CISA Issues Guidance for Using MITRE ATT&CK® for Cyber Threat Intelligence

Knowledge Base Can Benefit Threat Analysis, Reporting
Programmer working on code

McLean, Va., and Bedford, Mass., June 2, 2021The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Homeland Security Systems Engineering and Development InstituteTM (HSSEDI), which worked with the MITRE ATT&CK® team, to issue guidance to help cyber threat intelligence analysts make better use of MITRE ATT&CK. HSSEDI is a DHS-owned federally funded research and development center operated by MITRE.

MITRE ATT&CK is a knowledge base of adversary information widely used by network defenders as they analyze and report on security threats. Understanding adversary behavior is often a critical initial step in protecting networks and data, and the success that defenders have in spotting and mitigating cyberattacks depends on this understanding, according to the guidance. A solid understanding of how to apply ATT&CK can be used to develop adversary profiles; conduct activity trend analyses; and be incorporated into reporting for detection, response, and mitigation purposes, the document states.

The guidance includes strategies and tips for identifying adversary behaviors in finished reporting and raw data. It recommends that analysts first become comfortable with mapping their finished reports to ATT&CK, as there are often more clues within finished reports that can help them determine the appropriate mapping.

“In addition to helping agencies and organizations strengthen their cyber defenses, CISA is also focused on supporting their efforts to build appropriate resilience in the event of a compromise,” said Eric Goldstein, executive assistant director for Cybersecurity, CISA. “Our close and collaborative partnership with HSSEDI enabled us to produce a valuable resource to help entities apply ATT&CK, a framework that can build cyber defenses and resilience. We look forward to exploring more opportunities with HSSEDI and like-minded partners.” 

While ATT&CK is used by more than 80 percent of enterprises, a recent study indicated that many security professionals struggle to take full advantage of the knowledge base.

“It has been great to partner with CISA as it applies ATT&CK, and I'm so pleased that they're sharing their experience so that the whole community can benefit,” said John Wunder, cybersecurity operations principal in HSSEDI. “A better understanding of ATT&CK can help people focus on watching for adversary behavior as they defend their networks, rather than just searching for indications of compromise.”

“The MITRE ATT&CK team and I were glad to support HSSEDI in the development of this guide with CISA. I am confident that this guide will help users more effectively map cyber threat intelligence to ATT&CK,” said Adam Pennington, MITRE ATT&CK lead. 

About MITRE

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

Media Contact: Jeremy Singer, media@mitre.org