Put Your Money Where Your Adversaries Are: Exploited Vulnerabilities
The Security Stack Mappings – Hardware-Enabled Defense project demonstrates full stack threat-informed defense, from the hardware board to the …
By Suneel Sundar • November 22, 2024
“Threat-Informed Defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.”
It identifies known adversary behavior, relevant to an organization’s threat model, and fosters a community-driven approach to enable an organization to proactively defend, self-assess, and improve defenses against those known threats.
The three dimensions of threat-informed defense are:
We observed which prior Center publications are impactful to the community, and we heard from you how our research can provide further solutions. Some of our 2024 projects build upon Summiting the Pyramid, Security Capability Mappings, and Attack Flow.
Many analytics depend on specific tools or artifacts, making them susceptible to low-cost evasion techniques by adversaries. In September 2023, we published the Summiting the Pyramid (STP) methodology, which defines and quantifies robustness, or how difficult it is for adversaries to evade a given detection. In practical terms, the project resources include a framework for scoring robustness and a repository of scored analytics, including analytic improvements.
Since that release, we have observed community adoption and application of STP, including an “STP score” field in SIGMA analytics and real-world assessments that evaluate and improve threat detection rule resilience by applying the STP framework at scale.
Motivated by your use of STP, we extended our research to cover analytic precision and recall alongside robustness, as well as network observables. Now STP provides guidance on how to build robust detections, focusing on precision, accuracy, and resistance to adversary evasion. These materials will be available to all in December 2024. In addition to the practical guidance, you will also find visuals that break down technique implementations and identify observables for detections, and frameworks to score both host-based events and network traffic observables.
This is ongoing research, and your examples will drive us to our next solution. Please stay involved with Summiting the Pyramid by:
Over the Center’s five years, the mappings program has grown to represent one-fourth of all Center research, with over half our members participating across cloud platforms, security controls, incident sharing, and more. We have united these individual efforts and our future work into Mappings Explorer.
ATT&CK is updated to a new major version twice per year, and security vendors constantly change their offerings. As a result, the snapshots of capabilities contained in the mappings projects do not reflect current adversary techniques or defensive measures. Now we update all the mapping resources to reflect the most current version of adversary techniques, in perpetuity.
Security capability mappings correlate the defensive measures you have procured to the threats that keep you awake. You will see updated mappings resources released to the community about every six weeks, starting in December 2024 with an update to our AWS mappings from ATT&CK v9 to ATT&CK v16.
We previously created a methodology to map Common Vulnerabilities and Exposures (CVEs) to ATT&CK. Now we focus on CVEs that the Cybersecurity and Infrastructure Security Agency has confirmed as being exploited in the wild: the Known Exploited Vulnerabilities (KEVs) Catalog. The Prioritize Known Exploited Vulnerabilities with ATT&CK project bridges threat management and vulnerability management by connecting CVEs that have been exploited to the impact of exploitation, and will be available to you in February 2025.
We also endeavor to map security capabilities in hardware to adversary behaviors in Security Stack Mappings — Hardware-Enabled Defense. In this project we will extend our mappings methodology to determine how hardware capabilities, in tandem with an operating system, can:
Such integration is essential for proactive and robust threat-informed defense for enterprise environments. We will include emulation plans to demonstrate the effectiveness of the hardware capability with anti-virus or endpoint detection and response software features. These results will be published in January 2025 and affect billions of enterprise-class systems worldwide.
The Cyber Risk Institute (CRI) built a financial sector profile of the NIST Cyber Security Framework, tailoring the framework to financial sector needs. Our Threat-Informed Defense for the Financial Sector project will map the CRI profile to adversary behaviors giving cyber defenders in financial services organizations resources for threat-informed analysis and decision-making.
In addition to mappings that are tailored to sector specific needs, we will map adversary behaviors to a technology platform. Threats to cloud computing cover multiple security domains, objectives, and aspects of cloud technology. Our Threat-Informed Defense for Cloud research will create a common technical foundation for implementing cloud-native capabilities to mitigate threats to cloud environments.
We built Attack Flow as the data model for representing sequences of adversary behaviors.
To defend against adversaries’ attacks, we must understand the sequence of behaviors. We have a data model with a web application that allows you to build and visualize those attack flows. But Attack Flow as it stands today has left some users wanting to get started faster, and our Flow Visualization project will remedy that. Flow Visualization will make the most of this powerful data model by providing a new users’ guide to Attack Flow Builder and template visualizations for important use cases. We will also build more flows into our set of examples.
In the next part of this 2024 Center Roadmap update, please read about our second guiding principle: Share the How.
This is Part One of the Center’s 2024 R&D Roadmap Update. Please read Part Two and Part Three and then…
Join us to advance Threat-Informed Defense — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT&CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.
© 2024 MITRE. Approved for Public Release. Document number CT0132.