[{"banner":"img/events/apac-2027.png","categories":["Events"],"contents":"In Spring 2027, hundreds of regional cybersecurity practitioners and avid users of the MITRE ATT\u0026amp;CK® framework will convene in-person and virtually at Changi Business Park Singapore for two days of practitioner-led lightning talks, networking, experiential learning, and more at the third annual Asia-Pacific ATT\u0026amp;CK Community Workshop!\nEvent Schedule Call for speakers to be announced. Check out our 2025 and 2024 agendas.\nEvent Sponsors Sponsorships are designed to showcase your organization as a thought leader and investor in the MITRE ATT\u0026amp;CK Community in the Asia-Pacific Region. The Center for Threat-Informed Defense is actively recruiting sponsors who are motivated to support and grow the regional community of security operations practitioners and threat-informed defenders. Sponsorship opportunities are limited and will be assigned on a first-come, first-served basis.\nReview Our 2027 Sponsorship Package To secure your preferred sponsorship and join us in advancing threat-informed defense across the Asia-Pacific Region, email CTID@mitre.org.\n","link":"/events/apac-2027/","tags":["Workshops"],"title":"Asia-Pacific ATT\u0026CK Community Workshop","type":"events"},{"banner":"img/events/eu-2026.png","categories":["Events"],"contents":"The 2026 EU ATT\u0026amp;CK Community Workshop will be hosted in Brussels by EUROCONTROL, in collaboration with the Centre for Cybersecurity Belgium (CCB) and the Center for Threat-Informed Defense. The event features a full day workshop.\nParticipation is free of charge, but registration is mandatory. 
Register and pitch your lightning talk at the link below.\nRegister Today Event Schedule Coming Soon\n","link":"/events/eu-attack-2026/","tags":["Workshops"],"title":"EU ATT\u0026CK Community Workshop 2026","type":"events"},{"banner":"img/banners/secure-ai.png","categories":["Blog"],"contents":" Artificial intelligence systems have quickly moved from experimental to personal tasks, and now full-on operational platforms that perform business processes, decision-making, and customer-facing services. As adoption accelerates, so does the need to understand how adversaries may target, abuse, manipulate, or exploit these systems. Traditional cybersecurity models remain essential, but they do not fully capture the unique attack paths introduced by AI. This is why MITRE ATLAS™ was created. ATLAS is the definitive knowledge base for adversary tactics, techniques, and mitigations targeting AI-enabled systems.\nOur members recognized early on that AI security would require the same rigor, shared language, and operational focus that transformed traditional cybersecurity. They sit at the forefront of AI adoption and research, giving them a direct view of both the opportunity and the emerging risk. We created the Secure AI project in 2024 so our members could have the opportunity to strengthen ATLAS. The initial effort was such a successful partnership that we committed to making Secure AI an enduring effort. With the April updates of ATLAS, we conclude this phase of research and are grateful for the contributions from AttackIQ, Inc, Booz Allen Hamilton Inc, CitiGroup, CrowdStrike, Ensign InfoSecurity, Fortinet, Fujitsu, HCA Healthcare, JPMorganChase, Lloyds Banking Group, Microsoft Corporation, National Australia Bank, Siemens AG, Sopra Steria, Standard Chartered, and Verizon Business.\nA major area of progress during this phase was the continued evolution of the ATLAS Matrix and supporting website. 
Secure AI delivered new submissions and contribution workflows that make it easier for the community to propose techniques, mitigations, case studies, and broader updates across the knowledge base.\nTechnique Maturity Filter The team added a new Technique Maturity filter within the ATLAS Matrix, allowing users to better prioritize emerging versus mature threats. Additional website and tooling improvements strengthened usability and access for defenders who rely on the framework. The team also transitioned ATLAS to a monthly release cadence to deliver faster updates.\nSecure AI also helped produce the first ATLAS Rapid Response Report, establishing a faster model for analyzing emerging AI security incidents and adversary tradecraft. As major AI events occur, this process enables quicker investigation and more timely defensive guidance.\nAnother accomplishment was expanding ATLAS coverage for Agentic AI and Large Language Model threats. Agentic systems can independently make decisions, take actions, and interact across environments with reduced human oversight, creating new opportunities for adversaries and introducing new risks to an organization\u0026rsquo;s threat landscape.\nThrough Secure AI, we helped develop, update, and expand the ATLAS matrix through:\n45+ new Techniques and Sub-Techniques 10+ new Mitigations 20+ new Case Studies Secure AI also supported the development of the ATLAS Knowledge Graph, which provides a new interactive way to explore and query the ATLAS Knowledge Base. The Knowledge Graph will also serve as the knowledge source for the planned ATLAS AI Agent.\nATLAS Knowledge Graph The project also advanced threat emulation for AI systems, helping defenders move from theory to practice. Secure AI supported the creation of guidance, best practices, and playbook structures for emulating threats against AI-enabled environments. 
Initial scenarios included prompt injection against organizational chatbots, with supporting code written in Ansible playbooks to allow flexible model selection.\nTo support broader adoption, the team developed an initial codebase planned for public release through the ATLAS GitHub environment, with planned integration into MITRE Caldera™ through new emulation plugins. This work will continue into Secure AI 2026.\nSecure AI strengthened ATLAS as both a knowledge base and an operational resource. By expanding threat content, improving community workflows, accelerating rapid response reporting, and enabling practical threat emulation, defenders can prepare for the next generation of adversary behavior targeting AI.\n","link":"/blog/2026/05/06/secure-ai-v2-release/","tags":[],"title":"MITRE ATLAS Grows through Collaboration with CTID and Industry","type":"blog"},{"banner":"img/banners/secure-ai.png","categories":["Published Projects"],"contents":"A collaboration with MITRE ATLAS™ to advance security for AI–enabled systems that takes a threat-informed approach, enables rapid exchange of new threat information, and provides mitigation strategies.\n","link":"/projects/secure-ai/","tags":["Artificial Intelligence"],"title":"Secure AI","type":"projects"},{"banner":"img/2025_impact_report.png","categories":[],"contents":"2025 Impact Report Read the Impact Report Download the 2025 Impact Report Our Impact “The CTID’s work showcases the power of a unified approach, where red teams, researchers, and defenders work together to accelerate innovation and operationalize security at scale.”\nSee Our Work Our Community “What an honor to be part of this groundbreaking community, contributing research and real-world testing strategies that help push threat-informed defense from concept to standard practice.” See Our Community Get Involved “When we joined our first research project, we didn’t know what to expect. 
The level of knowledge and expertise from the MITRE CTID team and other industry partners made engaging in this project quite a learning experience.”\nLearn More Become a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. First Name Last Name Email Job Title Organization Sign up for the \"Stay Informed\" newsletter See Other Annual Impact Reports 2022 Impact Report 2023 Impact Report 2024 Impact Report ","link":"/resources/2025-impact-report/","tags":["Impact Reports"],"title":"2025 Impact Report","type":"resources"},{"banner":"img/banners/fight-fraud.png","categories":["Published Projects","Fraud"],"contents":"The Fight Fraud Framework strengthens fraud analysis by giving teams a clear behavioral structure to identify risks, focus investigations, and stop fraud before the threat actor cashes out.\n","link":"/projects/fight-financial-fraud/","tags":["Financial Fraud"],"title":"Fight Financial Fraud","type":"projects"},{"banner":"img/banners/fight-fraud.png","categories":["Blog","Fraud"],"contents":" Fraud actors do not operate within the boundaries of organizational charts. They move seamlessly across cyber systems and fraud channels, combining techniques to steal your money and the bank\u0026rsquo;s money. Fraud analysts see part of the activity and react. Cyber defenders see another and engage in proactive defense. If defenders remain separate, organizations struggle to connect signals, understand incidents, and prioritize defenses. That gap slows response, precludes prevention, and drives ever-increasing losses.\nMITRE Fight Fraud Framework™ (F3) changes that.\nMITRE F3™ is a behavior-based model of fraud actor tactics and techniques, developed by cyber and fraud analysts together and derived from real-world fraud incidents. 
It gives fraud and cyber defense a common structure to describe what happened, relate events, and disrupt fraud outcomes through their combined strengths.\nDeveloped in collaboration with CTID members including A-ISAC, Citigroup, CrowdStrike, FS-ISAC, JPMorganChase, Lloyds Banking Group, Marsh, National Retail Federation, RH-ISAC, Standard Chartered, and Verizon Business, F3 reflects how fraud occurs, not how organizations are structured.\nFinancial fraud hurts us all. The U.S. Federal Bureau of Investigation reports over $50 billion in losses from more than 800,000 complaints across 2020 to 2024. And the quantity of loss increases year-over-year. Worldwide, this multiplies to $580 billion lost to fraud scams and bank fraud schemes in 2025 alone.\nInternet Crime Complaint Center loss data over 2020-2024 A Model Built on Real Fraud Behavior Like MITRE ATT\u0026amp;CK®, F3 organizes fraudster behavior into Tactics - the why of the fraudster - and techniques - the how. However, fraud introduces behaviors that are absent in ATT\u0026amp;CK, such as how adversaries prepare accounts, manipulate transactions, and extract value. F3 addresses this gap by introducing two fraud-specific tactics:\nPositioning: the adversary\u0026rsquo;s actions in a selected environment, after initial access, to collect or manipulate data or otherwise prepare for execution. Monetization: the adversary\u0026rsquo;s actions to convert assets, often stolen, into usable funds or value in their possession. These additions capture the uniqueness of fraud where success depends on moving and extracting value, not just gaining access. By capturing those stages, F3 allows defenders to trace fraud activity from initial compromise through financial impact.\nWhere a tactic or technique already exists in ATT\u0026amp;CK, F3 uses those directly. 
Most F3 tactics will be familiar to threat-informed defenders, though F3 modifies their definitions to the specific fraud outcomes:\nReconnaissance: the adversary\u0026rsquo;s actions to gather information they can use to plan future operations, including both cyber intrusions and attempted fraud. Resource Development: the adversary\u0026rsquo;s actions to establish resources they can use to support both cyber and fraud activities. Initial Access: the adversary\u0026rsquo;s actions to gain a foothold in a selected environment. Defense Evasion: the adversary\u0026rsquo;s actions to avoid being detected. Execution: the adversary\u0026rsquo;s actions to perform behaviors that directly advance the fraud operation. This structure creates a shared language that allows cyber and fraud defenders to enumerate the material events in a fraud incident, connect cyber activity to financial outcomes, and align detection, prevention, \u0026amp; response strategies.\nWhere F3 introduces unique techniques, we extend ATT\u0026amp;CK\u0026rsquo;s model with F1XXX-series techniques that capture fraud-specific actions while remaining compatible with the ATT\u0026amp;CK schema.\nDesign Principles on the Bleeding Edge of Fraud Our guiding light for F3 was simple: accurately represent how fraud actors operate, in a way that helps institutions defend against them. To do that, we adopted design principles modeled on MITRE ATT\u0026amp;CK and tuned them for financial fraud:\nInstitutions must see the effects of a technique during the fraud incident. If you cannot observe how an action impacts the incident, you cannot detect it, measure it, or use it to improve your strategy. Visibility into what the fraud actor does at each step is essential for evaluating effectiveness, limitations, and side effects and for shaping future fraud strategies, rules, and processes. The fraud incident must contain a cyber-based technique. 
Every incident represented in F3 includes at least one digital or technological method, such as phishing, malware, or unauthorized access, rather than being purely physical or paper-based. This keeps F3 actionable for cyber threat intelligence, detection engineering, and security control design. Techniques must describe the behavior of the adversary. Techniques represent how a fraud actor achieves a tactical goal by performing an action. They focus on distinct, observable behaviors, not on entities or tools, so that defenses, detection logic, and controls map directly to what the actor does. Behaviors with the same how but performed in different ways use technique and sub-technique relationships. Not all techniques have sub-techniques, but when a single behavior appears in multiple concrete forms, we capture those variations as sub-techniques. This keeps techniques at a consistent level of abstraction, reduces overlap, and lets F3 show both the high-level behavior and its detailed variants. These principles keep F3 tightly aligned to fraud behavior and ensure that the framework remains usable for categorizing, detecting, and preventing fraud incidents. The F3 Design Principles and Methodology are available here and as a standalone publication (PDF).\nFrom Fragmentation to Fusion Fraudsters have evolved from smash-and-grab check washers to scammers with spoofed credentials, social engineering savvy, and software manipulation. Fraud prevention requires coordination across teams that traditionally operate in silos. F3 is the universal translator that enables that coordination.\nWith F3:\nFraud analysts describe incidents using consistent behaviors Cyber teams detect and validate adversary techniques Security leaders assess risk based on how fraud unfolds This shared foundation enables organizations to move from fragmented visibility to coordinated, threat-informed defense against fraud.\nA Living Framework for an Evolving Problem Fraudsters are not slowing down. 
New schemes will emerge, and adversaries will adapt their techniques. F3 is designed to keep pace with new techniques so that threat-informed fraud defenders can stay ahead.\nThe framework is a living knowledge base, continuously updated with new techniques, refinements, and community input. It reflects real-world observations and grows alongside the fraud-fusion community. As we grow F3, we will include more resources for threat-informed fraud defenders such as data sources to detect fraudster techniques and recommended mitigations to counteract them.\nYou can explore the framework, suggest edits to techniques, and contribute improvements on the F3 website.\nGet Involved F3 improves through community use and contribution. There are several ways to get involved:\nReview and apply the framework. Use F3 in your environment and provide feedback on its structure, techniques, and methodology. Prioritize future content. Identify fraud behaviors and scenarios that should be incorporated into future updates. Contribute new techniques or refinements. Submit gaps, corrections, or examples from real-world incidents. We welcome your input to help refine F3 and strengthen its value to the fraud and cybersecurity communities. Submit feedback or contact us directly for collaboration opportunities.\n","link":"/blog/2026/04/09/fraud-fighters-unite-with-mitre-f3/","tags":["Financial Fraud"],"title":"Fraud Fighters United with MITRE F3","type":"blog"},{"banner":"img/events/rsac-2026.png","categories":["Events"],"contents":"If you plan to be in San Francisco, please join MITRE Center for Threat-Informed Defense, MITRE ATT\u0026amp;CK, and ATT\u0026amp;CK Evaluations to learn what’s new, where we’re going, and how to participate.\nAll events listed below will be held at 490 Post Street on the 15th floor. 
This is a 15-minute walk from the Moscone Center.\n","link":"/events/rsac-2026/","tags":["Workshops"],"title":"RSAC Conference 2026","type":"events"},{"banner":"img/banners/ambiguous-techniques-featured-image.png","categories":["Blog"],"contents":" An ambiguous technique is a MITRE ATT\u0026amp;CK® technique whose observable characteristics are insufficient to determine intent. Typical observable data does not allow us to confidently ascertain whether the intent behind the activity is malicious or benign. These techniques sit in the gray space between malicious and benign, but we do not have to treat that gray space as a black box.\nIn our first Ambiguous Techniques release, we showed how context \u0026ndash; peripheral, chain‑level, and technique‑level \u0026ndash; helps defenders determine intent when an ATT\u0026amp;CK technique looks benign on the surface. In this phase of research, we move from context to confidence and identify the minimum telemetry requirements needed to detect a technique. Our project participants, Citigroup, CrowdStrike, Fujitsu, Fortinet, HCA Healthcare, Lloyds Banking Group, and Microsoft Corporation, battle-tested and validated our confidence scoring algorithm.\nWith this latest Ambiguous Techniques release, MITRE Center for Threat-Informed Defense is confident that adversaries won\u0026rsquo;t stand a chance against threat-informed defenders.\nNot All Data Sources Are Created Equal Our first goal in this follow‑on effort was to identify minimum telemetry requirements for detecting ambiguous techniques in a way that actually helps defenders. We did not want a theoretical superset of every log that could apply. We wanted the smallest set of log sources and fields that still support robust, high‑value detections.\nTo get there, we decomposed our initial set of techniques by applying a three‑pronged research process. 
