Using Knowledge Of Adversary TTP’s To Inform Cyber Defense: MITRE's ATT&CK™ Framework

Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague

Using Knowledge of Adversary TTP’s to Inform Cyber Defense: MITRE's ATT&CK™ Framework

Bohemia Ballroom

06 Dec 2017 04:00 PM - 04:30 PM(America/Chicago)

20171206T1600 20171206T1630 America/Chicago Using Knowledge of Adversary TTP’s to Inform Cyber Defense: MITRE's ATT&CK™ Framework Traditionally, Cyber Threat Intelligence (CTI) has tended to one of two extremes – low-level technical indicators of compromise or very high-level descriptions of adversary groups and their objectives. While both types of information can be extremely useful, there is knowledge that exists in between those two ends of the spectrum that can help organizations improve their defenses against known adversaries. This presentation explores MITRE ATT&CK, a freely-available resource developed by MITRE engineers based on real-world experience in detecting, tracking and interdicting adversary behavior on operational networks. MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a modeling methodology and suite of threat models to represent common adversary tactics, techniques, and procedures (TTPs) used against computer systems. While the specific ATT&CK model can vary based on the platform and technology domain that it targets, each model consists of the following core components: Tactics denoting tactical adversary goals during an attack. Techniques describing how adversaries achieve tactical goals. Documented adversary usage of techniques. ATT&CK originated out of a project to classify post-compromise adversary techniques against Microsoft Windows systems to improve detection, however it has since grown to include Linux and MacOS, with additional domains including PRE-ATT&CK, covering pre-compromise, and technology-focused domains like ATT&CK for Mobile, covering pre- and post-compromise for mobile devices. Since its public release, a hallmark of the ATT&CK project has been to collaborate with the cybersecurity community, both red and blue teams, to improve the model. ATT&CK is now in use by over 100 organizations, including government, ... Bohemia Ballroom Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague events@oasis-open.org

Add to my Schedule

17 attendees saved this session

Traditionally, Cyber Threat Intelligence (CTI) has tended to one of two extremes – low-level technical indicators of compromise or very high-level descriptions of adversary groups and their objectives. While both types of information can be extremely useful, there is knowledge that exists in between those two ends of the spectrum that can help organizations improve their defenses against known adversaries. This presentation explores MITRE ATT&CK, a freely-available resource developed by MITRE engineers based on real-world experience in detecting, tracking and interdicting adversary behavior on operational networks.

MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a modeling methodology and suite of threat models to represent common adversary tactics, techniques, and procedures (TTPs) used against computer systems. While the specific ATT&CK model can vary based on the platform and technology domain that it targets, each model consists of the following core components:

Tactics denoting tactical adversary goals during an attack.
Techniques describing how adversaries achieve tactical goals.
Documented adversary usage of techniques.

ATT&CK originated out of a project to classify post-compromise adversary techniques against Microsoft Windows systems to improve detection, however it has since grown to include Linux and MacOS, with additional domains including PRE-ATT&CK, covering pre-compromise, and technology-focused domains like ATT&CK for Mobile, covering pre- and post-compromise for mobile devices.

Since its public release, a hallmark of the ATT&CK project has been to collaborate with the cybersecurity community, both red and blue teams, to improve the model. ATT&CK is now in use by over 100 organizations, including government, non-profit, and commercial companies. MITRE’s role as a non-profit operating in the public interest has allowed us to collaborate with all types of organizations on ATT&CK, with a goal of improving the model for everyone’s use. Examples of collaboration have included a joint blog post on detecting cyber threats, incorporation of ATT&CK techniques and methods of detection into commercial software, and inclusion of new ATT&CK techniques that were not previously covered.

This presentation will provide an overview of ATT&CK and describe how to use it in operational contexts to focus and prioritize defenses. Attendees will learn how they can begin to employ ATT&CK within their organization using freely-available resources.

Mr. Richard Struse

Chief Strategist for Cyber Threat Intelligence

The MITRE Corporation

Moderators public profile is disabled.

Attendees public profile is disabled.

Upcoming Sessions

260 visits

Please enter the four digit secret code The secret code should have been announced or displayed at the session location.

Please enter the four digit secret code
The secret code should have been announced or displayed at the session location.