In our last post we talked about how we define threat-informed defense. When I first heard of threat-informed defense, and probably longer ago than I would like to admit, it was unclear to me how it differed from MITRE ATT&CK®. Expecting there might be others with similar confusion, I thought it would be helpful to explain how these worlds come together, relating it back to my own experience.
To start the discussion on how ATT&CK and threat-informed defense come together, let’s first go back nearly a decade... I had just started my journey into post-exploit detection research in a little-known MITRE project called FMX. This project was designed with the goal of changing a mindset from a perimeter focused defense to presumed breach – finding the adversary faster within the network. In the early days of the project, I was spending my days in my Splunk dashboard, developing analytics of what I think might be unusual behavior while learning about new data sources we had from turning sensors on their side, and developing our own.
Then came the moment of clarity…I was blessed with an email that was a (more or less) top 10 list of adversary behaviors from Adam Pennington (the current lead of ATT&CK). These behaviors he had observed and thought they could be used to focus my (and the rest of the team’s) analytic development processes. A month or two later, we had our first FMX red team exercise, and those analytics would prove pivotal to our success. But perhaps more importantly, it created a new way of thinking for me and the rest of the blue team – every analytic we develop should be grounded by the threat.
As we matured, we needed intel beyond that top 10 list, we needed ways of communicating within our team what we were working on during each sprint, and we needed ways of understanding what the red team did in our post-engagement hot-washes. Additionally, we needed ways for leadership to define test criteria and for us to communicate progress and success. Out emerged ATT&CK as a common language for us to use.
ATT&CK would continue to motivate everything we did. ATT&CK-based analytics. ATT&CK-based red teaming. ATT&CK-based evaluations. It was everywhere. Fast-forward through its public release, there has been an enormous amount of work by so many influential people within MITRE and without. ATT&CK has become a powerful mechanism to communicate throughout industry, and as a result, widespread adoption has followed.
In the middle of this “ATT&CK-based” movement, I started getting asked about “Threat-Informed Defense”. I couldn’t help but wonder why this new guy at MITRE, Rich Struse was putting a new name to the “ATT&CK-based” moniker that I, like so many others, had been using in those early years of the MITRE ATT&CK® knowledge base’s existence.
Then came a discussion where he made me realize that threat-informed defense, while empowered by ATT&CK, is far from limited to it. Threat-informed defense includes other threat information, such as vulnerabilities and open source and closed source intelligence. It includes defensive context, such as capabilities, mitigations, and controls. What ATT&CK does is provide a common language to connect each of those sets.
While I had been on the forefront of ATT&CK as the common language between red, blue, intel and leadership from my experience with FMX, I had lost the broader context in which ATT&CK existed. I had eaten, slept, and breathed ATT&CK since it was a spreadsheet of a handful of techniques being pitched around the office, but I was too accustomed with answering the “why ATT&CK”, to the detriment of putting up mental blocks around vulnerabilities and controls who were someone else’s problem to tackle.
But as I took this step back with Rich, I realized to effectively leverage ATT&CK and enable its widespread adoption, we really needed to consider the broader ecosystem. As much as I might live in the presumed breach world, vulnerabilities enable adversaries to get into the organization in the first place. I might be focused on endpoint detection of adversary behaviors, but many organizations are stuck living in a world driven by compliance.
The good news was that ATT&CK could also serve as a common language on the technical plane, between adversary behaviors and vulnerabilities, controls, intel, mitigations, etc., in the same way it is used in the logical plane, between red teams, blue teams, etc. And while ATT&CK was game changing, the staples – the vulnerabilities, controls, etc., could not be forgotten. Instead, they are all part of a threat-informed ecosystem.
On the one hand, the potential complexity caused by all these different relationships seems daunting. The Center for Threat-Informed Defense has over 6,300 NIST 800.53 controls to ATT&CK mappings. They also mapped over 800 CVEs to ATT&CK, as just the tip of the iceberg. ATT&CK allows us to focus on behaviors that change less frequently than vulnerabilities or the malware that implements the behaviors, but there are currently 188 Techniques and 379 Sub-techniques. For organizations just starting with ATT&CK, and even many that have been using it for some time, prioritization is a problem. Does this threat du-jour matter to me? Am I prepared to defend against it? Which ATT&CK coverage gaps should I address first? How do I know how to address those gaps?
On the other hand, each relationship forged in the threat-informed defense ecosystem, made possible by ATT&CK, allows us to better prioritize the threats and what we do about them. We can understand how a vulnerability enables certain ATT&CK techniques, and whether a specific threat we care about is known to use that technique. We can map our capabilities and controls to those same techniques to know how we are prepared (or not) to defend against those threats. Put simply, ATT&CK is the glue that makes threat-informed defense possible. It allows us to focus our energy, and not just tilt at windmills.
The challenge can then shift to how to identify what threats matter to you and what to do about them. While this is still far from trivial, threat-informed defense makes the prioritization of threats and defenses more effective. Understanding the art and science of identifying these for your organization is where Tidal focuses its efforts and are also topics we look forward to discussing more in the future.
(1) For more information on the FMX-ATT&CK history, I recommend reading the MITRE paper entitled "Finding Cyber Threats with ATT&CK-Based Analytics", as well as the “MITRE ATT&CK: Design and Philosophy” paper.