Cyber Sleuth Is Changing the Rules of the Game

Kristin Esbeck

Kristin Esbeck is a woman on a mission. She wants to make the lives of cyber attackers a "living hell."

And she is doing just that.

Esbeck is a cybersecurity engineer at MITRE, who specializes in applying cyber threat intelligence (CTI) to network defense and intelligence missions. She works with sponsors in the Departments of Justice and Defense and in the Intelligence Community to help identify attack vectors and network vulnerabilities that might attract malicious intruders. For Esbeck, the best defense is to think like the offense.  

"My approach is to put myself in the mindset of the adversary—what are they thinking? What are they targeting? What’s their next step and when?" she says.

"Once you are armed with that knowledge, you are in a much better position to help defend."

Adding to the Knowledge Base of Adversary Tactics and Techniques

Esbeck joined MITRE five years ago after 12 years at two commercial companies. Her first assignment was to help develop PRE-ATT&CK, which is the pre-compromise portion of MITRE ATT&CK™. MITRE ATT&CK is a knowledge base of adversary tactics and techniques across the lifecycle of an attack.

Cyber defenders use MITRE ATT&CK to develop threat models and methodologies. Esbeck has led the PRE-ATT&CK project since its inception.

"I wanted to come to MITRE because not only did I know I would be making a difference for our nation, but I also thought I could help change the rules of the game," she says. "The adversary believes that the game is stacked to their advantage—and it is. We have to change the rules."

PRE-ATT&CK is one way to do that. It categorizes all the goals (tactics) that adversaries achieve in the attack lifecycle and the individual mechanisms (techniques) by which these goals were achieved. And it does all this from the perspective of the adversary.

"I was looking for a more granular way to characterize adversary behavior prior to the compromise itself," she says. "That means capturing the entire lifecycle--stating a target, planning for it, researching it, analyzing it, developing and weaponizing an exploit against it, and ultimately delivering that exploit."

Cyber Threat Intelligence: "Fascinating and Fun"

CTI refers to the collecting, analyzing, and disseminating of intelligence, as well as the knowledge and products that result from this process. The data is collected from a variety of sources and typically includes information on the technology, the adversary, and the asset.

"For me, what makes CTI so fascinating and fun is the challenge of understanding and analyzing adversary intent and capability," Esbeck says.  "Intent is incredibly difficult to determine because the techniques that adversaries use inside the network don’t necessarily signal whether they're trying to steal information or destroy access."

By shining light on the techniques that the adversary uses, MITRE ATT&CK provides defenders with critical insight into the intruder's capabilities. But the process doesn't stop here. Analysts at the strategic, operational, and tactical level must then put the pieces together to determine intent.

"In CTI, you get to be creative and think creatively, but also be deeply analytical," she says.

Esbeck has written an introduction to CTI that she shares with sponsors. She also helped create a series of questionnaires based on that document to help organizations determine their priorities.

To help sponsors identify adversary threat vectors to pair with vulnerabilities in their networks, she often combs through open source intelligence and builds out an attack scenario—and the resulting impact—based on her findings. She then hands her findings over to the federal agency she's working with so they can get to work fixing the problems.

"I have had the distinct pleasure of having a sponsor come back to me and say 'remember that thing you told us about two years ago? Well, we fixed it,'" she says. "That is incredibly rewarding."

Esbeck, a graduate of UC-Berkeley and Mercyhurst University, didn't know she would end up being so integral to cyber defense. But she knew early on that she wanted to support the government and intelligence community. Her first job out of college was as an unpaid intern tasked with redesigning the San Diego port of entry to make it easier to detect nuclear weapons.

"Thwarting the bad guys was ridiculously fun work," she says. "It still is."

By Twig Mowatt

Join our community of innovators, learners, knowledge-sharers, and risk-takers: View Job Openings.