Building a Threat-Informed Defense at ATT&CKcon 3.0

Kellyn Wagner Ramsdell
Published in MITRE-Engenuity
Apr 28, 2022

Written by Kellyn Wagner Ramsdell and Ingrid Skoog.

MITRE’s ATT&CKcon 3.0 Logo and MITRE Engenuity’s Center for Threat-Informed Defense Logo

The Center for Threat-Informed Defense (Center) produces research and tools for the public good. We love to hear how people use our projects to protect themselves and their customers because the public good is only accomplished if people use our work. When we see you highlighting Center projects, we like to do the same so more people can understand how they can build a threat-informed defense. So, how are people using our projects?

At MITRE ATT&CKcon 3.0, Siemplify* and VMware highlighted how they use Center projects to lower the barrier to building a threat-informed defense for themselves and their customers.

  • Siemplify’s Ivan Ninichuck and Andy Shepherd used ATT&CK Workbench to build a truly orchestrated security program. They also discussed their current work with the Sightings Ecosystem to create templates of adversary behavior against which activity observed on customer networks can be compared.
  • VMware discussed using the Insider Threat TTP Knowledge Base to build a lasting insider threat detection program grounded in industry-accepted investigative standards.

ATT&CK Workbench has since transitioned to the MITRE ATT&CK® team, but it started out as a Center project that lets organizations build and maintain a local version of ATT&CK. Ivan discussed how Siemplify uses the tool to help customers align the threats they see in their networks with their defenses, while still leveraging the larger ATT&CK knowledge base.

The Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base catalogs 54 ATT&CK techniques commonly used by insiders. VMware’s Matt Snyder walked conference attendees through how the knowledge base gives investigators a measurable and repeatable way to conclude that an insider took malicious action in a network.

Several ATT&CKcon presenters also released tools that leverage Center projects.

Recorded Future’s Lindsay Kaye and Scott Small announced the release of the Control Validation Compass at ATT&CKcon 3.0, which references the Center’s Azure and AWS security stack mappings. The Compass helps organizations align security controls to ATT&CK techniques so they can see which specific measures defend against which specific attacks.

Lacework released WhaleHoney, a Flask application for building honeypots that mock the endpoints documented in the Docker Engine API. Researchers can use the tool to observe the actions adversaries take when they target Docker. The resulting data can then be mapped directly to ATT&CK using ATT&CK for Containers, another Center project that addresses a community need.
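To make the honeypot-to-ATT&CK idea concrete, here is an added example that is not WhaleHoney’s code or any Center project’s code. It mocks a handful of Docker Engine API routes with only the Python standard library (no Flask), logs each request, and tags it with an ATT&CK for Containers technique. The route patterns follow the Docker Engine API; the technique assigned to each route, the `HostConfig` checks that escalate a container-create request to Escape to Host, and the canned responses are this example’s own assumptions, not an official mapping.

```python
"""Docker Engine API honeypot that tags each request with an ATT&CK for Containers technique.

Added example (not WhaleHoney's code). Standard library only; the route-to-technique
table below is an assumption made for this example, not an official mapping.
"""
import json
import re
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

API_PREFIX = r"^(?:/v[\d.]+)?"  # clients may send a version prefix such as /v1.41

# (method, path regex, technique ID, technique name). Assumed pairing for this example.
ROUTE_TECHNIQUES = [
    ("GET",  API_PREFIX + r"/containers/json$",        "T1613", "Container and Resource Discovery"),
    ("GET",  API_PREFIX + r"/images/json$",            "T1613", "Container and Resource Discovery"),
    ("GET",  API_PREFIX + r"/info$",                   "T1613", "Container and Resource Discovery"),
    ("POST", API_PREFIX + r"/containers/create$",      "T1610", "Deploy Container"),
    ("POST", API_PREFIX + r"/containers/[^/]+/start$", "T1610", "Deploy Container"),
    ("POST", API_PREFIX + r"/containers/[^/]+/exec$",  "T1609", "Container Administration Command"),
    ("POST", API_PREFIX + r"/build$",                  "T1612", "Build Image on Host"),
]

EVENTS = []  # in-memory event log; a real deployment would ship these to a SIEM


def _requests_host_access(body):
    """True when a container-create body asks for settings that let a process reach the host."""
    host = (body or {}).get("HostConfig") or {}
    binds = host.get("Binds") or []
    # Privileged mode, the host PID namespace, or bind-mounting / are classic escape setups.
    return bool(host.get("Privileged")) or host.get("PidMode") == "host" or any(
        b.split(":")[0] == "/" for b in binds if isinstance(b, str)
    )


def classify(method, path, body=None):
    """Map one request to a technique dict, or None when the route is not in the table."""
    route = urlsplit(path).path  # drop query strings such as ?all=1
    for m, pattern, tid, name in ROUTE_TECHNIQUES:
        if m == method and re.match(pattern, route):
            if route.endswith("/containers/create") and _requests_host_access(body):
                return {"technique_id": "T1611", "technique_name": "Escape to Host"}
            return {"technique_id": tid, "technique_name": name}
    return None


def record(method, path, body, client):
    """Build an event for one request, append it to EVENTS, and return it."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client,
        "method": method,
        "path": path,
        "body": body,
        "attack": classify(method, path, body),
    }
    EVENTS.append(event)
    return event


class HoneyHandler(BaseHTTPRequestHandler):
    """Answers like a permissive Docker daemon while logging everything it is asked."""

    def _body(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length) if length else b""
        try:
            return json.loads(raw) if raw else None
        except ValueError:
            return raw.decode("utf-8", "replace")

    def _reply(self, status, payload, content_type="application/json"):
        data = payload.encode() if isinstance(payload, str) else json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        record("GET", self.path, None, self.client_address[0])
        route = urlsplit(self.path).path
        if route.endswith("/_ping"):
            self._reply(200, "OK", "text/plain")
        elif route.endswith("/info"):
            self._reply(200, {"ID": "honeypot", "Containers": 0, "ServerVersion": "20.10.0"})
        else:
            self._reply(200, [])  # empty container/image lists look like a quiet host

    def do_POST(self):
        body = self._body()
        record("POST", self.path, body, self.client_address[0])
        # A fake ID keeps the attacker's tooling moving so it reveals its next step.
        self._reply(201, {"Id": secrets.token_hex(32), "Warnings": []})

    def log_message(self, fmt, *args):
        pass  # requests are captured in EVENTS instead of stderr


if __name__ == "__main__":
    # 2375 is the conventional unauthenticated Docker TCP port; bind wherever your lab expects it.
    HTTPServer(("0.0.0.0", 2375), HoneyHandler).serve_forever()
```

Point a Docker client at the honeypot with `DOCKER_HOST=tcp://127.0.0.1:2375 docker ps` and the `EVENTS` list fills with one tagged entry per request; the `HostConfig` inspection is what separates an ordinary `docker run` (T1610) from the privileged, host-mounting variant an attacker uses to break out (T1611).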

With adoption of Center projects growing, the Center’s Assistant Director of Research and Development, Ingrid Skoog, walked through several use cases for Center projects, including the FIN6 and menuPass Adversary Emulation Plans, the ATT&CK to CVE mappings, the NIST SP 800-53 to ATT&CK mappings, and ATT&CK Workbench. She also covered the Center’s next steps, which include building new adversary emulation plans, mapping Google Cloud Platform’s controls to ATT&CK, and strategically focusing on improving cyber threat intelligence, defensive measures, and test and evaluation.

Center Assistant Director of R&D Ingrid Skoog talks about the Center’s strategic focus.

Missed ATT&CKcon and want to watch the sessions? You can view all the sessions on demand here: https://mitre.brandlive.com/mitre-attackcon-3/en/home.

Have a similar use case or tool, but didn’t get a chance to present at ATT&CKcon? Reach out to the Center at ctid@mitre-engenuity.org. We want to highlight your work on our blog and engage in public forums to share how Center projects can be used to build a threat-informed defense. Not sure if your content is ready for publication? Please still reach out! We regularly work with organizations to get their ideas into public channels. Building a threat-informed defense requires all of us working together, and we look forward to working with you.

Center projects discussed in this blog: ATT&CK Workbench, the Sightings Ecosystem, the Insider Threat TTP Knowledge Base, the Azure and AWS security stack mappings, ATT&CK for Containers, the FIN6 and menuPass Adversary Emulation Plans, the ATT&CK to CVE mappings, and the NIST SP 800-53 to ATT&CK mappings. The full list of Center projects is on our website here: https://ctid.mitre-engenuity.org/our-work/.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

*Siemplify was acquired by Google in January 2022. Ivan and Andy presented as Siemplify at ATT&CKcon, so we use the affiliation the presenters gave. If you want to learn more about the acquisition, Google’s announcement is here: https://cloud.google.com/blog/products/identity-security/raising-the-bar-in-security-operations.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0046.
