Organizations need visibility to achieve cybersecurity effectiveness. They need visibility into (1) the threats they face and (2) how well they perform against those threats. These two needs for visibility – of the threat and security program performance – are closely related. Both hinge on knowledge of the attacker. When the MITRE Corporation published the ATT&CK® framework in 2015, it became a single source of visibility into attacker behaviors. Through ATT&CK, the MITRE team tracks known threat actors and maps their behaviors into a single periodic table of tactics and techniques. This framework is now used by governments all over the world to communicate about, analyze, and mitigate cyberattacks.
The ATT&CK framework thus helps solve the first problem of visibility. But it also helps solve the second problem, of performance. Using the threat intelligence provided by ATT&CK, organizations can run automated adversary emulations to assess how well their security programs perform against real-world attack campaigns. A good automated breach and attack simulation (BAS) platform uses the behaviors in ATT&CK to determine whether security controls detect and prevent attacks, solving the second problem of visibility by generating what we at AttackIQ call “performance data.” This data measures how well the total security program performs against known threat behaviors. And it is is why the MITRE ATT&CK framework serves as such a vital foundation of our business at AttackIQ.
In our work, we always hear questions from our customers about how to get started. That is partly why we wrote the Dummies Guide to MITRE ATT&CK, in partnership with the MITRE Engenuity team. But we also hear calls for greater granularity and greater visibility.
Defenders want to know: What techniques should they prioritize? Which are most prevalent in their industry? What techniques might be early warnings of a broader campaign?
To help our customers answer these and other questions, AttackIQ is proud to partner with MITRE Engenity and others at the Center for Threat-Informed Defense on a new project to gain greater visibility into threat behaviors in the wild. “Sightings” will track ATT&CK techniques observed in the wild, in production environments, to give defenders granular data about attacker technique prevalence and co-occurrence. We are sponsoring this research and development project with several other Center participants.
The goal, as MITRE’s Jon Baker and Mike Cunningham said in a blog post about the project last week, is to increase the cybersecurity community’s collective ability “to see threat activity across organizational, platform, vendor, and geographic boundaries.” The net result will be increased visibility into how adversaries attack and how organizations defend themselves.
To achieve the goals set out in the Sightings project, the Center for Threat-Informed Defense welcomes contributions from across the cybersecurity community. “The more contributors, the larger the data set, the better and more useful the results,” as they said. The project will be executed in four phases: contributor engagement, data transformation and analysis, reporting, and process establishment.
So what can you do to help? It’s simple.
Defenders, operators, security researchers, analysts: If you have a sighting contribution to make, please follow the format that the Center outlines in this GitHub post and submit it via email at [email protected].
Once the project is complete and the resulting data is made public, we at AttackIQ will leverage this data in our engineering and research to ensure that we help our customers validate their cyberdefense effectiveness in the best way possible.
And to get a demonstration into how AttackIQ can test your security program’s effectiveness using multi-stage adversary emulations, please sign up here.