We started from the ATT\u0026amp;CK technique page to enumerate relevant data components, then pivoted our Sensor Mappings to ATT\u0026amp;CK database to discover concrete log sources for each component, and finally cross‑checked those candidates against public analytic repositories such as Sigma and Elastic to see which sources practitioners already rely on.\nThis iterative cycle produced much richer log source catalogs than any single source alone and helped us distinguish which fields matter most when you want to reduce false positives instead of just collecting more data.\nMinimum Telemetry in Practice Minimum Telemetry Requirements During this analysis, we realized that minimum telemetry cannot ignore quality. Some log sources technically see the behavior but do so in brittle, noisy, or delayed ways that will not support effective detections against ambiguous techniques.\nWe therefore treated minimum telemetry as the intersection of two conditions:\nThe log source must provide the necessary observables to distinguish malicious from benign activity It must do so with enough fidelity, timeliness, and robustness to justify the cost of collection. Our methodology documents which log sources to prioritize for a given technique, as well as their dependencies, useful fields, and the role of each source (e.g. primary detection signal vs supporting role). The result is a repeatable process defenders can use to build or refine their own minimum telemetry sets instead of relying on trial and error.\nDefining minimum telemetry is necessary, but it still leaves an important question: if you cannot collect everything, then which log sources do you choose? To answer that, we developed a confidence scoring approach that ranks log sources relative to one another for a given technique or use case.\nSix Metrics That Matter Confidence Metrics Our confidence scoring model rests on six metrics, plus an optional one. 
Three metrics describe intrinsic log source quality:\nFidelity \u0026ndash; how rich and precise the data is Noise \u0026ndash; how much telemetry volume it generates Timeliness \u0026ndash; how quickly telemetry is reported after the activity These characteristics hold largely independent of the specific technique and help you understand whether a source can ever support high‑quality detections.\nThe other three metrics depend on the technique or use case:\nRobustness \u0026ndash; how hard it is for an adversary to evade detection Coverage \u0026ndash; how broadly a log source can detect multiple implementations of a technique or use case Context \u0026ndash; measures whether a source contributes peripheral, chain, or technique‑level insight into intent. Together, these metrics translate familiar qualitative discussions \u0026ndash; \u0026ldquo;this log seems useful\u0026rdquo; \u0026ndash; into structured, comparable scores.\nWe also list cost as a metric, but we kept it separate from the formal confidence score. Cost is inherently team‑specific, yet it often drives real‑world deployment decisions, so we designed the model to support local tuning without diluting the underlying measures of detection value.\nFrom Techniques to Use Cases and Automation We started by scoring log sources for individual ambiguous techniques, but that approach did not reflect how attackers actually operate. As a result, security teams must design detections and telemetry strategies for broader objectives \u0026ndash; like credential abuse or command‑and‑control over legitimate channels \u0026ndash; rather than one technique at a time.\nTo align with that reality, we expanded our process to use cases: groupings of ambiguous techniques that share an adversary objective. We then trained an AI model to scale the scoring process across all identified use cases. 
By supplying the model with clear objectives, background documents, technique lists, log source candidates, and detailed scoring rubrics, we were able to reproduce and extend our manual analysis while constraining drift and hallucinations. That pipeline gave us a practical way to evaluate many more combinations of techniques and telemetry than would be feasible by hand.\nWe cover concrete use cases \u0026ndash; such as execution via scripting languages, native OS feature abuse, and command‑and‑control over legitimate channels \u0026ndash; in our project materials. You can explore those examples, including full scoring tables and key design takeaways on our detection engineering page.\nNext Steps We built this phase of ambiguous techniques research to help you move from intuition to evidence when you design detection strategies. The minimum telemetry methodology and confidence scoring model provide a data‑driven, repeatable way to prioritize log sources, close visibility gaps, and justify investments to your leadership.\nNow we want to see how this work performs in your environment. Put our detection strategies to use.\nStart with one or two ambiguous techniques or use cases that matter most to your program, apply the minimum telemetry and confidence scoring guidance, and observe how your false positives, analyst workload, and missed detections change over time. 
Then tell us what you learned by emailing us at ctid@mitre.org.\nShare with us what matched your experience, where the model diverged, and what additional telemetry or metrics you needed and we will refine this framework together for the broader community of defenders.\n","link":"/blog/2026/02/19/ambiguous-techniques-extension/","tags":["Blog","Detection Engineering"],"title":"Context to Confidence: The Next Phase of Ambiguous Techniques Research","type":"blog"},{"banner":"img/banners/ambiguous-techniques-featured-image.png","categories":["Published Projects"],"contents":"With Ambiguous Techniques, you will reduce false positives, focus on the highest‑value log sources, and uncover adversarial use of living‑off‑the‑land activity with an evidence‑driven detection design process.\n","link":"/projects/ambiguous-techniques/","tags":[],"title":"Ambiguous Techniques","type":"projects"},{"banner":"img/banners/2026_roadmap.png","categories":["Blog"],"contents":"Center for Threat-Informed Defense 2026 R\u0026amp;D Roadmap Threat-informed defense changes the game on the adversary. Threat-informed defenders read their adversaries’ playbooks and then orchestrate a defense based on that knowledge. MITRE ATT\u0026amp;CK® is the core of threat-informed defense as our framework of adversary tactics, techniques, and procedures (TTPs). From this foundation, we build detection rules that find and security controls that mitigate adversary actions. From this inspiration, we defend AI-enabled systems and document the playbooks of insider threats and fraud actors. In 2026, the MITRE Center for Threat-Informed Defense (CTID) continues to bring tradecraft out of the shadows and deliver tailored practical, research-driven defenses for the global cybersecurity community.\nExecutive Summary A threat-informed community is essential for effective cyber defense. 
In 2026, the MITRE Center for Threat-Informed Defense (CTID) will focus its R\u0026amp;D program on a clear set of outcomes that help defenders operationalize adversary behavior at scale. Our 2026 roadmap centers on six lines of effort:\nSummiting the Pyramid: Increase detection robustness by advancing methodologies, scoring, and telemetry analysis that raise adversary costs and make evasion measurably harder. Insider Threat: Apply Ambiguous Techniques methods to insider TTPs so programs can distinguish benign from malicious use of common behaviors. Security Capability Mappings: Expand and modernize mappings between ATT\u0026amp;CK and leading control frameworks, using AI-enabled processes to keep mappings current with ATT\u0026amp;CK v18 and evolving vendor capabilities. Program Maturity (INFORM): Provide a strategic model to measure and mature threat-informed defense across the entire security program, complementing tactical capability maturity models. Fight Fraud: Extend the Fight Financial Fraud framework with additional techniques, datasets, and mitigations, connecting cyber detections with material fraud events in more sectors. Attack Flow and AI Security: Evolve Attack Flow, Technique Inference Engine, and ATLAS to cover more domains and AI-enabled systems, integrating ML and automation to speed emulation design defenses. This roadmap is designed to guide defenders toward capabilities to adopt, integrate, and scale—so organizations can start quickly, then continuously get better at threat-informed defense.\nSummiting the Pyramid: Detect Adversary Behaviors David Bianco\u0026#39;s Pyramid of Pain David Bianco’s Pyramid of Pain introduced defenders to the idea that by identifying and detecting adversary tactics, techniques, and procedures (TTPs), it would be harder for adversaries to evade detection. The higher up the Pyramid a defender can detect, the greater the cost imposed on the adversary. 
Many detection analytics are vulnerable to low-cost adversary evasion. CTID’s Summiting the Pyramid (STP) methodology defines and quantifies detection robustness—how difficult it is for adversaries to evade a detection.\nSummiting the Pyramid Levels Building on this work, CTID advanced detection engineering through its Ambiguous Techniques research. Because many ATT\u0026amp;CK techniques are living-off-the-land and not inherently malicious, this work focused on determining the telemetry required to distinguish benign from malicious behavior. We grouped ambiguous techniques into adversary use cases, analyzed the log sources required to detect those use cases, and moved detection analysis beyond individual techniques to the telemetry needed to observe real adversary behavior.\nAmbiguous Techniques exposes a critical reality: modern adversaries deliberately operate in the gray space between benign behavior and malicious action.\nDouglas Jose Pereira dos Santos: Director, Advanced Threat Intelligence, Fortinet\nWe then introduced a confidence score to identify which log sources consistently produce high fidelity detections. By evaluating confidence across use cases we identified the log sources that consistently produce high-fidelity detection, which justifies data collection and detection investment. 
We further scaled this using LLM-driven Retrieval-Augmented Generation to automate confidence scoring across telemetry sources.\nIn 2026 CTID’s research will answer questions in detection that are operationally relevant now to threat-informed defenders:\nHow to measure the completeness of telemetry using ATT\u0026amp;CK v18 data and field-level mappings How compound detections increase robustness and raise the cost of evasion What it means to have “coverage” of an ATT\u0026amp;CK technique, including required log sources and context to classify activity with confidence Insider Threat: If You’ve Seen One Insider Threat Program, You’ve Seen Exactly One Insider Threat Program MITRE CTID’s Insider Threat research began with acknowledgement that insider threat practitioners did not have a common language to share non-attributable observation of insider techniques. So we published the first evidence-based, cross-sector, community-sourced, and openly accessible knowledge base of the TTPs used by insiders in the enterprise environment: the Insider Threat TTP Knowledge Base. MITRE CTID then expanded the techniques of the Insider Threat KB, prescribed detection tools and preventative measures for insider techniques, and defined Observable Human Indicators (OHIs): qualitative and objective attributes of insider threat actors that add context to the TTPs.\nConsider now these dozens of sequences of seemingly benign techniques that were used maliciously by insider threat actors. In 2026 our Insider Threat research will apply CTID’s Ambiguous Techniques methodology to the InT KB data set and derive context and observational principles to distinguish when possibly benign techniques (such as zipping files or utilizing ipconfig) are used by insider threat actors for malicious ends.\nFinally, we will demonstrate how an insider threat program can avail itself of CTID research and results. 
We will define pre-requisites for insider threat programs to use the InT KB, OHIs, and the Ambiguous Techniques methodology. For organizations that are building an insider threat program, we will document technology, policy, and governance best practices. These recommendations will demonstrate the necessary conditions to implement the detection and mitigation results derived in the Insider Threat TTP Knowledge Base.\nThe Best Defense is a Security Capability Mapping to ATT\u0026amp;CK Security capability mappings connect the defenses you’ve invested in to the specific threats that keep you up at night. In January 2026, we mapped adversary behaviors to the Cloud Security Alliance Cloud Controls Matrix (CCM), a set of cloud security controls that address technical and operational aspects of cloud computing across shared responsibility models. The mappings demonstrate how these industry-recognized cloud controls can mitigate specific adversary behaviors. The mappings establish a shared foundation across teams so that organizations will apply threat-informed defense consistently across cloud environments.\nCTI analysts produce ATT\u0026amp;CK-based threat intelligence Offensive SecOps teams identify and validate ATT\u0026amp;CK-based detections in use Detection engineers implement CCM countermeasures for observed threats Security officers align threat management with business objectives ATT\u0026amp;CK updates to a new major version twice a year, and security vendors constantly change their offerings. Continuing in 2026, CTID’s Mappings Program will deliver new collections for threat-informed defensive measures and update the existing mappings collection to reflect techniques in ATT\u0026amp;CK v18. These and our continual updates are available on the Mappings Explorer platform. 
This year, we will scale the Mappings Program by using an AI-enabled process to align security capability mappings with the latest versions of ATT\u0026amp;CK.\nSome mappings relate adversary behaviors documented in ATT\u0026amp;CK to security controls or compliance frameworks. For example, the NIST 800-53 mappings enable cybersecurity architects to cross walk between adversary behaviors and defensive posture. CTID will grow the corpus of mappings in 2026 by:\nAligning ATT\u0026amp;CK techniques with ISO/IEC 27001 to incorporate real-world threat information into information security and the risk management process Mapping CIS Controls to ATT\u0026amp;CK techniques to enhance the design and implementation of a threat-informed operational cybersecurity program Connecting ATT\u0026amp;CK threat information to cyber resiliency constructs for secure system design like NIST 800-160 and CSEIG Cyber Survivability Attributes Build, Measure, and Mature Threat-Informed Defense In 2024, MITRE CTID undertook the effort to Measure, Maximize, and Mature Threat-Informed Defense (M3TID) by advising organizations on incremental efforts to implement and improve their threat-informed defense. Our 2026 research publication INFORM retains that core intent and sharpens it to address how organizations operate today.\nMITRE INFORM Assessment INFORM builds upon the M3TID model and evaluates threat-informed defense as holistic practice rather than a series of initiatives. Key advances include:\nRebalanced scoring algorithm and components that acknowledge that some security decisions have greater impact than others Levels that reflect operational urgency and cross-functional teams because progress relies on coordination across intelligence, operations, engineering, and leadership Personalized recommendations that balance Impact - the defensive value of implementation against Complexity - the organizational and technical effort required to enact it. 
A web-based assessment tool designed for repeated use to: Track progress over time. Download an executive summary INFORM provides a program-level view and complements models that focus on specific teams and functions. For example, capability maturity models such as CTI-CMM, SOC-CMM, and Red Team-CMM, typically operate at the tactical level, driving depth within a function. INFORM tells leaders whether the overall program consistently applies threat-informed defense and where coordinated investment will improve outcomes.\nFight Fraud The problem of financial fraud is prime for the application of threat-informed defense. When we address financial fraud at the time of the material event, we react. It would be like placing our controls for intellectual property theft exclusively in the exfiltration stage.\nOur Fight Financial Fraud (F3) framework enables fraud defenders by codifying the tactics and techniques used in fraud events. Fraud actors use some ATT\u0026amp;CK techniques with traditional fraud techniques, making a cyber-fraud fusion framework necessary. After initial publication in March 2026, we will add additional fraudster techniques, data sources that detect the techniques, and mitigations to reduce harm from fraud.\nWith our members we seek to expand the Fight Fraud research area to additional sectors like retail fraud, health benefits, and aviation. The foundation remains to unite the events detected through cyber means with the material fraud event via data fusion and analysis.\nPrioritizing Adversary Techniques That Matter Most Top ATT\u0026amp;CK Techniques provided defenders with a structured, transparent approach to prioritize ATT\u0026amp;CK techniques. That work established a practical starting point for defensive effort and enabled organizations to align resources against the techniques most relevant to themselves. Since then, adversary behavior has expanded and defensive practice has evolved. 
