Sightings Ecosystem

The Sightings Ecosystem gives cyber defenders visibility into what adversaries are actually doing in the wild. With your help, we are tracking MITRE ATT&CK® techniques observed to give defenders real data on technique prevalence. With this data, we can analyze trends in evolving adversary behaviors, and ultimately provide a data-driven resource to support prioritizing defensive operations. This project ingests ATT&CK technique sightings and process them to produce useful datasets and reporting.

You can be a part of the success of this project by contributing your Sightings data and help advance the state of cybersecurity at large. To join us, please submit a Data Contributor Request form.

Getting Started
Background
Getting Involved
Questions and Feedback
Notice

Getting Started

To get started, we suggest skimming the documentation to get familiar with the project. Next, you may want to try creating your own attack flows using the Attack Flow Builder, which is an easy-to-use GUI tool. When you are ready to dive deep, review the Example Flows and JSON Schema for the language.

Resource	Description
Project Web Site	Complete documentation for the Sightings Ecosystem.
Sightings Data	Download the underlying Sightings data. (CSV – 25.7MiB)
Data Contributor Request	Become a data contributor.
Upload Tool	A tool for automatically submitting sightings data (supports Linux, MacOS, and Windows).

Background

Defenders need data driven answers to questions like:

How do I know which techniques to prioritize?
As a company in the finance sector, do the attackers I face use different tactics from those facing retail or healthcare?
How are attacks trending over time? Are older forms of attacks still in use?
Which techniques should I expect to see preceding and proceeding a specific attack?

We believe that a different type of cyber threat intelligence must be shared in order to serve this purpose, and the Center is well-positioned to work across industry. Specifically, security teams, vendors, ISACs/ISAOs, and governments should begin to share sightings of ATT&CK techniques. In other words, they should share when they see adversaries use specific behaviors against real production systems and networks.

Getting Involved

Review the project website. The project provides a detailed analysis of our findings and can have immediate impact on the prioritization of cybersecurity controls.
Analyze the underlying data. We make the dataset freely available so that you can conduct your own analysis. If you generate any new insights, we would love to hear about it.
Become a data contributor. Submit a Data Contributor Request form and help us make Sightings even better!

Questions and Feedback

Please submit issues on GitHub for any technical questions or requests. You may also contact ctid@mitre-engenuity.org directly for more general inquiries about the Center for Threat-Informed Defense.

We welcome your contributions to help advance Sightings Ecosystem in the form of pull requests. Please review the contributor notice before making a pull request.

Notice

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of MITRE ATT&CK®

ATT&CK Terms of Use

center-for-threat-informed-defense / sightings_ecosystem

readme