It's been almost a year since we first started talking about ATT&CK Sightings, a pilot program to collect raw data about the prevalence of ATT&CK techniques in the wild. Our goal with this program is to help ATT&CK users better understand how techniques are used. If you're not familiar with the Sightings program already, you can learn more on our website or via this ATT&CKCon talk.
We wanted to update you on how the pilot is going and where you can plug in.
We've had a lot of good conversations with contributors and potential contributors and the goal by this point was to be publishing some insights. However, we haven't been able to convert those discussions into enough actual contributions to publish substantive sightings.
Barriers to Sharing
If you've already connected with us about sightings, regardless of whether you've been able to contribute, thank you.
We've learned so much in our discussions with potential contributors, and determined that there are two main challenges to sightings contributions:
Technical challenge: Even organizations adopting ATT&CK for their operations might not have their raw data tagged with ATT&CK techniques. This means it would be extra work to create tagged sightings data. We recognize it's difficult to commit to contributing when it would require manually mapping data to ATT&CK.
Data sharing challenge: The other challenge is about the level of comfort associated with sharing threat data and managing risk. Unlike IOCs, which are primarily about adversary infrastructure and tooling, ATT&CK Sightings can be about things that happen on an organization's internal systems and networks. This has led to some understandable concerns about the risk of sharing the data, because it could expose sensitive information that could indicate the contributing organization was breached.
We did anticipate some of these barriers and have solutions built into the program to address them — we've also adapted some of these to address feedback. For the technical hurdle, we believe that as organizations more deeply integrate ATT&CK, it will be technically easier to contribute. For the data sharing challenge, we're happy to work with contributors to ensure they understand how we're protecting their data, both as we analyze it and as we publish the associated insights. Key program data protections include:
Providing contractual protections for raw data, via non-disclosure agreements with contributors;
Limiting access to data to just the small sightings team within MITRE;
Ensuring that data is anonymized as soon as possible and, once aggregated, can't be de-anonymized (e.g., by introducing noise, setting thresholds for when we do or don't publish, and withholding data that might be subject to de-anonymization); and
Providing opportunity for review and feedback prior to publishing any derived insights.
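The threshold-and-noise protection above, sketched as an added example (this is not MITRE's sightings pipeline; the record shape, the minimum-contributor threshold and the bounded noise are my assumptions, and the sightings records are constructed sample data):

```python
"""Threshold-and-noise aggregation of ATT&CK technique sightings (added illustration)."""
import random
from collections import defaultdict

# Constructed sample: three contributors reporting counts of ATT&CK technique IDs.
# T1003 is reported by a single organization, so publishing its count would
# effectively attribute the sighting to that one contributor.
SAMPLE_SIGHTINGS = [
    {"contributor": "org-a", "technique": "T1566", "count": 40},
    {"contributor": "org-b", "technique": "T1566", "count": 25},
    {"contributor": "org-c", "technique": "T1566", "count": 10},
    {"contributor": "org-a", "technique": "T1059", "count": 12},
    {"contributor": "org-b", "technique": "T1059", "count": 8},
    {"contributor": "org-c", "technique": "T1003", "count": 3},
]


def aggregate(sightings):
    """Collapse raw sightings into per-technique totals and the set of sources."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for s in sightings:
        totals[s["technique"]] += s["count"]
        sources[s["technique"]].add(s["contributor"])
    return totals, sources


def withheld(sightings, min_contributors=2):
    """Techniques seen by too few distinct contributors to publish safely."""
    _, sources = aggregate(sightings)
    return sorted(t for t, orgs in sources.items() if len(orgs) < min_contributors)


def publishable(sightings, min_contributors=2, noise_scale=0.0, seed=None):
    """Return technique -> count for techniques meeting the contributor threshold.

    Techniques below the threshold are dropped entirely rather than published
    as small numbers. When noise_scale > 0, each published total is perturbed
    by up to +/- noise_scale (as a fraction) so the exact raw sum never leaves
    the aggregation step; the seed only exists to make this reproducible.
    """
    rng = random.Random(seed)
    totals, sources = aggregate(sightings)
    published = {}
    for tech, total in totals.items():
        if len(sources[tech]) < min_contributors:
            continue
        noise = round(rng.uniform(-noise_scale, noise_scale) * total) if noise_scale else 0
        published[tech] = max(0, total + noise)
    return published
```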
Why you should share
While we've been talking about some of the roadblocks to contributing, there's also an opportunity to have a positive impact and get something back. Here are just a few reasons why you should consider sharing sightings:
Street cred: We'll protect any individual sighting, but contributors are providing valuable data and we absolutely want to give them credit (if they want it). You'll be named as a contributor to the ATT&CK sightings program.
Insider access: One thing we didn't expect is that companies want to be more open with each other and, for example, to be able to get early sightings insights and participate in calls with other contributors. We want to support that and allow those that contribute to get something out of it. We haven't figured out exactly what — getting in early is a great chance to help us shape what that means.
It's a good thing to do: Maybe most importantly, your contribution can help the community get better. This is a way of both giving back to the ATT&CK community and fighting back against adversaries.
We recognize the challenges and are learning from the past year and adapting our approach.
Most importantly, we want to set a target for the pilot: if we don't have sufficient contributions in hand by April 30 we'll pause the program and revisit at a later date. We need you to help us meet this deadline!
Please reach out to email@example.com and we can set up a quick call to go over how to contribute.
We'll also be hosting an information session at the RSA Conference for potential contributors. The session will focus on the mechanics of contributing, addressing any concerns about sharing, and brainstorming on how to recognize contributors to make it worth their while.
2pm PST, Wednesday, February 26 | Museum of the African Diaspora | 685 Mission St, San Francisco, CA 94105 | 3rd floor conference room