Notably in 2025, ATT\u0026amp;CK v18 introduced Detection Strategies and overhauled Analytics. In 2026 our Top ATT\u0026amp;CK Techniques renewal (TAT2) will evaluate, score, and prioritize techniques with empirical grounding and alignment to defensive action.\nThe TAT2 project will produce a prioritization methodology for ATT\u0026amp;CK techniques, supported by a fully documented scoring model. One component is prevalence data aggregated from public vendor threat reports. Another component is actionability, scored using ATT\u0026amp;CK v18 Detection Strategies and the mitigations contained in Mappings Explorer. The result is not a fixed list. With TAT2, organizations will evaluate relative importance and apply the results in a way that reflects their own threats, environments, and defensive maturity.\nThreat-Informed Defenders Think in Attack Flow. As the saying goes, Defenders think in lists. Attackers think in graphs. But threat-informed defenders look at adversary behavior as sequences of actions rather than isolated TTPs. By looking at combinations of behaviors, defenders learn the relationships among them: how some techniques set up other techniques, or how adversaries handle uncertainty and recover from failure. Attack Flow is the language to describe how cyber adversaries combine and sequence various offensive techniques to achieve their goals.\nAttack Flow Builder Our research in Attack Flow has produced an on-demand training series and innovation from industry partners. In 2026 we will make it faster for you to build a flow by releasing an updated AI-enabled Attack Flow Builder.\nWe will also integrate the predictive model from Technique Inference Engine (TIE) into Attack Flow. TIE uses a machine learning model trained on cyber threat intelligence to recommend likely TTPs based on a set of known input TTPs. 
This project will modernize TIE’s dataset to include techniques tagged to ATT\u0026amp;CK for Enterprise v18.\nWith TIE, analysts discern what is likely to have happened given the evidence of what did happen. Cyber defenders use TIE’s recommendations to prioritize specific techniques for threat hunting; incident responders use this information to highlight lateral movement and persistence behaviors. Merging TIE into Attack Flow will:\nImprove post-mortem incident analysis by highlighting inferred sensing, detection, and reporting gaps Recommend similar or related attack vectors as part of cyber assurance Accelerate the creation of Adversary Emulation plans Another highlight of Attack Flow in 2026 is the addition of TTP frameworks such as MITRE ATLAS or ATT\u0026amp;CK for ICS to Attack Flow Builder. Adversaries execute across platforms and Attack Flow will map their journey wherever it may lead.\n[Attack Flow] makes it easier than ever to quickly document chains of actions and choke points in adversary activities and show that information in easily consumed visualizations for different stakeholders.\nDavid Vasil: Security Threat Architect, HCA Healthcare\nSecure AI with Threat-Informed Defense AI-enabled systems are susceptible to traditional cybersecurity vulnerabilities and new attacks. As consumers and organizations integrate AI-enabled systems into their business, adversaries exploit them. Defenders must unite to thwart these new threats.\nOpenClaw attack pathways mapped to ATLAS CTID applies a threat-informed approach to AI security that enables rapid exchange of new threat information, develops approaches to emulating those threats, and provides comprehensive and effective mitigation strategies. Moreover, we acknowledge that there is no pause in real-world attack observations and realistic demonstrations from AI red teams and security groups. 
In our research we must continually add to the knowledge base of adversary tactics and techniques against AI-enabled systems. In 2026 we will:\nExpand the ATLAS Knowledge Base. Capture and characterize threats to AI-enabled systems by collecting empirical data from real-world observations and incorporate findings as structured updates to ATLAS. Furthermore, in 2026 this research will identify data sources, analytics, and detection for threats to the AI-enabled system attack surface. Operationalize ATLAS through Threat-Informed Security Tooling. Develop a set of operational tools to enable security teams to test, detect, mitigate, and respond to adversarial threats grounded in MITRE ATLAS TTPs. These tools will span across activities such as adversarial threat emulation, adversarial effects sample generation, vulnerability analysis, and proactive threat hunting, aligned to a set of operationally relevant test harnesses and simulated environments. Identify Malicious Use of AI in Cyber. Identify AI-enabled adversary behaviors, such as attacks accelerated by GenAI. Our R\u0026amp;D program has evolved in our consideration of AI. It is not practical to silo our AI research into a single AI project. So CTID will incorporate AI, ML, or automation as appropriate into each threat-informed defense project. Here are some examples:\nAmbiguous Techniques: Incorporate LLM RAG to automate the confidence scoring metric for telemetry sources. (releases Feb 19) Flow Visualization 2026: Integrate the predictive model from Technique Inference Engine into Attack Flow Mappings Omnibus 2026: Develop an AI-enabled process for performing mapping updates If You’re Not Communicating, You’re Not Practicing Threat-Informed Defense Threat-informed defense will always be a team sport. We are grateful for your feedback on the products of our research, on how you use CTID resources, and the content of our trainings, workshops, and other engagements. 
We aim to create widely-used, easily accessible, and practical resources through our R\u0026amp;D program. That is only possible with community support and engaged CTID Research Participants. Your feedback is key to evolving our work and maximizing its impact. Contact us here.\nJoin us to advance Threat-Informed Defense — CTID Research Participants are thought leaders with sophisticated security teams, advanced practitioners of threat-informed defense, and users of ATT\u0026amp;CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join CTID prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, become a CTID Participant.\nStay informed — Be the first to know about R\u0026amp;D project releases by signing up for our Stay Informed newsletter and following us on LinkedIn.\nUse CTID R\u0026amp;D and share your feedback — Let us know how you are using CTID R\u0026amp;D and allow us to continually refine our work, making it more accessible and impactful.\n","link":"/roadmap/","tags":["R\u0026D Roadmap"],"title":"A Threat-Informed Community is Necessary for Defense to Function","type":"blog"},{"banner":"img/banners/secure-ai.png","categories":["Blog","Cyber Threat Intelligence"],"contents":"MITRE ATLAS™ analyzed OpenClaw incidents that showcase how AI-first ecosystems introduce new exploit execution paths. OpenClaw is unique because it can independently make decisions, take actions, and complete tasks without continuous human oversight.\nBy mapping the patterns and behaviors to ATLAS Tactics, Techniques, and Procedures (TTPs) and visualizing the attack flow, the team deduced chokepoint techniques that adversaries rely on. 
See the Investigation Report here:\nIncident Report CTID is grateful for the contributions of our Secure AI Project Lead and CTID Research team members.\nMITRE’s Center for Threat Informed Defense welcomes collaboration from the entire AI security community to inform defenders of threats introduced by open-source agentic systems like OpenClaw. Join MITRE and industry researchers to grow the ATLAS matrix and develop community tools, resources, and guidance.\n","link":"/blog/2026/02/09/mitre-atlas-openclaw-investigation/","tags":["Artificial Intelligence"],"title":"MITRE ATLAS OpenClaw Investigation Discovers New and Likeliest Techniques","type":"blog"},{"banner":"img/banners/csa-ccm.png","categories":["Blog","Cyber Threat Intelligence","Mappings"],"contents":" Threats to cloud computing span multiple security domains, objectives, and layers of technology. Defenders must protect dynamic, shared environments while adversaries actively exploit misconfigurations, weak controls, and gaps between responsibility boundaries. To keep up, security cannot just focus on how controls are documented. It has to focus on how real adversaries operate in cloud environments.\nMITRE\u0026rsquo;s Center for Threat-Informed Defense (CTID) applies a threat-informed approach that aligns organizations\u0026rsquo; security capabilities to real adversary behaviors, connecting specific security controls to adversary tradecraft. As a result, defenders prioritize investments, validate defensive coverage, and assess risk based on observed attack activity.\nWith CTID members Citigroup, Cloud Security Alliance, CrowdStrike, Fortinet, and JPMorgan Chase Bank N.A., we mapped cloud-native security controls and capabilities to adversary techniques and behaviors documented in MITRE ATT\u0026amp;CK® to design and assess cloud defenses.\nWe used the Cloud Security Alliance Cloud Controls Matrix (CCM) as the control framework in this effort. 
The CCM provides a comprehensive set of cloud security controls that address technical and operational aspects of cloud computing across shared responsibility models. By mapping the CCM to ATT\u0026amp;CK techniques, we demonstrate how these industry-recognized cloud controls can mitigate specific adversary behaviors.\nThe CCM mapping resources, including the mappings themselves, ATT\u0026amp;CK Navigator layers, and the mapping methodology, are all available on our Mappings Explorer website. With these mappings, users will:\nIdentify which ATT\u0026amp;CK techniques are mitigated by specific CCM controls. Align control design and implementation with adversary behaviors documented in ATT\u0026amp;CK. Reference relevant ATT\u0026amp;CK techniques when building, validating, or testing CCM-based security controls. Apply a structured, threat-informed foundation to cloud-native mitigations, threat modeling, and security assessments. Our Approach We followed our established methodology to connect security capabilities to ATT\u0026amp;CK. This methodology reflects our experience mapping multiple security frameworks and provides a repeatable way to use ATT\u0026amp;CK to understand how security capabilities mitigate adversary behavior. Using this methodology, we mapped the CCM v4.1 controls to ATT\u0026amp;CK v17.1 techniques and sub-techniques. We identified more than 200 controls across 17 cloud security domains as providing in-scope capabilities, including Application and Interface Security (AIS), Data Security and Privacy Lifecycle Management (DSP), Infrastructure Security (I\u0026amp;S), and Threat and Vulnerability Management (TVM). This work resulted in more than 900 mappings connecting the CCM to ATT\u0026amp;CK techniques and sub-techniques those controls can help mitigate.\nThe methodology is iterative and consists of four steps, shown in the diagram below. 
Each step builds on the previous one, allowing analysts to understand a control\u0026rsquo;s mitigating capabilities and then map those capabilities to relevant ATT\u0026amp;CK techniques and sub-techniques.\nWe first identified security capabilities in scope. We then examined the in-scope controls in the context of ATT\u0026amp;CK mitigations and specific techniques and sub-techniques. From that analysis, we created mappings that connect each control to the ATT\u0026amp;CK techniques it helps mitigate.\nOur 4-step mapping methodology Threat Mitigation Through Cloud Security Controls By applying CTID\u0026rsquo;s mapping methodology alongside the CCM documentation and its threat-focused implementation guidance, we mapped the CCM to specific adversary behaviors documented in ATT\u0026amp;CK.\nAs an example, the CCM control Automated Application Security Testing (AIS-05) requires both cloud service providers and customers to implement testing strategies for their applications. The AIS-05 implementation guidance explicitly describes the types of threats these testing strategies should address, including:\nUse automated scanners to detect hardcoded or default secrets, keys, and credentials. Run vulnerability scanners to identify issues in third-party libraries. Apply dynamic application security testing methods for session hijacking and injection attacks. Perform input validation to detect SQL injection and command injection. AIS-05 focuses on testing for different types of attacks and aligning with industry standards to improve application security. Following this guidance can mitigate up to 20 ATT\u0026amp;CK techniques and sub-techniques, including Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) for Initial Access and Command and Scripting Interpreter: Cloud API (T1059.009) for Execution.\nExample mappings for AIS-05. 
Threat-Informed Defensive Countermeasures These mappings align the CCM with cloud exploitation techniques and adversary operations. Use them and your organization will identify effective countermeasures and improve its cloud security posture.\nFor example, Pacu is an open-source AWS exploitation framework used by both red teams and threat actors to exploit cloud misconfigurations. Pacu exercises multiple ATT\u0026amp;CK techniques, including Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) and Account Manipulation: Additional Cloud Credentials (T1098.001).\nBy using Mappings Explorer to examine the CCM to ATT\u0026amp;CK mappings, defenders identify controls that prevent or disrupt the capabilities used in Pacu. The mappings also provide rationale that explains how each control mitigates the associated adversary technique, as shown below.\nCCM for Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006). CCM controls for Account Manipulation: Additional Cloud Credentials (T1098.001). Speak a Common Language By connecting the CCM to ATT\u0026amp;CK, organizations gain a common language that enables teams to work together, like the following scenarios:\nCTI analysts produce ATT\u0026amp;CK-based threat intelligence. Offensive SecOps teams identify and validate ATT\u0026amp;CK-based detections in use. Defensive detection engineers implement CCM countermeasures for observed threats. Security officers assess risk and align threat management with business objectives. This shared foundation strengthens coordination across teams and helps organizations apply threat-informed defense consistently across cloud environments.\nGet Involved We welcome your feedback and contributions. There are several ways that you can get involved with this and other mapping projects to help advance threat-informed defense:\nReview the mappings, use them, and tell us what you think. 
We welcome your review and feedback on the CSA CCM mappings, our methodology, and resources. Prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT\u0026amp;CK. Your input will help us prioritize how we expand our mappings. Share your ideas. Share your ideas or suggestions for additional tools and resources for helping the community to understand and make threat-informed decisions. You are also welcome to submit issues for any technical questions or concerns, or contact us directly for more general inquiries.\n","link":"/blog/2026/01/28/cloud-security-built-with-attck/","tags":["Cloud","Mappings","Cloud Security Alliance (CSA)","Cloud Controls Matrix (CCM)","Threat-Informed Defense"],"title":"Cloud Security Built with ATT\u0026CK","type":"blog"},{"banner":"img/banners/csa-ccm.png","categories":["Published Projects","Cyber Threat Intelligence","Mappings"],"contents":"Use our latest mappings to replace assumption-driven cloud defense with evidence-based decisions to stop cloud adversaries in their tracks. With this latest research, you will turn cloud security from a checklist exercise into a threat-informed discipline grounded in real attacks.\nThe CSA CCM mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/tid-for-cloud/","tags":["Cloud","Mappings","Threat-Informed Defense"],"title":"Threat-Informed Defense for Cloud Security","type":"projects"},{"banner":"img/logos/tid-circle.png","categories":["Blog"],"contents":" From Insight to Impact: INFORM your Defense Threat-informed defense only works when adversary knowledge shapes decisions across the entire security program. Many organizations have adopted ATT\u0026amp;CK-based practices, invested in cyber threat intelligence, and expanded their testing and evaluation. 
The challenge lies in addressing two remaining questions: how well-informed is your defense about current threats today, and how can you improve it?\nTo answer those questions, MITRE CTID evolved its original M3TID research into INFORM, a practical, measurable approach for assessing and maturing threat-informed defense at the strategic level. We built INFORM with CTID members AttackIQ, Fortinet, HCA Healthcare, Infineon, and Lloyds Banking Group. Their expertise kept us anchored to what teams need to operate threat-informed programs at scale.\nOur First Attempt at Measuring TID Two years ago, we created Measure, Maximize, Mature Threat-Informed Defense (M3TID) to help teams determine whether their defense was truly threat-informed. M3TID defined threat-informed defense as a continuous loop across three dimensions:\nCyber Threat Intelligence (CTI): Information about cyber adversaries and their behaviors, used to identify and mitigate risks to systems and data. Defensive Measures (DM): Preventions, detections, and mitigations that protect against threats or attacks. Test and Evaluation (T\u0026amp;E): Continuous assessments, based on threat knowledge, that examine security controls and how well those controls are implemented. M3TID gave teams a way to assess maturity and identify gaps, delivered via the tried-and-true method of an Excel spreadsheet. Over time, practitioner feedback and real-world use showed us where we had gaps of our own. We needed to align M3TID with strategic operations, replace the spreadsheet with a professional UI, and make it more actionable for program leaders. Threat-informed defense works best when it is a program-wide practice instead of a set of disconnected initiatives, so we set out to accurately capture that.\nINFORM: The Evolution of M3TID INFORM retains the core intent of M3TID and sharpens it to address how organizations operate today. 
