ATT&CK™: Building a Cybersecurity Community

June 30, 2015
Cyber Threat Intelligence: Post by Blake Strom

MITRE recently released ATT&CK™—Adver­sarial Tactics, Techniques & Common Knowledge—a framework that consolidates and provides concise, more complete descriptions of what cyber attackers do once inside and embedded in a computer network. ATT&CK can help organizations quickly detect cyber threats and identify and categorize cyber adversary behaviors. This allows for both a tailored response and a recovery plan specific to the breach—saving valuable time and resources. The ATT&CK license is available for free.

Blake Strom, MITRE cybersecurity researcher, who led the work, says, “Our ultimate goal for ATT&CK is to create a community to raise awareness about what actions might be seen during an intrusion.”

Below, Blake talks more about ATT&CK and the critical role an engaged and active community can play.

Why is ATT&CK so important to the cyber defense community?

First of all, ATT&CK is a totally new approach because it provides you with real intelligence that you can act on in a structured and intuitive way. And it goes a long way toward filling the huge gaps in knowledge that have hampered the entire cyber defense community. We decided to focus on the post-compromise phases, not only because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action.

Who will benefit most directly from ATT&CK?

Organizations interested in host-based sensing as a way of detecting intrusions will reap the most benefits. ATT&CK is meant to highlight how adversaries operate by describing specific actions they make and why, so that network defenders are better equipped to understand what tools they need to address very specific problems.

What kind of cyber or IT professionals would use ATT&CK in their daily job?

ATT&CK has enough information to be used by both security specialists and IT professionals. Sometimes those who build and maintain networks aren’t well-versed in how adversaries try to operate within them. Security professionals can use it as a reference to explain what they may see during day-to-day activity analysis for detecting intrusions, responding to an intrusion, and understanding what adversaries are capable of doing. ATT&CK is also a good reference for education and training. And it can be used to help determine how to invest in security technology and to compare different tools by seeing how well they detect the set of techniques described in ATT&CK.

Why do you want to build a community? Why is it so important? Who should join?

Cybersecurity defenders, analysts, and researchers can all play a critical role in building a community. The more we collectively understand a threat, the better we're equipped to deal with it. Some groups may see activity before others, so getting information out early will help. Threat sharing has generally been a closed effort because adversaries will learn how they're being detected. Certain types of information are quite fragile because adversaries can evolve and change quickly. ATT&CK can help facilitate sharing on-system behavior of adversaries—which is harder and more expensive for an adversary to change.

ATT&CK can help focus community efforts on areas that are not well understood or covered by current defensive technologies and best practices. Developers of defensive tools and policies can identify where their value and strengths are in relation to the ATT&CK framework. Likewise, cybersecurity research can use ATT&CK as a grounded reference point to drive future investigation.

Since ATT&CK is a constantly growing common reference of post-compromise techniques, the more information we have, the greater our awareness becomes of actions that might be observed during a network intrusion. Therefore, we invite and encourage the community to contribute additional details and information to continue developing this body of knowledge. This could include new techniques, categories of actions, clarifying information, examples, methods of detection or mitigation, and data sources. The Contribute page on the project Wiki site has instructions on how to get involved.

What would the community do together?

Collaborate more on how to categorize and identify malicious activity within networks after an adversary has gained access. A lot of focus has already been placed on malware, domains, IP addresses, and other static indicators as a way of detection, but those change frequently and aren’t a robust way to detect an intrusion in progress. How adversaries conduct an intrusion using what’s already available on the systems they land on isn't well known unless you have a lot of experience in threat intel and incident response. To address the huge shortfall of experienced cyber security practitioners, we need new ways of sharing information like this.

What are the benefits to the field of cybersecurity?

There are a lot of host-based and behavioral intrusion detection tools and systems coming to market recently and there hasn’t been a common framework to evaluate them against yet, so I think that is going to be the most immediate impact to the community.

How do folks get involved in the community?

The first step to participating is to contact us at attack@mitre.org. We're looking for any and all information on new techniques or refinements to existing information. What people see happening, what works for them, clarifying information, new ways of using ATT&CK, etc. It's up to the contributor if they want to be mentioned for credit.

What will MITRE do on behalf of the community?

We will facilitate adding this valuable information into the framework for the community to use and benefit from. Any new material will be vetted by a group of experts to see if it fits within the ATT&CK model and whether the model should be extended to incorporate this information.

Where do you hope to see ATT&CK in five years?

I would like to see ATT&CK continue to grow as a repository of knowledge and become an industry recognized way of describing this type of information, much like CVE® did with software vulnerabilities.

Learn more about ATT&CK:
MITRE Research Opens Window into Cyber Attacker Behavior
How to ATT&CK Cyber Invaders within the Perimeter