Improving cybersecurity across federal agencies requires staying on top of new and evolving threats. Now, the MITRE Corporation has a new resource, called ATT&CK, to further that mission.
Richard Struse, chief strategist of Cyber Threat Intelligence at MITRE Corporation, called ATT&CK an “encyclopedia of information” on cyber adversaries and their techniques for getting into systems.
“And it’s something that continues to grow and evolve as adversaries grow and evolve and then originated out of a MITRE internal research project,” Struse said on Federal Monthly Insights — Strategic Threat Intelligence Month. “We used it to solve some of our own problems. And we saw that it really had great utility. And since then, since we publicly released it, a lot of other folks have decided that it’s really valuable to have that kind of insight into what adversaries are doing.”
The resource’s website explains that ATT&CK takes publicly available information about adversary tradecraft and organizes it in two ways. One is to identify what those adversaries are trying to achieve technically.
“Are they trying to get into the system, are they trying to move within your network? Are they trying to escalate privileges from a regular user to an administrator, and so on,” he said on Federal Drive with Tom Temin. “And then under each of those tactics as we call them, there are different techniques that represent the different ways adversaries have actually been publicly documented to achieve those techniques.”
Struse emphasized that MITRE does not itself attribute behavior to adversary groups but rather relies on public reporting, which MITRE then curates and vets. He said this distinction is what makes ATT&CK popular across both the public and private sectors.
“Whereas other organizations, and certainly the government talk in terms of attribution and the sort of strategic goals of an adversary group, ATT&CK is really focused on the kinds of things that network defenders can use, understanding adversaries’ technical objectives and the ways that specific adversary groups have been attributed to specific behavior.”
In an effort to share reliable information, each ATT&CK entry includes the source material for these attributions. As Struse acknowledged, the collection itself implies that no single organization knows everything going on across the internet.
“That’s the value and sometimes you have different people who disagree about a particular attribution to adversary groups,” he said. “Our feeling is we want to provide the information in a structured format — in a regular format — to make it easy for cyber defenders to consume, and then they can make their own judgments about if they’re going to trust vendor A versus reporter B.”
For chief information officers and others who work closely with network defenses, Struse said ATT&CK is helpful for communicating threats in a concrete way. It is presented as a matrix, currently 223 cells, that can help organizations prioritize their threats and judge which areas of their cyber infrastructure are sufficiently protected.
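The prioritization Struse describes is, in practice, an overlay: the organization's detection rules are mapped onto the tactic/technique matrix, and the techniques that public reporting attributes to adversary groups of concern are checked against that map. The following is an added example, not MITRE's code or data and not from the article. The matrix subset, the detection rules and the two adversary groups are constructed for illustration; the technique IDs follow ATT&CK's public numbering (for example T1566 Phishing) but should be verified against the current ATT&CK release before use.

```python
"""
Constructed example: overlay local detections on a small ATT&CK-style
tactic/technique matrix, report coverage per tactic, and rank the
uncovered techniques by how many adversary groups are reported to use them.
"""
from collections import Counter

# Constructed subset of the ATT&CK matrix (tactic -> {technique ID: name}).
# IDs follow ATT&CK's public numbering; a technique can sit under several
# tactics, as T1078 does here. Verify against the current ATT&CK release.
MATRIX = {
    "Initial Access": {"T1566": "Phishing", "T1078": "Valid Accounts"},
    "Execution": {"T1059": "Command and Scripting Interpreter"},
    "Privilege Escalation": {
        "T1068": "Exploitation for Privilege Escalation",
        "T1078": "Valid Accounts",
    },
    "Credential Access": {"T1003": "OS Credential Dumping"},
    "Lateral Movement": {"T1021": "Remote Services", "T1570": "Lateral Tool Transfer"},
}

# Constructed detection rules, each tagged with the technique(s) it covers.
DETECTIONS = [
    {"rule": "email-attachment-sandbox", "techniques": ["T1566"]},
    {"rule": "suspicious-script-interpreter-cmdline", "techniques": ["T1059"]},
    {"rule": "lsass-memory-access", "techniques": ["T1003"]},
]

# Constructed, hypothetical groups and the techniques attributed to them.
# ATT&CK's real Group entries cite the public report behind each attribution.
GROUP_TECHNIQUES = {
    "Example Group A": ["T1566", "T1059", "T1078", "T1021"],
    "Example Group B": ["T1566", "T1078", "T1003", "T1068"],
}


def covered_techniques(detections):
    """Technique IDs that at least one detection rule claims to cover."""
    covered = set()
    for d in detections:
        covered.update(d["techniques"])
    return covered


def coverage_by_tactic(matrix, detections):
    """{tactic: (covered_count, total_count)} for each column of the matrix."""
    covered = covered_techniques(detections)
    result = {}
    for tactic, techniques in matrix.items():
        hit = sum(1 for tid in techniques if tid in covered)
        result[tactic] = (hit, len(techniques))
    return result


def gaps_for_group(detections, group_techniques, group):
    """Techniques attributed to `group` that no detection covers, sorted by ID."""
    covered = covered_techniques(detections)
    return sorted(tid for tid in group_techniques[group] if tid not in covered)


def prioritized_gaps(detections, group_techniques):
    """Uncovered techniques ranked by the number of groups reported to use them.

    Returns [(technique_id, group_count), ...], highest count first, ties by ID.
    """
    covered = covered_techniques(detections)
    counts = Counter()
    for techniques in group_techniques.values():
        for tid in set(techniques):  # count each group once per technique
            if tid not in covered:
                counts[tid] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def technique_name(matrix, tid):
    """Name for a technique ID, searching every tactic it appears under."""
    for techniques in matrix.values():
        if tid in techniques:
            return techniques[tid]
    return "unknown technique"


if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(MATRIX, DETECTIONS).items():
        print(f"{tactic:22s} {hit}/{total} techniques covered")
    for tid, n in prioritized_gaps(DETECTIONS, GROUP_TECHNIQUES):
        print(f"gap: {tid} {technique_name(MATRIX, tid)} (used by {n} group(s))")
```

The ranking is deliberately simple (count of groups per uncovered technique); a real program would weight groups by relevance to the organization's sector and keep the citation for each attribution alongside the count, which is what lets defenders decide for themselves whether to trust "vendor A versus reporter B".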
In recent years, Struse said, significant progress has been made in improving both the quality and the quantity of threat intelligence. One major change he described was a move away from unstructured threat information in favor of a more structured environment with machine-to-machine sharing.
“What that allows us to do is actually have machines do some of the triaging and vetting and initial operation on cyber threat indicators, for example, instead of making analysts sort of sift through a mountain of information,” he said. “I always think about it in terms of you have really skilled analysts who are collaborating analyst to analyst but they’re essentially sitting on top of an automated ecosystem. That’s sort of the place I’d love to see us go.”