MITRE ATT&CKcon 3.0, the conference dedicated to the ATT&CK community, returned at MITRE headquarters in Virginia last month. As a refresher, MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations.
In this article, I’m excited to share insights that I gathered from both speakers and conversations with global defenders at ATT&CKcon 3.0. These insights are about community involvement, tailoring cybersecurity data to the right audience, linking disparate events together to accelerate identification, and capitalizing on the untapped opportunity to educate small-to-medium-sized businesses (SMBs).
1. Community Involvement with MITRE ATT&CK Remains Strong
The ATT&CK community has formed to discuss, exchange, and improve the use of adversarial tactics, techniques, and procedures (TTPs) in practical use cases. The record-high 155 global submissions and contributions made to ATT&CK last year exemplify how the community is committed to cybersecurity threat sharing and analysis. In turn, MITRE enhanced the ATT&CK framework by adding coverage for areas such as cloud and Industrial Control Systems (ICS).
This vendor-neutral collaboration continues to evolve in the ever-changing threat landscape. Enterprises and government entities continue to learn about ATT&CK and are in various stages of adoption and day-to-day utilization.
2. Lead with the Data and User Stories
ATT&CKcon 3.0 speakers highlighted lessons learned in communicating with data. It’s crucial to tailor technical content and messaging to each audience, such as conveying risk and outcomes to executives and more operational details to technical professionals. Many presenters took their own advice and put the bottom-line up front (BLUF) in a concise summary. Avoid the HiPPO effect where a High Paid Person’s Opinion (HiPPO) weighs more than data and facts in driving cybersecurity decisions. Finally, research has shown that human beings relate to and recall more when storytelling and emotion are used in communication, so work to weave in use cases and examples where feasible.
3. Optimize Analyst Efficiency with a Threat-Informed Defense
Many red team analysts and threat hunters experience alert fatigue in dealing with today’s expanding volume of cybersecurity alerts. Limited context and threat enrichment make it challenging to distill actual adversary actions and outcomes. Presenters at the ATT&CK conference spoke about threat-informed defense and risk-based alerting to better prioritize and correlate insights. Connecting the dots on seemingly unrelated or innocuous security events in your environment, especially using ATT&CK tactics and techniques, enables faster incident response. Risk prioritization and threat automation also improve Security Operations Center (SOC) analyst efficiency and effectiveness in a world of limited resources.
4. Cybersecurity is Human-centric Security
Over three million unfilled cybersecurity job openings necessitate even smarter cyber threat detection and incident prioritization to enhance the efficiency and effectiveness of limited resources. There is no silver bullet in cybersecurity; it takes a balance of people, process, and technology. Devices alone are insufficient to create actionable threat intelligence. It requires hands-on expertise from humans in the form of SOC analysts, threat intelligence analysts, and threat hunters.
Cybersecurity teams are spread thin, so it’s even more crucial to automate routine tasks and prioritize how human experts, like SOC analysts, can address more stealthy and dangerous threats. The TTPs of ATT&CK enable smaller teams with finite staff and expertise to understand adversaries and better defend themselves. On a different note, it was encouraging to meet the all-female team of cyber analysts from Temple University who presented at ATT&CK regarding how students map social engineering techniques to the ATT&CK matrix. For many of us, myself included, it was the first face-to-face conference and training attended in more than 20 months. With in-person attendance limited, the ATT&CK team plans to post all the conference’s video presentations online.
5. Continue to Educate SMBs
Larger organizations and vendors were first to embrace ATT&CK and integrate it into their tech stack and product portfolios. It was exciting to see ATT&CK users and presenters sharing insights and collaborating for a more robust global defense. But with over 80 percent of organizations deemed SMBs, it’s crucial that they be educated and involved in adopting the standard terminology and TTPs. As a master Managed Security Service Provider (MSSP), Netsurion is focused on arming IT service providers and end customers with up-to-date means to defend against advanced persistent threats.
Final Thoughts for Optimizing Cybersecurity
Whether you are just starting your cybersecurity career or looking to enhance your capabilities and efficiencies, the ATT&CK framework improves outcomes and fosters information sharing. It also simplifies Cybersecurity Threat Intelligence (CTI) for global defenders, collecting and analyzing current and future attacks to enhance decision making. We have led the way with ATT&CK’s integration in Netsurion’s Managed Threat Protection solution to help organizations of all sizes better prepare for today’s advanced cyber criminals.
Join us as we explore how evolving threats bypass legacy defenses.
Date: December 5th, 2024
Time: 11:30AM MST