance of ATT&CK for internal use, you can also share your ATT&CK knowledge base with the community if you want to.
The Workbench project was developed through a Center collaborative R&D project sponsored by AttackIQ and several other Center Participants.
With ATT&CK Workbench, users can easily:
- create a local containerized instance of the ATT&CK knowledge base, and keep it updated automatically through the publicly maintained ATT&CK knowledge base;
- create and annotate objects within the ATT&CK knowledge base;
- submit enhancements efficiently to ATT&CK, as well as to other instances of the knowledge base;
- enable information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs) to share their ATT&CK knowledge base enhancements with members.
Workbench will help red and blue teams all over the world. It enables a natural adoption of threat-informed defense: from recording the TTPs used during red team engagements or threat emulation, to tracking the detections and analytics for those engagements, to feeding new intelligence reports or observations back into the tool via your cyber threat intelligence team. This increased collaboration between security teams, and the ability to share real-world observations with other community members, will improve overall knowledge of the adversary and allow the wider community to gain a strategic and operational advantage.
The ATT&CK Workbench includes native support for the ATT&CK Navigator to display your local ATT&CK knowledge base, as well as a REST API service to enable storing, querying and editing of ATT&CK objects. It’s another means for putting ATT&CK to use in the world. And we’re excited to be a part of the process.
To learn more about how security teams can put MITRE ATT&CK into practice, please check out the Dummies Guide to MITRE ATT&CK, written on the basis of research from the ATT&CK team and with a foreword by Richard Struse, Director of the Center for Threat-Informed Defense, operated by MITRE Engenuity. You can also visit our MITRE ATT&CK page for resources on how to operationalize MITRE ATT&CK, uniting threat and risk management, and the benefits of automated adversary emulation using the MITRE ATT&CK framework.