Bohemia Ballroom 06 Dec 2017 16:00 - 16:30

Traditionally, Cyber Threat Intelligence (CTI) has tended to one of two extremes – low-level technical indicators of compromise or very high-level descriptions of adversary groups and their objectives. While both types of information can be extremely useful, there is knowledge that exists in between those two ends of the spectrum that can help organizations improve their defenses against known adversaries. This presentation explores MITRE ATT&CK, a freely-available resource developed by MITRE engineers based on real-world experience in detecting, tracking and interdicting adversary behavior on operational networks.

MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a modeling methodology and suite of threat models to represent common adversary tactics, techniques, and procedures (TTPs) used against computer systems. While the specific ATT&CK model can vary based on the platform and technology domain that it targets, each model consists of the following core components:

  • Tactics denoting tactical adversary goals during an attack.
  • Techniques describing how adversaries achieve tactical goals.
  • Documented adversary usage of techniques.

ATT&CK originated out of a project to classify post-compromise adversary techniques against Microsoft Windows systems to improve detection, however it has since grown to include Linux and MacOS, with additional domains including PRE-ATT&CK, covering pre-compromise, and technology-focused domains like ATT&CK for Mobile, covering pre- and post-compromise for mobile devices.

Since its public release, a hallmark of the ATT&CK project has been to collaborate with the cybersecurity community, both red and blue teams, to improve the model. ATT&CK is now in use by over 100 organizations, including government, non-profit, and commercial companies. MITRE’s role as a non-profit operating in the public interest has allowed us to collaborate with all types of organizations on ATT&CK, with a goal of improving the model for everyone’s use. Examples of collaboration have included a joint blog post on detecting cyber threats, incorporation of ATT&CK techniques and methods of detection into commercial software, and inclusion of new ATT&CK techniques that were not previously covered.

This presentation will provide an overview of ATT&CK and describe how to use it in operational contexts to focus and prioritize defenses. Attendees will learn how they can begin to employ ATT&CK within their organization using freely-available resources.

The MITRE Corporation
Chief Strategist for Cyber Threat Intelligence


Discussion not started yet.