2015 was a landmark year for the global cybersecurity profession. That year, MITRE Corporation published the first edition of its MITRE ATT&CK® framework. This repository of adversary tactics and techniques, based on real-world observations, has since become a vital weapon in the armories of enterprise cybersecurity teams worldwide.
To mark seven years of MITRE ATT&CK, Jonathan Baker, Director of R&D at MITRE Engenuity’s Center for Threat Informed Defense, and Cat Self, Lead Adversary Emulation Engineer on ATT&CK Enterprise and ATT&CK Evaluations at MITRE Corporation, got together to discuss some of the key developments in the framework’s history. They spoke exclusively at the AttackIQ Purple Hats Conference 2022.
In this blog, I’ve drawn on their discussion to highlight seven key milestones in the story of MITRE ATT&CK that helped turn the framework into the vital security tool it is today.
1. MITRE ATT&CK is born
The framework has its roots in work MITRE was carrying out for a sponsor organization. The company had asked MITRE to help improve its ability to detect adversaries within its IT environment, which, the MITRE team realized, would require an understanding of how adversaries behave once they breach the enterprise perimeter.
MITRE was able to use the company’s network environment to run adversary emulation tests that mimicked the behaviors cybercriminals had undertaken in historic attacks. This testing environment was named the Fort Meade eXperiment (FMX), and the resulting intelligence became the foundation for the ATT&CK framework. As Baker explained: “there was an ‘aha’ moment when we realized that the list of things we were focusing on would be really helpful to others.”
2. Grassroots adoption gathers pace
From the outset, MITRE ATT&CK was created by practitioners for practitioners. Because of this, the framework has always been highly accessible, and it was quick to gather strong grassroots support. Industry acceptance has turned the framework into a highly democratized document. Practitioners have taken it to heart and taken ownership of it, and they feel free to collaborate with MITRE and help inform its development.
As Self puts it: “MITRE is not an organization that can mandate things. Instead, we have practitioners talking about their successes and challenges, and helping us improve the framework. ATT&CK is community driven. It wouldn’t exist without the community.”
3. The framework becomes more granular
From its beginnings as a humble spreadsheet, the framework has evolved to become an increasingly deep source of cyber threat intelligence. Driven by user demand for more granular information, the framework now also covers sub-techniques, an important evolution. Thanks to sub-techniques, security teams now have greater choice and control over which specific adversary behaviors they address when configuring their defenses.
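As an added illustration of why that granularity matters (this is my own example, not code from the post or from MITRE), the script below parses ATT&CK technique IDs, records which sub-techniques a team's detection content actually claims, and rolls the result up to the parent technique so that a coarse "T1059 covered" claim can be told apart from coverage of one sub-technique. The catalog is a constructed sample that only borrows the real ID format, and the function names are assumptions of mine.

```python
import re
from collections import defaultdict

# ATT&CK IDs: technique "T1059", sub-technique "T1059.001" (the framework's own format)
TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(tid):
    """Split an ID into (parent technique, sub-technique suffix or None)."""
    match = TECHNIQUE_ID.match(tid.strip())
    if not match:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return match.group(1), match.group(2)


def rollup_coverage(catalog, detections):
    """Roll detection claims up to parent techniques.

    catalog:    {parent_id: [sub_technique_id, ...]} listing the sub-techniques that exist
    detections: iterable of IDs that detection content claims to cover
    returns:    {parent_id: (sorted covered sub-technique IDs, total sub-techniques)}
    A claim on a bare parent ID is coarse-grained and is treated as covering every
    sub-technique; a claim on a sub-technique counts for that one only.
    """
    covered = defaultdict(set)
    for tid in detections:
        parent, sub = parse_technique_id(tid)
        if parent not in catalog:
            raise KeyError(f"{parent} is not in the catalog")
        if sub is None:
            covered[parent].update(catalog[parent])
        else:
            full_id = f"{parent}.{sub}"
            if full_id not in catalog[parent]:
                raise KeyError(f"{full_id} is not a sub-technique of {parent}")
            covered[parent].add(full_id)
    return {p: (sorted(covered[p]), len(subs)) for p, subs in catalog.items()}


# Constructed sample catalog: real ID format, but the entries are illustrative only
SAMPLE_CATALOG = {
    "T1059": ["T1059.001", "T1059.003", "T1059.004"],
    "T1003": ["T1003.001", "T1003.002"],
}

if __name__ == "__main__":
    claims = ["T1059.001", "T1003"]  # one fine-grained claim, one coarse claim
    for parent, (subs, total) in rollup_coverage(SAMPLE_CATALOG, claims).items():
        print(f"{parent}: {len(subs)}/{total} sub-techniques covered -> {subs}")
```

Run against a real catalog, the same roll-up shows where a parent technique is only partially addressed, which is exactly the information a flat technique list could not express.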
4. MITRE ATT&CK Evaluations launch
Recognizing that every organization has different needs when it comes to cybersecurity, MITRE ATT&CK launched its evaluations program. This detailed “report card” provides visibility into the vendor landscape so that enterprises of all sizes can make better-informed purchasing decisions. The evaluations are having a significant effect on the security landscape. Not only do they help customer businesses make better purchases, but they also provide vendors with useful intelligence around how to improve their products, thereby helping to lift the efficacy of endpoint detection and response systems.
5. The Center for Threat-Informed Defense is formed
The Center for Threat-Informed Defense (CTID) was established to help organizations operationalize the ATT&CK framework. Operated by MITRE Engenuity, this privately funded R&D organization brings security teams together to advance threat-informed defense. The center runs research projects to solve problems raised by member organizations, such as AttackIQ, openly publishing its results to meet its public interest mandate.
6. The framework keeps developing
Although MITRE ATT&CK is now seven years old, it’s still improving as new needs emerge and MITRE identifies new opportunities. Currently, Baker and his team are working on a document that will list top attack techniques, with the aim of helping organizations start out on the threat-informed defense journey. Acknowledging that such a list will never be 100% accurate for every organization, Baker believes it will nevertheless be a helpful entry point into threat-informed defense, and one that can be built upon.
7. Community outreach gathers pace
Finally, as MITRE ATT&CK gathers pace, so too does its engagement with the wider security community. MITRE ATT&CK’s working group is currently carrying out extensive community engagement, particularly when it comes to garnering feedback and intelligence from Mac and Linux users. MITRE is listening to all the feedback it receives and is working hard to act as a good steward of the framework.
For seven years, MITRE ATT&CK has been helping blue and red teams better protect their organizations. What’s clear from this year’s AttackIQ Purple Hats Conference is that the framework is going from strength to strength and will only become more valuable to practitioners.