Scott J. Roberts, head of threat research at Interpres, discusses the integration of MITRE ATT&CK with their custom threat intelligence system to optimize defense readiness while managing limited resources. The presentation outlines goals related to depth, breadth, speed, and accuracy of threat research, addressing challenges with STIX2 compatibility. Future plans involve leveraging STIX2 while enhancing automation and developing a more effective code-based intelligence framework.

1. Scott J Roberts
Head of Threat Research
2023-10-25
Leveraging Limited Resources to Build an
Evolving Threat Repository
Driving Intelligence with
MITRE ATT&CK

2. Scott J Roberts
Head of Threat
Research at Interpres

3. What Interpres Does
Defense
Readiness
01
Defense
Surface
Optimization
02
Prioritize
Vulnerabilities
03
Stack &
Product
Rationalization
04

4. The Goal

5. MITRE ATT&CK for Internal Customers
Interpres is Intel driven from the core.
Built originally on public threat intelligence data
straight from mitre/cti.
Needed custom threat data to keep up.

6. Metrics for Threat Research at Interpres
Depth Breadth Speed Accuracy

7. Goals
• Code First: git push or bust
• Depth: Collection Requirements
• Breadth: Collection Requirements
• Speed: Automation
• Accuracy: Automation & Manual
Review
• Compatibility: Output to STIX2

8. The Problem (Well… 3!!!)

9. STIX2 != ATT&CK &&
ATT&CK != STIX2

10. We want MITRE
Intelligence & Interpres
Intelligence… with as little
duplication as possible!

11. Tooling is Limited

12. The Solution

13. STIX2 != ATT&CK && ATT&CK != STIX2
ATT&CK Tactics Techniques Groups Software Campaigns
STIX2 Attack-
Pattern
Attack-
Pattern
Intrusion-Set Malware
(Usually…)
Campaigns
ATT&CK to STIX2

14. STIX2 != ATT&CK && ATT&CK != STIX2

15. We want MITRE Intelligence & Interpres Intelligence…
with as little duplication as possible!

16. We want MITRE Intelligence & Interpres Intelligence…
with as little duplication as possible!
• Wherever possible we use MITRE ATT&CK Content
- Exclusively using MITRE ATT&CK Techniques
- Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships
• Build custom Groups, Malware, Campaigns & Relationships
- Based on internal research, RFIs, etc
- More on that a bit later
• Relationships are intelligently divided between MITRE/CTI & Intrepres/CTI
• DANGER (But Available): All lookups prioritize Interpres/CTI

17. An Aside for a Good Name™

18. Tooling is Limited
• All content is code (STIX2) and created with code
- Automated: Custom Automapper (Let computer do what computers are good at)
- By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library
• Actively working on STIX2 Helper Library
- Merging, Bulk Actions, etc
- Testing Mapping Scenarios
• Git is workflow management
• Yes, we looked at Decider, TRAM, & ATT&CK Workbench

19. Advantages of Intelligence As Code: CI Error

20. Advantages of Intelligence As Code: CI Error

21. Advantages of Intelligence As Code: Solutions as Code

22. Advantages of Intelligence As Code: CI

23. Advantages of Intelligence As Code: CI

24. The Future
There are
limitations of STIX2
Library & Jupyter
Notebooks
Synapse is code for
Intelligence &
Easier to Extend
Continue
leveraging STIX2
for Compatibility &
Tooling

25. Salvador Dali
“Have no fear of perfection –
you’ll never reach it.”

26. Thank you!

27. InterpresSecurity.com