Lp changes #12

Merged
merged 25 commits into from
Mar 15, 2024
Changes from 15 commits
Binary file added Sightings 2.0 Report.pdf
Contributor

As we discussed on Slack, I don't want to offer a standalone PDF. Please remove this from the PR.

If the PDF is a meaningful deliverable to you, then let's work on setting up Sphinx to support PDF generation in a separate PR.

Contributor Author

I removed the file, but I think having a pdf option is valuable for individuals who work in classified environments and can't access the website.

Binary file not shown.
Binary file added docs/_static/NEW_Top_15_TID_over_time.png
Binary file removed docs/_static/Top_15_TID_over_time.png
Binary file not shown.
22 changes: 9 additions & 13 deletions docs/additional-analysis.rst
Expand Up @@ -4,16 +4,16 @@ Additional Analysis
Top 15 Techniques by Year
**************************

.. figure:: _static/Top_15_TID_over_time.png
.. figure:: _static/NEW_Top_15_TID_over_time.png
:alt: Top 15 Techniques over Time.
:align: center
:width: 100%

Techniques by Year. (Click to enlarge)

By reviewing the top 15 techniques across the entire timeline, we can use frequency
analysis to identify any patterns or anomalies. Nota there are abrupt increases in our
sightings at different times throughout the 28 months. We do not have enough information
analysis to identify any patterns or anomalies. Note from the figure that there are abrupt increases in our
sightings at different times throughout the 26 months. We do not have enough information
to know definitively why these spikes occurred. It could be due to an increase of
attacks in the wild, or a modified detection capability that suddenly started finding
and reporting new techniques. Nearly 80% of our data is raw, meaning it has not been
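Review bot: the new directive `.. figure:: _static/NEW_Top_15_TID_over_time.png` bakes a `NEW_` prefix into a filename that will be stale by the next report; since this PR already removes `_static/Top_15_TID_over_time.png`, overwrite that file in place and leave the `figure::` line untouched. The added line `analysis to identify any patterns or anomalies. Note from the figure that there are abrupt increases in our` also runs well past the wrap width the surrounding lines use, so re-wrap the paragraph. The change from 28 to 26 months is consistent with the `Aug 2021 – Sept 2023` range in docs/key-results.rst.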
Expand All @@ -25,7 +25,7 @@ We also noted changes in the top technique over time. T1059 dominated the top sp
ranking in our top 15 techniques. `T1059 – Command and Scripting Interpreter
<https://attack.mitre.org/techniques/T1059>`__ and `T1112 – Modify Registry
<https://attack.mitre.org/techniques/T1112>`__ are extremely common techniques used by
attackers. Unusually, these techniques are part of our data surges. For T1059, it was
attackers. However, it is unusual that these techniques are part of our data surges. For T1059, it was
consistently reported prior to these increases, so a configuration change would likely
not be the cause for a sudden increase in sightings. Instead, this technique may have
truly been seen more frequently in the wild during these times, or perhaps Sightings
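Review bot: the added line `attackers. However, it is unusual that these techniques are part of our data surges. For T1059, it was` is longer than the wrap width of the rest of the paragraph; re-wrap so the diff stays readable. The wording change itself is fine.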
Expand Down Expand Up @@ -120,9 +120,7 @@ Regions

Sightings by Country. (Click to enlarge)

We were provided with the corresponding ISO Alpha-2 country code for our sightings.
Where necessary, the country code has been changed to the country’s name for clarity. It
should also be noted that 66% of our data contains region information.
We were provided with the corresponding ISO Alpha-2 country code for our sightings. The above image represents a world view of our data set. The color is darker where more Sightings were seen. Where necessary, the country code has been changed to the country’s name for clarity. It should also be noted that 66% of our data contains region information.

Unsurprisingly, the United States dominated the count by an order of magnitude above the
next closest country. We can likely attribute this to several causes:
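Review bot: three wrapped lines have been collapsed into a single long line here; keep the wrap width of the surrounding text and put the two new sentences (`The above image represents a world view of our data set. The color is darker where more Sightings were seen.`) on their own wrapped lines. Also use one spelling of `sightings`/`Sightings` within the paragraph, since the new sentence capitalizes it while the sentence before it does not.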
Expand Down Expand Up @@ -244,7 +242,7 @@ most observed by platform, defenders can hone their defenses and verify their vi
into each platform to detect the different software used by attackers. Within our data,
we can observe software usage by Windows and Nix platforms. For Nix, our sightings were
primarily comprised of Mirai usage. For Windows, our sightings were spread more evenly
across the top 10 software. However, our top 3 were Heodo, AgentTeslsa, and
across the top 10 software. However, our top 3 were Heodo, AgentTesla, and
RedLineStealer. As evidenced by the wordclouds, AgentTesla, Formbook, and SnakeKeylogger
were the main 3 software that spanned Windows and Nix platforms.

Expand Down Expand Up @@ -300,15 +298,15 @@ MacOS platforms. T1027 and T1059 were seen on Windows and MacOS platforms, and T
overlaps with MacOS and Other platforms. For the remaining techniques (that are not in
the top 15 techniques), attackers focused on varying Tactics. For Nix, the techniques
seen were Discovery focused. For MacOS, the techniques span the Execution, Persistence,
Privilege Execution, and Defense Evasion Tactics. For Other platforms, the techniques
Privilege Escalation, and Defense Evasion Tactics. For Other platforms, the techniques
cover Defense Evasion, Persistence, Privilege Escalation, and Initial Access Tactics.
Cyber defenders can use this breakdown to gain insight into the techniques,
corresponding defenses, and NIST controls observed by specific platforms.

Techniques by Privilege Level
*****************************

It should be noted that 99% of our data contains privilege level information.
It should be noted that 35% of our data contains relevant privilege level information.

.. figure:: _static/priv_level_user_to_technique.png
:alt: Top 5 Techniques by User Privilege Level.
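Review bot: the change from `99%` to `35%` is a significant correction to the coverage figure; the `35%` appears to be lifted from the `Around 35% of our data contains relevant privilege level information` sentence that the next hunk deletes, so this is a move rather than a new measurement. Please confirm which of the two numbers is correct before merging, since the `99%` was presumably also derived from the data set at some point.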
Expand All @@ -324,9 +322,7 @@ It should be noted that 99% of our data contains privilege level information.

Similar to platforms, the MITRE ATT&CK matrix includes information on what permissions
are required for each technique. By using sightings data, we can observe the top
techniques seen by privilege level. Around 35% of our data contains relevant privilege
level information, most of which primarily consists of user and system permissions.
Overall, most privilege level techniques are in the top 15 techniques,. The remaining
techniques seen by privilege level. Overall, most privilege level techniques are in the top 15 techniques. The remaining
techniques, T1218.011 and T1222.001, are used by adversaries for Defense Evasion. Cyber
defenders can use this breakdown to gain insight into the techniques, corresponding
defenses, and NIST controls observed by specific permissions.
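Review bot: the removed lines also dropped the qualifier `most of which primarily consists of user and system permissions`; that detail is useful and is not preserved in the relocated sentence above, so consider adding it there. The merged line `techniques seen by privilege level. Overall, most privilege level techniques are in the top 15 techniques. The remaining` exceeds the wrap width; re-wrap. Fixing the stray `,.` is good.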
Expand Down
11 changes: 5 additions & 6 deletions docs/defenses-in-summary.rst
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Defenses in Summary
===================

For our report, we included security controls from NIST 800-53 and detections from CAR
For our report, we included prevention controls from NIST 800-53 and detections from CAR
analytics and Sensor Mappings to ATT&CK. These preventions and detections are intended
to be a starting point for defenders to protect against the top 15 most observed
techniques. From NIST, Access Control, System and Information Integrity, and
Expand Down Expand Up @@ -58,12 +58,11 @@ a complete list of all mappings.

To identify which prevention and detection methods are needed in their environment,
defenders can use the Sightings data to assess their current security products and
inform their security strategy. With ATT&CK Navigator, defenders can document what
inform their security strategy. With `ATT&CK Navigator <https://mitre-attack.github.io/attack-navigator/>`_, defenders can document what
techniques they can detect and how they prioritize those detections. Resources, such as
the Center’s Adversary Emulation Library, MITRE’s CALDERA platform, or Red Canary’s
Atomic Red Team library, can test an organization’s defenses and detections on a
the Center’s `Adversary Emulation Library <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/adversary-emulation-library/>`_, MITRE’s `CALDERA platform <https://caldera.mitre.org/>`_, or Red Canary’s
`Atomic Red Team library <https://atomicredteam.io/atomics/>`_, can test an organization’s defenses and detections on a
recurring basis. These libraries contain tests for the specific adversary behaviors
observed in our Sightings dataset. These resources, and others, allow defenders to
identify coverage gaps and test their tools against the top 15 techniques observed in
the wild. This section is not intended to be a comprehensive list of tools for
defenders, but it should provide a useful starting point.
the wild.
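Review bot: the new hyperlinks use named references (`` `ATT&CK Navigator <...>`_ ``) while the rest of these docs use anonymous references with a double underscore (`` `T1059 – Command and Scripting Interpreter <https://attack.mitre.org/techniques/T1059>`__ `` in additional-analysis.rst, `` `MITRE Engenuity Center for Threat-Informed Defense <https://ctid.mitre-engenuity.org/>`__ `` in index.rst); use `__` for consistency and to avoid duplicate-target warnings if the same link text is reused elsewhere. The long URL lines could also be kept within the wrap width by moving the URLs into `.. _Name: URL` targets at the end of the file. Finally, the closing sentence `This section is not intended to be a comprehensive list of tools for defenders, but it should provide a useful starting point.` is deleted without a replacement; confirm that removal is intentional.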
4 changes: 2 additions & 2 deletions docs/index.rst
Expand Up @@ -6,9 +6,9 @@ Sightings Ecosystem |version|
The Sightings Ecosystem gives cyber defenders visibility into what adversaries are
actually doing in the wild. With your help, we are tracking MITRE ATT&CK® techniques
observed to give defenders real data on technique prevalence. With this data, we can
analyze trends in evolving adversary behaviors, and ultimately provide a data-driven
analyze trends in evolving adversary behaviors and provide a data-driven
resource to support prioritizing defensive operations. This project ingests ATT&CK
technique sightings and process them to produce useful datasets and reporting.
technique sightings and processes them to produce useful datasets and reporting.

This project is created and maintained by the `MITRE Engenuity Center for
Threat-Informed Defense <https://ctid.mitre-engenuity.org/>`__ in futherance of our
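Review bot: while touching this paragraph, fix the typo on the unchanged context line `in futherance of our` (should be `furtherance`). The `process` to `processes` agreement fix is correct.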
20 changes: 11 additions & 9 deletions docs/introduction.rst
Expand Up @@ -4,6 +4,13 @@ Introduction
Background
----------

Adversaries are constantly evolving their attacks, driving up the cost of intrusions.
Consequently, defenders must continue to protect against an increasing amount of
adversary techniques and behaviors. Despite their best efforts, it is not possible to
defend against all potential scenarios. This raises the questions, “How many MITRE
ATT&CK techniques apply to the average organization?” and “Which techniques does an
organization realistically need to defend against?”

MITRE’s Center for Threat-Informed Defense (the Center) began addressing these questions
with the Sightings Ecosystem. The project focused on creating an anonymous,
community-sourced repository of technique detections to identify when and where ATT&CK
Expand All @@ -22,22 +29,17 @@ organization based on location, industry sector, and deployed platforms.
Framing our Analysis
--------------------

Adversaries are constantly evolving their attacks, driving up the cost of intrusions.
Consequently, defenders must continue to protect against an increasing amount of
adversary techniques and behaviors. Despite their best efforts, it is not possible to
defend against all potential scenarios. This raises the questions, “How many MITRE
ATT&CK techniques apply to the average organization?” and “Which techniques does an
organization realistically need to defend against?”
While our volume of data has increased significantly, there are caveats to keep in mind when reading our results. Primarily, we are limited to the data we were provided. While getting the data straight from vendors is beneficial, it introduces biases. To ameliorate this bias, we have a diverse set of providers and a large data set, which reduces some skewing within the data.
Contributor

Can you please word wrap the text? I can show you how to set this up in Visual Studio Code if you don't have it already.

Contributor Author

It looked like I had word wrap on already, but let me know if what I did didn't fix the issue.


Additionally, the quality of the data is limited to what the vendors generate. We
provide a data model for submitting data, but it is up to the vendors which fields to
submit to us. While some fields are required, such as technique and data source, others
are optional, such as region or privilege level. We also place trust in our contributors
submit to us. While some fields are required, such as technique and data source; others
are optional, such as region or privilege level. We also trust our contributors
to provide complete and accurate data. Mapping observed events to adversary techniques
is an art form and therefore has some degree of subjectivity. Where an adversary is
using PowerShell to run an executable with a valid account, one analyst may mark the
event as PowerShell Scripting, while another might mark it as Valid Accounts; it depends
on the context and how the analyst views it. One mitigation for this bias is to mark the
on the context and the analyst's perspective. One mitigation for this bias is to mark the
data with all relevant techniques (both PowerShell and Valid Accounts).

Most of the events in our dataset are machine-generated and are not manually validated.
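Review bot: the punctuation change on `While some fields are required, such as technique and data source; others` is a regression: the semicolon splits the subordinate `While ...` clause from its main clause, so the original comma was correct and should be restored. The new paragraph `While our volume of data has increased significantly, ...` is still a single unwrapped line, which is the point raised in the thread above. Also, `analyst's` uses a straight apostrophe while the surrounding docs use the curly one (`country’s`, `Center’s`); pick one.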
8 changes: 4 additions & 4 deletions docs/key-results.rst
Expand Up @@ -10,7 +10,7 @@ Key Results
Key Figures
-----------

* Time Range: **Aug 2021 – Nov 2023**
* Time Range: **Aug 2021 – Sept 2023**
* **1.6M+** Sightings
* **353** Unique Techniques
* **198** Countries
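Review bot: `Sept 2023` mixes a four-letter month abbreviation with the three-letter `Aug 2021` in the same range; use `Sep 2023` (or spell both months out, as `30 September 2023` is written in the Top 15 Techniques section of this file) so the two ends of the range are formatted the same way.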
Expand All @@ -20,7 +20,7 @@ What's in the Data
------------------

In Sightings 1.0, we had around 1.1M normalized sightings. Sightings 2.0 has around 1.6M
sightings, and nearly twice as many unique techniques. This provides the Center with a
sightings and nearly twice as many unique techniques. This provides the Center with a
more comprehensive view of what techniques are being used in the wild. Out of 201 core
Enterprise techniques, we saw 173 techniques, or 86% of the ATT&CK Framework, in our
data.
Expand Down Expand Up @@ -71,7 +71,7 @@ cyber threat intelligence tends to report on, like the Professional, Scientific,
Technical Services or Information sectors. While we collected sightings from multiple
platforms, the vast majority came from Windows environments. Similarly, while we
collected sightings from multiple privilege levels, most of the data reflects
low-privilege behavior (e.g. not admin). For future reports, we hope to have more
low-privilege behavior (i.e., user-level). For future reports, we hope to have more
sightings from other platforms and privilege levels.

Top 15 Techniques
Expand All @@ -84,7 +84,7 @@ Top 15 Techniques

Percentage of the Top 15 Techniques.

Of all techniques observed between 1 August 2021 to 30 November 2023, the top 15 most
Of all techniques observed between 1 August 2021 to 30 September 2023, the top 15 most
observed techniques comprise 82 percent of our sightings. This is lower than our last
report, where the top 15 techniques comprised 90 percent of all observed techniques.
This difference is likely due to the larger data set analyzed for this report, as well
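Review bot: the date fix is correct and matches the Key Figures range, but the line still reads `between 1 August 2021 to 30 September 2023`; since the line is being edited anyway, change it to `between 1 August 2021 and 30 September 2023` or `from 1 August 2021 to 30 September 2023`.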
2 changes: 1 addition & 1 deletion docs/lessons-learned.rst
Expand Up @@ -3,7 +3,7 @@ Lessons Learned

We discovered multiple issues during analysis. One of the most significant issues was
the different ATT&CK versions present in our data. While ATT&CK updates occur twice per
year, often they are minor updates. However, our data spans 28 months and includes data
year, often they are minor updates. However, our data spans 26 months and includes data
from older ATT&CK versions, such as ATT&CK version 7 which introduced many new
techniques and depreciated/revoked several others. While this was released in 2020, we
still found data using old Technique IDs pre-version 7. As a short-term solution, we
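Review bot: the 28 to 26 month correction agrees with the same change in docs/additional-analysis.rst. On the unchanged context line `techniques and depreciated/revoked several others.`, `depreciated` should be `deprecated`; worth fixing in this pass.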
11 changes: 5 additions & 6 deletions docs/technique-co-occurrences.rst
@@ -1,6 +1,6 @@
Technique Co-Occurrences
========================
For the purposes of this paper, a co-occurrence means that a sighting event contains more than one technique. Within our data, 18.96% of events contained co-occurrences. Interestingly, we discovered multiple events contained the same cluster of techniques.
For the purposes of this project, a co-occurrence means that a sighting event contains more than one technique. Within our data, around 19% of events contained co-occurrences. Interestingly, we discovered multiple events contained the same cluster of techniques.

.. figure:: _static/TTP_co-occurrences-v7.png
:alt: Top 15 Technique Co-occurrences.
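Review bot: the replaced opening paragraph is still one unwrapped line; wrap it to the width used by the rest of the file. Rounding `18.96%` to `around 19%` is fine as long as the rest of the section uses the same level of precision.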
Expand Down Expand Up @@ -43,7 +43,7 @@ It was grouped with T1027 and T1105 in over 140,000 events (represented by the b
line), the most out of any co-occurrences, and seen nearly 40,000 times with T1105 and
around 34,500 times with T1027. It is also included in the largest grouping we saw –
T1059.001, T1021.006, T1027, T1047, T1055, T1074.001, and T1568.001, represented by the
light green line. Similarly, the same cluster of techniques, without T1055, were seen
light green line. Similarly, the same cluster of techniques, without T1055, was seen
just as frequently, represented by the black line.

.. figure:: _static/co-occurrence_software.png
Expand All @@ -59,17 +59,16 @@ information, providing insight into how adversaries are using these techniques.
Ukraine, Turkey, and Bangladesh. This aligns with the broader regional trend in our
data, with a significant majority of events occurring in the US. Additionally, over 98%
of co-occurrence events are Windows-based, which also aligns with the overall trend in
our data. Adversaries used co-occurring techniques to largely target the Manufacturing,
Administrative Support sectors. This is semi-similar to our broader data trend, where
our data. Adversaries used co-occurring techniques mostly in the Manufacturing and Administrative and Support... sectors. This is semi-similar to our broader data trend, where
Manufacturing constitutes around 24% of sighting events, the most of any sector, and
Administrative Support comprises around 9% of sighting events, the 3rd most out of all
Administrative and Support... comprises around 9% of sighting events, the 3rd most out of all
sectors. Overall, our data shows around 91% of events using user-level privileges, with
around 8% using SYSTEM level privileges. However, co-occurrences swap these amounts,
with around 97% using SYSTEM level privileges and around 2% using user-level privileges.
When comparing multiple attributes at once (e.g., co-occurrences by region and
platform), these trends remain the same.

When reviewing the software for co-occurrences Cobalt strike was seen most frequently,
When reviewing the software for co-occurrences, Cobalt strike was seen most frequently,
followed by AgentTesla. In our overall data trends, AgentTesla was seen the second most
frequently; however, Cobalt Strike was not even in the top 50.

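Review bot: the added line `Adversaries used co-occurring techniques mostly in the Manufacturing and Administrative and Support... sectors.` and the line `Administrative and Support... comprises around 9% of sighting events` leave a literal `...` inside a sector name, which reads as an unfinished edit; either write out the full sector name or use one consistent short form (the original text used `Administrative Support`) and drop the ellipsis. Both lines also exceed the wrap width. On the last changed line, `Cobalt strike` is capitalized differently from `Cobalt Strike` two lines later; use the proper name consistently.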