INFORM improves upon our original model in the following ways:\nRebalanced scoring algorithm and components. Levels that reflect operational urgency and cross-functional teams. Integration with other maturity models and programs. Web-based assessment tool. Personalized recommendations. Rebalanced Scoring Algorithm and Components M3TID defined the three dimensions of TID (CTI, DM, and T\u0026amp;E) with each dimension containing five components and 25 levels. Our original scoring algorithm weighed each of the components and levels evenly. While this was good for a first effort, it ignored the larger significance that some security decisions can have over others. For instance, tracking IOCs is not as significant as tracking adversary behaviors because IOCs are often temporary and reactive, while adversary behaviors provide deeper insights into tactics, techniques, and procedures that are more consistent and predictive of future attacks. To account for this, we assigned points to each level based on its significance relative to its dimension.\nWe also examined our component list and noticed that while our dimensions had different weights (CTI at 35%, DM at 40%, and T\u0026amp;E at 25%), components were evenly distributed. This was incongruous, so we dug into each dimension to see if we were accurately capturing the important aspects of them. Our research identified several gaps so we expanded the dimensions, which neatly coincides with the dimension weights.\nComponents listed by dimension. Levels That Reflect Urgency and Accommodate Cross-Functional Teams Another piece of feedback we received on M3TID was that the levels do not represent the speed at which operational information needs to move across an organization. This requires accounting for speed of dissemination, as well as an organization\u0026rsquo;s ability to work across teams. We created new levels to reflect this reality. 
As programs mature, progress increasingly depends on quick cooperation across threat intelligence, engineering, operations, and leadership. This shifts maturity from \u0026ldquo;one team improved\u0026rdquo; to \u0026ldquo;the program improved,\u0026rdquo; which reflects how threat-informed defense succeeds.\nINFORM Works with Your Existing Models and Programs INFORM is strategic. It provides a program-level view and complements tactical models that focus on specific teams and functions. For example, capability maturity models such as CTI-CMM, SOC-CMM, and Red Team-CMM typically operate at the tactical level, driving depth within a function. INFORM operates at the strategic level, helping leaders understand whether the overall program consistently applies threat-informed defense and where coordinated investment will improve outcomes.\nINFORM also fits naturally alongside Continuous Threat Exposure Management (CTEM) programs. CTEM weaves threat-informed thinking throughout its five-step cycle. Both CTEM and INFORM provide a way to measure whether threat-informed defense is consistently applied across a program, and how it changes over time. Threat-informed defense should span the entire program and INFORM is designed to help teams make that measurable.\nWeb-Based Assessment INFORM is delivered through a user-friendly web tool located at ctid.mitre.org/inform. The assessment is designed for repeated use that allows you to:\nTrack progress over time. Download an executive summary suitable for leadership briefings and stakeholder alignment. Receive recommendations for next steps. Users can upload up to four past results to see trends over time, and more specifically, how program-wide decisions affect threat-informed defense. Teams can revisit past results as their environment, threats, and capabilities evolve.\nExample inputs for INFORM assessment. 
Personalized Recommendations Teams often know they want to be more threat-informed, but they struggle to choose which actions will deliver real value quickly. INFORM addresses that with recommendations driven by an impact vs. complexity model.\nEach level in INFORM is scored on:\nImpact: The defensive value gained if you implement it. Complexity: The organizational and technical effort required to enact it. The tool represents these scores in a matrix that is personalized based on the user\u0026rsquo;s inputs. This matrix helps teams prioritize work that will deliver high value with manageable effort and supports longer-term planning for high-impact changes that require more coordination.\nImpact/complexity matrix results. Put INFORM to Work Start by running the assessment and sharing the PDF summary with stakeholders. Then pick one or two high-impact, low-complexity improvements to pilot. Reassess after each cycle to show progress and maintain alignment across CTI, defensive measures, and test and evaluation.\nThreat-informed defense is not a one-time project. It is a continuous cycle of understanding threats, improving defenses, and validating results. INFORM provides a practical way to measure that cycle and mature it across the entire program.\n","link":"/blog/2026/01/08/inform-your-defense/","tags":["Threat-Informed Defense","INFORM","M3TID"],"title":"From Insight to Impact: INFORM your Defense","type":"blog"},{"banner":"img/logos/tid-circle.png","categories":["Published Projects","Cyber Threat Intelligence","Defensive Measures","Test and Evaluation"],"contents":"MITRE INFORM is a program-level assessment designed to show how threat-informed your organization is and where to improve next across cyber threat intelligence, defensive measures, and test and evaluation. 
Turn insight into action and see your threat-informed posture at a glance and know exactly where to invest next.\n","link":"/projects/inform-your-defense/","tags":["Cybersecurity Tools"],"title":"INFORM Your Defense","type":"projects"},{"banner":null,"categories":null,"contents":" The Center for Threat-Informed Defense is a privately funded research and development organization that brings together the highly sophisticated cybersecurity teams from around the world for one cause and one purpose … to change the game on the adversary. Membership that leverages the diverse cyber community Center Participants are industry thought leaders with highly sophisticated security teams that are advanced practitioners of threat-informed defense and users of MITRE ATT\u0026CK®. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. Become A Member Collaborative R\u0026D that's focused on impact Our work is the result of the Center's unique environment: Repeatable, scalable, and agile to allow us to tackle the most pressing challenges in a timely and efficient manner. Research projects are built on member-powered collaboration and guided by our core principles.\nOpenness Members propose ideas\nFlexibility Members choose projects\nCollaboration Members share ideas, research, and funding\nLeadership Members gain key expertise\nOur collaborative approach to R\u0026D results in increased impact. Our work benefits from the unique perspectives and contributions of our participants. Our participants create greater impact with their R\u0026D funding through R\u0026D cost sharing.\nLevels of Participation Research Partner As top tier participants, Research Partners contribute significant resources to the Center's R\u0026D program and, indeed, the future direction of threat-informed defense. 
Your organization will take a hands-on approach to changing the game on the adversary and improving the state of the art and the state of the practice in threat-informed defense. Research Sponsor Research Sponsors make up the largest segment of the Center's membership and are the backbone of our work. Your organization will have the opportunity to contribute expertise, staff, and resources to advance the Center's research program in the public interest.\nNon-Profit Participant Non-Profit Participants are the grass roots of the Center for Threat-Informed Defense working hand-in-hand to advocate for the cyber defender and expand the reach of our work. Non-Profit Participants are a unique level of membership open by invitation only.\nBenefits at a Glance Participant Benefits* Research Partner Research Sponsor Non-Profit Participant Propose \u0026 Sponsor R\u0026D Projects Propose collaborative R\u0026D projects. Non-profit participant may be invited to participate.\nEarly Access to R\u0026D Project Results Prior to the public release of each Center R\u0026D project, meet with the project team of MITRE SMEs and Center Participants who shaped, created, and developed the project.\nTechnical Roundtables Monthly roundtable discussions open to all Center Participants featuring MITRE SMEs addressing hot topic industry issues.\nMITRE ATT\u0026CK® Updates Semi-annual briefings from the MITRE ATT\u0026CK team on the most recent updates and how those updates benefit your organization and further industry defenses.\nMITRE ATT\u0026CK® Evaluations Briefings In-depth briefings from the experts on the results of each round of ATT\u0026CK Evaluations.\nCollaboration Platform Accounts Secure platform for participants and staff to communicate and collaborate in real time, which provides access to the trusted Center community.\n16 8 3 ATT\u0026CKcon Complimentary conference seats to the premiere MITRE ATT\u0026CK annual event at no additional cost.\n4 2 1 Joint Promotions Eligible to 
promote joint webinars \u0026 podcasts highlighting sponsored R\u0026D projects, as well as appear on “Center Conversations” with the Center Director.\nRecognition Participant logo showcased on the Center web site and marketing materials; Center logo and digital badge available for Participant use.\nDigital Badge Post this shareable badge on your web site, email signature block, social media and anywhere else your marketing team chooses to showcase your participation in the Center.\nLeadership Spotlight For Research Participants Only. Leadership Spotlights provide a platform for demonstrating your organization as a thought leader and cybersecurity innovator.\nAdvisory Council Senior executives from Participant organizations serve a strategic role in defining long-range plans, priorities, and initiatives to ensure the success of the Center and generate impact at scale.\n1 Seat *Benefits subject to change\tBecome a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. First Name Last Name Email Job Title Organization Sign up for the \"Stay Informed\" newsletter ","link":"/membership/","tags":null,"title":"Membership","type":"page"},{"banner":"img/banners/mappings-editor-attck-sync-update.png","categories":["Blog","Mappings"],"contents":" Cybersecurity is built on MITRE ATT\u0026amp;CK®. Threat-informed organizations map security control frameworks to ATT\u0026amp;CK techniques (e.g., the NIST 800-53 Controls to ATT\u0026amp;CK Mappings). Intelligence analysts, threat hunters, and incident responders communicate amongst themselves in the words and pictures of ATT\u0026amp;CK (e.g., Attack Flow). These tools that operationalize the ATT\u0026amp;CK framework are typically tethered to the version of ATT\u0026amp;CK that was current at the time of development. 
But adversaries keep innovating and MITRE responds by updating the ATT\u0026amp;CK knowledge base twice per year. As new versions of ATT\u0026amp;CK come out, once-fresh applications become out-of-date with stale data.\nIn partnership with the Center for Internet Security, Citigroup, HCA Healthcare, JPMorgan Chase Bank N.A., Lloyds Banking Group, Microsoft Corporation, and Verizon Business, we have upgraded our resources that keep you up-to-date with ATT\u0026amp;CK. Even with the significant updates to the ATT\u0026amp;CK framework in version 18, these tools will show you exactly what changed between versions to keep your threat-informed defense current.\nATT\u0026amp;CK Sync Website Use ATT\u0026amp;CK Sync to understand exactly what has changed between versions of ATT\u0026amp;CK. The web interface allows you to select the version you are currently using and the version you want to upgrade to, and then view a detailed changelog to guide your updates.\nWhat’s New ATT\u0026amp;CK Sync Use ATT\u0026amp;CK Sync to update your solutions to new versions of ATT\u0026amp;CK efficiently and effectively. ATT\u0026amp;CK Sync is up to date with the major changes announced for version 18, listing all Detection Strategies and Analytics. Threat-informed organizations stay on top of ATT\u0026amp;CK releases to maintain timely and relevant defense.\nATT\u0026amp;CK Sync updates existing workflows to newer versions of ATT\u0026amp;CK. We use it too in our R\u0026amp;D program. Our Mappings Editor is a practical example of how.\nMappings Editor If you need to produce or update your own security control mappings to ATT\u0026amp;CK, Mappings Editor is a tool to do just that. We use the Mappings Editor to produce our repository of security capabilities mapped to the ATT\u0026amp;CK knowledge base, centralized for you in Mappings Explorer. Mappings Editor streamlines the creation of mapping files. 
It moves you away from spreadsheets to a web-based interface that we engineered to accelerate the mapping process.\nWe have made the Mappings Editor available as a public beta with usage documentation – including step-by-step instructions for updating mappings in the Editor – via the project’s GitHub repository and the live Mappings Editor site.\nThe Mappings Editor now has built-in ATT\u0026amp;CK Sync functionality. You can now easily answer the important question “how does this new version affect my existing ATT\u0026amp;CK mappings?”. This means that you can upload your existing mappings and see which mappings include ATT\u0026amp;CK objects that have changes across versions of ATT\u0026amp;CK, including the recently released v18.\nTo use the new ATT\u0026amp;CK Sync in Mappings Editor:\nSelect the ATT\u0026amp;CK version you want to update to. The Editor will flag each mapping that contains an ATT\u0026amp;CK object that has changed in the selected ATT\u0026amp;CK version.\nThen use Mappings Editor to customize your display, such as showing only mappings with version-related changes.\nSee what changed in the Editor’s new Problem Pane. The Editor can show changes to: Technique ID, Name, Description, and Mitigations.\nOnce you’ve synced the existing mapping with the changes affecting the mapped ATT\u0026amp;CK object, update the status of the mapping and move on to the next.\nMappings Editor ATT\u0026amp;CK Sync Features The new ATT\u0026amp;CK Sync capabilities in Mappings Editor help you quickly identify, review, and update mappings affected by changes across ATT\u0026amp;CK versions, keeping your threat-informed defense current. 
By combining the detailed version-to-version changelogs from ATT\u0026amp;CK Sync with the streamlined mapping workflows in Mappings Editor, defenders can reduce the time and effort required to keep their mappings in sync with ATT\u0026amp;CK.\nMappings Editor ATT\u0026amp;CK Sync Features Get Involved We welcome your feedback and contributions to continue to advance ATT\u0026amp;CK Sync and the Mappings Editor. You are also welcome to submit issues for any technical questions/concerns via the Mappings Editor GitHub repository or contact ctid@mitre.org directly for more general inquiries.\n","link":"/blog/2025/11/15/get-in-sync-with-attack-ctid/","tags":[],"title":"Get in Sync with ATT\u0026CK and CTID","type":"blog"},{"banner":"img/events/attack-con-6.png","categories":["Events"],"contents":"The conference brought to you by the MITRE ATT\u0026amp;CK team returns in 2025! Join us on October 14-16, 2025, at MITRE headquarters in McLean, VA, for MITRE ATT\u0026amp;CK® and threat-informed defense.\nConnect with fellow cyber professionals, hear from expert speakers, and dive into engaging content.\nEverything is designed to help you make the most of the ATT\u0026amp;CK framework and advance threat-informed defense. Whether you\u0026rsquo;re starting your cybersecurity journey or aiming to boost your skills and network, ATT\u0026amp;CKcon is the place for cybersecurity leaders and practitioners.\nIn addition to the main event on October 14 and 15, the Center will host its advisors and members for strategic discussions of the Center and our roadmap. 
Then on Thursday, the Center will host a training session, open to all, to drive community-wide advancement of threat detection capabilities.\nGet Involved ","link":"/events/attack-con-6/","tags":["ATT\u0026CKCon"],"title":"Center for Threat-Informed Defense at MITRE ATT\u0026CKcon 6.0","type":"events"},{"banner":"img/banners/attack-flow-cti.png","categories":["Video"],"contents":"This video discusses the recent ToolShell vulnerability. We show how to use Attack Flow to communicate about threats with your colleagues and management team, including the source selection process as well as how to present a threat narrative that is visually rich. The flow conveys a high degree of technical information but also depicts the threat in an appealing way for less technical audiences who may be risk managers or decision makers.\n","link":"/videos/attack-flow-cti/","tags":["Attack Flow"],"title":"Using Attack Flow for CTI","type":"videos"},{"banner":"img/banners/sharepoint-matrix.png","categories":["Blog",""],"contents":"Why Detections Rooted in Behaviors Can Help Anticipate Misuse The exploitation of critical zero-day vulnerabilities in Microsoft SharePoint highlights that adversaries don’t always need new tools to succeed. By chaining familiar techniques with newly discovered flaws, they can bypass defenses without deploying novel malware or infrastructure. Sometimes, all it takes is a gap in how defenders prioritize or perceive risk. Vulnerable organizations should review CISA’s alert and Microsoft’s customer guidance to mitigate potential attacks. But even with patches available and visibility in place, adversaries can still exploit overlooked system behavior, leading defenders to ask a hard question:\n“How do we detect and stop this kind of attack at scale?”\nIn many cases, by the time there’s a signature, it’s already too late – and that’s why this post isn’t another write-up about a zero-day. 
