Archived Projects

Summiting the Pyramid v1

Many analytics are dependent on specific tools or artifacts. Adversaries can easily evade these with low-cost changes that exploit the dependencies. This project developed a method to evaluate analytics relative to the adversary’s cost to evade. We further created approaches and tips for defenders …

Attack Flow V1

Defenders typically track adversary behaviors atomically, focusing on one specific action at a time. While this is a good first step toward adopting a threat-informed defense, adversaries usually use multiple actions in sequence—we call these sequences attack flows. Toward the goal of visualizing, …

Sightings Ecosystem V1

This project provides cybersecurity defenders and researchers with critical insight into real-world, in-the-wild adversary behaviors mapped to ATT&CK. The ecosystem aims to fundamentally advance the collective ability to see threat activity across organizational, platform, vendor and …

Insider Threat TTP Knowledge Base V1

The Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base aims to advance our collective understanding of the technical mechanisms that insider threats have used. With this knowledge, Insider Threat Programs and Security Operations Centers will detect, mitigate, and emulate insider …

Threat Report Attack Mapper V1

TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®. TRAM enables researchers to test and refine Machine Learning (ML) models for identifying ATT&CK techniques in prose-based threat intel reports and …

ATT&CK Integration into VERIS V1

This project created a mapping and translation layer between VERIS and ATT&CK that allows ATT&CK to describe the adversary behaviors that were observed in an incident coded in VERIS. This creates the opportunity for a joint analysis of the information that ATT&CK describes well (the …

Atomic Data Sources

Cyber threat detection starts with understanding the data sources and sensors that can be used to detect a given adversary TTP. Motivated by a lack of detailed data source definitions in MITRE ATT&CK® to support defensive cyber operations use cases, we wanted to greatly expand the set of data …

ATT&CK for Containers

This project investigated the viability of adding container-related techniques into MITRE ATT&CK, leading to the development of an ATT&CK for Containers matrix. This work covers both orchestration-level (e.g., Kubernetes) and container-level (e.g., Docker) adversary behaviors in a single …

ATT&CK for Cloud

This project refined and expanded MITRE ATT&CK’s coverage of adversary behaviors in cloud environments. Through our research, we refactored and consolidated the cloud platforms into IaaS, SaaS, Office365, and Azure AD. Next, we overhauled cloud data sources to better align with enterprise …