MITRE’s inaugural ATT&CKcon wrapped up this week at the nonprofit research group’s headquarters in Tysons, Virginia, and, by nearly all accounts, it was a major success. With one keynote and a single track, the event bucked the industry trend toward overwhelming and all-encompassing mega-cons, setting its focus instead on a singular topic—the ATT&CK™ framework—and emphasizing quality and depth over quantity and variety. From John Lambert of Microsoft’s emphasis on the importance of community knowledge to Neelsen Cyrus and David Thompson of USAA’s reliance on open-source tooling, the clearest theme throughout the conference was that community may be the best weapon we have as an industry to combat an array of threats that seem to be ever increasing in magnitude and occurrence.
“A lot of this world was a very secretive world,” Lambert explained in his opening keynote address. “And then defenders realized that they face common threats. They face common adversaries, and they were willing to put their people forward and talk and build networks of trust and learn to communicate with each other about very sensitive incidents because the reality is that this security community is one that is built on trust in people.”
Learning, Lambert ultimately concluded, was what these companies really wanted to do. “They were optimizing to learn; not optimizing to keep things secret.”
Throughout his talk, Lambert focused on four ideas that we can advance to accelerate learning and improve information security:
- Promoting community
- Organized knowledge
- Executable know-how
- Repeatable analysis
On a practical level, we can promote community by attending conferences, by sharing expertise on blogs and Twitter, by creating shared tools, and by mentoring one another. Organized knowledge, he said, was perhaps best exemplified by the ATT&CK framework and by tools like ATT&CK Navigator, which maps the techniques of prominent threat groups to the ATT&CK matrix. Executable know-how is essentially about taking that organized knowledge and finding ways to make it actionable and run tests that are actually tactical and useful. Sigma, for example, offers a generalized, tool-agnostic way of matching techniques against event data to uncover evidence of attacks. Red Canary’s Atomic Red Team is another good example that lets you create synthetic test-cases to determine whether or not your detections are actually working. Finally, repeatable analysis, which he described as the “GitHubification of Infosec,” lets us start from existing expertise, learn and iterate from it, and conduct derivative works to improve or advance foundational research.
MITRE ATT&CK lead Blake Strom carried the community torch a bit further. He explained that, at its core, ATT&CK is a repository of collective red and blue team knowledge about TTPs and adversarial behaviors drawn from decades of experience responding to incidents. Cyrus and Thompson of USAA claimed that industry innovations and open-source tooling—Sigma and Atomic Red Team, in particular—have played a critical and major role in shaping the way they detect attacks on their network and, more generally, defend USAA against attacks. Scott Lundgren of Carbon Black challenged the audience to build a framework for reference detections in the coming years, one that we can all use to ensure that we’re properly configuring our testing systems—to make sure that the tests we’re running are actually working. To close out Day 1, our own CEO, Brian Beyer, explained that Atomic Red Team has a test behind 40 or 50 percent of the ATT&CK techniques, with the potential to cover maybe 75 percent of the attacks.
“Atomic Red Team and MITRE and everything you guys have done only works because of the community,” Beyer said. “The thing I’d love you to do is come and contribute additional tests to Atomic Red Team, and tell other red teams and blue teams that they can use it too to keep moving security forward.”
Practical Applications of ATT&CK
Of course, ATT&CK isn’t just a theoretical community dumping ground for the things we know: it is, as MITRE’s Richard Struse would later point out, practical. If community and sharing was a common thread throughout the event, so too was security practitioners sharing practical advice about how they’ve employed the ATT&CK framework to improve security within their organization. Emma MacMullen, a cyber threat intelligence analyst at General Electric, noted that, after aligning a large swathe of their alerting to the ATT&CK framework, they found that their ATT&CK alerts had a 124 percent higher true-positive rate than their non-ATT&CK alerts. Matthew Stiak of Delta Dental and Jason Sinchak of Level Nine Group described how the adoption of ATT&CK helped codify their defense, empowering them to generate understandable metrics that have served as a bridge to educate the people in their organizations who are less well-versed in security. Travis Smith of Tripwire said that his team has used ATT&CK to comprehend a vast amount of knowledge and apply it to the systems they are trying to protect. And Kyle Rainey, a lead detection engineer here at Red Canary, warned the audience of potential problems security teams can experience if they aren’t careful about the ways they use the ATT&CK framework, a talk we’ll be exploring in greater detail on this blog next week. Subscribe to receive the article.
In his closing remarks, MITRE’s Struse floated the possibility that the work being done by the speakers at the conference, as well as the hundreds of attendees and thousands of live-streamers, could eventually have a measurable and significant impact on the state of cybersecurity. Figuring out how to build and foster the community around ATT&CK, he suggested, is what’s next for the framework.
“There are some very practical things that we can do as a community,” suggested Struse. “We can continue to improve and expand and evolve the ATT&CK knowledge-base—because, ultimately, that is what it is: it’s a curated body of knowledge that comes increasingly from all four corners of the world. We can promote the sharing of actual real data about what adversaries are doing based on ATT&CK. If we can start to collect that data in an efficient and structured way and share it out to the community, [then] we can actually start to make decisions and prioritizations based on what adversaries are actually doing and watch what adversaries change over time. That would be an amazing thing to have access to as a community.”
MITRE took a major risk when it released the ATT&CK framework, and its decision to do so was seen as a controversy by some. After all, the non-profit corporation largely operates in the federal spaces that require secrecy and classification. And, of course, its decision to release ATT&CK was criticized by many who believed that the framework would offer adversaries a means for circumventing the very protections it was designed to inform.
In the end, it seems that its proponents have spoken louder than its detractors. And like the conference that was named for it, ATT&CK has been a wild success. At the risk of speaking on behalf of a vast and diverse assortment of people, my experience with ATT&CK—both before, during, and after ATTACKcon—is that it’s highly regarded among those who spend their days defending against the very adversaries that the critics of ATT&CK were concerned might benefit from its release. It will be fascinating to watch as the ATT&CK framework matures and grows to incorporate information about new techniques and systems, as people map real-world attacks to it, and as the community finds innovative ways of deploying the framework to protect information systems.