It’s a conversation about a practical approach to detection, one that’s rooted in behavior and not just signatures. When defenders understand how adversaries think, move, exploit trust, and chain behaviors, they can actively build strategies that surface real threats, even without knowing the exploit.\nWe hope this approach supports fellow defenders in building a proactive, flexible detection strategy that surfaces adversary activity even when the vulnerability is new or unknown.\nNote: Please look towards the end of the blog for the list of MITRE ATT\u0026amp;CK® techniques observed in the exploitation of the vulnerability.\nZero-Days Bypass Signatures. Behavior Doesn’t Lie When CVE-2025-53770 was initially exploited, there weren’t indicators of compromise (IOCs), YARA rules, or pre-packaged signatures. But the adversary behavior still left a trail, just not one that most defenses were tuned to follow. The challenge wasn’t due to a lack of tools, but a focus on the wrong signals. Zero-days don’t look like known vulnerabilities, but the behaviors they unlock often do.\nExploits may be novel, but adversaries usually follow predictable patterns once they’ve gained entry. Whether it is abusing system trust, executing commands from unexpected services, dropping files to gain persistence, or making outbound connections, behavior-based detections are critical because they work, even when the initial entry point is unknown. These behaviors form a causal chain of activity, a connected chain of observable events that tell the story of the compromise.\nCVE-2025-53770 allowed unauthenticated adversaries to trigger remote code execution in Microsoft SharePoint by sending a crafted request to the ToolPane.aspx endpoint. While the initial vector was new, the attacker’s post-intrusion behavior wasn’t:\nA service process (w3wp.exe, which runs SharePoint sites) launches PowerShell or .NET assemblies. A new file (e.g., a web shell) is dropped in a system directory. 
Outbound connections or discovery begins. Unlike static IOCs, causal chains help detect the “what” and “why” of an attack, not just “which tool”. That’s why behavior-first detection engineering is no longer optional; it’s a requirement. It allows defenders to move from: “Do we recognize this payload?” to “Do we recognize what adversaries do, no matter how they get in?”\nDetection Engineering: Patterns Over Products Even with skilled teams and advanced security solutions, many organizations miss behaviors that don’t match known signatures. Why? Because they focus on specific tools or payloads rather than behavioral intent.\nWhat if the payload wasn’t PowerShell? What if the web shell dropped somewhere else? What if the adversary obfuscated VIEWSTATE tokens to look completely different? Detection strategies should be aligned with how real adversaries operate. That means pulling behaviors from threat intelligence, modeling attack chains, and creating logic that shines light on intent rather than artifacts.\nBehavioral Anchoring: Recognizing adversary intent (e.g., deserialization leading to command execution), not just payload.\nCausal Correlation: Linking file access + process execution + network activity into a timeline of malicious activity.\nFlexible Logic: Supporting detection of variations across scripting languages, execution methods, and access patterns.\nHypothesis Testing: Asking “Would we catch this?” and proving it in safe, controlled scenarios.\nThreat-Informed Hypothesis Testing Hypothesis testing isn’t just a theoretical exercise; it’s a practical way to simulate how trusted features might be misused and explore what those actions would look like in your environment. Blending adversary behavior with a clear understanding of how systems work enables a shift from assumed visibility to proven detection and helps you validate detection coverage in realistic terms.\nFor example, defenders might ask:\nWhat if a web service spawns a shell? 
What if someone drops a file into SharePoint’s layouts directory? What if config data is accessed or altered? What would spoofed or malformed traffic look like in our logs? Threat-informed hypothesis testing helps teams move beyond static rules and signature dependence by turning threat intelligence into action. It blends insight into adversary behavior with a deep understanding of system internals, so you can proactively validate whether you’re truly prepared for real-world tradecraft. A core element of threat-informed hypothesis testing is defensive curiosity, the drive to ask, “What if?” before an adversary answers it for you.\nResources like Summiting the Pyramid, Technique Inference Engine, and Attack Flow offer different ways to reason about adversary behavior, from forming hypotheses at the behavioral level to mapping raw data to techniques and visualizing how those techniques unfold over time.\nWalking through CVE-2025-53770, Differently CVE-2025-53770 abused trusted services in an unexpected way, and that’s exactly the kind of scenario hypothesis testing is designed for.\nIn the following four examples, we walk through hypotheses that model how an attacker might move through the environment after exploiting this vulnerability. Each test is grounded in some of the real techniques observed in recent intrusions and is meant to help you think through current visibility and detection logic.\nHypothesis 1: What happens if a web service spawns a shell? T1059.001: Command and Scripting Interpreter: PowerShell\nObserved: ToolShell accepted a forged VIEWSTATE, leading w3wp.exe to execute PowerShell. System assumption: Web services don\u0026rsquo;t run command interpreters. Baseline question: Does w3wp.exe ever launch child processes in our environment? Test it: Run a harmless PowerShell command via w3wp.exe in a dev or purple team environment.\nCheck: Is it logged? Alerted on? 
Does it match baselines?\nDetection goal: Flag non-standard interpreter launches by service processes, regardless of payload content.\nHypothesis 2: What if someone drops a file into the SharePoint layouts directory? T1505.003: Server Software Component: Web Shell\nObserved: The attacker deployed spinstall0.aspx to _layouts/15/, a path that auto-serves content. System assumption: Only trusted updates write to app directories. Baseline question: Who writes to that folder normally? Test it: Drop a benign .txt or .aspx file into _layouts/15/ using different accounts.\nMonitor: file creation, access logs, and application behavior.\nDetection goal: Alert on unexpected file writes to web-exposed directories by unusual users or processes.\nHypothesis 3: Can VIEWSTATE or config data be abused? T1552.001: Unsecured Credentials: Credentials In Files\nObserved: The attacker stole MachineKey values from web.config and machine.config to forge tokens. System assumption: Only the application reads these files. Baseline question: Who accesses these config files? Is it ever w3wp.exe outside of startup? Test it: Access the files manually using PowerShell or a service account.\nMonitor: file read events, Windows Security logs, or EDR telemetry.\nDetection goal: Detect rare or first-time access to sensitive config files by unexpected accounts or services.\nNote: This hypothesis is scoped to file access detection. Some variants may access cached configuration via memory using .NET APIs, which would require separate instrumentation.\nHypothesis 4: What does spoofed traffic look like? T1071.001: Application Layer Protocol: Web Protocols\nObserved: POST requests to ToolShell endpoints included forged headers (Referer: /_layouts/SignOut.aspx) to bypass filters. System assumption: Internal apps rely on trusted headers to validate the origin or authenticity of requests. Baseline question: Are we logging Referer headers? What are normal patterns? 
Do certain applications or paths rely on header-based validation? Test it: Replay POST requests with alternate Referer values (e.g., /error.aspx, /login.aspx, or nonexistent pages) in a dev/test environment.\nReview: WAF, IIS, or proxy logs for abnormal header use targeting known admin endpoints.\nDetection goal: Monitor for forged or unusual Referer headers in application POST traffic, especially those imitating legitimate navigation paths to subvert validation logic.\nA Process for Threat-Informed Hypothesis Testing Behavior-driven testing doesn’t need a major program. It just requires a structured way to explore how adversary behavior would unfold in your own environment. The following five-step process offers a practical method to move from assumed coverage to proven detection.\nStep 1: Identify Access or Function Class “What does this system or feature allow an attacker to do if misused?”\nStart with a category of access (e.g., unauthenticated HTTP access, config file read, interpreter execution) or a system feature (e.g., VIEWSTATE, ToolShell, SMB access). Don\u0026rsquo;t wait for the CVE, look at the design assumptions.\nStep 2: Form a Hypothesis Around Misuse “If an attacker had this access, what could they do next?”\nUse ATT\u0026amp;CK for inspiration. Frame the behavior chain as a realistic misuse of system trust boundaries, even if no known exploit exists. E.g., “If the web service runs deserialized code, could it launch PowerShell?”\nStep 3: Design and Execute a Safe Test “Can I emulate this behavior safely to validate logging and detection?”\nEmulate the behavior (not the exploit). Examples:\nDrop a file in a protected directory. Access a config file from an unusual process. Send a spoofed Referer header to a known endpoint. Use purple team infrastructure or pre-production where possible.\nStep 4: Observe Telemetry and Analyze Gaps “What logs are generated? Do existing rules catch it? 
What’s missing?”\nCorrelate logs across time, identity, system, and activity:\nWas the event captured? Was it alerted on? Did it blend in? Document blind spots, noise, or places where causality is lost.\nStep 5: Refine Detection and Baselines “What detection goals should we create? What baseline is normal?”\nTurn insights into flexible, behavior-based detection logic. Flag anomalies based on:\nRare combinations of process, file, and network activity Unexpected parent-child process relationships Abnormal file access patterns Then, monitor those baselines over time. Re-test regularly. Continuous Emulation as Detection Validation Building a sustainable detection strategy rooted in adversary behavior means treating emulation as a regular practice, not a one-time or even periodic red team event. Continuous emulation takes the behaviors observed in the wild and safely replicates them in your own environment to see what is observable, what gets missed, and what could be improved (people, processes, and technology). When defenders understand how adversaries think, move, and chain together behaviors to exploit trust and gain control, they can emulate that tradecraft to test their own readiness.\nAdversary emulation is exactly what it sounds like: mirroring the types of behaviors adversaries have used in the wild, but in a safe and controlled way. Instead of focusing on recreating specific exploits or only relying on known malware, defenders can walk through how adversaries operate, from misusing legitimate tools, escalating access, or quietly moving through systems. 
These realistic drills help answer the core question: Would we catch this if it happened here?\nRather than asking, “Would we detect CVE-2025-53770?” a more useful question that emulation could help answer is:\n“Would we detect any web service executing unauthorized commands?”\nUsing adversary emulation tools like MITRE Caldera, Atomic Red Team, or the free resources in the ATT\u0026amp;CK Evaluations Adversary Emulation Library can help teams safely replicate core behaviors (e.g., PowerShell spawning from w3wp.exe) without knowing the exact exploit. With this approach, early signs could have surfaced and been alerted on, where instead:\nVIEWSTATE parsing was not logged or analyzed. PowerShell spawns from w3wp.exe were never profiled. Config file access by service accounts wasn’t monitored. Proxy infrastructure did not log or inspect Referer headers. In Conclusion CVE-2025-53770 is a SharePoint vulnerability, but more than that, it’s a lesson in how assumptions about system behavior can be exploited, even in mature environments. Strong tooling is important, but operational readiness depends on the questions we’re willing to ask ahead of time:\nWould we detect this behavior? Would we understand it? Would we act on it? You can’t predict the next zero-day, but you can build a process that helps you detect the behaviors behind it. That starts by turning threat intelligence into hypotheses and making continuous emulation a regular part of your detection engineering process.\nThe next attack may not look exactly like this one, but the behavior patterns will feel familiar, especially if you’ve practiced for it.\nAppendix: Observed MITRE ATT\u0026amp;CK Techniques The ATT\u0026amp;CK Tactics, Techniques, and Procedures (TTPs) outlined below reflect the initial observed activity associated with the exploitation of the SharePoint vulnerabilities. These mapped behaviors provide an early view of adversarial operational flows but should not be considered comprehensive. 
This view will continue to evolve as more technical reporting and analysis become available.\nID | Technique Name | Procedure\nResource Development\nT1583.001 | Acquire Infrastructure: Domains | The adversary established command and control that typosquatted or spoofed Microsoft through STORM-2603 use of the C2 domain update[.]updatemicfosoft[.]com\nInitial Access\nT1190 | Exploit Public-Facing Application | The adversary sends a crafted POST request to /_layouts/15/ToolPane.aspx exploiting a deserialization flaw (CVE-2025-53770) and bypassed authentication through CVE-2025-53771, allowing unauthenticated RCE. Other adversaries sent variations of .aspx files.\nExecution\nT1059.001 | Command and Scripting Interpreter: PowerShell | The w3wp.exe process invokes PowerShell via the deserialized payload (System.Diagnostics.Process), executing attacker-controlled encoded commands.\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | The attackers utilized cmd.exe and batch scripts within the victim environment.\nT1569.002 | System Services: Service Execution | The adversaries used services.exe to disable Defender via registry keys. The adversaries also leveraged PsExec for execution of commands.\nT1047 | Windows Management Instrumentation | The adversary used WMI to execute commands.\nPersistence\nT1505.003 | Server Software Component: Web Shell | Malicious .aspx web shell (spinstall0.aspx) is written to the _layouts/15/ directory, granting persistent HTTP-based access to the SharePoint server.\nT1053.005 | Scheduled Task/Job: Scheduled Task | The adversary (STORM-2603) created scheduled tasks to establish persistence.\nT1505.004 | Server Software Component: IIS Components | The adversary (STORM-2603) modified Internet Information Services (IIS) components to load suspicious .NET assemblies to maintain persistence.\nCollection\nT1005 | Data from Local System | The attackers extract information from the compromised system.\nDefense Evasion\nT1027.010 | Obfuscated Files or Information: Command Obfuscation | The adversaries encoded PowerShell commands in Base64.\nT1620 | Reflective Code Loading | The attackers reflectively loaded payloads using “System.Reflection.Assembly.Load”.\nT1070.004 | Indicator Removal: File Deletion | Temporary files or logs may be deleted by the attacker to cover traces post-deployment of the web shell or PowerShell scripts.\nT1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | The adversary (STORM-2603) modified group policy to distribute ransomware within compromised environments.\nT1562.001 | Impair Defenses: Disable or Modify Tools | The attacker (STORM-2603) disabled security services via the registry, including Microsoft Defender.\nT1112 | Modify Registry | The attacker (STORM-2603) disabled security services by modifying registry keys.\nT1036.005 | Masquerading: Match Legitimate Resource Name or Location | The spinstall0.aspx file mimicked installer naming conventions, and debug_dev.js resembled legitimate dev assets to avoid suspicion.\nT1140 | Deobfuscate/Decode Files or Information | The attacker decoded the contents of the files created.\nCredential Access\nT1552.001 | Unsecured Credentials: Credentials in Files | The attacker accesses web.config and machine.config to extract MachineKey values, enabling them to forge legitimate VIEWSTATE tokens for future deserialization payloads.\nT1003.001 | OS Credential Dumping: LSASS Memory | The attackers used Mimikatz to retrieve credentials from LSASS memory.\nCommand and Control\nT1071.001 | Application Layer Protocol: Web Protocols | The attacker issues HTTP POST requests to the web shell with spoofed or empty Referer headers, circumventing authorization controls.\nT1090 | Proxy | The attacker utilized a Fast Reverse Proxy to connect to C2.\nT1572 | Protocol Tunneling | The attacker utilized an NGROK tunnel to deliver PowerShell to C2.\nDiscovery\nT1082 | System Information Discovery | The attacker uses command execution to fingerprint the SharePoint system (e.g., OS version, running processes).\nT1083 | File and Directory Discovery | Commands are run to locate accessible file shares, backup paths, or SharePoint content.\nT1033 | System Owner/User Discovery | The attacker executed the “whoami” command on the victim machine to enumerate user context and validate privilege levels.\nExfiltration\nT1041 | Exfiltration Over C2 Channel | Stolen credentials or internal data are encoded and exfiltrated over HTTPS to the attacker's infrastructure.\nLateral Movement (Post-Intrusion)\nT1021.001 | Remote Services: SMB/Windows Admin Shares | Adversary uses stolen credentials or tokens to pivot to additional internal systems.\nT1570 | Lateral Tool Transfer | The adversary (STORM-2603) used Impacket to leverage WMI and execute payloads.\nImpact\nT1486 | Data Encrypted for Impact | The attacker (STORM-2603) deployed Warlock ransomware on victim environments via GPO. ","link":"/blog/2025/08/04/lessons-from-sharepoint-vulnerability-cve-2025-53770/","tags":[],"title":"Can You Detect What You Can’t Predict? Lessons from SharePoint Vulnerability CVE-2025-53770","type":"blog"},{"banner":"img/banners/member-voices.png","categories":["Video"],"contents":"Joel Spurlock from CrowdStrike discussed his favorite CTID project and how it addresses two critical problems in cybersecurity today.\n","link":"/videos/member-voices-joel-spurlock/","tags":["Member Voices"],"title":"Member Voices: Joel Spurlock","type":"videos"},{"banner":"img/banners/attack-flow-training.png","categories":["Video"],"contents":"Attack Flow online training provides everything you need to get up to speed. 
