Sometime in the second half of 2017, I was in a meeting with John Wunder and another MITRE colleague discussing the challenges that people were having visualizing the MITRE ATT&CK® matrix and some of the inventive ways the community was stepping up to fill those gaps. About halfway through that meeting, we reached the conclusion that MITRE could and should build an open-source tool to solve this problem in a way that benefited everyone in the community.
We left that meeting with a name for the tool – the “ATT&CK Navigator” – and a handful of other decisions. First, we agreed that the Navigator should be as flexible as possible without trying to impose any particular semantics on the information presented. Second, we sketched out the concept of “layers” and “layer JSON files” that we hoped would become a standard unit of exchange between ATT&CK community users. Third, I set a goal: that within a year we would see examples of Navigator usage in the wild, especially at conferences. Fast forward to today and the ATT&CK Navigator has exceeded my wildest expectations. Kudos to the development team at MITRE and to everyone in the community who has embraced Navigator layers to represent their views of the ATT&CK matrix.
I wanted to share this background to provide some context for something I’m really excited about here at Tidal Cyber. For some time now, users of the Community Edition have been able to create custom “technique sets” to represent a collection of adversary behaviors of interest to them. With this release, we’ve made some significant improvements to technique sets in the Community Edition, including adding color coding, scoring, and annotations, and users can now import Navigator layer files. With the introduction of these capabilities, users of Tidal’s Community Edition will now have an easy way to work with annotated and color-coded sets of ATT&CK techniques and sub-techniques without having to manage and ship around JSON files. Tidal’s platform takes care of all of the behind-the-scenes processing required to create, host and present this information as technique sets.
Peel Back the Layers with Technique Sets and Matrices
Tidal provides users the ability to create, store, and share sets of techniques as custom technique sets, including sets that would previously have been represented as a Navigator layer. The goal is the same: to let the user focus on the techniques and sub-techniques and tell the story they want to share. Tidal does this in-platform so that users can easily juxtapose this custom content with information from ATT&CK (for example, a group you have been tracking) and with the unique data sets Tidal is making available in the platform, including product capability mappings.
By treating everything as technique sets, you gain all the functionality provided in the Tidal Platform: you can store a set in your work and share it, and even request that Tidal include it in a community spotlight, so that your work doesn’t get lost in a Twitter timeline or Slack message forever. You can also duplicate objects. Do you have a custom group definition of APT29? Or, even more pertinent to this release, did you like that layer someone shared last year, but want to update it to reflect your current view of the threat intelligence? You can upload the file, duplicate it, and start modifying the copy so it better meets your needs.
Then there is comparing and contrasting. To support comparisons such as the age-old APT28 vs. APT29 analysis, Tidal lets you add those objects to the matrix and then compare them with tools, for example Olaf Hartong’s Sysmon Modular or any of the other products in Tidal’s Product Registry. You can now also save all of those labels in a single “matrix” within the Tidal Platform, so you can continually revisit a mapping you find useful and share it with others.
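To make concrete what a Navigator layer carries and what the comparisons above actually compute, here is an added example (written for this post; it is not Tidal’s or MITRE’s code). It parses two layer files, diffs them the way an APT28-vs-APT29 analysis would, checks one against a detection-coverage layer scored per technique, and emits a new three-color comparison layer in the same format. The layer field names (`techniqueID`, `score`, `color`, `comment`, `enabled`) are the Navigator’s; the two group layers and the coverage layer are constructed sample data, and their technique IDs are illustrative placeholders, not real group or product mappings.

```python
"""Parse, diff, and recombine ATT&CK Navigator layer files.

Example code for this post, not Tidal's or MITRE's implementation.
All sample layers below are constructed; the technique IDs are
placeholders and do not represent any real group or product mapping.
"""
import json


def load_layer(text):
    """Parse a layer and validate the fields a consumer depends on."""
    layer = json.loads(text)
    for key in ("name", "domain", "techniques"):
        if key not in layer:
            raise ValueError(f"layer missing required field {key!r}")
    if not isinstance(layer["techniques"], list):
        raise ValueError("'techniques' must be a list")
    for entry in layer["techniques"]:
        if "techniqueID" not in entry:
            raise ValueError(f"technique entry missing techniqueID: {entry}")
    return layer


def technique_ids(layer, enabled_only=True):
    """IDs in a layer; by default skip entries the author disabled ("enabled": false)."""
    return {
        t["techniqueID"]
        for t in layer["techniques"]
        if not enabled_only or t.get("enabled", True)
    }


def compare_layers(a, b):
    """Set comparison of two layers: shared techniques and each side's unique ones."""
    ids_a, ids_b = technique_ids(a), technique_ids(b)
    return {
        "both": sorted(ids_a & ids_b),
        "only_a": sorted(ids_a - ids_b),
        "only_b": sorted(ids_b - ids_a),
    }


def uncovered(threat_layer, coverage_layer, min_score=1):
    """Techniques in the threat layer that the coverage layer scores below min_score.

    The coverage layer's 'score' is assumed to record how well a product or
    configuration observes each technique (0 = no visibility).
    """
    covered = {
        t["techniqueID"]
        for t in coverage_layer["techniques"]
        if t.get("score", 0) >= min_score
    }
    return sorted(technique_ids(threat_layer) - covered)


def build_comparison_layer(a, b, name="comparison"):
    """Emit a new layer: red for A only, blue for B only, purple for both."""
    diff = compare_layers(a, b)
    palette = {"only_a": "#ff6666", "only_b": "#6699ff", "both": "#9966cc"}
    techniques = [
        {
            "techniqueID": tid,
            "color": color,
            "score": 2 if bucket == "both" else 1,
            "comment": f"{bucket}: {a['name']} vs {b['name']}",
            "enabled": True,
        }
        for bucket, color in palette.items()
        for tid in diff[bucket]
    ]
    return {
        "name": name,
        "versions": a.get("versions", {}),
        "domain": a["domain"],
        "description": f"Overlap of '{a['name']}' and '{b['name']}'",
        "techniques": techniques,
        "legendItems": [
            {"label": f"{a['name']} only", "color": palette["only_a"]},
            {"label": f"{b['name']} only", "color": palette["only_b"]},
            {"label": "both", "color": palette["both"]},
        ],
    }


# Constructed sample layers (placeholder technique IDs, not real mappings).
VERSIONS = '"versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}'
GROUP_A_JSON = f"""{{"name": "Group A (sample)", {VERSIONS}, "domain": "enterprise-attack",
 "techniques": [
  {{"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1, "color": "#ff6666", "enabled": true}},
  {{"techniqueID": "T1059.001", "tactic": "execution", "score": 1, "color": "#ff6666", "enabled": true}},
  {{"techniqueID": "T1003.001", "tactic": "credential-access", "score": 1, "color": "#ff6666", "enabled": true}},
  {{"techniqueID": "T1105", "tactic": "command-and-control", "score": 1, "comment": "disabled by analyst", "enabled": false}}
 ]}}"""
GROUP_B_JSON = f"""{{"name": "Group B (sample)", {VERSIONS}, "domain": "enterprise-attack",
 "techniques": [
  {{"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1, "color": "#6699ff", "enabled": true}},
  {{"techniqueID": "T1059.001", "tactic": "execution", "score": 1, "color": "#6699ff", "enabled": true}},
  {{"techniqueID": "T1047", "tactic": "execution", "score": 1, "color": "#6699ff", "enabled": true}},
  {{"techniqueID": "T1071.001", "tactic": "command-and-control", "score": 1, "color": "#6699ff", "enabled": true}}
 ]}}"""
COVERAGE_JSON = f"""{{"name": "Detection coverage (sample)", {VERSIONS}, "domain": "enterprise-attack",
 "techniques": [
  {{"techniqueID": "T1566.001", "score": 2, "comment": "mail gateway telemetry"}},
  {{"techniqueID": "T1059.001", "score": 3, "comment": "script block logging"}},
  {{"techniqueID": "T1003.001", "score": 0, "comment": "no LSASS access auditing"}}
 ]}}"""

if __name__ == "__main__":
    group_a, group_b = load_layer(GROUP_A_JSON), load_layer(GROUP_B_JSON)
    print(json.dumps(compare_layers(group_a, group_b), indent=1))
    print("uncovered for Group A:", uncovered(group_a, load_layer(COVERAGE_JSON)))
    print(json.dumps(build_comparison_layer(group_a, group_b), indent=1))
```

Two design points worth noting. Disabled entries are dropped before any comparison, since a layer author uses `"enabled": false` to keep a technique visible without asserting it; treating those as positive mappings would inflate the overlap. And the comparison layer is itself valid input to `load_layer`, so the result can be re-imported, edited, and shared like any other layer.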
With Tidal technique sets and matrices, and now the ability to store all your old work done in Navigator, we believe we are still driving forward on the original promise to give users a flexible interface to curate and share ATT&CK-related content. Combined in the Tidal Platform, these capabilities make it easier than ever for the community to create, modify, and publish their insights in a visually compelling way. Ultimately, our goal is to make threat-informed defense as easy and attainable as possible.
I encourage you to check out some of the great content published by community members that we’ve imported into Community Edition - you can find them here. If you have suggestions for additional content you’d like to see shared with the community in Tidal’s Community Edition, we would love to hear about it – just drop us a note at firstname.lastname@example.org. As always, thanks to the hard work of all those in the ATT&CK community, and I hope you find these enhancements to the Tidal Community Edition useful.