MITRE ATT&CK project leader on why the framework remains vital for cybersecurity pros

MITRE ATT&CK, a common language for cybersecurity professionals to communicate with each other and better understand real-world adversary behaviors, celebrates its 10th anniversary this fall. In this Help Net Security interview, project leader Adam Pennington discusses the framework, how defenders can best use it, and what’s next.

MITRE ATT&CK framework evolution

What were the main drivers behind the creation of the MITRE ATT&CK framework back in 2013?

The framework was born out of an internal exercise performed at MITRE’s Ft. Meade, Md. site in 2013. We put sensors on desktop computers to analyze a series of red and blue team cyber operations, which wasn’t common back then. White team observers noticed that the red team’s actions weren’t representative of real-world adversary behavior. When they requested that the red team adjust their tactics, they lacked a unified language to explain themselves.

The white team changed course by pulling actual cyber-attack scenarios from honey pots of real data for the blue and red teams to design operations around. Ultimately, the exercise culminated with a basic Excel spreadsheet outlining different intrusion techniques using a common language. It was incredibly helpful to us internally, so on the chance it would be useful to the rest of the world, we released it publicly as MITRE ATT&CK.

How has the framework evolved over the past decade, especially in the last five years, where we’ve seen a surge in its popularity?

What started out as an Excel spreadsheet identifying one adversary and one tactic has transformed into a framework referenced and contributed to by users across the world. By the time it reached the public, there were around 100 behaviors, and in 2016 we began tracking groups and software based on open-source threat intelligence reporting. In 2018, we amassed enough interest to launch ATT&CKcon (the fourth iteration of the user conference will run Oct. 24-25 at MITRE’s McLean, Va., headquarters).

In the last five years, we’ve expanded the core framework with ATT&CK for industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (computer switches and routers), and more. We continue to make information digestible and user friendly by including both what adversary tactics are, and techniques users can employ to defend against them. To that end, we recently added pseudocode analytics directly to ATT&CK that people can use in their defenses as an “easy button.”

How does the framework stay up to date with real-world observations and contributions? How often is it updated?

As I’m answering this question, we’ve gotten at least one contribution from a community member via email—evidence that we receive updates often! ATT&CK is heavily community driven. Our framework isn’t effective without users keeping us abreast of the latest threats.

Additionally, we monitor social media, public reports from various government entities, and updates from incident response firms. Behind the scenes, we have large teams maintaining and organizing information for each respective arena.

We release a new version of ATT&CK every six months. After trying out shorter and longer timeframes, we found six months to be the sweet spot satisfying both organizations that bake ATT&CK into their products and defenses and those who want information fast.

Given the evolving nature of cyber threats, what long-term value does the MITRE ATT&CK framework offer to cybersecurity professionals?

ATT&CK continues to evolve right alongside adversaries, but historically this is a space that changes slowly over time. Bad actors exhibit relatively routine methods once they’ve gained entry into a network. Even though the exact piece of software, IP address, or even the human on the other end may differ, there are fundamental attack sequences that don’t often fluctuate. Behaviors documented in ATT&CK a decade ago are still seen today.

On the other hand, there are new spaces ripe for intrusion like cloud-based products. We’re expanding the framework in step with new technologies.

For organizations that find the initial implementation process complex, what advice do you have to ease this learning curve?

Start with bite size pieces. Time and time again, we’ve seen cybersecurity teams from small organizations attempt to comprehensively integrate ATT&CK into their defenses, just to quickly realize they’re in over their heads. The framework is not one-size-fits-all.

To solve for this challenge, we recommend multiple strategies focused on starting small. The framework is divided into techniques, so an organization may begin with a single tactic relevant to their system. For example, if you’re concerned with identity management, you can dig into how adversaries are stealing passwords and identify overlap between their behaviors. Once you reach those prioritization points, it’s easier work backwards and add protections against them.

What are some of the less obvious applications of the framework that professionals in the cybersecurity industry should be aware of?

We’re pleasantly surprised to see how ATT&CK is being leveraged in academic environments, from high schools to universities. One high school in Virginia invited our team to come in and speak to the work, which they previously integrated into their curriculum.

Several private sector organizations also have woven the framework into employee education. I recently spoke to somebody whose company regularly discusses a “technique of the week” pulled from the ATT&CK database.

What future enhancements or expansions do you envision for the MITRE ATT&CK framework?

As adversaries explore new exploitation methods, we’ll be there cataloging their every move. Our team continues to advance threat intelligence reporting on spaces growing in popularity, such as Linux and operating systems beyond Windows.

The goal is, and has always been, to build a community of cyber defenders. We know ATT&CK is a boon for larger organizations, but we’re working on ways to make it more accessible for smaller and less-resourced entities.

More resources

Don't miss