The training includes 5 sections that start with an overview of Attack Flow, work through hands-on examples of building flows, and dive into the visualization tools.\nInstructions Play the video training above. The 5 sections will automatically play in consecutive order, or you can click the playlist icon in the top right of the video to jump ahead to another section.\nDownload the training slides and sample files so that you can follow along with the training yourself and participate in the hands-on exercises: Attack Flow Training.zip\nAgenda Section 1 – Introduction to Attack Flow\nProvides an overview of Attack Flow: why we created it, who it\u0026rsquo;s for, and what you can do with it.\nSection 2 – Using Attack Flow Builder\nIntroduces Attack Flow Builder, which is the tool for creating and editing flows. This section also starts walking through the basic building blocks of flows.\nSection 3 – Building an Attack Flow\nWalks through a real-world example of building a flow around publicly available cyber threat intelligence. We cover the strategy for building flows and then walk through a detailed example together. Use the sample files linked above to follow along on your own.\nSection 4 – Visualization\nWhat can you do with your flows after you have built them? This section describes the suite of visualization tools that automate tedious work and/or generate insights into threats and cyberdefense.\nSection 5 – What\u0026rsquo;s New in v3\nFor users who have experience with Attack Flow v2, you will find this short video helpful for learning about all the great improvements and new features in v3.\nLive Training If you are interested in live (virtual or in-person) training: we offer live training to all CTID Participants throughout the year. If you would like to attend one of these trainings, reach out to your organization\u0026rsquo;s CTID point of contact.\nWe are also available for conducting live training at conference venues. 
Contact us to request training.\n","link":"/videos/attack-flow-training/","tags":["Attack Flow"],"title":"Attack Flow Training","type":"videos"},{"banner":"img/banners/attack-flow-3.png","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"With Attack Flow, you will capture the entire attack and communicate what matters!\n","link":"/projects/attack-flow/","tags":["Cyber Tools"],"title":"Attack Flow v3","type":"projects"},{"banner":"img/banners/flow-viz-featured-image.png","categories":["Blog"],"contents":" From large multinationals with mature cybersecurity programs to small startups, organizations around the globe use Attack Flow to track the APTs that are tracking them. Excitement and adoption of Attack Flow have been growing, as evidenced by the numerous presentations given at security conferences around the world, including Black Hat and FIRSTCON. Users embrace Attack Flow in a variety of job roles, from CTI to cyber defense to red teaming.\nMITRE’s Center for Threat-Informed Defense (CTID) has updated Attack Flow in collaboration with our participants AttackIQ, Inc., Citigroup, Fortinet, HCA Healthcare, JPMorgan Chase Bank, N.A., National Australia Bank, and non-profit Cyber Threat Alliance. This release improves how you build, share, and present flows; it also offers new visualization tools that save time and generate insights. This update includes highly requested features, an improved look-and-feel, and expanded training and documentation. We have more features than we can fit into this blog, so follow us on LinkedIn where we will break down all the new features in a series of posts.\nFlow Visualization A central objective of this Attack Flow release is to improve the visualization of flows. Starting with any flow that you have built, you can now transform it into a myriad of different visualizations. 
The alternative ways of looking at your flow data can save time and effort as well as generate insights into cyber attacks.\nAttack Flow generates multiple visualizations of flows, saving time and generating insight\nFor example, it’s simple to generate an ATT\u0026amp;CK matrix from your flow. Download the Black Basta Ransomware JSON from our Example Flows, and then generate an ATT\u0026amp;CK matrix view by uploading the JSON into the Matrix View tool.\nCustom ATT\u0026amp;CK matrix view\nWhen you’re done, you can export the graphic to a high-quality image format to put into a report or presentation. Click here to see an example.\nProductivity \u0026amp; Efficiency In the past, we saw CTI reporting with embedded screenshots of flows, but the screenshots were large and unwieldy. As part of our push to make it easier for users of Attack Flow to share their flows with the public, we built a way to embed interactive flows into a webpage.\nGive it a try with the flow below by zooming and scrolling around to explore.\nClick and drag to move around the flow; use the scroll wheel to zoom\nAnybody can embed an interactive flow into their web page that can be panned and zoomed. This new feature makes it easier to share flows in your CTI reporting.\nTo improve efficiency, we have added a feature that lets you copy items from one flow and paste them into another flow. You can also paste the selection as an image into common applications such as Word and PowerPoint, which is a great way to quickly build reports and presentations. Another highly requested feature is the ability to select multiple elements at once, which you can now do by holding down the Alt/Option key as you drag a selection rectangle.\nCopy from Flow to Word\nAs a visual improvement, we now offer both a “Light Mode” and \u0026ldquo;Dark Mode.\u0026rdquo; When you copy or save graphics from Attack Flow, they appear in your chosen mode. 
Light mode is a great option for building professional deliverables using snippets from your flow for your management team or customers.\nSwitch between dark and light mode\nLearn more about all of the new visualization options on our Visualization page.\nTraining \u0026amp; Outreach With our Research Participants, we envision that Attack Flow will become an industry-wide tool for threat-informed visualization and sharing. To get there, we developed new usage guides that explain how to apply Attack Flow to specific job roles such as Incident Responder or Red Teamer. We are also hosting Attack Flow training sessions this summer.\nIf you work for a CTID member organization, reach out to your point of contact for more information. If you are not yet a CTID member and would like to request training in person or virtually, please contact us.\nLater this month, we will release a set of open-source training materials in video and PowerPoint formats. The video format is ideal for self-study, while the PowerPoint slides are for Attack Flow power users who want to host their own training events.\nGet Involved We welcome your feedback and contributions. There are several ways that you can get involved with Attack Flow and help advance threat-informed defense:\nLearn about Attack Flow on our project website. The site has everything you need to learn about Attack Flow from first principles and get started building your own flows.\nReview our example flows. The example flows are based on public reporting of well-known attacks such as NotPetya. You can use this library of flows to learn more about these historical attacks and/or to learn how to use Attack Flow itself.\nBuild your own flows. Use the Attack Flow Builder to turn threat intelligence into a flow of your own. If your threat intelligence is public, you can submit your flow to our GitHub repository, and we will add it to our example flows.\nJoin the community. 
Follow us on LinkedIn for updates and help us spread the word about Attack Flow. Please submit issues for any technical questions or contact us directly for general inquiries.\n","link":"/blog/2025/07/08/mitre-ctid-releases-attack-flow-version-3/","tags":["Attack Flow"],"title":"Visualize, Understand, and Share with Attack Flow 3","type":"blog"},{"banner":"img/banners/member-voices.png","categories":["Video"],"contents":"Hans Wallinger from Infineon Technologies shares how CTID enables Infineon to build a threat-informed, risk-based cybersecurity organization.\n","link":"/videos/member-voices-hans-wallinger/","tags":["Member Voices"],"title":"Member Voices: Hans Wallinger from Infineon Technologies","type":"videos"},{"banner":"img/banners/squarex-interview-jon.png","categories":["Video"],"contents":"Jon Baker, Director \u0026amp; Co-founder of MITRE\u0026rsquo;s Center for Threat-Informed Defense (CTID), joins SquareX for a deep dive into the beginnings of the eponymous concept. In this episode, Jon shares how he started his journey at MITRE, discusses the intricacies of protecting the browser, and offers practical advice on building threat-informed defense programs.\n","link":"/videos/community-driven-threat-intelligence/","tags":[],"title":"Community-Driven Threat Intelligence | SquareX Interview","type":"videos"},{"banner":"img/banners/tidfin-featured-image.png","categories":["Blog","Mappings"],"contents":" The Cyber Risk Institute (CRI) Profile is a distillation of the NIST Cybersecurity Framework (NIST CSF) tailored to address the financial services sector’s regulatory environment. Financial institutions, financial services companies, financial firms, and their third-party providers use the CRI Profile in their threat identification and management, risk assessments, and security control programs. 
In collaboration with Citigroup, JPMorgan Chase Bank N.A., and FS-ISAC, and in coordination with CRI, we connected the CRI Profile to the adversarial behaviors as described in MITRE ATT\u0026amp;CK®.\nWith the CRI Profile, financial institutions can see how the combined regulatory and other supervisory provisions provide security capabilities. With these mappings to ATT\u0026amp;CK, analysts can extend that connection to mitigations of specific adversary behaviors.\nSpecifically, users of these mappings will:\napply threat-informed analysis and decision-making to security control program design and implementation.\nconnect the design and implementation of controls to the adversary behaviors they must mitigate.\nimprove management and board reporting with respect to control investment and threat protection.\nFind the CRI Profile mapping resources - the mappings themselves, ATT\u0026amp;CK Navigator layers, and the methodology - on our Mappings Explorer website. Mappings Explorer enables defenders to access and explore the mapped security capabilities for the CRI Profile (among other frameworks) from the perspective of the ATT\u0026amp;CK techniques they mitigate. These mappings unite the threat-informed approach to cybersecurity and the security controls perspective.\n2100 Mappings to ATT\u0026amp;CK The CRI Profile consolidates more than 2500 regulatory and other supervisory provisions into a framework of roughly 300 diagnostic statements. Each diagnostic statement (DS) is a specific, measurable objective that helps financial institutions assess and manage their cyber risks. We completed our mappings at the DS level, with consideration given to the function, category, and subcategory levels.\nThis project maps version 2.1 of the CRI Profile to ATT\u0026amp;CK v16.1 techniques and sub-techniques. We determined 60 DS to be in scope across four functional areas: Identify, Protect, Detect, and Extend. 
This resulted in more than 2100 mappings to ATT\u0026amp;CK techniques and sub-techniques. The figure below depicts the CRI Profile coverage of all ATT\u0026amp;CK techniques: the darker the technique is, the more DS map to that technique.\nATT\u0026amp;CK Navigator View for the CRI Profile v2.1\nMapping CRI Profile DS to ATT\u0026amp;CK applies a threat-informed approach to financial institutions’ cybersecurity programs and provides threat data for security control implementation decisions.\nOur Methodology We followed our methodology for mapping framework security capabilities to ATT\u0026amp;CK. This methodology is based upon our experience mapping frameworks and platforms and aims to provide the community with a reusable method of using ATT\u0026amp;CK to determine the capabilities of security offerings.\nThe first step is to identify the security capabilities in scope, in this case the DS. We applied the following considerations to identify DS in scope:\nTechnical and operational implementation emphasis, not management-specific capabilities focused on organizational policy or procedures\nMitigation of adversary behaviors (e.g., vulnerability remediation), not monitoring for behaviors (e.g., collecting network traffic)\nSystem-specific explicit technical mitigations (e.g., blocking USB devices), not non-technical methods (e.g., blocking physical access to a system)\nOnce scoped, the mapping methodology is iterative.\nExamine the security capabilities provided by the in-scope DS.\nDetermine which adversary behavior the DS prevents in the context of ATT\u0026amp;CK mitigations and specific (sub-)techniques.\nCreate mappings for those ATT\u0026amp;CK (sub-)techniques which the DS prevents. 
CRI Mapping Methodology\nExample Mappings Data Loss Prevention The CRI Profile under Protect: Data Security: Data loss prevention (PR.DS-01.02) provides for the implementation of technical controls to stop the loss and disclosure of sensitive information to outside attackers as well as inadvertent and malicious insiders. The implementation of data loss identification and prevention tools to monitor and protect against confidential data theft or destruction provides protection from adversary techniques related to data collection, data exfiltration, and data destruction, as depicted below.\nMappings for PR.DS-01.02 Data Loss Prevention\nIntrusion Detection and Prevention The CRI Profile statement for Detect: Continuous Monitoring: Intrusion detection and prevention (DE.CM-01.01) implements capabilities to detect and prevent potential network intrusions. Mechanisms such as restricting unnecessary network traffic, blocking legacy protocols, and using SSL/TLS inspection can help to limit adversary movement and data exfiltration techniques, as shown below.\nMappings for DE.CM-01.01 Intrusion Detection and Prevention\nGet Involved Tell us how you are using our work! If you have any feedback, technical questions, concerns, or contributions you’d like to make to the project, email us at ctid@mitre.org.\n","link":"/blog/2025/06/16/threat-informed-defense-for-the-financial-sector/","tags":[],"title":"Threat-Informed Defense for the Financial Sector","type":"blog"},{"banner":"img/banners/tidfin-featured-image.png","categories":["Published Projects","Mappings"],"contents":"Connect adversarial threat mitigations to cybersecurity program resources tailored to the financial sector, namely the Cyber Risk Institute Profile.\nThe TID for the Financial Sector mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. 
","link":"/projects/tid-financial-sector/","tags":["Mappings","CRI"],"title":"Threat-Informed Defense for the Financial Sector","type":"projects"},{"banner":"img/banners/member-voices.png","categories":["Video"],"contents":"Derek Whigham from Lloyds Banking Group shares how CTID enables Lloyds to deliver cyber defense, helping them to be the best that they can be while also helping others be the best that they can be.\n","link":"/videos/member-voices-derek-whigham/","tags":["Member Voices"],"title":"Member Voices: Derek Whigham from Lloyds Banking Group","type":"videos"},{"banner":"img/banners/member-voices.png","categories":["Video"],"contents":"Douglas Santos from Fortinet\u0026rsquo;s FortiGuard Labs shares how CTID puts members at the forefront of advancing threat intelligence at a global scale.\n","link":"/videos/member-voices-douglas-santos/","tags":["Member Voices"],"title":"Member Voices: Douglas Santos from Fortinet's FortiGuard Labs","type":"videos"},{"banner":"img/events/firstcon25.jpg","categories":["Events"],"contents":"We are grateful to train threat-informed defenders across two workshops at the 37th Annual FIRST Conference in Copenhagen, Denmark. FIRSTCON is an annual conference that promotes worldwide coordination and cooperation among computer security and incident response teams. The conference provides a forum for sharing goals, ideas, and information on how to improve computer security on a global scale.\nWould you like to meet with us at FIRSTCON25? Schedule a meeting here.\nLearn more about our training below. 
Full event information and training registration is on the FIRST event site.\n","link":"/events/first-2025/","tags":[],"title":"Join us at the 37th Annual FIRST Conference","type":"events"},{"banner":"img/banners/ambiguous-techniques-featured-image.png","categories":["Archived Projects"],"contents":"Building upon the research of Summiting the Pyramid, Ambiguous Techniques is a methodology to determine malicious intent behind seemingly benign behavior by applying contextual analysis to ATT\u0026amp;CK techniques. Reduce false positives and uncover adversarial use of living-off-the-land activity.\nThis is an old version of the Ambiguous Techniques project. For the latest version, see: Ambiguous Techniques.\n","link":"/projects/ambiguous-techniques-v1-0/","tags":[],"title":"Ambiguous Techniques v1.0","type":"projects"},{"banner":"img/banners/ambiguous-techniques-featured-image.png","categories":["Blog","Detection Engineering"],"contents":" MITRE ATT\u0026amp;CK® describes the tactics and techniques that have been used by cyber adversaries. Some techniques, such as System Network Configuration Discovery (T1016), are used during campaigns but are not intrinsically malicious. An ambiguous technique is an ATT\u0026amp;CK technique whose observable characteristics are insufficient to determine intent. In such cases, observable data does not allow us to confidently ascertain whether the intent behind the activity is malicious or benign. These ambiguous techniques are not typically used by defenders to detect adversary behavior because they do not provide enough information on their own to determine malicious intent. Ambiguous techniques may also have multiple procedural implementations which are difficult to distinguish from benign user activity until after a forensic investigation has been completed.\nAdversaries know this and use living-off-the-land (LOTL) techniques for malicious outcomes. 
