William Booth, director, MITRE ATT&CK® evaluation, joined the SquareX Be Fearless podcast to discuss what organizations misunderstand about adversary emulation and how MITRE’s unique approach is pushing the industry forward.
Speaking about MITRE’s broader mission, Booth said, “We take real-life scenarios, run them through tests, and provide that data to the public so they can make more-informed decisions. Another part of what we do, which is unique to MITRE, is connect this work with MITRE’s broader research. There's a lot of forward-looking, horizon research happening here, and the program helps push the industry on topics that might otherwise be treated as a box to check.”
As cybersecurity threats grow more sophisticated, MITRE’s ATT&CK evaluations have become a vital tool in helping organizations evaluate and improve their defenses. The program is designed to emulate real-world adversaries and provide transparent data on how security products perform in realistic scenarios.
“We start with what is relevant and prevalent. We base it on ATT&CK, which has a core philosophy of focusing on observed behavior. It's not about hypothetical attacks, but real ones that have occurred,” said Booth. “When we select the adversary, several factors go into it. What trends are happening? Are they continued trends that have already been tested, where defenses just need to be implemented? Or are they new methods or approaches?”
Cloud infrastructure is one of the top priorities for MITRE’s upcoming evaluation, reflecting its growing importance and complexity in today’s threat landscape.
“We know it's a big risk, and there are threats out there,” said Booth. “Since we're basing it on known adversaries, known behaviors, and known threats, how do we address the risk when we have limited information on the threat side?”
One of the most common mistakes organizations make when approaching adversary emulation is failing to align it with their unique context. Success requires a deep understanding of internal infrastructure and risk posture.
“It's about taking a threat-informed defense approach. Even selecting which adversary to emulate is a key step,” said Booth. “That involves knowing your organization, your infrastructure, your industry, your geography.”
Booth also touched on the growing influence of artificial intelligence, not just in defense tools, but also in the attacks themselves.
“There are different levels of AI impact. It’s hard to quantify its effect. Phishing emails are improving, translating fluidly and harder to detect,” said Booth. “Standard users can’t pick out artifacts like before. Evaluations and tools focus on context and presenting relevant information to analysts. Defense includes automation and analyst investigation.”