Projects to Impact: Operationalizing Work from the Center
© 2022 MITRE Engenuity. Approved for public release. Document Number CT0043
Ingrid Skoog
March 30, 2022
The Center for Threat-Informed Defense conducts collaborative R&D projects that improve cyber defense at scale.
Members as of November 2021
Membership is:
❑ Highly-sophisticated
❑ Global & cross-sector
❑ Non-governmental
❑ Committed to collaborative R&D in the public interest
Our Focus:
R&D
The outputs of all Center R&D projects are made freely available globally.
Our repeatable, scalable, agile research projects are built on member-powered collaboration.
Our values drive our research process: Flexibility, Collaboration, Openness, Leadership.
Idea Market: Ideas submitted to the idea market.
Selection: Based on priorities, insights, and funding.
Research: Member-funded projects assigned to dedicated MITRE experts.
Completed Project: R&D project outputs released freely available.
Selected R&D Projects
ctid.mitre-engenuity.org/our-work
Adversary Emulation Library
Problem: Understanding defenses from the perspective of the adversary is critical, but often teams lack the resources (expertise and funding) to conduct adversary emulation exercises.
Solution: Establish a library of standardized, intelligence-driven adversary emulation plans that can be easily leveraged by cyber defenders.
Impact: Accelerate research into automated TTP identification in threat intel reports to greatly reduce the time and effort required to integrate new intelligence into cyber operations.
Plans shown: FIN6, menuPass
Use Case: Red and Purple Team Operations
Planning: Scope questions and metrics to of interest.
Implementing TTPs: Prepare emulation content from the library.
Execution: Explore and document findings.
Rewards: Exploit results for innovations/improvements.
CVE® + MITRE ATT&CK® = Mapping ATT&CK to CVE for Impact
Vulnerability: Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, all versions R4.10 and prior, have Unsecure Credentials which could allow an attacker to gain access to Valid Accounts by Exploiting the Public-Facing Application.
Adversary behaviors from MITRE ATT&CK®: CVE-2018-17900 (Unsecure Credentials) allows T1190 (Exploit Public-Facing Application), which enables T1552 (Unsecure Credentials), which leads to T1078 (Valid Accounts).
Problem: Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.
Solution: Develop a repeatable methodology to use the adversary behaviors described in ATT&CK to characterize the impact of CVEs, providing much-needed context.
Impact: CVEs linked to ATT&CK TTPs form a crucial contextual bridge between vulnerability and threat management, empowering defenders to better assess the true risk posed by specific vulnerabilities in their environment.
NIST 800-53 Controls to ATT&CK Mappings
Problem: Large and complex security control frameworks such as NIST 800-53 do not relate to actionable TTPs in ATT&CK.
Solution: Create a comprehensive and open, curated set of mappings between 800-53 controls and ATT&CK techniques.
Impact: Defenders can quickly focus on understanding how the controls in use in their environment relate to adversary TTPs of interest to them.
https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/
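An added example (not Center code) that joins the CVE-to-ATT&CK chain shown earlier (CVE-2018-17900 -> T1190 -> T1552 -> T1078) with a control-to-technique mapping of the kind the 800-53 project produces, to see which links of a CVE's chain the deployed controls leave unaddressed. The control ids and their technique coverage are illustrative assumptions, not the project's published data, and the second CVE is a constructed placeholder.

```python
"""Added example: rank CVEs by how many links of their ATT&CK chain no
deployed control covers. Coverage data below is illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveMapping:
    """One CVE characterised by the three-step chain the slide describes."""
    cve_id: str
    exploitation: str      # technique that exploits the vulnerability ("allows")
    primary_impact: str    # what a successful exploit enables
    secondary_impact: str  # what that in turn leads to

    def chain(self):
        return [self.exploitation, self.primary_impact, self.secondary_impact]


# The chain from the slide: CVE-2018-17900 -> T1190 -> T1552 -> T1078.
CVE_2018_17900 = CveMapping("CVE-2018-17900", "T1190", "T1552", "T1078")
# Constructed placeholder CVE so the ranking has something to compare against.
CVE_PLACEHOLDER = CveMapping("CVE-XXXX-PLACEHOLDER", "T1190", "T1059", "T1486")

# Hypothetical control -> techniques coverage. Real coverage comes from the
# published 800-53 (or cloud) mapping data sets; these entries are illustrative.
CONTROL_COVERAGE = {
    "SI-10": {"T1190"},          # input validation
    "IA-5": {"T1552", "T1078"},  # authenticator management
    "AC-2": {"T1078"},           # account management
    "CP-9": {"T1486"},           # system backup
}


def uncovered_techniques(mapping, deployed_controls, coverage=CONTROL_COVERAGE):
    """Techniques in the CVE's chain that no deployed control maps to."""
    covered = set()
    for control in deployed_controls:
        covered |= coverage.get(control, set())
    return [t for t in mapping.chain() if t not in covered]


def prioritise(mappings, deployed_controls, coverage=CONTROL_COVERAGE):
    """Rank CVEs by number of uncovered chain links, most exposed first."""
    ranked = [(m.cve_id, uncovered_techniques(m, deployed_controls, coverage))
              for m in mappings]
    return sorted(ranked, key=lambda pair: len(pair[1]), reverse=True)


if __name__ == "__main__":
    for cve, gaps in prioritise([CVE_2018_17900, CVE_PLACEHOLDER], {"SI-10", "AC-2"}):
        print(cve, "uncovered:", gaps or "none")
```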
Cloud Security Stack Mappings
Problem: Defenders lack a comprehensive view of how native cloud security controls defend against real-world adversary TTPs.
Solution: Map the effectiveness of each AWS and Azure security control against specific ATT&CK techniques.
Impact: Empowers defenders with independent assessments of which AWS and Azure security controls are effective to mitigate relevant adversary TTPs.
Platforms: Amazon Web Services, Microsoft Azure
Use Case: Bridging Teams
(Diagram: Protect, Detect, Respond; Controls)
ATT&CK Workbench
Problem: Defenders struggle to integrate their organization's local knowledge of adversaries and their TTPs with the public ATT&CK knowledge base.
Solution: Build an open-source software tool that allows organizations to manage and extend their own local version of ATT&CK and keep it in sync with MITRE's knowledge base.
Impact: Drastically reduces the barriers for defenders to ensure that their threat intelligence is aligned with the public ATT&CK knowledge base. Allows users to explore, create, annotate, and share extensions of MITRE ATT&CK.
Use Case: Expanded Group Tracking
ATT&CK with new objects and/or ATT&CK with modified objects (APT3+, FIN6+, MimiKatz+, Credential Dumping+).
New objects are added; existing objects within ATT&CK are updated.
Fill in gaps in open-source reporting by creating new groups. Map new groups to new and existing techniques.
Cyber Threat Intelligence
Test & Evaluation
Defensive Measures
Advance threat-informed defense with us
Spread the word to help us increase the impact of our work. Use our work and tell us about it.
Share your ideas and they may become part of the research program.
Advance the research program by joining us.
Check out the Impact Report: https://ctid.mitre-engenuity.org/impact-report/
Follow our R&D: https://ctid.mitre-engenuity.org/#keep-me-informed