Identifying adversarial use of LOTL techniques requires deliberate and conclusive detection methods to minimize false positives. In the end, detection engineers need to infer motive from security logs.\nIn partnership with Citigroup, CrowdStrike, Fujitsu, Fortinet, HCA Healthcare, Lloyds Banking Group, and Microsoft Corporation, the Center for Threat-Informed Defense expanded Summiting the Pyramid to create Ambiguous Techniques, a methodology for determining the context required to discern between malicious and benign behavior while maintaining a robust detection that has high accuracy and is resistant to adversary evasion.\nContext is King! We classify three types of context that a defender can use to discern an actor’s intent: peripheral-level, chain-level, and technique-level. Each of these contexts adds information to the usage of a technique, which is necessary to determine intent.\nPeripheral-level Context\nPeripheral-level Context Inputs\nPeripheral-level context includes external information that is most valuable for defending against potential attacks targeting your network. This is an \u0026ldquo;outside-looking-in\u0026rdquo; perspective.\nWe apply peripheral-level context to techniques associated with pre-compromise activities, such as those in the Reconnaissance tactic. As a result, the detections generated in this category are proactive in nature. Peripheral-level context derives from cyber threat intelligence on threats to your network, industry, or sector.\nChain-level Context Chain-level context comes from observed co-occurring techniques - those that occur before, after, or concurrently with the specific technique of interest - in order to establish intent. We examined chain-level context techniques by leveraging data from our repository of Attack Flows and our Adversary Emulation Library.\nTechnique-level Context\nTechnique-level Context Examples\nTechnique-level context identifies artifacts related to the detection of a single technique. 
To determine technique-level context, we break down the detection criteria into four categories: Who, What, When, and Where.\nWho: Authentication and privileges, examining who is operating within the network, the privileges they are using, and how they are attempting to access resources. It provides insight into user behavior and access patterns.\nWhat: Traditional event artifacts, such as flags, commands, specific registry keys, API calls, and other concrete artifacts that can be extracted from event codes or event IDs.\nWhen: Analyzes access patterns, including the frequency of activity and whether operations are occurring outside of typical or expected hours. It helps identify anomalies in the timing of activity that may indicate malicious intent.\nWhere: Examines the key terrain within a network. This includes monitoring critical files, locations, or systems, as well as examining network connections. By establishing a baseline, organizations can detect abnormal connections or flows, such as new connections being initiated or unexpected destinations being accessed.\nBy organizing detection criteria into these categories, we provide a structured approach to developing detection analytics and identifying technique-level differentiators. This framework enables defenders to focus on key aspects of network activity - authentication, artifacts, timing, and terrain - while leveraging baseline data and behavioral analysis to detect anomalies and differentiate between benign and malicious behavior.\nHow to Use Context to Determine Intent\nContext Flow Chart\nThe above flowchart represents the progression of activities during an incident, and which type of context to use as a defender. The flow starts from the onset of the attack behavior and moves toward behavioral specifics. The legend at the bottom-left highlights the different contexts, with gray representing not enough information to make a determination. 
For a deeper dive into how to use the context flow charts, head on over to our project website.\nOnce we have determined which context to use, we combine analytics to improve the fidelity of our detections. We identified two distinct approaches when chaining analytics together: direct correlation and loose correlation. These methods are designed for different scenarios and are generally not interchangeable. Each serves a specific purpose depending on the level of certainty and the nature of the adversary’s actions.\nDirect Correlation: Use direct correlation to detect a specific campaign, adversary, or tool. The most effective direct correlation analytics involve actions that are dependent on one another. For example, an adversary performs an initial action, and a subsequent action relies on the success of the first. These dependent actions may originate from different data sources or occur in different parts of the network, but their interdependence is key to establishing a direct correlation. This method is straightforward, as the analytics are chained together in a sequence where all actions must occur for the correlation to be valid.\nLoose Correlation: Apply loose correlation when there is only a general idea of the adversary’s behavior, rather than precise knowledge of the specific actions they will take. A good example of this is discovery activity, which occurs frequently on networks and can be difficult to distinguish as either normal behavior or adversary activity. For instance, system information discovery may be observed across multiple systems, while remote file share discovery may occur on a different set of systems. Individually, these actions may appear benign, but when multiple techniques converge on a single system or user, they begin to form a pattern that suggests adversary activity. 
While some implementations of analytic chaining attempt to enforce strict sequencing, we have found that the complexity and cost of such implementations often outweigh the benefits. Thus, adoption of strictly sequenced analytic chains is limited. Loose correlation allows organizations to adapt thresholds and analytics to their specific environments while maintaining a balance between detection accuracy and operational feasibility.\nIt Is Your Turn to Detect the Malice in an Ambiguous Technique The Ambiguous Techniques framework determines the intent behind a technique through context. It offers a way to develop analytics for these techniques, enhancing efficiency by reducing resource burden and increasing visibility. We have included several example analytics that demonstrate how to improve your current detections. Defenders can apply these insights by integrating our guidance into their own development processes, using the documentation to create robust detections.\nPlease take our work, adapt it and extend it, and contribute back to the Ambiguous Techniques (AT) knowledge base by identifying attack chains and refining technique observables.\nFuture Summiting detection engineering work will focus on how compound and layered detections can be used to build robust detections, as well as how we can effectively measure multi-faceted detection coverage.\nGet Involved Tell us how you are using our work! 
If you have any feedback, technical questions, concerns, or contributions you’d like to make to the project, email us at ctid@mitre.org\n","link":"/blog/2025/05/13/ambiguous-techniques-determine-malice-through-context/","tags":[],"title":"Ambiguous Techniques: Determine Malice through Context","type":"blog"},{"banner":"img/banners/fight-fraud.png","categories":["Blog"],"contents":"In 2023, global fraud losses totaled USD $485.6 billion from a range of scams and bank fraud schemes according to the NASDAQ 2024 Global Financial Crime Report.\nTo date, there is no comprehensive detailed enumeration of financial fraud tactics and techniques, similar to what MITRE ATT\u0026amp;CK® has provided for enterprise threats. As a result, cyber and fraud programs have a knowledge gap among events detected through cyber means on financial institutions’ infrastructure, the material events of fraud affecting the customer, and the controls to disrupt fraud.\nIn 2025, the Center for Threat-Informed Defense will develop the Fight Financial Fraud (F3) framework of tactics, techniques, and procedures (TTPs) used by fraud actors. The F3 framework may include new tactics and techniques that characterize known fraud TTPs. It will reference and refine existing ATT\u0026amp;CK techniques when they are applicable to financial fraud. The F3 framework will include its own new content to describe fraud technical behaviors for which there is no existing ATT\u0026amp;CK content. Get Involved This project will fuse and analyze cyber and fraud data sources into a common language of tactics and techniques specific to fraud events. 
The resulting F3 framework will be the foundation of a longer-term research program that will advance our understanding of financial fraud TTPs, as well as our collective ability to emulate, detect, and prevent them.\nThe F3 framework will derive from prior work including the FS-ISAC Cyber Fraud Prevention Framework, the National Retail Federation Retail Fraud Taxonomy, and Verizon’s Data Breach Investigations Report. We will build the framework by modeling documented fraud activities such as Social Engineering, Money Laundering, and Cash Out. We will document the known tactics and techniques of financial threat actors in the context of a fraud event.\nProblem There is a knowledge gap among fraud events detected through cyber means on financial institutions’ infrastructure, the material events of fraud affecting the customer, and the controls to disrupt fraud.\nSolution Fuse and analyze cyber and fraud data sources into a common language of tactics and techniques specific to fraud events.\nImpact Disrupt fraud by joining together relevant individuals with roles related to loss prevention, security, risk management, anti-money laundering, and related functions.\nInnovation with Global Impact The goals of fraudsters hurt us all: social engineering, money laundering, cash out, and more. Our collective success requires that we identify the varied sources of telemetry for fraud detection, and that we document the tactics and techniques used by fraud actors. This foundational knowledge will enable innovation and efficiency across the financial sector as we fight financial fraud.\nFinancial fraud is a global challenge that\u0026rsquo;s larger than any single organization, sector, or country. Uniting sophisticated and innovative security teams from around the world creates innovative solutions at a global scale. 
Together we can change the game on our adversaries.\nMITRE’s Center for Threat-Informed Defense is a non-profit, privately funded R\u0026amp;D organization focused on advancing the state of the art and the state of the practice in threat-informed defense. Together with the global private sector, the Center conducts applied research and advanced development to improve cyber defense at scale. And, since the Center operates for the public good, we freely share our research for the benefit of all.\nGet Involved ","link":"/blog/2025/05/10/fight-fraud/","tags":["Financial Fraud"],"title":"Fight Fraud with Threat-Informed Defense","type":"blog"},{"banner":"img/banners/secure-ai.png","categories":["Blog","Cyber Threat Intelligence"],"contents":"Rapid adoption of AI has changed the threat landscape. AI-enabled systems are susceptible to traditional cybersecurity vulnerabilities and new attacks. As consumers and organizations integrate AI-enabled systems into their business, adversaries exploit them. Defenders must unite to thwart these new threats.\nThe Center for Threat-Informed Defense applies a threat-informed approach to AI security that enables rapid exchange of new threat information, develops approaches to emulating those threats, and provides comprehensive and effective mitigation strategies.\nGet Involved The Center’s 2024 Secure AI program, supported by 16 of its member organizations, significantly expanded MITRE ATLAS’s Knowledge Base and launched the AI Incident Sharing initiative. Building upon this, the 2025 Secure AI program will identify emerging AI security incidents, share information about them, and offer mitigations. In 2025, we will further the Secure AI program in four ways:\nExpand the ATLAS Knowledge Base. Capture and characterize the evolving threats to AI-enabled systems and the malicious use of AI in cyber. We will collect empirical data from real-world observations and incorporate findings as structured updates to ATLAS. Expedite AI Incident Sharing. 
Characterize and disseminate anonymized information about attacks and failures in AI-enabled systems. Verifiable AI Vulnerability Discovery. Create verifiable and reproducible vulnerability reports. Integrate existing model scanning and adversarial attack tools into a common platform in collaboration with the CWE and CVE AI Working Groups and the AI Risk Database. AI Red Teaming and Adversary Emulation. Model threats with ATLAS through structured playbooks and methodologies.\nProblem The adoption of AI into existing infrastructures introduces an expanded threat landscape and new, unique vulnerabilities to organizations.\nSolution Accelerate the development of MITRE ATLAS to meet industry needs in AI security, including incident sharing, identifying new threats to and from Generative AI, and mitigation strategies that are widely applicable across industry.\nImpact Secure organizations against the unique, emergent attack surfaces that arise in complex AI-enabled systems.\nInnovation with Global Impact Creating a safe and secure environment for AI-enabled systems is a challenge that is larger than any single organization, sector, or country. Uniting sophisticated and innovative security teams from around the world creates innovative solutions at a global scale. Together we can change the game on cyber adversaries.\nMITRE’s Center for Threat-Informed Defense is a non-profit, privately funded R\u0026amp;D organization focused on advancing the state of the art and the state of the practice in threat-informed defense. Together with the global private sector, the Center conducts applied research and advanced development to improve cyber defense at scale. 
And, since the Center operates for the public good, we freely share our research for the benefit of all.\nGet Involved ","link":"/blog/2025/05/09/secure-ai-v2-announcement/","tags":["Artificial Intelligence"],"title":"Secure AI with Threat-Informed Defense","type":"blog"},{"banner":"img/banners/breaking-down-silos.jpg","categories":["Video","Cyber Threat Intelligence"],"contents":" Misaligned incentives between security teams often stall collaboration. Some organizations have begun merging their SOCs, red teams and threat intel groups under a shared leadership role to break silos, said Jon Baker, director at the Center for Threat-Informed Defense at MITRE.\n\u0026ldquo;You will start to see job postings for Director of Threat-Informed Defense, where an organization is bringing together intel and the offensive security team and the SOC team, kind of under one leadership role to just deliberately break those silos so that we can all have just a shared mission,\u0026rdquo; said Baker.\nIndicators such as improved defensive posture and faster feedback loops are key measures of success. Organizations that prioritize specific threats and quickly test, evaluate and implement defenses reduce friction across teams and improve readiness. Baker emphasized that shortening this cycle builds collaboration and drives continuous improvement.\nIn this video interview with Information Security Media Group at RSAC Conference 2025, Baker also discussed:\nWhy cross-team incentives often undermine cyber defense;\nHow unified leadership roles break down silos;\nMetrics that show whether threat-informed defense is working.\nBaker co-founded the Center for Threat-Informed Defense as MITRE\u0026rsquo;s first privately funded R\u0026amp;D organization. 
He has extensive experience leading research teams and collaborating with industry to advance cybersecurity capabilities.\n","link":"/videos/breaking-down-silos-with-threat-informed-defense/","tags":[],"title":"Breaking Down Silos With Threat-Informed Defense","type":"videos"},{"banner":"img/banners/tid-mindset.jpg","categories":["Blog"],"contents":" The Center for Threat-Informed Defense has published the results of three new projects so far in 2025, as well as three updates within the corpus of Security Capability Mappings. Within the Center, our most impactful work comes from enabling efficiency and innovation across the industry, and we do so in our three key problem areas:\nCyber Threat Intelligence: knowing the adversary, their objectives, and their tactics, techniques, and procedures (TTPs).\nDefensive Measures: implementing prevention, detection, and mitigation tailored to known threats.\nTesting \u0026amp; Evaluation: assessing defenses by emulating realistic adversary behaviors.\nThreat-informed defense components\nThreat-informed defense aligns defensive measures to real-world observations of adversary tradecraft. Where cybersecurity has often focused on brittle indicators of compromise that are easy for an adversary to change, threat-informed defense addresses the root adversary behavior, which is more stable over time and more expensive for adversaries to change. The result is more efficient use of defenders’ resources and a more robust program of prevention, detection, and response.\nA principle that guides our research program is that threat-informed defense applies broadly. In 2025 the Center will broaden our R\u0026amp;D program and apply a threat-informed approach to securing artificial intelligence enabled systems and fighting financial fraud.\nSecure AI with Threat-Informed Defense In 2024, the Center and 16 of our member organizations applied the principles of threat-informed defense to AI-enabled systems in our first Secure AI project. 
