More Threat-Informed, In More Ways, With More Defenders

Suneel Sundar
MITRE-Engenuity
12 min read · May 2, 2024

Written by Suneel Sundar.

The Center for Threat-Informed Defense released five new projects in the first quarter of 2024, and this momentum will carry through the calendar year. You can use our latest research to advance your understanding of insider threats, make data-driven decisions about your defenses, search and explore a rich corpus of security capabilities mapped to MITRE ATT&CK®, and measure your threat-informed defense. Through the rest of 2024, we will conduct and publish research in cyber analytics, artificial intelligence (AI), threat intelligence, and threat-informed resources for everyone on your team, from developer to director.

Within the Center, our most impactful work comes from enabling innovation across the industry, and we do so in our three Key Problem Areas:

  1. Cyber Threat Intelligence: Increase the operational effectiveness of threat-intel products and advance the global understanding of adversary behaviors.
  2. Test & Evaluation: Bring the adversary perspective to cybersecurity test and evaluation to understand true defensive posture.
  3. Defensive Measures: Systematically advance our ability to detect and prevent adversary behaviors.

Figure 1. Threat-Informed Defense feedback loop

What have we done for threat-informed defense in 2024?

One part of our Center roadmap in 2024 and beyond is to deliver our research in a format that is easily and widely usable for the global community of defenders. Each of the Center’s 2024 project releases has a dedicated project website that maintains the comprehensive set of project resources.

In March 2024, we expanded the Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base. We began our insider threat research with members in 2022, ultimately sharing 31 techniques and 20 sub-techniques used by insiders against IT systems. Now we are up to 47 techniques and 29 sub-techniques, as well as 36 unique mitigations for these documented insider behaviors. We also introduced Observable Human Indicators to the knowledge base; these are objective, quantifiable attributes of insiders that complement the cyber observables. Utilizing the Knowledge Base, cyber defenders across organizations will identify insider threat activity on IT systems and limit the damage.

Figure 2. Insider Threat TTP Knowledge Base

We also continued development of the Sightings Ecosystem. The ecosystem fundamentally advances the collective ability to see threat activity across organizational, platform, vendor, and geographical boundaries. Voluntarily contributed raw “sightings” — observations of specific adversary TTPs — are anonymized and aggregated to produce insights into the most commonly used attacker techniques. The Sightings data feeds our own Center research as well, providing evidence of adversary activities that fuels the Top ATT&CK Techniques Calculator, Summiting the Pyramid, and upcoming Technique Inference Engine. Please share with us how you use the Sightings Ecosystem. See the data and analysis and become a contributor here.

Figure 3. Sightings Ecosystem

In March 2024, the Center undertook the ambitious effort to Measure, Maximize, and Mature Threat-Informed Defense (M3TID). M3TID created an actionable definition of threat-informed defense and its associated key activities, and a formalized approach to measure your threat-informed defense. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged.

Figure 4. Threat-Informed Defense: Dimensions and Components

Security capability mappings correlate the defensive measures you have procured to the threats that keep you awake. Mappings Explorer is a hub for defenders to explore security capabilities mapped to MITRE ATT&CK®. This singular resource enables cyber defenders to understand how various security controls and capabilities protect against the adversary behaviors catalogued in the ATT&CK knowledge base in easily accessible and customizable ways.

Figure 5. Capabilities that protect against Exfiltration over USB from Mappings Explorer

Our latest addition to the Center mappings program, likewise included in Mappings Explorer, is Security Stack Mappings — Microsoft 365 (M365). Here we share native security capabilities available as part of Microsoft 365, mapped to the ATT&CK techniques that those capabilities can detect, protect against, or respond to. End users will make threat-informed decisions about which capabilities mitigate common attacker techniques.

And as always, these resources are available to all on the Center for Threat-Informed Defense website.

What’s next?

For 2024, we are committed to extending and expanding on Center products that the community has embraced and deemed impactful.

Detection Engineering

In September 2023, the Center released Summiting the Pyramid to exceptional community reception, including conference talks, podcasts, and especially its inclusion as a Sigma rules tag.

Figure 6. Create more robust detections with Summiting the Pyramid

In gratitude, the Center will further the research in three ways:

  1. Analytic precision and recall. We will create more precise, less false-positive-prone analytics without sacrificing robustness.
  2. Network robustness scoring. Most defensive evasion techniques focus on the host. We will expand robustness to network-focused data sources.
  3. ATT&CK Data Source Scoring and Analysis. We will catalog and score known data sources associated with ATT&CK techniques to provide an initial basis for automated scoring. These data sources also expand the number of observables in the analytic and event observables categories in the STP scoring methodology.

These results will broaden the impact of Summiting the Pyramid, create more robust detections, and further increase the cost to the adversary.

In 2024 the Center will embark on new research into detecting Ambiguous Techniques used by adversaries; that is, techniques whose observables are not sufficient to determine malicious intent, such as System Network Configuration Discovery. We will detect malicious implementations of ambiguous techniques by creating Ambiguous Technique Analytics with low false positive rates.

This research will have three steps:

  1. identify which techniques can be categorized as benign techniques;
  2. search Attack Flows to identify co-occurring techniques either before or after ambiguous techniques; and
  3. identify core behaviors and observables associated with those techniques for building robust detections.

Threat-Informed AI and AI-Informed Defense

Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The principles of threat-informed defense apply beyond traditional enterprise cybersecurity. In acknowledgement of that, we expand to threat-informed defense for AI. We must take a holistic view of AI threats and vulnerabilities within the context of the larger system, rather than vulnerabilities of a particular AI model or isolated data. MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) is modeled after and complementary to MITRE ATT&CK. This project will raise awareness of the rapidly evolving vulnerabilities of AI-enabled systems as they extend beyond cyber.

Figure 7. ATLAS Matrix ca. April 2024

ATLAS is broadly scoped to cover the landscape of threats and vulnerabilities introduced into AI-enabled systems, including adversarial machine learning and elements of cybersecurity. The Center’s Secure AI project will expand the knowledge base of adversary tactics, techniques, and case studies for AI-enabled systems built from real-world observations and red team demonstrations against current systems. In particular, this project will

  • Increase the knowledge base and understanding of real-world threats through incident sharing metrics and mechanisms. This incident sharing effort would include incidents beyond security into equitability, interpretability, robustness, resilience, and privacy.
  • Extend the data-driven generative AI (GenAI) focus of MITRE ATLAS by documenting new case studies that address the vulnerabilities of systems that incorporate generative AI.
  • Align the ATLAS Tactics, Techniques, and Procedures (TTPs) with the current version of ATT&CK TTPs and implement a plan to keep the TTP versions in sync.

The Secure AI research will be released to the public in September 2024. The results of Secure AI will form the foundation for future Center work in Securing AI-Enabled Systems. We will continue by:

  • Developing and publishing strategies to mitigate relevant (high likelihood, high impact) threats to AI-enabled systems.
  • Developing tools and playbooks to emulate threats to AI-enabled systems, allowing defenders to test AI-enabled system defenses against known threats.

Our Secure AI proposal inspired our members to propose an orthogonal use case, GenAI for Threat-Informed Defense: a threat-informed AI-enabled partner for defenders. We will build a chatbot tailored to support the needs of cybersecurity analysts implementing threat-informed defense. In our small-scale proof-of-concept, we see the capability to accelerate the analysis of cyber threat intelligence (CTI) as well as related tasks such as attribution, reformatting data for ingestion into threat intelligence platforms, building Attack Flows, and visualizing data.

Technique Inference Engine and Adversary Capability Calculator

When investigating an attack chain, organizations need to prioritize which adversary behaviors to address first. Our Technique Inference Engine (TIE) project creates a model usable by both human analysts and automation platforms to investigate attack chains. Given two or more observed techniques in sequence, TIE will recommend a likely next technique or previous technique. TIE guides analysts, threat hunters, red teamers, investigators, and threat modelers from what technique is seen to what is not-yet-seen. Similarly, the Adversary Capability Calculator (ACC) will infer what an adversary could do (capability) from what an adversary has done (ability). This will more accurately calculate risk, both proactively and during a live incident.
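The Attack Flow co-occurrence search in step 2 of the ambiguous-technique research above and the next/previous-technique inference that TIE describes can both be prototyped from the same adjacency statistics over technique sequences. The Python below is an added example, not Center code and not TIE's actual model; the attack flows are constructed sample data and the scoring is a simple vote over adjacent technique pairs.

```python
from collections import Counter, defaultdict

# Constructed sample attack flows (not Center data): each list is the ordered
# sequence of ATT&CK technique IDs observed in one hypothetical incident.
FLOWS = [
    ["T1566", "T1059", "T1016", "T1082", "T1071", "T1041"],
    ["T1566", "T1059", "T1016", "T1071", "T1041"],
    ["T1078", "T1016", "T1082", "T1021"],
    ["T1059", "T1016", "T1082", "T1071"],
    ["T1190", "T1059", "T1071"],
]


def neighbor_counts(flows):
    """For every technique, count which techniques directly precede and follow it."""
    before = defaultdict(Counter)
    after = defaultdict(Counter)
    for flow in flows:
        for prev, cur in zip(flow, flow[1:]):
            after[prev][cur] += 1
            before[cur][prev] += 1
    return before, after


def infer(flows, observed, direction="next"):
    """Rank candidate techniques likely to come next (or previously) given an
    observed sequence. Each observed technique votes with its adjacency counts;
    techniques already in the sequence are not re-proposed. Returns a list of
    (technique, share of votes) sorted by share, highest first."""
    before, after = neighbor_counts(flows)
    table = after if direction == "next" else before
    votes = Counter()
    for technique in observed:
        for candidate, count in table[technique].items():
            if candidate not in observed:
                votes[candidate] += count
    total = sum(votes.values())
    ranked = sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, c / total) for t, c in ranked] if total else []


def context_of(flows, ambiguous):
    """Step 2 of the ambiguous-technique research: which techniques co-occur
    immediately before and after an ambiguous technique across the flows."""
    before, after = neighbor_counts(flows)
    return dict(before[ambiguous]), dict(after[ambiguous])


if __name__ == "__main__":
    print(infer(FLOWS, ["T1059", "T1016"]))              # T1082 ranks first
    print(infer(FLOWS, ["T1016", "T1082"], "previous"))  # T1059 ranks first
    print(context_of(FLOWS, "T1016"))                    # neighbors of T1016
```

On real Attack Flow corpora the same counts would come from the flows' action objects rather than hand-written lists, and the co-occurrence context of an ambiguous technique is what a detection engineer would turn into the analytic's required preceding or following observables.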

Understand Adversary Behaviors Through ATT&CK

As part of our research to understand adversary behaviors, we have partnered with Center members to extend ATT&CK’s knowledge bases. We seek to collect evidence of adversarial activities in the telecommunications space for inclusion in ATT&CK for Mobile. Furthermore, the absence of preparatory (PRE) tactics in ATT&CK for Mobile hinders our ability to track, understand, and communicate adversaries’ preparation. So we will research preparatory tactics for mobile and integrate the tactics into ATT&CK for Mobile and across ATT&CK domains.

Currently all ATT&CK technology domains use sub-technique objects except ATT&CK for Industrial Control Systems (ICS). To bring sub-techniques into ICS, we must evaluate the technique overlap between ATT&CK for ICS and ATT&CK for Enterprise and realign techniques under the same sub-technique names. This effort further builds the Center’s operational technology (OT) research. In July 2024, the Center will release a customized collection of MITRE ATT&CK techniques tailored to the unique attack surface and threat model for OT as Defending Operational Technology with ATT&CK. Defenders will use the collection to plan and evaluate security controls for organizations that use OT.

Security Capability Mappings

Over the Center’s five years, the Mappings Program has grown to represent one-fourth of all Center research with over half our members participating across cloud platforms, security controls, incident sharing, and more. We will unite these individuated efforts and our future work into a Mappings Omnibus. ATT&CK is updated to a new major version twice per year, and security vendors constantly change their offerings. As a result, the snapshots of capabilities contained in the mappings projects do not reflect current adversary techniques or defensive measures. With Mappings Omnibus, we update all the mapping resources to reflect the most current version of adversary techniques, in perpetuity.

We previously applied the mappings methodology to Common Vulnerabilities and Exposures (CVE). Now we focus on CVEs that the Cybersecurity and Infrastructure Security Agency has confirmed as being exploited in the wild: the Known Exploited Vulnerabilities (KEVs) Catalog. The Prioritize Known Exploited Vulnerabilities with ATT&CK project will bridge threat management and vulnerability management by connecting CVEs that are actively exploited by adversaries to the impact of exploitation. We also endeavor to map security capabilities in hardware to adversary behaviors in Security Stack Mappings — Hardware-Enabled Defense. This will require us to extend our mappings methodology. In this project we will determine how hardware capabilities, in tandem with an operating system,

  • identify the potential occurrence of a (sub-)technique,
  • limit the impact of a (sub-)technique, or
  • provide actions to take for a detected (sub-)technique.

Such integration is essential for proactive and robust threat-informed defense for enterprise environments.

Threat-Informed Defense for Developers, Modelers, and Deciders

In the course of our M3TID research, we concluded that threat-informed defense can only be maximized and matured when all security practitioners in an organization have committed to it. The Center conducts three projects to extend the principles of threat-informed defense. For the threat modelers, we will publish Threat Modeling with ATT&CK in July 2024. It makes the adversary techniques in ATT&CK actionable for those who threat model or conduct assessments: by combining ATT&CK with popular threat modeling methodologies, practitioners developing systems or applications can enumerate the threat scenarios those systems face.

Next, we turn to the software developers, especially those who are faced with managing large numbers of software weaknesses, identified using Common Weakness Enumeration (CWE), alongside large numbers of software vulnerabilities (CVEs). These weaknesses and vulnerabilities sit across many assets with differing security requirements. We developed the CWE with Environmental CVSS Calculator to compare and prioritize across weaknesses and vulnerabilities. Software development teams can rank discovered weaknesses based on an expected Common Vulnerability Scoring System (CVSS) score, should the weakness ever become exploitable.

Third, we consider the threat-informed decision maker. Start with our 2022 resource, Attack Flow, a graphical approach to understanding sequences of adversary behaviors.

Figure 8. Attack Flow of breach at Uber by Lapsus$ group

The Center’s upcoming Flow Visualization project builds the business case for cyber visualization and contributes new idioms that are relevant industry-wide. This project identifies decision makers, the cognitive tasks carried out by those decision makers, and designs data visualizations to support decision making.

Globalize Threat-Informed Defense

We are grateful to the global community that has joined us in our mission to advance the state of the art and the state of the practice in threat-informed defense. We highlight the sponsors and participants of our Asia-Pacific ATT&CK Community Workshop: our host Citigroup, and sponsors Acronis, Deloitte, SOC Prime, Lloyds Banking Group, and Fortinet. This event in Singapore anchors the Asia-Pacific region into our global series of community events with EU ATT&CK in Belgium, and ATT&CKcon in the U.S. Global adoption leads to impact and community feedback that enhances Center R&D.

Second, the Benefactor Program enables the global community to advance critical, public interest cybersecurity programs such as MITRE ATT&CK®, Caldera™, MITRE Engage™, and the Center for Threat-Informed Defense through charitable giving. Our benefactors support independent research in the public interest. We thank Acalvio, Coalfire, NVISO, SOC Prime, Tidal Cyber, and Zimperium for financially supporting our research to change the game on the adversary.

Figure 9. We scale threat-informed defense through whole community engagement.

Get involved

The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. We create widely usable, easily accessible, and practical resources for all. That is only possible with community support and engaged Center Participants. Your operational challenges, shared across organizations, sectors, and regions, inspire our impactful solutions. You’ve now read our plans for 2024; tell us what you need most from the Center.

Stay informed — Be the first to know about R&D project releases by signing up for our newsletter and following us on LinkedIn.

Utilize Center R&D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Tell us how you use Center R&D, and we will refine our work to be more accessible and impactful.

Join us to support and advance the R&D program — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of MITRE ATT&CK®. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0113