This past October many of you joined us as we held our second ATT&CKcon, ATT&CKcon 2.0. 260 of you travelled to McLean to participate in person while an incredible 7,315 of you registered to live-stream the conference with a total of 11,301 hours watched. We also had at least 98 watch parties and many of you interacted with us on Twitter, commenting on the talks, and sending us your best ATT&CK memes.
To all of you who joined in ATT&CKcon, whether physically or virtually, we thank you! ATT&CK is all about community-based collaboration and it can’t exist without you.
We’ve had a busy few months since ATT&CKcon, with the beta release of the Threat Report ATT&CK Mapper (TRAM) Tool, the unveiling of the ATT&CK for Cyber Threat Intelligence (CTI) training, and the roll out of ATT&CK for ICS. With the dust temporarily settling, we wanted to recap some of the key takeaways we saw at ATT&CKcon 2.0.
Our keynote speaker, Toni Gidwani from Google’s Threat Analysis Group, spoke about how ATT&CK has helped to bridge intelligence and operations by empowering enterprises to evolve from indicators of compromise (IoC)-based intel to more forward-leaning adversary TTPs. Gidwani also highlighted that despite ATT&CK’s complexity, it enables a team consensus-based approach to defense.
This collaborative focus on empowering defenders is a key tenant of ATT&CK and one that was echoed across many of the presentations this year. Our ATT&CKcon lineup featured contributors from across the community with tactics on how to ATT&CK better. Whether an organization is just starting to use ATT&CK or has been using it for years, ATT&CKcon presenters shared key observations, best practices, and approaches for teaming up across organizations to operationalize the framework.
Prioritization within ATT&CK was a theme we heard across regular sessions and the BoF conversations. This isn’t a new topic within the community, but it can present challenges for even the most resourced and mature organizations. Our contributors reinforced that prioritizing efforts and resources should be tailored to your unique environment and the threat actors targeting it. Key strategies were shared on ranking data sources and ensuring their accuracy, identifying gaps in detection capability, and visualizing coverage.
If you weren’t able to participate in the ATT&CKcon sessions, the recordings and slide decks are posted on the ATT&CK website.
Birds of a Feather
ATT&CKcon Birds of a Feather (BoF) conversations took place the day before the main conference during our pre-conference program. These dialogues enable community peers to meet for informal discussions on a common topic. Our topics ranged from emulation, machine learning, cyber threat intelligence, and cloud, to ATT&CK for ICS, threat hunting, and sub-techniques.
ATT&CK’s complexity was a topic we heard throughout BoF conversations. Contributors shared their experiences prioritizing techniques, harnessing a blend of contextual data sources, and consistently challenging defenses to validate coverage and detect gaps. We explored mapping controls to ATT&CK and using adversary emulation for the best metrics, as well as minimizing vulnerabilities through defense in depth strategies.
Some of our machine learning conversations highlighted challenges, including data tagging and showing the value of detection. We heard about the value of combining machine learning and natural language processing (NLP) to more efficiently categorize, ingest and describe threat behavior. The SIEM paradigm shift was explored and we discussed layering big data tools on top of SIEMs for more accurate correlations at scale. We talked about upping the defense game through predictive and compound analytics. We heard from the many of you about the need for a community-driven common data model and exchange format.
We reflected on adversary emulation providing more true positives to gauge effectiveness, along with using purple teaming for threat modeling and enhancing findings. Our participants promoted factors that contribute to purple team success (common goals, communication, collaboration, and transparency). Innovation and automation are also vital elements highlighted for taking purple teaming to the next level. We heard that continuous iterative testing is a key approach to validate detection and the value of countermeasures.
Our discussions explored the human aspect of actors. Key elements included understanding their reactions, the levers influencing their behavior, and predicting end points based on behavior chains. Legal infrastructure takedowns were up for debate — we talked about how they can halt progress by confusing the landscape and forcing adversary behavior change. We agreed that while contextual indicators still matter, moving towards behavioral analytics can lead to more favorable results. Attribution conversations touched on the challenging elements, including a shift towards public and commonly used tools and overlapping techniques. This led to a consensus that findings should be conveyed with confidence levels.
Information sharing conversations highlighted success stories, but also the challenges in this space. Some participants have success with “advance sharing” among vendors prior to publication and ATT&CK-based intel sharing. In information sharing situations, we the more sophisticated entities rarely receive the same level of benefit. Many teams are also struggling with making information sharing more scalable and useful.
Another conversation motif was using ATT&CK in tandem with other frameworks and methodologies — and we agree. ATT&CK was not created as one framework to rule them all and it has its own limitations. Participants shared their experiences with layering tactical and strategic frameworks for effective outcomes.
One of our favorite conversations centered on sub-techniques. We’ve heard from the community that the differing technique granularity can be a challenge, and that some organizations have started developing their own sub-techniques. As you may be aware, we’ve been working towards restructuring ATT&CK with sub-techniques and we had the opportunity to discuss this and minimizing the potential impact. You told us that a sub-technique roadmap and training would be helpful, and we welcome any other feedback that would make ATT&CK even more useful.
Thank you to everyone who participated in ATT&CKcon physically, virtually, or vicariously through others — we look forward to hearing more about your experiences and connecting with you again.
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–01075–22.