https://github.com/center-for-threat-informed-defense/sightings_ecosystem

Sightings Ecosystem gives cyber defenders visibility into what adversaries actually do in the wild. With your help, we are tracking MITRE ATT&CK® techniques observed to give defenders real data on technique prevalence.
https://github.com/center-for-threat-informed-defense/sightings_ecosystem

ctid cyber-threat-intelligence cybersecurity data-science data-visualization mitre-attack

Last synced: 2 months ago
JSON representation

Sightings Ecosystem gives cyber defenders visibility into what adversaries actually do in the wild. With your help, we are tracking MITRE ATT&CK® techniques observed to give defenders real data on technique prevalence.

• Host: GitHub
• URL: https://github.com/center-for-threat-informed-defense/sightings_ecosystem
• Owner: center-for-threat-informed-defense
• License: apache-2.0
• Created: 2021-04-13T19:45:07.000Z (over 3 years ago)
• Default Branch: main
• Last Pushed: 2024-04-03T18:38:25.000Z (9 months ago)
• Last Synced: 2024-08-05T17:44:36.737Z (5 months ago)
• Topics: ctid, cyber-threat-intelligence, cybersecurity, data-science, data-visualization, mitre-attack
• Language: Python
• Homepage: https://ctid.io/sightings-ecosystem
• Size: 19.2 MB
• Stars: 33
• Watchers: 67
• Forks: 8
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - center-for-threat-informed-defense/sightings_ecosystem - Sightings Ecosystem gives cyber defenders visibility into what adversaries actually do in the wild. With your help, we are tracking MITRE ATT&CK® techniques observed to give defenders real data on tec (Python)

README

        
# Sightings Ecosystem

The Sightings Ecosystem gives cyber defenders visibility into what adversaries are

actually doing in the wild. With your help, we are tracking MITRE ATT&CK® techniques

observed to give defenders real data on technique prevalence. With this data, we can

analyze trends in evolving adversary behaviors, and ultimately provide a data-driven

resource to support prioritizing defensive operations. This project ingests ATT&CK

technique sightings and process them to produce useful datasets and reporting.

You can be a part of the success of this project by contributing your Sightings data and

help advance the state of cybersecurity at large. To join us, please submit a [Data

Contributor

Request](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/#CFP)

form.

- [Getting Started](#getting-started)

- [Background](#background)

- [Getting Involved](#getting-involved)

- [Questions and Feedback](#questions-and-feedback)

- [Notice](#notice)

## Getting Started

To get started, we suggest skimming the documentation to get familiar with the project.

Next, you may want to try creating your own attack flows using the Attack Flow Builder,

which is an easy-to-use GUI tool. When you are ready to dive deep, review the Example

Flows and JSON Schema for the language.

| Resource                                                                                                                                   | Description                                                                              |

| ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- |

| [Project Web Site](https://center-for-threat-informed-defense.github.io/sightings_ecosystem/)                                              | Complete documentation for the Sightings Ecosystem.                                      |

| [Sightings Data](https://ctidpublic.blob.core.windows.net/sightings/sightings_v2_public.csv)                                               | Download the underlying Sightings data. (CSV – 25.7MiB)                                  |

| [Data Contributor Request](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/#CFP) | Become a data contributor.                                                               |

| [Upload Tool](https://github.com/center-for-threat-informed-defense/sightings_ecosystem/tree/main/uploaders)                               | A tool for automatically submitting sightings data (supports Linux, MacOS, and Windows). |

## Background

Defenders need data driven answers to questions like:

- How do I know which techniques to prioritize?

- As a company in the finance sector, do the attackers I face use different tactics from

  those facing retail or healthcare?

- How are attacks trending over time? Are older forms of attacks still in use?

- Which techniques should I expect to see preceding and proceeding a specific attack?

We believe that a different type of cyber threat intelligence must be shared in order to

serve this purpose, and the Center is well-positioned to work across industry.

Specifically, security teams, vendors, ISACs/ISAOs, and governments should begin to

share sightings of ATT&CK techniques. In other words, they should share when they see

adversaries use specific behaviors against real production systems and networks.

## Getting Involved

- **Review the project website.** The project provides a detailed analysis of our

  findings and can have immediate impact on the prioritization of cybersecurity

  controls.

- **Analyze the underlying data.** We make the dataset freely available so that you can

  conduct your own analysis. If you generate any new insights, we would love to hear

  about it.

- **Become a data contributor.** Submit a [Data Contributor

  Request](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/#CFP)

  form and help us make Sightings even better!

## Questions and Feedback

Please submit [issues on

GitHub](https://github.com/center-for-threat-informed-defense/sightings_ecosystem/issues)

for any technical questions or requests. You may also contact

[[email protected]](mailto:[email protected]?subject=Question%20about%20Sightings%20Ecosystem)

directly for more general inquiries about the Center for Threat-Informed Defense.

We welcome your contributions to help advance Sightings Ecosystem in the form of [pull

requests](https://github.com/center-for-threat-informed-defense/sightings_ecosystem/pulls).

Please review the [contributor

notice](https://github.com/center-for-threat-informed-defense/sightings_ecosystem/blob/main/CONTRIBUTING.md)

before making a pull request.

## Notice

Copyright 2021, 2024 MITRE Engenuity. Approved for public release. Document number(s)

CT0022, CT0103.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this

file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under

the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

KIND, either express or implied. See the License for the specific language governing

permissions and limitations under the License.

This project makes use of MITRE ATT&CK®

[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)