A Cyber Security Engineer Scores a Big Win with ATT&CK

October 2015
Blake Strom

Blake Strom joined MITRE in 2013 with a solid track record in cyber threat intelligence. His first job out of college was with the Department of Defense, where he took on increasingly senior roles investigating high-profile intrusions and how to reduce risks to critical networks. He stood out for the creative ways in which he responded to—and lessened the impact of—opponents' attacks. In other words, he played for the defense.

But, his first assignment at MITRE was to plan "red team" operations for an internal research project called the Fort Meade eXperiment (FMX). FMX is a heavily sensored "living lab" segment of over 200 hosts on a corporate network, with live users performing their normal duties. The red team goes into the FMX network and emulates the behavior of a known threat after it has penetrated the network, while the blue team dedicates itself to determining the best strategies for detecting the red team's activity.

For the first time, Strom found himself on offense, orchestrating the covert activities he had for many years been trying to counter.

A Different Perspective on Network Defense

"It's fair to say that I was a little surprised to be in this position because my background was so different, but it was such a good learning opportunity," says Strom, the red team leader. "In cyber threat intelligence, you're really focused on the specific indicators linking events together—you're in the weeds with data. But on the red team, you're looking at an entire system and network from the adversary's point of view. Uniting those two viewpoints, I brought a different perspective to the work. It ended up being very fruitful to MITRE research."

Fruitful may be an understatement. Strom's insights led to the creation of a promising new approach to cybersecurity. Fittingly, it goes by the acronym ATT&CK™—short for Adversarial Tactics, Techniques, and Common Knowledge.

While most other tools and approaches focus on safeguarding the network perimeter to keep the bad guys out, ATT&CK is based on today's reality—your adversary is probably already in. ATT&CK is the first detailed model and framework to describe the actions an adversary takes once he's in the network.

Learning Lessons from Notorious Adversaries

What Strom discovered—and one of the insights that forms the basis for ATT&CK—is that there just aren't that many variations in the ways adversaries behave once they've successfully breached a system. Strom learned this from studying the most notorious adversary groups and then leading his team in emulating their behavior in the FMX network.

"There could be hundreds or thousands of variants of malware, including backdoors, Trojans, remote access tools, and so on, that adversaries use to get inside a network," he says. "But once they're inside, they exhibit a lot of common behaviors. They learn about their environment, gather credentials for legitimate users and accounts, and move to other systems in the network to steal information or set up some longer-term operation or effect."

Strom works within MITRE's National Security Engineering Center, the FFRDC we operate for the DoD; however, ATT&CK is applicable across all government agencies, as well as the commercial sector.

Building a Community of ATT&CK Users

Strom is currently applying ATT&CK in various sponsor projects to build better capabilities for threat detection. He's also guiding efforts to use it on internal research projects at MITRE. Various organizations now use ATT&CK, and Strom notes the public reception has been favorable. He is continuing to build a community of users and vendors that can share their insights and experiences to keep advancing the capability.

"Anything I can do to help further that is extremely important to me," he says. "One of the reasons I came to MITRE is our nonprofit mission—and I'd like to see as many people as possible benefit from this approach."

—by Twig Mowatt
