MITRE TRAM: Mapping Threat Reports to ATT&CK

Threat Report ATT&CK Mapper

Rating: 3.75 (2 reviews)
Platform: Udemy
Language: English
Category: Network & Security
Students: 27
Content: 1 hour
Last update: Dec 2022
Regular price: $44.99

What you will learn

Better understanding of the threats generated and their mapping to the live ATT&CK framework

MITRE ATT&CK

TRAM Tool for Threat Report ATT&CK Mapper

Hands on TRAM Exercises

Why take this course?

TRAM is a web-based tool that automates the extraction of adversary behaviors for the purpose of mapping them to ATT&CK.

TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®. TRAM enables researchers to test and refine Machine Learning (ML) models for identifying ATT&CK techniques in prose-based threat intel reports and allows threat intel analysts to train ML models and validate ML results.

Through research into automating the mapping of cyber threat intel reports to ATT&CK, TRAM aims to reduce the cost and increase the effectiveness of integrating ATT&CK into cyber threat intelligence across the community. Threat intel providers, threat intel platforms, and analysts should be able to use TRAM to integrate ATT&CK more easily and consistently into their products.

Threat Report ATT&CK Mapper (TRAM) aims to provide a streamlined approach for analyzing reports and extracting ATT&CK techniques. Our hope is that automating mapping to ATT&CK can reduce analyst fatigue, increase ATT&CK coverage, and improve consistency and accuracy of threat intelligence mappings. We are excited to now share a public beta of TRAM with the ATT&CK community.


TRAM Under the Hood:


1. Get data: STIX & TAXII >> TIP.

2. Clean the data.

3. Train the model.

4. Collect reports >> report uploading.

5. Test data (through ML models).

6. Accept or review model decisions (score & technique).

7. Feedback loop.


How TRAM is an Enabler:


1. Makes it easier to get started with ATT&CK.

2. Remembering 266+ techniques is hard >> not only 266+, but the number is ever growing >> MITRE ATT&CK is a live framework.

3. Uses reporting, which is important.


Udemy ID: 5010792
Course created date: 12/5/2022
Course indexed date: 12/20/2022
Course submitted by: Bot