How the art of cybersecurity is advanced by research for the public domain

MITRE Corporation's Center for Threat-Informed Defense has collaborated with more than a dozen companies to produce 13 reports freely available to anyone.


The nonprofit MITRE Corporation has become the locus of an extensive research program in cybersecurity. Its Center for Threat-Informed Defense has collaborated with more than a dozen companies to produce 13 reports so far, all of which are freely available to anyone. For a progress report, the Center’s Director for Research and Development John Baker spoke to the Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Mr. Baker, good to have you on.

John Baker: Thanks for having me on, Tom.

Tom Temin: So tell us more about this program. MITRE, well known and does a lot of consulting directly with the federal government, but you are working with the players in industry to do what exactly?

John Baker: As you said, Tom, MITRE is a nonprofit that’s been around for around 60 years, running federally-funded research and development centers with the government. We saw an opportunity to create a new model. And you can think of it as a privately funded research and development center, where what we did was we brought together some of the most sophisticated cybersecurity teams from around the world to identify hard problems. And then we built an engine that allows us to run research projects to solve those hard problems. When we’re done, because we work in the public interest, we publish all the results of our R&D.

Tom Temin: And what are the grand challenges or what are the big problems that require research as opposed to just simply software development, when it comes to cyber?

John Baker: Tom, we tried to develop the Center with a mission to advance threat-informed defense. And when we think about how to advance it, we want to both advance the state of the art and the state of the practice. And so to your question around the hard problems, we want to develop resources that are practical and can be used to solve problems today. We also want to have a balance of resources and research projects that are tackling things that are trying to advance the state of the art. So in that space of threat-informed defense, our goal is to continually advance our knowledge and understanding of adversary behaviors. So what are attackers doing today? How are they achieving their goals, and then use that knowledge to systematically improve our defenses. And so what you end up with is sort of a feedback loop. As we get better at defending, we learn more. As we learn more, we identify defensive gaps, and we can improve our defenses, until you get this circle.

Tom Temin: So a lot of the research then is not so much on what you do about the threat necessarily as understanding the threat?

John Baker: Yeah, actually, we have a good balance in our R&D program to date. As you mentioned, we released a 2021 impact report a couple of weeks ago now. And that report highlights 13 projects that we released in the first year or so of operating a Center for Threat-Informed Defense. Some of those projects are specifically aimed at helping us better understand, for example, how adversaries achieve their goals in cloud environments, or how they use container technologies and how they attack container technologies. On the other hand, we also have a set of projects that are looking at it from the defender’s perspective. OK, given this set of threats and the set of behaviors that we’ve observed in cloud technologies, what are the security capabilities that are available to us to defend against those? And so we did a project that essentially maps the native security capabilities of Azure. And then we did one for AWS. And we’re running one for the Google Cloud Platform, back to the MITRE ATT&CK knowledge base, where we’re trying to help people understand, for a given threat, how do I use the technologies in front of me today to defend against those threats?

Tom Temin: And what are some of the research methodologies you use, like for example, to understand how someone is attacking containers? And that’s a big issue, because everybody’s putting containers in the cloud, partly as a security measure, because you have various instances that can reproduce if some other instance is attacked, cyberwise. But if all the containers are contaminated, then you’re kind of out of luck. So give us an example of how you go about this.

John Baker: The Center’s R&D engine was formed with this belief that if you brought these really sophisticated security teams together, that saw that it was kind of in their own best interest to come together and collaborate on some of these problems, like understanding adversary behaviors, we could essentially lay a foundation for others to build upon and innovate on top of. And so just to pick an example for you with one of our projects, we collaborated with our center participants and the MITRE ATT&CK team to end up creating what is now ATT&CK for containers. And so we worked sort of as a closed research team, with our participants to understand their priorities and their concerns about attacks against container technologies. And then we actually wanted to go much broader. And so we ended up doing a communitywide call for inputs and leveraged that to help us get a sense of the real world in-the-wild attacks against container technologies. One of the things that we’ve really tried to advance through our research program is this notion of really focusing on what adversaries are actually doing, simply because if you think about the whole universe of possible attacks, what adversaries might do or could do, it’s simply overwhelming. And so we try to focus ourselves on what has been done. And that then necessitates that call for community contributions and influence.

Tom Temin: We’re speaking with John Baker, he’s director of Research and Development at the MITRE Corporation’s Center for Threat-Informed Defense. And we should talk a little bit about the ecosystem involved here, looking at some of the names that are names familiar to the federal government: Booz Allen Hamilton, CrowdStrike, Ernst & Young, the Google Cloud, Microsoft, these are all kind of household names, both commercially and for the federal agencies. Given the reports that are published, how do organizations including agencies best take advantage of them?

