MITRE ATT&CK Defender™ (MAD) ATT&CK® Fundamentals Badge Training

Cybrary course on MITRE ATT&CK Defender Fundamentals by Jamie Williams, approximately 1 hour long

By the end of this course, students should be able to:

  • Understand the structure and philosophy that continually shapes ATT&CK®

  • Identify the available ATT&CK® resources and operational use cases

  • Recognize how ATT&CK® empowers defenders through understanding threats

Module 1: Understanding ATT&CK

  • The MITRE ATT&CK matrix captures the relationships between tactics (column headers), techniques (the entries in each column) and sub-techniques (nested under their technique)

  • The Enterprise matrix has 14 tactics; separate Mobile and ICS matrices cover those domains

  • A tactic is the why: the adversary's reason for performing an action, i.e. their intermediate objective

  • Each tactic has a unique ID (TA####) and groups the more specific techniques used to achieve it

  • A technique is the how: the means by which an adversary achieves a tactical goal

  • A sub-technique is a more specific description of the behavior used to achieve a goal; each has exactly one parent technique

  • Technique IDs take the form T#### (e.g. T1059), sub-technique IDs T####.### (e.g. T1059.001)

  • Other technique metadata connecting it to the rest of the ATT&CK model: mitigations, data sources, detection and procedure examples

  • Mitigation: a configuration, tool or process that prevents a technique from working

  • Mitigations (IDs M####) are mapped to specific techniques and shown both on the technique pages and on their own mitigation pages

  • Data source (IDs DS####): the source of information collected by a sensor or logging system

  • Data sources tell the defender what to collect in order to see adversary actions

  • Detection covers the high-level analytic process: sensors, data and detection strategies

  • Detection describes how to interpret the collected data to identify a technique in use

  • Data sources and detection guidance are specific to each technique

  • A procedure is the specific implementation an adversary uses for a technique or sub-technique

  • Groups (IDs G####) are clusters of related intrusion activity tracked under a common name

  • Software (IDs S####) is the tooling and malware used by adversaries during intrusions

  • Techniques are linked to groups and software through procedure examples: the specific ways a technique has been observed being performed

  • Over 500 techniques and sub-techniques across 14 tactics as of 2021; the knowledge base is constantly evolving
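
As an added example (not part of the course and not MITRE's own code or data), a small Python model of the relationships above: format checks for the T####/T####.### and related ID conventions, a hand-entered excerpt of four Enterprise techniques with their mitigations and data sources, and procedure-example links for one group and one software entry. The IDs are real ATT&CK identifiers, but the specific mitigation and data-source mappings are illustrative and should be checked against attack.mitre.org before use.

```python
"""Minimal model of the ATT&CK object relationships described in Module 1.

Hypothetical example code written for these notes, not MITRE's code or data.
The knowledge-base excerpt below is hand-entered and illustrative; verify any
specific mapping against attack.mitre.org before relying on it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ID formats used across the knowledge base. Techniques are T#### and
# sub-techniques T####.###; the other object types get their own prefixes.
ID_PATTERNS = {
    "technique": re.compile(r"^T\d{4}$"),
    "sub-technique": re.compile(r"^T\d{4}\.\d{3}$"),
    "tactic": re.compile(r"^TA\d{4}$"),
    "mitigation": re.compile(r"^M\d{4}$"),
    "data-source": re.compile(r"^DS\d{4}$"),
    "group": re.compile(r"^G\d{4}$"),
    "software": re.compile(r"^S\d{4}$"),
}


def classify_id(attack_id: str) -> str | None:
    """Return the object type an ID denotes, or None if it is not an ATT&CK ID."""
    for kind, pattern in ID_PATTERNS.items():
        if pattern.match(attack_id):
            return kind
    return None


def parent_technique(attack_id: str) -> str:
    """Sub-techniques have exactly one parent: T1059.001 -> T1059.
    A technique is returned unchanged; anything else is rejected."""
    kind = classify_id(attack_id)
    if kind == "sub-technique":
        return attack_id.split(".", 1)[0]
    if kind == "technique":
        return attack_id
    raise ValueError(f"{attack_id!r} is not a technique or sub-technique ID")


@dataclass
class Technique:
    id: str
    name: str
    tactics: list          # TA#### IDs; a technique can appear under several tactics
    mitigations: list = field(default_factory=list)   # M#### IDs
    data_sources: list = field(default_factory=list)  # DS#### IDs


# Illustrative excerpt of the Enterprise matrix (IDs are real, mappings are
# hand-entered and may lag the live knowledge base).
TECHNIQUES = {t.id: t for t in [
    Technique("T1566", "Phishing", ["TA0001"],
              ["M1049", "M1017"], ["DS0015", "DS0029"]),
    Technique("T1566.001", "Spearphishing Attachment", ["TA0001"],
              ["M1049", "M1017", "M1021"], ["DS0015", "DS0022", "DS0029"]),
    Technique("T1059", "Command and Scripting Interpreter", ["TA0002"],
              ["M1038", "M1049"], ["DS0017", "DS0009", "DS0012"]),
    Technique("T1059.001", "PowerShell", ["TA0002"],
              ["M1038", "M1045", "M1042"], ["DS0017", "DS0009", "DS0012"]),
]}

# Procedure examples: the techniques a group or software entry has been
# observed using. This is the edge that ties adversaries to behaviors.
PROCEDURES = {
    "G0016": ["T1566.001", "T1059.001"],   # APT29 (illustrative subset)
    "S0154": ["T1059.001"],                # Cobalt Strike (illustrative subset)
}


def techniques_for_tactic(tactic_id: str) -> list[str]:
    """Walk tactic -> techniques, the column you would read in the matrix."""
    return sorted(t.id for t in TECHNIQUES.values() if tactic_id in t.tactics)


def required_data_sources(actor_id: str) -> set[str]:
    """What a defender must collect to have any chance of seeing this actor:
    the union of data sources over every technique in its procedure examples."""
    return {ds for tid in PROCEDURES[actor_id] for ds in TECHNIQUES[tid].data_sources}


def applicable_mitigations(actor_id: str) -> set[str]:
    """Mitigations that address at least one technique this actor has used."""
    return {m for tid in PROCEDURES[actor_id] for m in TECHNIQUES[tid].mitigations}


def parent_coverage_gap(actor_id: str) -> set[str]:
    """Parent techniques the actor reaches only via sub-techniques. Useful when
    a detection or mitigation is documented at the parent level only."""
    used = set(PROCEDURES[actor_id])
    return {parent_technique(t) for t in used} - used
```

The two query functions are the operational payoff of the model: given a group you care about, `required_data_sources` answers "what must I be logging", and `applicable_mitigations` answers "which controls would actually matter". Both are only as good as the procedure examples behind them, which is why the course stresses that ATT&CK is grounded in cited, public reporting.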

Module 2: Benefits of using ATT&CK

  • Grounded in publicly available intelligence: every entry is referenced to its sources

  • Diverse perspective, as content is contributed by the community

  • A common language for sharing ideas about adversary behavior, connecting the adversary's perspective to defensive countermeasures

  • An operational-level language usable by defenders, red teams, intelligence analysts and executives alike

  • ATT&CK can serve as a quantitative scorecard for informed decision making, e.g. which techniques matter most, which techniques current defenses cover, and where to improve

  • ATT&CK Navigator provides basic navigation and annotation of the ATT&CK matrices, visualizes defensive coverage, and saves and shares customized views as layers

Module 3: Operationalizing ATT&CK

  • Perform threat-informed defense: the systematic application of a deep understanding of adversary tradecraft and technology to prevent, detect and/or respond to cyber attacks

  • CTI is critical to threat-informed defense; ATT&CK lets that intelligence be captured and shared in terms of the matrix

  • CTI prioritizes which detection analytics to build and which tactics and techniques are most critical to defend

  • Behavior-based analytics sit at the top of the Pyramid of Pain (TTPs): detecting behavior forces the adversary to change tradecraft, which costs far more than rotating hashes, IPs or domains

  • Build detection analytics using ATT&CK knowledge: it provides defensive suggestions for detections, highlights variance in how adversaries have executed the target behavior, and explains the technical details of that behavior

  • Intelligence-driven emulation operationalizes intelligence by scoping and prioritizing the threats and behaviors to test

  • Threat-informed assessments show quantitatively how defenses fare against specific threats

  • Threat emulation has to contend with an effectively unlimited number of procedures, i.e. variations of how an ATT&CK technique can be executed

  • Use ATT&CK to measure and track progress as coverage is assessed, gaps prioritized and defenses tuned

  • Determine critical risks to address and risks to tolerate

  • Measurements identify where and how to make improvements

  • ATT&CK is a quantifiable way to understand, track, communicate and address what threats are doing

  • Use this knowledge to gain strategic and operational advantage
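
As an added example (not part of the course, and not MITRE's code), the scorecard idea from Modules 2 and 3 in Python: constructed CTI (which tracked groups use which techniques) is combined with constructed detection-coverage scores to rank gaps by how many threats they expose, compute a threat-weighted coverage percentage, and emit an ATT&CK Navigator layer so the result can be visualized and shared. The group and technique IDs are real ATT&CK identifiers, but the mappings and scores are made up for illustration, and the Navigator version strings are assumptions to be matched to the Navigator instance you load the layer into.

```python
"""Threat-informed coverage scorecard and ATT&CK Navigator layer.

Hypothetical example code written for these notes, not MITRE's code. All
inputs below are constructed: the group-to-technique map stands in for CTI
and the coverage scores stand in for a detection-engineering inventory.
"""
import json

# Constructed CTI: which techniques each tracked group is reported to use.
CTI = {
    "G0016": {"T1566.001", "T1059.001", "T1078"},
    "G0007": {"T1566.001", "T1059.001", "T1003.001"},
    "G0032": {"T1566.001", "T1059.003", "T1078"},
}

# Constructed detection coverage per technique, 0 (blind) to MAX_SCORE
# (high-confidence analytic in production). Missing techniques score 0.
COVERAGE = {"T1566.001": 3, "T1059.001": 1, "T1003.001": 2, "T1059.003": 0}
MAX_SCORE = 3


def technique_demand(cti):
    """How many tracked groups use each technique: the threat side of the scorecard."""
    demand = {}
    for techniques in cti.values():
        for tid in techniques:
            demand[tid] = demand.get(tid, 0) + 1
    return demand


def prioritized_gaps(cti, coverage, max_score=MAX_SCORE):
    """Rank techniques by (groups using it) x (remaining coverage gap), highest
    first, so a fully covered technique used by everyone ranks below a blind
    spot used by two groups. Returns (technique, groups, coverage, priority)."""
    rows = []
    for tid, groups in technique_demand(cti).items():
        cov = coverage.get(tid, 0)
        rows.append((tid, groups, cov, groups * (max_score - cov)))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def threat_weighted_coverage(cti, coverage, max_score=MAX_SCORE):
    """Coverage percentage weighted by how often threats use each technique.
    A plain percentage of techniques covered would hide that the uncovered
    ones are exactly the ones adversaries use most."""
    demand = technique_demand(cti)
    earned = sum(n * coverage.get(tid, 0) for tid, n in demand.items())
    possible = sum(n * max_score for n in demand.values())
    return round(100 * earned / possible, 1)


def navigator_layer(name, cti, coverage, max_score=MAX_SCORE):
    """Build an ATT&CK Navigator layer so the scorecard can be visualized and
    shared. Field names follow the Navigator layer file format; the version
    strings are assumptions and should match the Navigator you load it into."""
    techniques = []
    for tid, groups, cov, priority in prioritized_gaps(cti, coverage, max_score):
        techniques.append({
            "techniqueID": tid,
            "score": cov,
            "comment": f"used by {groups} tracked group(s); gap priority {priority}",
            "enabled": True,
            "showSubtechniques": True,
        })
    pct = threat_weighted_coverage(cti, coverage, max_score)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Detection coverage vs tracked threats ({pct}% threat-weighted)",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ff6666ff", "#ffe766ff", "#8ec843ff"],
            "minValue": 0,
            "maxValue": max_score,
        },
    }


if __name__ == "__main__":
    for tid, groups, cov, priority in prioritized_gaps(CTI, COVERAGE):
        print(f"{tid:<10} groups={groups} coverage={cov} priority={priority}")
    print(f"threat-weighted coverage: {threat_weighted_coverage(CTI, COVERAGE)}%")
    print(json.dumps(navigator_layer("coverage-vs-threats", CTI, COVERAGE), indent=2))
```

With the constructed inputs, T1078 ranks first even though T1566.001 is used by more groups: the phishing technique is already fully covered, while the valid-accounts technique is a blind spot shared by two tracked adversaries. Writing the layer file to disk and opening it in Navigator gives the heat map the course describes; re-running it after each detection is shipped is the "measure and track progress" loop from Module 3.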
