MITRE ATT&CKcon 3.0, the conference dedicated to the ATT&CK community, returned to MITRE headquarters in Virginia last month. As a refresher, MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations.
In this article, I’m excited to share insights that I gathered from both speakers and conversations with global defenders at ATT&CKcon 3.0. These insights are about community involvement, tailoring cybersecurity data to the right audience, linking disparate events together to accelerate identification, and capitalizing on the untapped opportunity to educate small-to-medium-sized businesses (SMBs).
1. Community Involvement with MITRE ATT&CK Remains Strong
The goal of the ATT&CK community is to discuss, exchange, and improve the use of adversarial tactics, techniques, and procedures (TTPs) in real-world scenarios. Last year’s 155 global submissions and contributions to ATT&CK set a new high, demonstrating the community’s dedication to cybersecurity threat sharing and analysis. As a result, MITRE improved the ATT&CK framework by including coverage for cloud computing and industrial control systems (ICS).
This vendor-neutral collaboration continues to evolve in the ever-changing threat landscape. Enterprises and government entities continue to learn about ATT&CK and are in various stages of adoption and day-to-day utilization.
2. Lead with the Data and User Stories
Speakers at ATT&CKcon 3.0 focused on lessons learned about communicating data. Technical content and messaging must be tailored to each audience: risk and outcomes for executives, operational details for technical professionals. Many presenters followed their own advice and summarized the bottom line up front (BLUF). Avoid the HiPPO effect, in which the Highest Paid Person’s Opinion (HiPPO) influences cybersecurity decisions more than data and facts. Finally, research has shown that when storytelling and emotion are used in communication, people are more likely to relate to and remember it, so incorporate use cases and examples whenever possible.
3. Optimize Analyst Efficiency with a Threat-Informed Defense
When dealing with today’s growing volume of cybersecurity alerts, many security analysts and threat hunters experience alert fatigue. Without context and threat enrichment, it is difficult to separate genuine adversary actions and their outcomes from benign noise. Speakers at the ATT&CK conference discussed threat-informed defense and risk-based alerting as ways to better prioritize and correlate insights. Using ATT&CK tactics and techniques, you can connect the dots between seemingly unrelated or innocuous security events in your environment, allowing for faster incident response. In a world of limited resources, risk prioritization and threat automation help Security Operations Center (SOC) analysts be more efficient and effective.
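The following is an added example, not code from the article or from any presenter, showing one way risk-based alerting can connect events that look innocuous on their own. Each detection is tagged with a real ATT&CK technique ID, but the per-technique risk weights, the tactic labels, the thresholds, and the sample events are all constructed for illustration. Events are grouped by host, each technique is counted once so noisy repeat detections do not inflate the score, and an alert is raised only when the aggregate risk crosses a threshold or the events span several tactics, which is the kind of kill-chain progression a single alert would never reveal.

```python
"""Risk-based alerting over ATT&CK-tagged detections (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass

# Technique IDs are real ATT&CK IDs; the tactic labels and risk weights are
# constructed for this example and are not taken from ATT&CK itself.
TECHNIQUE_RISK = {
    "T1566": ("initial-access", 20),       # Phishing
    "T1059": ("execution", 15),            # Command and Scripting Interpreter
    "T1003": ("credential-access", 40),    # OS Credential Dumping
    "T1021": ("lateral-movement", 30),     # Remote Services
    "T1071": ("command-and-control", 25),  # Application Layer Protocol
}


@dataclass
class Event:
    """One enriched detection: where it happened, who, and which technique it maps to."""
    host: str
    user: str
    technique: str
    detail: str


def score_host(events):
    """Return (total_risk, tactics) for one host's events.

    Each technique is counted once, so repeated noisy detections of the same
    behaviour do not inflate the risk score. Unknown technique IDs are ignored.
    """
    seen = set()
    total = 0
    tactics = set()
    for ev in events:
        if ev.technique in seen or ev.technique not in TECHNIQUE_RISK:
            continue
        seen.add(ev.technique)
        tactic, weight = TECHNIQUE_RISK[ev.technique]
        total += weight
        tactics.add(tactic)
    return total, tactics


def risk_based_alerts(events, risk_threshold=60, min_tactics=3):
    """Group events by host and alert only when aggregate risk or tactic spread is high.

    Thresholds are hypothetical; a real deployment tunes them against its own
    baseline. Returns a dict of host -> alert summary.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    alerts = {}
    for host, evs in by_host.items():
        total, tactics = score_host(evs)
        if total >= risk_threshold or len(tactics) >= min_tactics:
            alerts[host] = {
                "risk": total,
                "tactics": sorted(tactics),
                "techniques": sorted({e.technique for e in evs}),
            }
    return alerts


# Constructed sample events, not real telemetry. ws-101 shows a phish -> script
# execution -> beaconing chain; ws-205 is a benign, repetitive admin script.
SAMPLE_EVENTS = [
    Event("ws-101", "alice", "T1566", "macro-enabled attachment opened"),
    Event("ws-101", "alice", "T1059", "powershell.exe spawned by winword.exe"),
    Event("ws-101", "alice", "T1071", "beacon-like HTTPS polling to unknown domain"),
    Event("ws-101", "alice", "T1059", "second encoded powershell invocation"),
    Event("ws-205", "bob", "T1059", "admin runs scripted inventory job"),
    Event("ws-205", "bob", "T1059", "same job, next hour"),
]

if __name__ == "__main__":
    for host, summary in risk_based_alerts(SAMPLE_EVENTS).items():
        print(host, summary)
```

Run as written, only ws-101 produces an alert: three individually low-weight detections add up to the risk threshold and cover three tactics, while the repeated script executions on ws-205 stay below both limits. The same grouping logic can key on user or session instead of host when lateral movement is the concern.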
4. Cybersecurity is Human-centric Security
Over three million unfilled cybersecurity job openings necessitate even smarter cyber threat detection and incident prioritization to enhance the efficiency and effectiveness of limited resources. There is no silver bullet in cybersecurity; it takes a balance of people, process, and technology. Devices alone are insufficient to create actionable threat intelligence. It requires hands-on expertise from humans in the form of SOC analysts, threat intelligence analysts, and threat hunters.
Because cybersecurity teams are stretched thin, automating routine tasks and prioritizing where human experts such as SOC analysts spend their time on stealthier and more dangerous threats is even more important. The ATT&CK TTPs allow smaller teams with limited resources and expertise to better understand and defend themselves. On a different note, it was encouraging to meet the all-female Temple University team of cyber analysts who presented at ATT&CKcon on how students map social engineering techniques to the ATT&CK matrix. It was the first face-to-face conference and training for many of us, including myself, in more than 20 months. Because in-person attendance was expected to be limited, the ATT&CK team intends to make all of the conference’s video presentations available online.
5. Continue to Educate SMBs
Larger companies and vendors were among the first to adopt ATT&CK and incorporate it into their technology stacks and product portfolios. It was inspiring to see ATT&CK users and presenters sharing their knowledge and working together to build a stronger global defense. With over 80% of businesses classified as SMBs, it’s critical that they are educated and involved in the adoption of standard terminology and TTPs. CYB3R-X’s mission as a master Managed Security Service Provider (MSSP) is to provide IT service providers and end customers with the most up-to-date tools for defending against advanced persistent threats.
Final Thoughts for Optimizing Cybersecurity
Whether you are just starting your cybersecurity career or looking to enhance your capabilities and efficiencies, the ATT&CK framework improves outcomes and fosters information sharing. It also simplifies Cybersecurity Threat Intelligence (CTI) for global defenders, collecting and analyzing current and future attacks to enhance decision making. We have led the way with ATT&CK’s integration in CYB3R-X’s Managed Threat Protection solution to help organizations of all sizes better prepare for today’s advanced cyber criminals.