A newly developed plugin allows security analysts and researchers to interact with the Mitre ATT&CK framework without leaving their Visual Studio Code (VSCode) environments.
VSCode-ATT&CK, an extension for Microsoft’s popular code editor that integrates the Mitre ATT&CK framework, was developed by managed detection and response vendor Red Canary and offers an integrated ATT&CK technique search command, among other features.
Red Canary developed VSCode-ATT&CK internally as a tool for threat research before releasing it to the wider community as an open source project earlier this month.
Query the ATT&CK database
Leom Burke, a senior web developer at PortSwigger Web Security (the makers of Burp Suite and The Daily Swig’s parent company), looked over the extension at our invitation and reported that the tool is more suited to researchers than developers, as it doesn’t allow users to directly test code against the ATT&CK framework.
Burke explained: “When a researcher is making notes (in markdown and YAML by default), they can query the Mitre ATT&CK database to auto-populate details of what they have identified during their research.”
Thomas Gardner, a detection engineer at Red Canary, conceded that other tools might be appropriate for software developers, while arguing VSCode-ATT&CK has some utility in a development context.
“We don’t address testing against Mitre ATT&CK in this tool, as that’s better handled by something like Atomic Red Team, which is an open source library of tests designed to emulate ATT&CK techniques, validate visibility, and detection controls,” Gardner told The Daily Swig.
“However, any software developer that needs to consult the ATT&CK framework while developing could benefit from this tool.”
Commenting on the intended audience and use case for VSCode-ATT&CK, Gardner said: “Researchers and analysts who already work with the Mitre ATT&CK framework to classify security events and behaviors will find this helpful.”
“The extension is meant to aid its users by allowing them to maintain focus within VSCode without having to leave the application and access information about ATT&CK via their browser.”
Red Canary has no plans to take the core of VSCode-ATT&CK and adapt it to work with other programming platforms, though it has no objection if other teams want to carry out this work.
“We don’t have any plans to develop this tool for other platforms, but if anyone is interested in doing so for their favourite editor, the code is open source and we are more than happy to answer questions about how specific features work to aid in that endeavour,” Gardner said.