Advancing Threat-Informed Defense Together

Suneel Sundar
MITRE-Engenuity
Dec 11, 2023


As we come to the end of 2023, we celebrate the Center’s biggest year yet. The Center has brought more participants into our collaborative R&D program, released more products, and scaled up our impact across threat-informed defense. Our best work comes when we enable innovation across the industry, and we do so across our three Key Problem Areas:

  1. Cyber Threat Intelligence: Increase the operational effectiveness of threat-intel products and advance the global understanding of adversary behaviors.
  2. Test & Evaluation: Bring the adversary perspective to cybersecurity test and evaluation to understand true defensive posture.
  3. Defensive Measures: Systematically advance our ability to detect and prevent adversary behaviors.
Our Key Problem Areas form a feedback loop for threat-informed defense

In this update to our 2023 R&D Roadmap, we will highlight some of the Center’s especially impactful work in each area, as well as summarize our accomplishments. The last section of this update will share some of our ongoing projects and some emerging research areas.

Cyber Threat Intelligence

Attackers Work in Sequences; So Do We

MITRE ATT&CK® gives us distinct elements against which we can measure defensive posture. It is also vital to identify how adversaries behave in using techniques in sequence. We built Attack Flow as the data model for representing the sequence of adversary behaviors. To defend against the adversaries’ sequence of behaviors, we have a data model with a web application that allows you to build and visualize those attack flows. These flows are foundational to the discussion around the whole threat-informed defense lifecycle.

Attack Flow Builder

We envision a day when:

  • an incident response team documents an attack and shares the attack flow with the intel team, and then
  • that intel team includes the attack flow in their reporting to the whole security organization, including
  • the adversary emulation team or a SOC team who uses the flow to evaluate their defenses and develop more robust analytics.

That day is today, and tomorrow you will see further enhancements to Attack Flow for ease in documenting your use cases.

With Attack Flow, we can visualize and understand a sequence of behaviors. The next step for us is to predict an unobserved behavior from a given sequence of observed ones. This month we will launch Technique Inference Engine (TIE). The hypothesis for this project is that based on two or three seen techniques in sequence, we can infer what the adversary’s next technique was or will be. We have a committed cadre of ten Center participants who work with us to collect a body of techniques and sequences, analyze the data against a relevant and powerful model, and infer with a measurable degree of certainty “what’s next”.

CTI Resources for CTI Teams

In 2023, the Center upgraded ATT&CK Workbench for teams to customize and extend ATT&CK for their collective needs. With the new Workbench, organizations or individuals can host an instance of Workbench to serve as the centerpiece to their own customized copy of the ATT&CK knowledge base. Another effort to help analysts came in our 2023 release of TRAM. TRAM demonstrates that Large Language Models can automate technique detection in threat intelligence reports by identifying adversary TTPs.

We heard from you and our Center members that CTI reporting is the backbone of threat-informed defense. So, the Center created CTI Blueprints to give all organizations a resource for higher quality, less manually intensive finished reporting. CTI Blueprints provides templates developed by some of the world’s most mature intelligence consumers, sample reports that are customizable to each organization’s unique reporting needs, and an open-source suite of authoring and publishing tools.

Intel reports generated through CTI Blueprints

Threat-informed defense, and cyber threat intelligence in particular, is a team sport. With Blueprints for actionable reporting, TRAM for automated collection, and Workbench for shared analysis, the Center continues in our mission to advance all CTI teams.

You are Part of the Center’s Threat-Informed Defense Mission

Two projects demonstrate the Center’s role as a focal point for the threat-informed defense community, driving applied research and advanced development to improve cyber defense at scale for the global community. The Center has moved forward with our goal of creating a global view of threat activity mapped to ATT&CK. We create this Sightings Ecosystem by collecting and analyzing data to give defenders a data-driven view of adversary activity. In Sightings, the Center is a trusted aggregator of observed adversary data mapped to ATT&CK, which we then analyze for activity visibility and release to the community. Similarly, we have built on the success of our 2022 Insider Threat TTP Knowledge Base to collect additional techniques used by insiders on IT systems, to map insider actions to mitigations, and to identify distinguishing features of insiders that are observable and measurable regardless of the insider threat’s intent. Both Sightings and the Insider Threat Knowledge Base welcome your contributions.

Test and Evaluation

Welcome Mac and Linux to the Adversary Emulation Library!

One of the first Center projects was the emulation plan for the FIN6 adversary group. In devising that first Center release, we envisioned and committed to lower the barrier of entry to purple teams, and to set a reliable standard for plans in the Adversary Emulation Library. Our plans were all Windows focused, until recently when the Center published its first Mac and Linux focused emulation plan for the OceanLotus APT group. Intelligence reporting tells us that adversaries target Mac and Linux, not just Windows. Now, our Adversary Emulation Library does too.

The Center has committed to support purple teams through its emulation plans. So when you see the OceanLotus plan in the Adversary Emulation Library, you will see notes and suggestions for defenders.

To complement the full-scope breach scenarios of OceanLotus and other emulation plans, the Center observed in 2022 the need for easy-to-execute emulation content that targets specific behaviors and challenges facing defenders. In 2023 we added six additional plans to the Adversary Emulation Library.

Defensive Measures

Detection and Analytics That Will Infuriate Adversaries

The Center’s mission is to advance the state of the art and the state of the practice of threat-informed defense. In the area of detection engineering, our Summiting the Pyramid project gives all detection engineers the means to write analytics that are difficult to evade. We approached this research effort with the acknowledgment that “it’s too easy for adversaries to avoid or circumvent many common detections today.” This assertion is based on our observation that in open-source repositories, there are plenty of analytics mapped back to ATT&CK. However, those detections often end up firing on ephemeral items like file names or hashes. With Summiting the Pyramid, we created a framework for evaluating a detection, and a methodology to systematically move it up the Pyramid of Pain. Furthermore, like any great research project, this one begat more questions than answers. We will extend our detection engineering research to other platforms and to automated scoring of analytics against the Pyramid of Pain.
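To illustrate the brittleness the project calls out, here is an added example (not the Center’s or Summiting the Pyramid’s own code) contrasting an analytic keyed on a hash or file name with one keyed on process behavior; the events, hash values and name sets are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record with fields a Sysmon-style sensor logs."""
    image: str               # on-disk file name, trivially renamed by an attacker
    sha256: str              # file hash, changes with any rebuild or byte padding
    original_file_name: str  # PE version-info name, survives a rename on disk
    parent_image: str        # process that created this one


# Constructed sample telemetry; the hashes are placeholders, not real indicators.
EVENTS = [
    # Office document spawning a script host, logged under the normal name
    ProcEvent("powershell.exe", "sha256-placeholder-1", "PowerShell.EXE", "winword.exe"),
    # same behavior, but the binary was renamed and its hash differs
    ProcEvent("update.exe",     "sha256-placeholder-2", "PowerShell.EXE", "winword.exe"),
    # an administrator launching the same script host from the desktop shell
    ProcEvent("powershell.exe", "sha256-placeholder-1", "PowerShell.EXE", "explorer.exe"),
]

BLOCKLISTED_HASHES = {"sha256-placeholder-1"}           # constructed blocklist
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ephemeral_rule(e: ProcEvent) -> bool:
    """Bottom of the pyramid: keys on a hash or a file name, both cheap to change."""
    return e.sha256 in BLOCKLISTED_HASHES or e.image.lower() == "powershell.exe"


def behavioral_rule(e: ProcEvent) -> bool:
    """Higher up the pyramid: an Office application spawning a script host.

    Uses the version-info name rather than the on-disk name, so renaming the
    binary does not change the verdict, and conditions on the parent so the
    everyday administrator case does not alert."""
    return (e.parent_image.lower() in OFFICE_APPS
            and e.original_file_name.lower() in SCRIPT_HOSTS)


def fire(rule, events=EVENTS) -> list[int]:
    """Indices of the events a rule alerts on."""
    return [i for i, e in enumerate(events) if rule(e)]
```

The ephemeral rule misses the renamed binary and alerts on the benign administrator launch, while the behavioral rule catches both malicious events and stays quiet on the benign one.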

Summiting the “Pyramid of Pain”

Bring Mappings Together

The Center will publish Sensor Mappings to ATT&CK in December 2023. This work fulfills our promise to determine what observables are produced by common logs, sensors, and other defensive capabilities.

The Center has advanced our Mappings program in 2023. We updated and released the NIST 800–53 rev4 and rev5 mappings to ATT&CK v12. Looking forward, the Center began a project to map the native security controls in M365 to adversary techniques, which will be published in Q1 2024. All the Center’s Mappings will be normalized and integrated with Mappings Explorer. This project standardizes mappings to a single data format and aligns tools and processes for usability and future growth. Defenders will access and explore mapped security controls from the perspective of the ATT&CK techniques they mitigate. It will be available to the public in March 2024.

Active Research to be Released in 2024

Heat Maps Leave Us Cold

How defended am I against adversary TTPs? A way not to answer this question is by counting detections for a given TTP. We have embarked on creating a measurement standard for defensive posture in our Measure, Maximize, and Mature Threat-Informed Defense (M3TID) project. This effort unites the community’s practices to measure threat-informed defense and will share the best practices for defining coverage against TTPs. There is plenty of experience and knowledge within our project team and sponsors, and there is even more among the community. We look forward to engaging with threat-informed defenders across the world to improve and mature our understanding of threat-informed defense.

AI Systems are Cyber Systems Too

Threat-informed defense is more than cyber defense, and so we have partnered with MITRE ATLAS™ in our Secure AI focus area. We will build upon the knowledge and experience we have within the ATT&CK community to understand threats against AI systems and use that knowledge to red team AI systems, ultimately to develop mitigations to protect those AI systems. We are confident that we can make an impact in this area, bolstered by our work to apply threat-informed defense to OT systems, threat modeling, and insider threat.

Globalize Threat-Informed Defense

The Center’s prior impact and current effort are possible only with your engagement. To extend that engagement, we share two initiatives. First, the Benefactor Program invites organizations to financially support the continued research of the Center for Threat-Informed Defense and ATT&CK. The contributions of our first Benefactors, Coalfire and Acalvio Technologies, enable us to scale. Second, we build on the camaraderie of the EU ATT&CK Community Workshop by hosting the first Asia-Pacific ATT&CK Community Workshop in Singapore. This will happen in 2024, and we invite threat-informed defenders in the Asia-Pacific region to join us for this inaugural event.

As we enter our fifth year of operations, we are more energized and committed than ever to work in collaboration with you and our Participants to change the game on the adversary.

Get Involved

The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. We aim to create widely used, easily accessible, and practical resources through our R&D program. That is only possible with community support and engaged Center Participants. Your feedback is key to evolving our work and maximizing its impact. Your hard problems and ideas inform our R&D program.

Stay informed — Be the first to know about R&D project releases by signing up for our newsletter and following us on LinkedIn.

Use Center R&D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Letting us know how you are using Center R&D allows us to continually refine our work, making it more accessible and impactful.

Join us to advance Threat-Informed Defense — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT&CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity. Approved for Public Release. Document number CT0093
