MITRE ATT&CK, the common language cybersecurity professionals use to communicate with each other and better understand real-world adversary behavior, celebrates 10 years this fall. In this Help Net Security interview, project leader Adam Pennington talks about the framework, how defenders can get the most out of it, and what's next.
What were the key drivers for creating the MITRE ATT&CK framework in 2013?
This framework grew out of an internal exercise conducted at MITRE's Fort Meade, Maryland site in 2013. Sensors were attached to desktop computers to analyze a series of cyber operations by the red and blue teams, which was not common at the time. Observers on the white team realized that the red team's actions were not representative of real-world adversaries' actions. When they asked the red team to adjust their tactics, they lacked a unified language to explain themselves.
The white team changed tack by pulling real cyber attack scenarios from a honeypot of real data for the blue and red teams to design their operations around. Ultimately, the exercise culminated in a basic Excel spreadsheet that used a common language to outline various intrusion techniques. It was so useful internally that we released it to the public as MITRE ATT&CK, thinking it might be useful elsewhere in the world.
How has this framework evolved over the past 10 years, and especially over the past five years, as its popularity has surged?
What started as an Excel spreadsheet identifying one adversary and one tactic has turned into a framework that is referenced and contributed to by users around the world. It had about 100 techniques by the time it was publicly released, and in 2016 it began tracking groups and software based on open-source threat intelligence reports. In 2018, we had generated enough interest to launch ATT&CKcon (the fourth edition of the user conference will be held October 24-25 at MITRE headquarters in McLean, VA).
Over the past five years, we have extended the core framework of ATT&CK to include industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (switches and routers), and more. We continue to make the information understandable and user-friendly by including both what adversaries' tactics and techniques are and what users can do to defend against them. To that end, we recently added pseudocode analytics directly to ATT&CK that people can use as an "easy button" for their defenses.
How does the framework stay up to date with real-world observations and contributions? How often is it updated?
While I was answering this question, I received at least one contribution from a community member via email, which is proof of how frequently we receive updates. ATT&CK is community-driven. Our framework is only effective if users stay informed of the latest threats.
We also monitor social media, public reports from various government agencies, and updates from incident response companies. Behind the scenes, we have large teams that maintain and organize information for their respective areas.
New versions of ATT&CK are released every six months. After experimenting with shorter and longer periods, we found that six months is the optimal interval to satisfy both the organizations that incorporate ATT&CK into their products and defenses and those that need the information immediately.
Given the evolving nature of cyber threats, what long-term value does the MITRE ATT&CK framework provide to cybersecurity professionals?
ATT&CK continues to evolve in parallel with its adversaries, but historically this is a space that changes slowly over time. Once malicious attackers have penetrated your network, they exhibit relatively routine techniques. Even if the exact piece of software, IP address, or even the person on the other end varies, there is a basic attack sequence that does not change often. The behavior documented in ATT&CK ten years ago is still seen today.
On the other hand, there are new spaces ripe for infiltration, such as cloud-based products. We are expanding our framework to accommodate new technologies.
For organizations finding the initial adoption process complex, what advice do you have to ease this learning curve?
Start with bite-sized portions. I've seen cybersecurity teams at small organizations try to comprehensively integrate ATT&CK into their company's defenses, only to quickly realize that it is over their heads. The framework is not a panacea.
To overcome this challenge, we recommend several strategies that all focus on starting small. The framework is divided by technique, so organizations can start with one tactic relevant to their systems. For example, if you are interested in identity management, you can take a closer look at how attackers steal passwords and identify overlaps in their behavior. Once you have identified these priorities, it is easy to work backwards and add protection against them.
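One way to put the "start with one tactic" advice into practice, as an added example that is not from the interview or from MITRE: filter the ATT&CK STIX data down to the techniques under a single tactic (here Credential Access, matching the password-theft example above) and turn the result into a small worklist. The bundle inside the block is a constructed stand-in that follows the field layout of the public ATT&CK Enterprise STIX bundle (`attack-pattern` objects, `kill_chain_phases` naming the tactic, `external_references` carrying the technique ID, and the `revoked` / `x_mitre_deprecated` flags); the technique IDs T1003, T1003.001, T1110 and T1059 are real ATT&CK IDs, while the object IDs, the two retired placeholder entries and the helper names are made up for the example.

```python
"""List the active ATT&CK techniques under one tactic from a STIX 2.1 bundle.

Added example, not MITRE's code. It assumes the public ATT&CK STIX layout:
attack-pattern objects whose kill_chain_phases name the tactic and whose
external_references (source_name "mitre-attack") carry the Txxxx id.
"""
import json
from collections import defaultdict


def _technique(ext_id, name, tactic, sub=False, **flags):
    """Build one constructed attack-pattern object in the ATT&CK STIX shape."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--constructed-{ext_id}",   # made-up STIX id
        "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "x_mitre_is_subtechnique": sub,
    }
    obj.update(flags)
    return obj


# Constructed sample bundle. Real ATT&CK ids for the live techniques; the two
# retired entries use obvious placeholder ids. The real bundle keeps revoked
# and deprecated objects so old references still resolve, which is exactly
# what trips up a naive "everything tagged credential-access" filter.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed-sample",
    "objects": [
        _technique("T1003", "OS Credential Dumping", "credential-access"),
        _technique("T1003.001", "LSASS Memory", "credential-access", sub=True),
        _technique("T1110", "Brute Force", "credential-access"),
        _technique("T1059", "Command and Scripting Interpreter", "execution"),
        _technique("TXXXX-REVOKED", "Placeholder revoked entry", "credential-access", revoked=True),
        _technique("TXXXX-DEPRECATED", "Placeholder deprecated entry", "credential-access",
                   x_mitre_deprecated=True),
        {"type": "course-of-action", "id": "course-of-action--constructed-1", "name": "Not a technique"},
    ],
})


def load_sample_bundle():
    """Parse the constructed bundle; swap in json.load(open('enterprise-attack.json')) for real data."""
    return json.loads(SAMPLE_BUNDLE)


def attack_id(obj):
    """Return the ATT&CK id (e.g. 'T1003') from external_references, or None if absent."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def techniques_for_tactic(bundle, tactic, include_subtechniques=True):
    """Return {technique_id: name} for active techniques tagged with `tactic`.

    Skips non-technique objects, revoked and deprecated entries, and
    optionally sub-techniques, so the result is a clean starting worklist.
    """
    selected = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if not include_subtechniques and obj.get("x_mitre_is_subtechnique"):
            continue
        tactics = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"}
        if tactic in tactics:
            selected[attack_id(obj)] = obj["name"]
    return selected


def group_subtechniques(techniques):
    """Nest sub-technique ids (T1003.001) under their parent id (T1003)."""
    tree = defaultdict(list)
    for tid in sorted(techniques):
        parent, _, sub = tid.partition(".")
        if sub:
            tree[parent].append(tid)
        else:
            tree.setdefault(parent, [])
    return dict(tree)


if __name__ == "__main__":
    bundle = load_sample_bundle()
    techs = techniques_for_tactic(bundle, "credential-access")
    for parent, subs in group_subtechniques(techs).items():
        print(f"{parent}  {techs.get(parent, '(parent outside this tactic)')}")
        for sub_id in subs:
            print(f"    {sub_id}  {techs[sub_id]}")
```

Pointing `load_sample_bundle` at the Enterprise bundle MITRE publishes gives the full Credential Access list; the same filter works for any tactic short name (`execution`, `persistence`, and so on), and dropping revoked and deprecated objects first keeps retired IDs out of a new coverage plan.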
What are some of the less obvious framework applications that cybersecurity industry professionals should know about?
We’ve been pleasantly surprised to see how ATT&CK is being used in academic environments from high school to college. A high school in Virginia invited our team to talk about an initiative they had previously incorporated into their curriculum.
Several private sector organizations have also incorporated the framework into their employee training. I recently spoke with someone at a company where they regularly discuss a "technique of the week" drawn from the ATT&CK database.
What future enhancements and extensions do you foresee for the MITRE ATT&CK framework?
As adversaries seek new ways to exploit, we catalog their every move. Our team continues to report on threat intelligence in areas that are becoming more popular, such as Linux and non-Windows operating systems.
The goal is to build a community of cyber defenders. We know that ATT&CK is beneficial to large organizations, but we are also working on ways to make ATT&CK more accessible to smaller, less resourced organizations.