John Baker: So what’s interesting about the Center, and one of the goals that we had when we established the Center is that, a lot of these problems, these challenges that we’re identifying, and then tackling as research projects, they’re not just specific to our private sector participants, right? These are broad problems that are shared by the private sector and the public sector, and globally and across sectors. So I mentioned that project around furthering our understanding of adversary behaviors against container technologies. Well, everybody uses container technologies. By us conducting that research project, and then working with the MITRE ATT&CK team to have that published, we’ve now made that resource freely available to everyone. Government and industry are now free to use that and leverage it in their threat modeling activities in their work as they think about how to defend container technologies. And in that example, I mentioned some of the work we’ve done to map security technologies to the threats that they defend against – very same thing. I know firsthand that that same kind of work happens across government every day. In the Center, one of the things that we can do, I mentioned we’re trying to develop and provide practical resources that can be used today, is simply create well-understood, well-defined resources that everybody else can build off of. So they don’t have to do that work. Once we mapped Azure to the techniques of defense and attack, you shouldn’t have to do that again. So everybody can now build upon that and leverage that resource.

Tom Temin: It sounds like this could have applications in a lot of federal programs. I’m thinking of NIST publication 800-53, kind of the Bible for software controls. And they’re always updating and I think we’re on version 4 or 5 now over the years. Do you think that some of the research that you have produced could affect the next version of something like 800-53?

John Baker: Perhaps they could, Tom. You mentioned 800-53, which I think is a great example, I’m glad you brought that one up. One of our very first research projects in the Center was just tackling this problem that so many organizations had, as you said. Everybody uses NIST 800-53. And teams are trying to understand how the security controls in NIST 800-53 help them defend against real world attacks. So what that meant was lots and lots of teams all over the world trying to do this study and analysis on their own. And so what we did is we worked with our center participants to do that analysis and produce a mapping of 800-53 controls to MITRE ATT&CK, allowing you as a user to understand for a given control in 800-53, what techniques or what adversary behaviors does that control mitigate, right? And so there’s another example of where we provided this foundational resource. So that analysis is subjective. And to make a really subjective analysis useful for others, it’s important that you document it. So we developed the methodology and our rubric and tools to support it. So our goal there is to make it as easy as possible for users around the world that are thinking about 800-53 compliance, thinking about the set of threats they care about to understand how to bring those two together.

Tom Temin: And you should be talking to the Cybersecurity Maturity Model Certification (CMMC) program. They probably want to hear about this, too. Alright, so you’ve been at this a couple of years, 13 reports, a couple dozen companies and some of the nonprofit associations involved. What will you do next? What’s on the agenda coming up?

John Baker: As I mentioned earlier, we built this engine and the Center’s research program. And we brought these sophisticated security teams together from around the world to identify hard problems. Since we published the report, we’ve actually published a couple of new research projects. Last week, we released a new project that is aimed at building out a knowledge base of insider threat tactics and techniques and procedures. Our goal there is to help security teams, those that are sitting in a SOC [security operations center], understand the set of behaviors that insiders might use in a way that we’ve done very similar to building out a knowledge base of traditional cyber threats. And so in that case, it’s a first draft of that work. We’re working to bring the community together to further our really our broad community understanding over how insiders achieve their goals and what you might see in an IT environment. Actually, just yesterday, we released another project, too. That one’s been a couple of years in the making. Our vision with this project, called the [ATT&CK] Sightings Ecosystem, is to provide defenders with real world data and insight into how adversaries are achieving their goals today, and allow us to see that and see how that changes over time. So the Sightings Ecosystem project is based on community data contributions where events are correlated to MITRE ATT&CK techniques. We bring in that data, anonymize it, and analyze it and produce reporting on top of that data to show people what are the most prevalent attacks today? What set of techniques might you see next to each other? So what might be step one and step two in a given attack to help us develop much more sophisticated defenses, to help us focus our defensive efforts in the research program? As I mentioned earlier, we’re really focused on continually advancing that understanding of adversary behaviors and then working together to improve our defensive capabilities. So along those lines, we have research themes that are tackling hard problems in cyber threat intelligence, and test and evaluation and detection and security engineering.

Tom Temin: Sounds like a heavy workload you got ahead here.

John Baker: Yeah!

Tom Temin: John Baker is director of Research and Development at the MITRE Corporation’s Center for Threat-Informed Defense. Thanks so much for joining me.

John Baker: Yeah, thanks for having me on today, Tom.
