Introducing Cybersecurity to the Most Connected Generation

“Don’t talk to strangers!” Growing up, we heard that a lot. These days, the warning requires a footnote—because for young people who spend a good chunk of their lives on the internet, talking to people you don’t know is a natural part of the allure.

“Kids are already living online, using social media, and gaming,” says ATT&CK's Deputy Lead Amy Robertson. “For their safety, they should be aware of the malicious people who could be on the other end of their screens.”

More than a decade ago, MITRE developed ATT&CK to formally raise awareness about said “bad actors.” It has since become the global gold standard for the collective cybersecurity community tracking adversary behavior in the wild.

As stewards of the free resource, a MITRE team—including Robertson—provides context and a common language for adversary tactics and techniques. They also share intel for how to defend against clever hackers.

The tool’s value to cybersecurity practitioners is obvious, but ATT&CK’s leadership also believes in the benefit of sharing knowledge with novice audiences. Over the years, Robertson, Courtney Clark (ATT&CK's strategy lead), Lauren Lusty (ATT&CK's enterprise lead), and others have presented ATT&CK 101 primers at more than a dozen high schools and college classes.

Recently, Robertson introduced ATT&CK and core cyber concepts to an even younger generation, starting with first through third grade Girl Scouts.

Sparking a Broader Conversation

“ATT&CK makes jumping into the cybersecurity conversation a little bit easier,” Clark says. “When people think cyber, they think coding or something that's hard to touch, but if you equate those things with actions that could happen to them, it’s easier to visualize and understand.”

The visits are a hands-on avenue to share the key message that ATT&CK consistently confirms—bad actors online are getting savvier. Chatting with students also serves as a solid introduction to the burgeoning cybersecurity sector.

“Getting young people interested in cybersecurity from either a personal or career perspective is important,” says Lusty. “The more they understand the threats, the better they can defend themselves, at home or work.”

Inquiring Minds Want to Know

In the first few minutes of her presentations, Robertson likes to tell young audiences that as “the most connected generation in history,” they should understand that “literally anything online can be taken offline.” She starts with an example they can easily imagine, but might seem unlikely in their day-to-day lives: the electrical grid being shut down by a state-sponsored actor from China or Russia.

There’s a science to thinking like the bad guy and understanding their intent, Robertson elaborates. A state-sponsored actor has a different way of navigating an attack than a criminal simply looking to profit financially. “I try to make distinctions between the types of behaviors you might see from different adversaries,” she says. “Because if you understand why they’re attacking, you can often determine how, and what they may do next.”

Recently, she’s cited the young, native English-speaking hacker collective known as Scattered Spider, a group that first honed their skills on platforms like Roblox and Minecraft by deceiving, blackmailing, and “griefing”—intentionally ruining the game for other players. Now, they’ve grown into a highly adaptive threat group targeting multinational organizations. “It’s important they understand how dangerous and sophisticated the environment is,” Robertson says.

ATT&CK is a Swiss Army Knife

Robertson and Clark agree that the best part of student outreach is the meaningful discussion it sparks. One question they get asked a lot: "How do you get to know ATT&CK without boiling the ocean?"

“ATT&CK is a Swiss Army Knife™,” Clark tells groups. “I encourage people with specific interests to start by looking for adversaries targeting that field.” Another great option for newbies is clicking the random page button on the ATT&CK website, which directs visitors to a miscellaneous tactic, technique, procedure, or group detection. Formal trainings for various levels are also available via the website.

Robertson suggests finding one or two techniques a week and reading about use cases where they’ve been applied before. “The most crucial part is showing them how we're using the framework to communicate with each other in the cybersecurity world,” she says.

Before ATT&CK, cybersecurity teams lacked a consistent way to discuss and document adversary behaviors, leading to redundancy and miscommunication across both the public and private sector. Now it’s used by thousands of companies globally—from small organizations to top 10 Fortune 500 organizations.

“What I like about ATT&CK is that it’s accessible,” Clark says of the resource’s broad reach. “But it also evens the playing field.”

As the cybersecurity field faces a massive capacity gap, MITRE is stepping up to provide the skills and tools needed to meet the challenge.

“The time and investment we put into the next generation is crucial,” Robertson adds. “Because some of them are going to be on the front lines of cybersecurity next, probably along with us.”