2023 Impact Report: Advancing Threat-Informed Defense Globally

Jon Baker
MITRE-Engenuity
Feb 12, 2024 · 5 min read

Written by Jon Baker and Denise Davenport.

The 2023 Center for Threat-Informed Defense Impact Report is here! This year’s report showcases more than two dozen freely available projects for your team and your organization to adopt and use as your own.

Curated by 37 sophisticated cybersecurity teams from around the world, the Impact Report highlights research projects that often build upon MITRE ATT&CK® and enable industry-wide innovation. Together, these projects advance threat-informed defense across our three key problem areas: Cyber Threat Intelligence, Testing & Evaluation, and Defensive Measures.

Within this report, you will discover cyber solutions that arm defenders with a data-driven view of adversary behaviors in the wild, simplify testing cyber defenses against critical threats, and help defenders understand which defensive measures can be applied to critical threats. Now let’s review a few of the projects highlighted in the 2023 Impact Report and offer some insight into what you can expect from the Center in 2024.

Cyber Threat Intelligence

CTI Blueprints was born from the need to make cyber threat intelligence reports actionable so that their users can operationalize them efficiently. The project increases the operational relevance of reports through a standardized set of templates that help analysts answer specific analytic questions for common cybersecurity use cases, sample reports that demonstrate best practices for each type of report, and a set of tools for publishing both human- and machine-readable reports. CTI Blueprints is now used by cyber threat intelligence producers globally to create actionable intelligence reports tailored to user needs.

“We provide threat intelligence reporting to customers and their TI teams across 45 countries in government and commercial spaces, and the more people across the ecosystem we can get using CTI Blueprints, the more the ecosystem as a whole will benefit.” — Adrian Nish, BAE Systems Digital Intelligence

Testing & Evaluation

The OceanLotus Adversary Emulation Plan is the latest contribution to the Center’s Adversary Emulation Library. This adversary emulation plan gives visibility into threats against two critical operating systems, macOS and Linux, and it is our first emulation plan to include a documented range setup to better support purple teaming. This work has been shared across the macOS and Linux security communities and represents a critical step towards building threat-informed defense resources for these platforms.

“This emulation project offers a comprehensive exploration of OceanLotus, along with an in-depth understanding of penetration testing techniques applicable to macOS environments.” — Kotaro Ohsugi, Fujitsu

Defensive Measures

Sensor Mappings to ATT&CK gives cyber defenders the information they need to identify and understand cyber incidents occurring in their environment. Various tools and services are available to collect system or network information, but it is not always clear how to use those tools to provide visibility into specific threats and adversarial behaviors occurring in an environment. These mappings between sensor events and ATT&CK data sources allow cyber defenders to create a more detailed picture of cyber incidents, including the threat actor, technical behavior, telemetry collection, and impact.

“The project is key to us as it not only provides mappings for several widely-used toolsets, but also establishes a repeatable methodology for performing future mappings.” — Alex Wallace, Lloyds Banking Group

Building Community

We envision a global community of threat-informed defense practitioners learning together and working in collaboration to make cyber defense more efficient and effective. In 2023, we made significant progress towards uniting the global community by establishing an Advisory Council to provide strategic guidance and executive advocacy and laying the foundation for a global series of practitioner-led ATT&CK workshops.

As we begin 2024, we are prepared to host the inaugural Asia-Pacific ATT&CK Community Workshop in Singapore. Then, in partnership with the Centre for Cybersecurity Belgium, we will continue with the 12th EU ATT&CK Community Workshop. In the fall, we will wrap up the global series with the 5th ATT&CKCon.

“As the Center’s first Research Participant from Singapore, Ensign is honored to be at the forefront of the Center’s community building efforts in the Asia-Pacific Region. Bringing regional practitioners of MITRE ATT&CK together under one roof for a community event has enormous potential to change the game on the adversary in our unique corner of the world. We look forward to working with like-minded practitioners to safeguard the cyberspace for the greater good.” — Mr. Lim Minhan, Ensign InfoSecurity

Looking Ahead

The Center’s R&D program continually evaluates new ideas, launches new projects, and publishes impact-driven R&D. As we begin 2024, we are preparing to release five new projects that will expand the corpus of security capabilities mapped to ATT&CK, make it significantly easier for defenders to analyze and apply those mappings, expand our Insider Threat TTP Knowledge Base, provide defenders with a data-driven view of adversaries in the wild, and establish resources for measuring and maturing your threat-informed defense program. All of that is planned for the first quarter of 2024.

Sign up here to stay informed of Center news and project releases and follow us on LinkedIn.

Join Us

People like you and organizations like yours drive the Center’s R&D program. There are a number of ways you and your organization can become part of the Center for Threat-Informed Defense community. Check out the “Get Involved” section of the Impact Report for more information or contact us at CTID@mitre-engenuity.org.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, the outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0101


Jon Baker, MITRE-Engenuity: Director and co-Founder, Center for Threat-Informed Defense