# MITRE ATT\&CK Defender™ (MAD) ATT\&CK® Fundamentals Badge Training

Cybrary course on [MITRE ATT\&CK Defender Fundamentals](https://www.cybrary.it/course/mitre-attack-defender-mad-attack-fundamentals/) by Jamie Williams, approx. 1 hr long

By the end of this course, students should be able to:

* Understand the structure and philosophy that continually shapes ATT\&CK®
* Identify the available ATT\&CK® resources and operational use cases
* Recognize how ATT\&CK® empowers defenders through understanding threats

**Module 1: Understanding ATT\&CK**

* The MITRE ATT\&CK matrix captures the relationship between tactics (column headers), techniques (the entries in each column) and sub-techniques
* 14 Enterprise tactics; separate Mobile and ICS domains also exist
* An ATT\&CK tactic is *why* an adversary performs an action: the adversary's intermediate objective
* Each tactic is assigned a unique ID and leads to more specific techniques
* A technique is *how* an adversary performs each action: the means by which adversaries achieve tactical goals
* A sub-technique is a more specific description of adversary behavior used to achieve a goal, with a single parent technique
* Technique IDs are represented as T###, sub-technique IDs as T###.###
* Other technique metadata connecting to the rest of the ATT\&CK model includes mitigations, data sources, prevention and procedure examples
* Mitigation: a configuration, tool, or process that prevents a technique from working
* Mitigations are mapped to specific techniques and displayed both on the technique pages and on their own mitigation pages
* A data source is a source of information collected by a sensor or logging system
* Data sources are used to collect the information relevant to identifying adversary actions
* Detection is the high-level analytic process: sensors, data and detection strategies
* Detection is used to identify the technique an adversary used, i.e. how to interpret the collected data
* Data sources and detections are specific to each technique
* A procedure is the specific implementation an adversary uses for a technique/sub-technique
* Groups are clusters of related intrusion activity tracked by a common name
* Software is the tools/malware used by adversaries during intrusions
* Techniques are mapped to groups and software via procedure examples, i.e. specific ways the techniques have been performed
* Over 500 techniques across 14 tactics as of 2021, and the knowledge base is constantly evolving

**Module 2: Benefits of using ATT\&CK**

* Grounded in publicly available intelligence, as every entry is referenced to its sources
* Diverse perspectives, as it is contributed to by the community
* A common language for sharing ideas about adversary behaviors, used to connect the adversary perspective to defensive countermeasures
* An operational-level language usable by defenders, red teams, intelligence analysts and executives
* ATT\&CK can be used as a quantitative scorecard for informed decision making, e.g. which techniques matter most, which techniques existing defenses cover, and where to improve
* ATT\&CK Navigator provides basic navigation and annotation of ATT\&CK matrices, visualizes defense coverage, and saves and shares customized views of ATT\&CK

**Module 3: Operationalizing ATT\&CK**

* Perform threat-informed defense: the systematic application of a deep understanding of adversary tradecraft and technology to prevent, detect and/or respond to cyber attacks
* CTI is critical for threat-informed defense, and ATT\&CK allows intelligence to be captured and shared in the matrix
* CTI can prioritize the building of detection analytics, i.e. which tactics and techniques are critical to defend against
* Favor behavior-based analytics, per the Pyramid of Pain
* Build detection analytics using ATT\&CK knowledge, which provides defensive suggestions for detections, highlights variances in how adversaries have executed the target behavior, and explains the technical details of the target behavior
* Intelligence-driven emulation operationalizes intelligence by scoping and prioritizing the threats and behaviors tested
* Threat-informed assessments show quantitatively how defenses fare against specific threats
* Threat emulation addresses an unlimited number of procedures, i.e. variations in how an ATT\&CK technique can be executed
* Use ATT\&CK to measure and track progress as we assess coverage, prioritize gaps and tune defenses
* Determine which critical risks to address and which risks to tolerate
* Measurements identify where and how to make improvements
* ATT\&CK is a quantifiable way to understand, track, communicate and address what threats are doing
* Use this knowledge to gain a strategic and operational advantage
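As an added example (not part of the Cybrary course), the Module 1 object model and the Module 2/3 coverage scorecard in Python: technique IDs are validated and resolved to their parent, a constructed inventory of techniques and detection analytics is scored per tactic, and the result is emitted as a Navigator layer so coverage gaps can be visualized and shared. The inventory and detections are constructed sample data, and the Navigator layer field names are assumed from Navigator's layer JSON rather than taken from the course.

```python
import json
import re

# Enterprise technique IDs are T#### (technique) or T####.### (sub-technique); the course writes T###/T###.###.
TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def parent_of(tid: str) -> str:
    """Return the parent technique ID; a technique is its own parent."""
    if not TECH_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid}")
    return tid.split(".")[0]

# Constructed sample inventory: real sub-technique IDs under Navigator-style tactic names (real matrix: 14 tactics).
TECHNIQUES = {
    "T1566.001": "initial-access",     # Phishing: Spearphishing Attachment
    "T1566.002": "initial-access",     # Phishing: Spearphishing Link
    "T1059.001": "execution",          # Command and Scripting Interpreter: PowerShell
    "T1059.003": "execution",          # ...: Windows Command Shell
    "T1003.001": "credential-access",  # OS Credential Dumping: LSASS Memory
}
# Constructed: the sub-techniques our detection analytics currently cover.
DETECTIONS = {
    "T1566.001": "mail gateway detonates attachments",
    "T1059.001": "PowerShell script block logging analytic",
}

def coverage_by_tactic(techniques, detections):
    """Scorecard: fraction of techniques per tactic that have a detection."""
    totals, covered = {}, {}
    for tid, tactic in techniques.items():
        totals[tactic] = totals.get(tactic, 0) + 1
        if tid in detections:
            covered[tactic] = covered.get(tactic, 0) + 1
    return {t: covered.get(t, 0) / n for t, n in totals.items()}

def navigator_layer(techniques, detections, name="detection coverage"):
    """Annotate each technique for Navigator: score 1 = covered, 0 = gap.
    Field names follow Navigator's layer JSON (assumed, not from the course)."""
    entries = []
    for tid, tactic in sorted(techniques.items()):
        hit = tid in detections
        entries.append({"techniqueID": tid, "tactic": tactic,
                        "score": 1 if hit else 0,
                        "comment": detections.get(tid, "gap: no analytic")})
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}

if __name__ == "__main__":
    print(coverage_by_tactic(TECHNIQUES, DETECTIONS))
    print(json.dumps(navigator_layer(TECHNIQUES, DETECTIONS), indent=2))
```

Loading the printed layer JSON into ATT\&CK Navigator colours covered versus uncovered cells, which is the "visualize defense coverage" use case from Module 2.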
