2023 R&D Roadmap to Advance Threat-Informed Defense

Jon Baker
MITRE-Engenuity
8 min read, Apr 13, 2023

Written by Jon Baker, Maggie MacAlpine, and Ross Weisman.

At the Center for Threat-Informed Defense (Center), we work with our Participants and the global community to advance the state of the art and the state of the practice in threat-informed defense. We continually and systematically evaluate new ideas and hard problems as candidates for impactful research and development (R&D) projects. Through our collaborative R&D program, we create practical resources that make cyber defense more efficient and effective with a goal of changing the game on the adversary.

2023 is off to a strong start. In March, the Center announced a new Advisory Council to increase impact and support strategic growth in the interest of advancing threat-informed defense. Last week, we published our first project of the year (VERIS Mappings to MITRE ATT&CK®) and we are actively developing six distinct projects (plus moving several more through the innovation pipeline).

R&D problem areas

Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.

Our R&D projects address practical, real-world problems faced by organizations as they operationalize MITRE ATT&CK® and implement threat-informed defense. The R&D program includes three core problem areas that together allow us to systematically advance threat-informed defense.

  1. Cyber Threat Intelligence: Increase the operational effectiveness of threat-intel products and advance the global understanding of adversary behaviors.
  2. Test & Evaluation: Bring the adversary perspective to cybersecurity test and evaluation to understand true defensive posture.
  3. Defensive Measures: Systematically advance our ability to detect and prevent adversary behaviors.

Figure: Threat-informed defense enables a continual feedback loop.

We collaborate with our Participants to develop the Center’s R&D agenda, working across these problem areas. Center Participant insights and experience ensure that we are focused on the challenges that will have the greatest benefit across the ecosystem. Our R&D program is agile and designed to adjust as our environment changes and new challenges arise.

R&D Roadmap

2023 looks to be our biggest year yet. We have aligned our R&D roadmap around our core problem areas to better show how each project contributes to the problem areas and supports our mission to advance threat-informed defense globally.

Threat Intelligence

Cyber threat intelligence (CTI) reports should provide data that helps users make decisions about how to defend against specific threats. But CTI producers often do not get feedback about what works and what does not. We launched the CTI Blueprints project to address this problem and to advance standardization and quality in CTI reporting tailored to audience needs. CTI Blueprints will guide threat-intel teams in creating well-structured reports that are both tailored to their target audience and actionable. Expected release in June 2023.

TRAM is getting a major overhaul because it needs to be much easier for security teams to identify and track adversary behaviors in CTI reports. In March, we kicked off this project with a blog post detailing our plans for TRAM and extending a community-wide invitation to join us as we explore the application of Large Language Models to identifying ATT&CK techniques in threat-intel reports. Expected release Q3.

ATT&CK Workbench, the open-source platform for managing and extending ATT&CK, is also under active development. The next major update will better support enterprises and communities that seek to customize and extend ATT&CK with features like support for teams of users, enhanced search, a matrix view, import and export capabilities, and a rich set of user training material. Expected release Q3.

Sightings Ecosystem is building a global view of threat activity mapped to MITRE ATT&CK. To create this view, we are seeking data contributors willing to contribute observations of adversary activity mapped to ATT&CK, called “sightings”. Insight into real-world adversary behaviors enables cyber defenders to focus on defending against the most pressing threats to their organization. Expected release Q3.

Attack Flow, the data model for representing sequences of observed adversary behaviors, will be foundational to new threat-intel related R&D. We are actively scoping research to enable more intelligent threat hunting and investigating what we can discover about previous or subsequent adversary behavior after analyzing collections of attack flows. Stay tuned for more as we define the next set of R&D projects building upon Attack Flow.

Test & Evaluation

Micro Emulation Plans help organizations validate their defenses quickly and easily: they are small-scale adversary emulation plans focused on common threats and fully automated using compatible tools. Building upon last summer's initial release, we aim to publish new attack sequences that empower defenders against a new set of important threats. Expect additions in April.

The Adversary Emulation Library has expanded tremendously since we first published the FIN6 emulation plan in September 2020. Although the Library has focused on threats to Windows enterprise systems, attackers increasingly target macOS, and we plan to develop new emulation content to help defenders better understand and emulate these threats. Look for an addition to the library in Q4 2023.

Defensive Measures

Top ATT&CK Techniques tackles prioritization of defender resources. We built a calculator with a publicly available methodology to help defenders focus on the adversary behaviors that are most relevant to their organization and should have the greatest effect on their security posture. This spring we are updating the project to align with the latest version of ATT&CK and integrate numerous community enhancements. Expect this release in May.

New research into advancing detection engineering aims to improve our collective ability to detect adversary behaviors. We need hard-to-evade detection logic, the telemetry that that logic relies upon, and the ability to validate these continuously. We centered the first three prongs of our approach around exactly this structure:

  • We have research underway to determine the robustness of a behavioral analytic from the evasiveness of the red observables it relies upon, as well as how to elevate the analytic, when appropriate, by basing it on observables that are harder to evade.
  • We are starting new work to determine what observables are produced by common logs, sensors, and other defensive capabilities.
  • We plan to pursue one additional research effort to automate the verification of blue detections against red observables.

This work will help defenders detect adversary behavior even as it evolves, hampering adversaries' present and future campaigns. Expect the first release in Q3.
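
The three prongs above (analytic robustness, the observables available, and automated verification of blue detections against red observables) fit naturally into one harness. The following is an added illustration, not Center code: three analytics for the same behaviour (encoded PowerShell execution) are run over a corpus of constructed process-creation events with known expected verdicts. The event fields are made up to resemble Sysmon Event ID 1 records, the names `RedObservable`, `verify` and `robustness_report` are this example's own, and the point it shows is that an analytic keyed on a literal flag spelling is evaded by the abbreviated parameter names powershell.exe accepts, while an analytic keyed on the harder-to-evade observable (the encoded payload itself) is not.

```python
"""Verify detection analytics against a corpus of red observables.

Added illustration (not Center code). Events are constructed process-creation
records shaped like Sysmon Event ID 1 fields; verdicts are the expected result.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]
Analytic = Callable[[Event], bool]

# Harmless UTF-16LE payload, base64-encoded the way -EncodedCommand expects.
PAYLOAD_B64 = base64.b64encode(
    "Write-Output 'red team marker'".encode("utf-16-le")).decode("ascii")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass
class RedObservable:
    name: str        # what the red team did
    event: Event     # telemetry the action produced (constructed)
    malicious: bool  # verdict the analytic should return


RED_OBSERVABLES: List[RedObservable] = [
    RedObservable("encoded command, full flag",
                  {"Image": PS_IMAGE,
                   "CommandLine": f"powershell.exe -NoP -EncodedCommand {PAYLOAD_B64}"},
                  True),
    RedObservable("encoded command, abbreviated -enc",
                  {"Image": PS_IMAGE,
                   "CommandLine": f"powershell.exe -nop -w hidden -enc {PAYLOAD_B64}"},
                  True),
    RedObservable("encoded command, abbreviated -e",
                  {"Image": PS_IMAGE,
                   "CommandLine": f"powershell.exe -e {PAYLOAD_B64}"},
                  True),
    RedObservable("benign admin script",
                  {"Image": PS_IMAGE,
                   "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
                  False),
]


# Analytic 1 (brittle): keyed on the literal flag spelling. powershell.exe
# accepts any unambiguous prefix of a parameter name, so -enc and -e evade it.
def literal_flag(event: Event) -> bool:
    return "-encodedcommand" in event.get("CommandLine", "").lower()


# Analytic 2 (sturdier): accept every prefix of "encodedcommand" the interpreter
# would. The trailing \b stops "-e" from matching "-ExecutionPolicy".
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENC_FLAG_RE = re.compile(rf"(?:^|\s)-(?:{_PREFIXES})\b", re.IGNORECASE)


def prefix_flag(event: Event) -> bool:
    return ENC_FLAG_RE.search(event.get("CommandLine", "")) is not None


# Analytic 3 (hardest to evade for this behaviour): ignore the flag and look for
# any argument that base64-decodes to printable UTF-16LE text, which is what an
# encoded command is however the flag is spelled.
def decoded_payload(event: Event) -> bool:
    for token in event.get("CommandLine", "").split():
        if len(token) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", token):
            continue
        try:
            text = base64.b64decode(token).decode("utf-16-le")
        except ValueError:  # bad padding or not valid UTF-16LE
            continue
        if text.isprintable():
            return True
    return False


ANALYTICS: Dict[str, Analytic] = {
    "literal_flag": literal_flag,
    "prefix_flag": prefix_flag,
    "decoded_payload": decoded_payload,
}


def verify(analytic: Analytic, corpus: List[RedObservable]) -> Dict[str, List[str]]:
    """Run one analytic over the corpus; report misses and false positives by name."""
    missed = [o.name for o in corpus if o.malicious and not analytic(o.event)]
    false_positives = [o.name for o in corpus if not o.malicious and analytic(o.event)]
    return {"missed": missed, "false_positives": false_positives}


def robustness_report() -> Dict[str, Dict[str, List[str]]]:
    """Verdict table for every analytic; fewer misses means a harder-to-evade analytic."""
    return {name: verify(fn, RED_OBSERVABLES) for name, fn in ANALYTICS.items()}


if __name__ == "__main__":
    for name, result in robustness_report().items():
        print(f"{name:16s} missed={result['missed']} fp={result['false_positives']}")
```

Run as a script it prints one row per analytic; in a pipeline the corpus would be fed from actual red-team executions and their captured telemetry, and a miss would fail the build of the analytic. The decoded-payload analytic is not a silver bullet either (an adversary can avoid base64 entirely), which is exactly why the corpus of red observables, not the analytic, is the artifact to keep growing.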

To advance threat-informed defense, we must be able to measure it. The concept of “coverage” (i.e., “What is my defensive posture?” for a given ATT&CK technique) is at the core of threat-informed defense, yet there is no clear consistent approach to quantifying and verifying coverage. This is reflective of a larger struggle to measure, maximize, and mature all facets of threat-informed defense. We are not only seeking to create that coverage standard, but also to create a best-practices guide for maximizing threat-informed defense. Expect initial publications Q3.

Mappings for all!

Open resources that link frameworks, concepts, and defensive capabilities to ATT&CK save countless hours of valuable defender time and create a foundation for threat-informed defense. We have several exciting mappings projects recently published or in the works, including:

  • Expanding our existing integration between ATT&CK and VERIS. Published April 6th.
  • A new open-source tool to help the community update their mappings to ATT&CK, because staying in sync with ATT&CK needs to be much easier than it is today. Expected release May 2023.
  • Updated mappings for NIST SP 800-53 to align with the latest version of ATT&CK. Expected release May 2023.
  • Developing a one-stop-shop for all Center mappings to enable easy access to our full suite of mappings and position the community to easily expand the mappings corpus. Expected release Q4.
  • Creating a new set of security stack mappings for M365. Expected release Q4.

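Keeping a mapping in sync with a new ATT&CK release mostly comes down to finding the technique IDs that were revoked (replaced by another technique), deprecated (withdrawn), or that no longer exist at all. The following is an added example, not the Center's mapping tool. It relies on conventions the ATT&CK STIX 2.1 data actually uses: techniques are `attack-pattern` objects whose ATT&CK ID is the `external_id` of the `external_references` entry with `source_name` `mitre-attack`; a replaced technique carries `revoked: true` and a `revoked-by` relationship pointing at its successor; a withdrawn one carries `x_mitre_deprecated: true`. The bundle and mappings below are constructed fragments in that shape (the STIX ids and capability names are invented for the example), and `audit_mappings` / `migrate` are this example's own functions.

```python
"""Audit a set of ATT&CK mappings against a newer ATT&CK STIX bundle.

Added example, not the Center's own mapping tool. The bundle is a constructed
fragment that follows ATT&CK STIX conventions (revoked / x_mitre_deprecated
flags, "revoked-by" relationships, mitre-attack external references).
"""
from typing import Dict, List, Optional, Tuple


def _technique(stix_id: str, attack_id: str, name: str, **flags) -> dict:
    obj = {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": attack_id}],
    }
    obj.update(flags)
    return obj


# Constructed sample bundle; STIX ids are placeholders, check the live data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        _technique("attack-pattern--aaaa", "T1086", "PowerShell", revoked=True),
        _technique("attack-pattern--bbbb", "T1059.001", "PowerShell",
                   x_mitre_is_subtechnique=True),
        _technique("attack-pattern--cccc", "T1064", "Scripting",
                   x_mitre_deprecated=True),
        _technique("attack-pattern--dddd", "T1003", "OS Credential Dumping"),
        {"type": "relationship", "id": "relationship--eeee",
         "relationship_type": "revoked-by",
         "source_ref": "attack-pattern--aaaa",
         "target_ref": "attack-pattern--bbbb"},
    ],
}

# Constructed mappings of the form "this capability addresses this technique".
SAMPLE_MAPPINGS = [
    {"capability": "Script block logging", "technique_id": "T1086"},
    {"capability": "Application control", "technique_id": "T1064"},
    {"capability": "LSASS protection", "technique_id": "T1003"},
    {"capability": "Legacy control", "technique_id": "T9999"},
]


def attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK ID (e.g. T1059.001) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle: dict) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Lookups: ATT&CK ID -> technique object, and revoked ID -> replacement ID."""
    by_attack_id: Dict[str, dict] = {}
    by_stix_id: Dict[str, str] = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "attack-pattern":
            tid = attack_id(obj)
            if tid:
                by_attack_id[tid] = obj
                by_stix_id[obj["id"]] = tid
    replacement: Dict[str, str] = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "revoked-by":
            old, new = by_stix_id.get(obj["source_ref"]), by_stix_id.get(obj["target_ref"])
            if old and new:
                replacement[old] = new
    return by_attack_id, replacement


def audit_mappings(mappings: List[dict], bundle: dict) -> List[dict]:
    """Classify each mapping as ok, revoked (with replacement), deprecated, or unknown."""
    by_attack_id, replacement = index_bundle(bundle)
    results = []
    for m in mappings:
        tid = m["technique_id"]
        obj = by_attack_id.get(tid)
        if obj is None:
            status, new = "unknown", None
        elif obj.get("revoked"):
            status, new = "revoked", replacement.get(tid)
        elif obj.get("x_mitre_deprecated"):
            status, new = "deprecated", None
        else:
            status, new = "ok", None
        results.append({**m, "status": status, "replacement": new})
    return results


def migrate(mappings: List[dict], bundle: dict) -> Tuple[List[dict], List[dict]]:
    """Rewrite revoked IDs to their replacement; queue deprecated/unknown for an analyst."""
    updated, review = [], []
    for r in audit_mappings(mappings, bundle):
        if r["status"] == "revoked" and r["replacement"]:
            updated.append({"capability": r["capability"], "technique_id": r["replacement"]})
        elif r["status"] == "ok":
            updated.append({"capability": r["capability"], "technique_id": r["technique_id"]})
        else:
            review.append(r)
    return updated, review


if __name__ == "__main__":
    for row in audit_mappings(SAMPLE_MAPPINGS, SAMPLE_BUNDLE):
        print(row)
```

Only the revoked case is safe to fix mechanically, because the `revoked-by` relationship names the successor. A deprecated technique has no declared successor and an unknown ID may be a typo or a technique removed long ago, so both land in the review queue rather than being silently dropped from the mapping.
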
Communicating threat and risk

Threat-modeling tools and frameworks help organizations optimize security strategies, target investments, and understand risk. Security teams use ATT&CK to communicate about adversary behaviors and threats, but they lack guidance and best practices for integrating ATT&CK into well-known threat-modeling tools. We plan to develop a set of resources that will help teams leverage the ATT&CK corpus as they conduct threat-modeling exercises, allowing them to focus on the activity of threat-modeling instead of how to threat-model with ATT&CK. Expected release Q4.

Effective communication about defensive posture, threats, and risk needs to be tailored to the audience. A detection engineer thinks about defensive posture at a different level than a CISO. We are in the early stages of defining a new project that aims to build a library of ATT&CK visualizations designed to support varying user roles and scenarios. Expected release Q4.

Applying a threat-informed perspective to new areas

In 2022, we published an Insider Threat TTP Knowledge Base built upon ATT&CK. We leveraged lessons learned and experience with ATT&CK to bring a threat-informed perspective to tracking and understanding insider threats. We will continue our research expanding this knowledge base and exploring detection and mitigation for insider threats. Expect new updates in Q3 and Q4.

We are exploring additional areas of focus like OT, privacy, resiliency, and risk. We see an opportunity to bring the perspective and lessons learned from ATT&CK and threat-informed defense to these areas to further our mission.

Want to get involved?

The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. We aim to create widely used, easily accessible, and practical resources through our R&D program. That is only possible with community support and engaged Center Participants. Your feedback is key to evolving our work and maximizing its impact. Your hard problems and ideas inform our R&D program.

Stay informed — Be the first to know about R&D project releases by signing up for our newsletter and following us on LinkedIn.

Utilize Center R&D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Letting us know how you are using Center R&D allows us to continually refine our work, making it more accessible and impactful.

Join us to support and advance the R&D program — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of MITRE ATT&CK®. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity. Approved for Public Release. Document number CT0068.

Jon Baker is Director and co-Founder of the Center for Threat-Informed Defense at MITRE Engenuity.