Guidance to help cyber threat intelligence analysts apply MITRE ATT&CK

CISA has partnered with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which worked with the MITRE ATT&CK team, to issue guidance to help cyber threat intelligence analysts make better use of MITRE ATT&CK.

MITRE ATT&CK guidance

MITRE ATT&CK is a knowledge base of adversary information widely used by network defenders as they analyze and report on security threats. Understanding adversary behavior is often a critical initial step in protecting networks and data, and the success that defenders have in spotting and mitigating cyberattacks depends on this understanding, according to the guidance.

A solid understanding of how to apply ATT&CK can be used to develop adversary profiles; conduct activity trend analyses; and be incorporated into reporting for detection, response, and mitigation purposes, the document states.

MITRE ATT&CK guidance

The guidance includes strategies and tips for identifying adversary behaviors in finished reporting and raw data. It recommends that analysts first become comfortable with mapping their finished reports to ATT&CK, as there are often more clues within finished reports that can help them determine the appropriate mapping.

“In addition to helping agencies and organizations strengthen their cyber defenses, CISA is also focused on supporting their efforts to build appropriate resilience in the event of a compromise,” said Eric Goldstein, executive assistant director for cybersecurity, CISA.

“Our close and collaborative partnership with HSSEDI enabled us to produce a valuable resource to help entities apply ATT&CK, a framework that can build cyber defenses and resilience. We look forward to exploring more opportunities with HSSEDI and like-minded partners.”

Many security pros struggling to take full advantage of the ATT&CK knowledge base

While ATT&CK is used by more than 80 percent of enterprises, a recent study indicated that many security professionals struggle to take full advantage of the knowledge base.

“It has been great to partner with CISA as it applies ATT&CK, and I’m so pleased that they’re sharing their experience so that the whole community can benefit,” said John Wunder, cybersecurity operations principal in HSSEDI. “A better understanding of ATT&CK can help people focus on watching for adversary behavior as they defend their networks, rather than just searching for indications of compromise.”

“The MITRE ATT&CK team and I were glad to support HSSEDI in the development of this guide with CISA. I am confident that this guide will help users more effectively map cyber threat intelligence to ATT&CK,” said Adam Pennington, MITRE ATT&CK lead.

Don't miss