A
You're listening to the CyberWire network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Thales. They know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at.
B
The word is MITRE ATT&CK. Spelled MITRE, as in an American quasi-governmental nonprofit that manages several U.S. government federally funded research and development centers, or FFRDCs, and for ATT&CK, A for adversaries, T for tactics, T for techniques, the ampersand, C for common and K for knowledge. Definition: A knowledge base of adversary tactics, techniques and procedures established and maintained by the MITRE Corporation. Example sentence: The security operations team used the MITRE ATT&CK framework to determine the attack sequence for the adversary group Fancy Bear. Origin and context: Some say that the MITRE ATT&CK framework is just another threat model, in the same vein as the Lockheed Martin intrusion kill chain model or the Department of Defense's diamond model. The framework does extend the original Lockheed Martin model and corrects for some of the limitations. It eliminates the recon phase and clarifies and extends the actions-on-the-objective stage. But the framework's significant innovation is an extension of the list of things intelligence analysts collect on adversary group attack sequences, in other words, their adversary playbooks. Before the framework, cyber intelligence teams would collect indicators of compromise without any relation to known adversary behavior, like IP addresses to known bad-guy locations, strange DNS requests, and network traffic on unusual ports. These are not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat, and did. By the time infosec teams deployed countermeasures, the bad guys had already changed their behavior. MITRE's extension to the kill chain model includes the grouping of tactics, the techniques used (the how), and the specific implementation the adversary groups use to deploy the tactic. That intelligence is not ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures.
Where the Lockheed Martin kill chain model is conceptual, the MITRE ATT&CK framework is operational, and the diamond model is specifically designed for intelligence analysts as a way to think about both. But the real power of the MITRE ATT&CK framework is an intelligence product that I call the ATT&CK Framework Wiki. It's a globally accessible knowledge base of known adversary behavior. It's derived from the real-world observations of both MITRE intelligence analysts and the cybersecurity intelligence community at large. In other words, it's the most complete, free, open-source, standardized database of adversary offensive playbook intelligence. Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups, nation-state groups, traverse their version of the intrusion kill chain. Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn't be shared with anybody else without a lot of manual conversion grunt work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. MITRE fixed that by releasing the first version of the framework in 2013 and has made significant improvements to the model almost every two years since. The bottom line is that the MITRE ATT&CK framework has become the industry's de facto standard for representing adversary playbook intelligence. Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare IT and security professionals for CompTIA A+, CompTIA Network+, and CompTIA Security+ certifications. In this clip, he describes the MITRE ATT&CK framework.
C
One place to begin gathering this type of information is through the MITRE ATT&CK framework. This comes from the MITRE Corporation. They are based in the northeast United States and they primarily support U.S. governmental agencies. Their entire framework is available for you to view online. You can go to attack.mitre.org and view the entire framework from that website. Using this framework, you can identify broad categories of attacks. You can find exact intrusions that could be occurring, understand how those intrusions are occurring and how attackers move around after the attack, and then identify security techniques that can help you block any future attacks.
B
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Date: September 9, 2025
Podcast: Hacking Humans, N2K Networks
This episode of Hacking Humans focuses on the MITRE ATT&CK framework, a widely respected knowledge base central to understanding and defending against cyber adversaries. The episode details the origin, purpose, and impact of the framework on cybersecurity operations, threat intelligence sharing, and the evolution from older models. It concludes with a practical perspective on using ATT&CK, including a teaching moment from Professor Messer.
This episode explains how MITRE ATT&CK extends earlier threat models such as the Lockheed Martin kill chain by combining operational rigor with a standardized vocabulary for documenting adversary tactics, techniques and procedures. Highlighting the move from fleeting indicators of compromise (IP addresses, domains, ports) to more durable behavioral intelligence, the episode establishes why ATT&CK has become a bedrock of both cyber defense and threat intelligence sharing. Thanks to open access and continual development, ATT&CK serves as the industry's collaborative foundation for understanding and countering adversary playbooks. Professor Messer's endorsement underscores its value as both a practical and an educational resource.