@gertjanbruggink
ATT&CK ‘Metaverse’
Exploring the limitations of applying ATT&CK
Gert-Jan Bruggink
ATT&CKCON 3.0
29 & 30 March 2022
Why am I here?
§ A cyber security ‘metaverse’
§ Lessons from the limitations
§ Practitioner feedback
Who am I?
Gert-Jan Bruggink
cyber threat cartographer
&
founder Venation
10+ years in InfoSec.
High tech, manufacturing, financial services, governmental.
Cyber threat intelligence (CTI) based risk management.
Intelligence-led Red Teaming.
Capability building & leadership.
Strategic change through (CTI, SOC & Cyber) transformation programs.
Father x 2, Entrepreneurship, Gaming, Painting, Lego, Memes.
@gertjanbruggink
github.com/gertjanbruggink
/gertjanbruggink
What am I going to talk about?
✓ Evolution & lessons learned
✓ Adoption & lessons learned
✓ Usage & lessons learned
Evolution
The terrifying ‘first look’ at ATT&CK
🌱 ~2015: 🧰 96 techniques
📈 ~2022: 🧰 188 techniques, 379 sub-techniques (Enterprise); 🔨 many supporting tools; 👨 matrix expansions
🔮 ~2025?
Constant expansion and structuring
💕 Base set (Enterprise)
☁ Cloud
🏭 ICS
📱 Mobile
📷 PRE (*RIP* - still love you!)
Storytelling using ATT&CK
🎣 Freshness of new content
📖 Narrative
🧠 Required comprehension of the framework
🧩 Assumption of completeness
Adoption
‘how-many-teams-actually-use-ATT&CK’ bias
[Chart: perceived vs. assumed true adoption, comparing ~enterprise-sized companies with ~small-to-medium-sized companies]
Research paper “ABC”: 80-100% of companies use ATT&CK 🤨
Do not assume everyone is using the framework - or uses it in the intended way.
Where is the adoption (more-or-less)
🏦 Private sector
🏫 Public sector
🤝 Vendor & consulting
🎱🏀 Company size matters
👩🏭 ‘Business as usual’ vs ad-hoc
Applications outside of operations
🧱 Basics vs details
🤯 Rethinking risk management
🎯 Not everyone can work with minute details
🔬 Granular risk management
Main motivation use case: prioritization
🧭 Left-or-right?
🧙 Other ways of telling the story (ATT&CKonomics)
✅ Scoping
🚦 Navigator
Usage
Setting the scene: example starting points
Teams new to ATT&CK
§ How does the framework help me tell a better story to my leadership?
§ Can we use the framework to help us do the basics better?
§ Will using it save us costs along the way?
Teams seasoned in using ATT&CK
§ Where will the framework give better context/nuance on attacks against similar companies?
§ What test scenarios should be prioritized when validating controls with our capabilities (e.g. hunting, red teaming)?
§ Can you prepare a cost-effectiveness assessment of our controls, compared to adversaries (and techniques) targeting our vertical?
The dreaded ‘bingo card’ visuals
🌄 Happy little threat landscapes
📊 ATT&CK is not sexy
👨 First impressions do matter
🎨 Creative coverage reporting
Consolidation…
💩 (Dreaded) local customizations
🧼 Staying relevant
🍎🍐 Relationship to other frameworks
🧬 Maintaining a central data model
The ‘TTP’* discussion
🎭 Biases & logical fallacies
🧠 General understanding of the ‘TTP’ concept
⌚ ‘Procedure’ catch-22
🧭 Staying high-level
*Tactics, Techniques and Procedures
Engineering your hypotheses
🧫 Success: lab vs real world
💡 Creation and prioritization
🚵 Behavioral engineering vs …
🧗 Context matters!
🔊 Data sources
Building scenarios to provide context
🌐 ATT&CK as a metaverse?
👾 Adversary playbooks
🕑 Timing & timestamping
📍 Scenario sequencing
🎣 Fresh
Validating scenarios
✅ Validation: 🎠 automatically vs 🧤 manually
🎨 Creativity
🥇 Value of testing specific techniques
📑 Reporting added value
The future of ATT&CK remains the community
👬 People (e.g. continue expanding the education of the ‘adopting’ community)
🎢 Process (e.g. sharing feedback)
🦾 Technology (e.g. vendor ecosystem)
Recap & course of action
§ Don’t complain, just provide feedback.
§ Contribute == getting creds
§ The community decides ATT&CK direction: this is widely underestimated.
Consider today
If you would revisit our ATT&CK usage today:
✓ What is our level of (true) adoption of the framework?
✓ How are we telling the right, nuanced story - from procedure to board room?
Let’s continue expanding the ATT&CK ‘metaverse’!
Gert-Jan Bruggink
gertjanbruggink@venation.digital
@gertjanbruggink
/gertjanbruggink