
CISA Releases Best Practice Guidance to Help Organizations Map Adversary Behavior to MITRE ATT&CK Framework



By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Over the last decade, the cybersecurity community has steadily adopted, embraced, and matured the concept of cyber threat intelligence, or CTI, to better support operational and executive decision-making. When optimized, CTI provides the community, from network defenders to C-suite executives, with timely, accurate, objective, and relevant analysis that creates a better understanding and appreciation of the risks from malicious cyber activity.

Today’s release of the Best Practices for MITRE ATT&CK® Mapping guide supports robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks and data. This guide—developed by CISA in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which worked with the MITRE ATT&CK team—is an example of a successful collaboration by committed partners with a shared mission.

The guide provides analysts with detailed, step-by-step instructions for mapping adversary behavior to the MITRE ATT&CK framework. MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is freely open and available to any person or organization in the hopes of bringing communities together to develop more effective cybersecurity.

The MITRE ATT&CK framework can be used to align resources and exchange threat information across the public and private sectors. Specifically, the guide supports improved CTI analysis through better, more informed use of the MITRE ATT&CK framework. To that end, the guide includes a recent CISA-FBI Joint Cybersecurity Advisory as a worked example of how the framework is applied in practice.

The better we understand adversary behavior, the better we are at guarding our systems, networks and data and building resilience. By providing clear guidance and examples, Best Practices for MITRE ATT&CK® Mapping shows network defenders how to make fuller use of ATT&CK both when analyzing raw data and when producing finished reporting. This enhanced understanding will improve their ability to proactively detect adversary behavior.

Finally, today’s release takes an important step toward bridging a CTI communications gap that has constrained the cybersecurity community. It is essential for the cyber defense community to rally around a common lexicon of adversary behavior. Such an evolution would be a major step forward, and CISA is proud to be part of this important work.

####

Best Practices for MITRE ATT&CK® Mapping

For the Cybersecurity and Infrastructure Security Agency (CISA), understanding adversary behavior is often the first step in protecting networks and data. The success network defenders have in detecting and mitigating cyberattacks depends on this understanding. The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is freely open and available to any person or organization in the hopes of bringing communities together to develop more effective cybersecurity.

CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. ATT&CK provides details on 100+ threat actor groups, including the techniques and software they are known to use. (Note: Not every adversary behavior is documented in ATT&CK.) ATT&CK can be used to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls.
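The uses listed above (organizing detections, identifying defensive gaps) start from mapped observations: each behavior in a report paired with an ATT&CK technique ID and the tactic it served. The following is an added example, not code from the CISA guide or from MITRE, showing how a set of such mappings can be checked against a detection inventory to produce a gap list and a Navigator-style layer. The technique IDs are real ATT&CK enterprise IDs, but the observations, the detection inventory, and the layer field names are constructed assumptions for illustration; the layer fields should be verified against the Navigator version you import into.

```python
import json
import re
from dataclasses import dataclass

# ATT&CK enterprise IDs: T#### for a technique, T####.### for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class Observation:
    behavior: str      # the sentence from the report being mapped
    technique_id: str  # ATT&CK ID; a sub-technique where the report supports one
    tactic: str        # the tactic the behavior served in this intrusion


# Constructed sample mappings; not taken from any real advisory.
OBSERVATIONS = [
    Observation("Actors sent a phishing email carrying a macro-enabled document", "T1566.001", "initial-access"),
    Observation("The macro launched an encoded PowerShell command", "T1059.001", "execution"),
    Observation("Actors authenticated with stolen domain credentials", "T1078.002", "persistence"),
    Observation("Actors moved laterally using RDP", "T1021.001", "lateral-movement"),
    Observation("Ransomware encrypted file servers", "T1486", "impact"),
]

# Constructed detection inventory: the ATT&CK ID each analytic was written for.
DETECTIONS = {
    "T1566.001": "mail gateway: macro-bearing attachment",
    "T1059": "EDR: suspicious command interpreter activity",
    "T1021.001": "SIEM: RDP logon from workstation to server",
}


def parent(tid):
    """T1059.001 -> T1059; a parent technique is its own parent."""
    return tid.split(".")[0]


def validate(observations):
    """Reject malformed IDs before they reach a report or a layer file."""
    bad = [o.technique_id for o in observations if not TECHNIQUE_ID.match(o.technique_id)]
    if bad:
        raise ValueError(f"malformed ATT&CK IDs: {bad}")
    return True


def coverage(observations, detections):
    """Classify each observed technique against the detection inventory.

    direct         an analytic exists for exactly this ID
    parent-only    a sub-technique was observed, analytic exists only for the parent
                   (it may or may not fire; treat as untested, not as covered)
    children-only  the parent was observed, analytics exist only for some sub-techniques
    gap            nothing maps
    """
    validate(observations)
    status = {}
    for o in observations:
        tid = o.technique_id
        if tid in detections:
            status[tid] = "direct"
        elif "." in tid and parent(tid) in detections:
            status[tid] = "parent-only"
        elif "." not in tid and any("." in d and parent(d) == tid for d in detections):
            status[tid] = "children-only"
        else:
            status[tid] = "gap"
    return status


def gaps(observations, detections):
    """Observed techniques with no analytic at all, sorted for reporting."""
    return sorted(t for t, s in coverage(observations, detections).items() if s == "gap")


SCORE = {"direct": 2, "parent-only": 1, "children-only": 1, "gap": 0}


def navigator_layer(observations, detections, name):
    """Build a Navigator-style layer dict (field names are an assumption about
    the Navigator layer format; check them against the version you use)."""
    status = coverage(observations, detections)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": o.technique_id, "tactic": o.tactic,
             "score": SCORE[status[o.technique_id]],
             "comment": f"{status[o.technique_id]}: {o.behavior}"}
            for o in observations
        ],
    }


if __name__ == "__main__":
    print("gaps:", gaps(OBSERVATIONS, DETECTIONS))
    print(json.dumps(navigator_layer(OBSERVATIONS, DETECTIONS, "constructed intrusion"), indent=2))
```

The parent-only case is the one worth calling out: a detection written for the parent technique (here T1059) is not evidence that the observed sub-technique (T1059.001) would be caught, so it is scored as partial and flagged for testing rather than counted as covered. With the constructed inputs, T1078.002 and T1486 come out as gaps.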

This Best Practices for MITRE ATT&CK® Mapping guide provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK as they analyze and report on cybersecurity threats. This will improve defenders’ ability to proactively detect adversary behavior and supports robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data. CISA developed this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), which worked with the MITRE ATT&CK team.