This resulted in a significant expansion of MITRE ATLAS™ with case studies that are curated by and relevant to industry partners, as well as the launch of the AI Incident Sharing Initiative.\nATLAS Matrix - April 2025\nThese successes demonstrated that there is more the Center can and will do in AI research. In 2025, we will further our AI Focus Area in four ways:\nExpand the ATLAS Knowledge Base. Capture and characterize the evolving threats to AI-enabled systems by collecting empirical data from real-world observations and incorporating findings as structured updates to ATLAS. Furthermore, this year’s research includes adversary behaviors such as malicious use of AI (AI-enabled attacks), especially as it pertains to attacks accelerated by GenAI.\nExpedite AI Incident Sharing to enable rapid characterization and dissemination of anonymized information about attacks and failures in AI-enabled systems.\nVerifiable AI Vulnerability Discovery. Integrate existing model scanning and adversarial attack tools into a common platform to enable the creation of verifiable and reproducible vulnerability reports in collaboration with the CWE and CVE AI working groups and the AI Risk Database.\nAI Red Teaming and Adversary Emulation. Develop strategies and guidance in the form of structured playbooks to emulate threats to AI-enabled systems so that defenders can test AI-enabled system defenses against known threats and collect telemetry for downstream defensive forensics.\nFight Financial Fraud Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.\nIt identifies known adversary behavior, relevant to an organization’s threat model, and fosters a community-driven approach to enable an organization to proactively defend, self-assess, and improve defenses against those known threats.\nThe problem of financial fraud is ripe for the application of threat-informed defense. 
When we address financial fraud at the time of the material event, we are necessarily reacting to a fraud actor. It would be like placing our controls for intellectual property theft exclusively in the exfiltration stage. We will develop resources to apply intelligence and defensive measures enabling fraud teams to act earlier.\nThe Center\u0026rsquo;s Fight Financial Fraud research area will unite the events detected through cyber means with the material fraud event. This requires data fusion and analysis. Through collaborative research we will create a shared language for threat-informed financial fraud defense.\nSign up here to contribute to this effort. The goals of fraudsters hurt us all: social engineering, money laundering, cash out, and more. Our collective success requires that we identify the varied sources of telemetry for fraud detection, and we document the tactics and techniques used by fraud actors.\nGood Work Becomes Better Work A second principle of the Center’s research program is Good work becomes better work. We observe which prior Center publications are impactful to the community, and we hear your suggestions to extend prior research. Some of our 2025 projects build upon Summiting the Pyramid, Security Capability Mappings, and Attack Flow.\nDemystify Ambiguous Techniques MITRE ATT\u0026amp;CK® is a comprehensive reference of publicly reported adversary tactics, techniques and procedures (TTPs), including how to detect and mitigate them. However, ATT\u0026amp;CK techniques are not all intrinsically malicious. In fact, threat actors commonly achieve their objectives by living-off-the-land, leveraging native platform capabilities that may be critical business enablers. These ambiguous techniques are difficult to detect as adversary behaviors due to the need to separate benign activity from malicious activity. 
The Ambiguous Techniques project identified core behaviors and observables associated with ambiguous techniques and built robust detections for them. This research will lower the false positive rate of ambiguous techniques. It will be available to you in May 2025. Register here to Stay Informed about this and all our R\u0026amp;D project publications.\nSecurity Capability Mappings ATT\u0026amp;CK updates to a new major version twice per year, and security vendors constantly change their offerings. The Center’s Mappings Program updates all the mapping resources to reflect the most current versions of native platform security and adversary techniques.\nSecurity capability mappings correlate the defensive measures you have procured to the threats that keep you awake. We have shared updated mappings resources to the community on the Mappings Explorer platform.\nThe Prioritize Known Exploited Vulnerabilities with ATT\u0026amp;CK project bridges threat management and vulnerability management by connecting Common Vulnerabilities and Exposures (CVEs) that are actively exploited by adversaries to the impact of exploitation. We completed 800 mappings for over 400 CVEs from the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEVs) Catalog. Our research prioritized recent vulnerabilities and the most exploited ones as determined by inclusion in CISA’s Top Routinely Exploited Lists.\nIn January 2025 we published our mappings of security capabilities in hardware to adversary behaviors in Security Stack Mappings – Hardware-Enabled Defense. This project demonstrates the effectiveness of a hardware capability with operating system, anti-virus, or endpoint detection and response software features.\nThe Cyber Risk Institute (CRI) profile includes controls from the NIST Cyber Security Framework tailored to financial sector needs. 
In June 2025, we publish Threat-Informed Defense for the Financial Sector project, which maps the CRI’s financial sector profile to adversary behaviors. This gives cyber defenders in financial services organizations resources for threat-informed analysis and decision-making.\nLater this year, we will share Threat-Informed Defense for Cloud. Threats to cloud computing cover multiple security domains, objectives, and aspects of cloud technology. This project will create a common technical foundation for implementing cloud-native capabilities to mitigate threats to cloud environments.\nSee the Adversary Behaviors in Attack Flow We built Attack Flow as the data model for representing the sequence of adversary behaviors.\nAttack Flow Builder To defend against the adversaries’ sequence of behaviors, we have a data model with a web application that allows you to build and visualize those attack flows. Publishing June 2025, Flow Visualization will reap the benefits of this powerful data model by providing a users’ guide to Attack Flow Builder and template visualizations for important use cases. We will also build more flows into our set of Examples.\nLearn Together with Threat-Informed Training Threat-informed defense enables the collective resources of all defenders to be greater than those of any one adversary. So, we develop those resources for the collective while delivering our research. This is the third principle of Center research: Share the How. Making our R\u0026amp;D usable to the worldwide community of threat-informed defenders is an explicitly stated goal of all who are part of the Center for Threat-Informed Defense.\nThe Center creates operational resources for threat-informed defenders through our collaborative research and development program. Adoption of those resources by Center members and the worldwide community of threat-informed defenders is a Center goal. 
The Center and members have observed that adoption improves when users are trained in why, when, and how to implement the work. Prominent examples of this include Summiting the Pyramid training, a Secure AI webinar, and Attack Flow workshops.\nWe have embraced our responsibility by creating our Threat-Informed Training and Outreach project. This project will develop training modules for Center resources and deliver training at conferences, in webinars, and to Center members. The Center will also record and distribute freely online the training we create, just as we give the products of our R\u0026amp;D program.\nINFORM Your Defense The Center’s initial Measure, Maximize, Mature Threat-Informed Defense (M3TID) project described the aspects of threat-informed defense (TID) and answered, “what does a healthy implementation of TID look like, both now and in the future?” Threat-informed defenders – from the Security Operations Center (SOC) analyst, who responds in real-time, to the Chief Information Security Officer (CISO), who sets the vision and drives defensive strategy – allocate resources to further impede the adversary in achieving their objective. M3TID started with a breadth-first approach, identifying the three dimensions of threat-informed defense and the first five components of each dimension.\nIn our follow-on INFORM Your Defense project, the Center will collect data on the dimensions and components that the Center has hypothesized will prove most important based on existing research and experience. Based on evidence, we seek to incorporate more granular sub-components with associated levels, more objective criteria for levels that are tied to specific data sources and assessed by a 3rd party or automation, and additional components within the dimensions. 
This project may also modify the model to improve on the quantification of levels and modify the scoring algorithm to better align with evidence on the relative importance of each component to bottom-line security efficacy.\nOur Global Community We are grateful to the global community who has joined our mission to advance the state of the art and the state of the practice in threat-informed defense. We highlight the sponsors and participants of our Asia-Pacific ATT\u0026amp;CK Community Workshop: our host Citigroup, and sponsors Acronis, AttackIQ, Ensign Infosecurity, Fortinet, SquareX, and Trainocate. This event in Singapore anchors the Asia-Pacific region into our global series of community events with EU ATT\u0026amp;CK in Belgium, and ATT\u0026amp;CKcon in the U.S. Global adoption leads to impact and community feedback that enhances Center R\u0026amp;D.\nSecond, the Benefactor Program enables the global community to advance critical, public interest cybersecurity programs such as MITRE ATT\u0026amp;CK®, Caldera™, MITRE Engage™, and the Center for Threat-Informed Defense through charitable giving. Our benefactors support independent research in the public interest. We thank Acalvio, Coalfire, Limber Security, NVISO, SANS, SOC Prime, Tidal Cyber, and Zimperium for financially supporting our research to change the game on the adversary.\nParticipants drive the R\u0026amp;D program with active engagement and funding Get involved The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. We create widely usable, easily accessible, and practical resources for all. That is only possible with community support and engaged Center Participants. Your operational challenges, shared across organizations, sectors, and across regions, incite our impactful solutions. 
You’ve now read our plans for 2025; tell us what you need most from the Center.\nStay informed — Be the first to know about R\u0026amp;D project releases by signing up for our newsletter and following us on LinkedIn.\nUtilize Center R\u0026amp;D and share your feedback — Use our work to advance threat-informed defense in your organization and ultimately change the game on the adversary. Tell us how you use Center R\u0026amp;D, and we will refine our work to be more accessible and impactful.\nJoin us to support and advance the R\u0026amp;D program — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT\u0026amp;CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.\n","link":"/blog/2025/04/22/threat-informed-defense-is-a-mindset/","tags":["R\u0026D Roadmap"],"title":"Threat-Informed Defense is a Mindset, Not a Technique","type":"blog"},{"banner":"img/banners/founder-interviews.jpg","categories":["Video"],"contents":"As the Center for Threat-Informed Defense celebrated its five-year anniversary, our founding members shared their experience and the impact of collaborative R\u0026amp;D.\nTogether, we learn, innovate, and create impactful resources that advance threat-informed defense globally.\n","link":"/videos/founder-interviews/","tags":["Member Voices"],"title":"We are the Center for Threat-Informed Defense - Founder Interviews","type":"videos"},{"banner":"img/banners/squarex-interview.png","categories":["Video"],"contents":"In this episode of the Be Fearless Podcast, SquareX Field CISO John Carse speaks with Mike Cunningham, R\u0026amp;D Program Manager at MITRE\u0026rsquo;s Center for Threat-Informed Defense.\nMike brings his unique background 
from the Navy and NSA to discuss how organizations can better defend against cyber threats by understanding adversary behaviors, browser security challenges and more.\n","link":"/videos/understanding-adversaries-via-threat-informed-defense/","tags":null,"title":"Understanding Adversaries via Threat-Informed Defense | SquareX Interview","type":"videos"},{"banner":"img/banners/threat-modeling-series.png","categories":["Video","Cyber Threat Intelligence","Defensive Measures"],"contents":"Episode 1: What Are We Working On? To secure a system effectively, you need to know your systems. In this first episode, Adam and Tiffany Bergeron dive into how defining the scope lays the groundwork for identifying and addressing threats.\nHow does your team identify systems before starting the threat modeling process?\nEpisode 2: What Could Go Wrong? After defining what we’re building, the next step is to identify potential threats. In this episode, Adam and Tiffany Bergeron walk through the ways defenders use both theory and evidence to effectively model potential attackers.\nDoes your team have a structured approach to identifying threats?\nEpisode 3: What are we going to do about it? Once you’ve identified potential threats, how do you respond? In this episode, Adam and Tiffany explore practical strategies for mitigating risks and making informed security decisions that align with business objectives.\nWhat approaches does your team use to prioritize threat mitigations?\nEpisode 4: Did we do a good job? After implementing mitigations, how do you measure success? 
In this episode, Adam and Tiffany discuss how to assess the effectiveness of your threat modeling efforts and continuously improve your security processes.\nDoes your team conduct reviews or retrospectives on threat modeling outcomes?\n","link":"/videos/threat-modeling-series/","tags":["Threat Modeling"],"title":"Threat Modeling Series","type":"videos"},{"banner":"img/2024_impact_report.png","categories":[],"contents":"2024 Impact Report Celebrating 5 Years AttackIQ is honored to have contributed to this groundbreaking initiative, building a thriving community dedicated to advancing impactful research and driving the adoption of threat-informed defense practices.\n- Carl Wright, AttackIQ\nToday’s threat landscape has reached a level of complexity never seen before. This requires industry collaboration to create new and rapidly deployable solutions. The Center for Threat-Informed Defense plays a unique and critical role in developing this advanced R\u0026amp;D.\n- Garrettson Blight, Booz Allen Hamilton\n…to work alongside and learn from a membership of world-class cybersecurity teams from across industry gave us insight and experiences that we could not have had working on our own.\n- DeKovan Lewis, JPMorgan Chase\nRead the Impact Report Download the 2024 Impact Report Our Impact “The fact that these developments are made available to the community free of charge shows how extraordinary this institution is. The world’s brightest minds develop innovative solutions for all of us GLOBALLY.”\n- Simone Kraus, Orange Cyberdefense\nSee Our Work Our Community “Collective defense is a core belief at Microsoft for better defending against growing attacks. Joining the Center as a Founder has provided a clear path to achieve this goal. 
Our membership allows Microsoft to deeply connect with the cybersecurity community, build collective defense through threat-informed research, and empower organizations to strengthen their defenses.”\n- Karthik Selvaraj, Microsoft\nSee Our Community Get Involved “Our research labs continue to lead in advancing innovation in threat-informed defence solutions. Our continued partnership with the Centre for Threat-Informed Defense has been helpful in supporting our innovation goals. We use ATT\u0026amp;CK to guide detection across the OT analytics that we develop, which leverage machine learning to identify sophisticated attack patterns. This approach enhances visibility into potential threats targeting critical infrastructure, enabling faster context aware detection of cyber threats.”\n- Dr. Jonathan Goh, Ensign InfoSecurity\nLearn More Become a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. First Name Last Name Email Job Title Organization Sign up for the \"Stay Informed\" newsletter See Other Annual Impact Reports 2022 Impact Report 2023 Impact Report 2025 Impact Report ","link":"/resources/2024-impact-report/","tags":["Impact Reports"],"title":"2024 Impact Report","type":"resources"},{"banner":"img/banners/rsac-twa-seminar.png","categories":["Video","Cyber Threat Intelligence","Defensive Measures"],"contents":"Practical threat modeling experience is often centered in a single organization, and the fish doesn’t see the ocean. 
Learn from experts serving hundreds of organizations how ATT\u0026amp;CK provides an empirically grounded model that’s been successfully applied across commercial and government customers.\n","link":"/videos/rsac-twma-seminar/","tags":["Threat Modeling"],"title":"RSAC Virtual Seminar: How to Create a Threat Modeling Process and use ATT\u0026CK","type":"videos"},{"banner":"img/events/eu-workshop-2025.png","categories":["Events"],"contents":"The 2025 EU ATT\u0026amp;CK Community Workshop will be hosted in Brussels by EUROCONTROL, in collaboration with the Centre for Cybersecurity Belgium (CCB) and the Center for Threat-Informed Defense. The event is organized as a half-day training on May 14th followed by a full-day workshop on May 15th.\n","link":"/events/eu-attack-2025/","tags":["Workshops"],"title":"EU ATT\u0026CK Community Workshop","type":"events"},{"banner":"img/events/apac-2025.png","categories":["Events"],"contents":"On March 6-7, 2025, hundreds of regional cybersecurity practitioners and avid users of the MITRE ATT\u0026amp;CK® framework will convene in-person and virtually at Changi Business Park Singapore for two days of practitioner-led lightning talks, networking, experiential learning, and more at the second annual Asia-Pacific ATT\u0026amp;CK Community Workshop!\n","link":"/events/apac-2025/","tags":["Workshops"],"title":"Asia-Pacific ATT\u0026CK Community Workshop","type":"events"},{"banner":"img/banners/pkev-featured-image.png","categories":["Published Projects","Mappings"],"contents":"Prioritize Known Exploited Vulnerabilities shows defenders how to take a threat informed approach to vulnerability management.\nThe Prioritize Known Exploited Vulnerabilities mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. 
","link":"/projects/prioritize-known-exploited-vulnerabilties/","tags":["Mappings","CVE"],"title":"Prioritize Known Exploited Vulnerabilities","type":"projects"},{"banner":"img/banners/pkev-featured-image.png","categories":["Blog","Mappings"],"contents":" Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together. Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.\nBack in 2021, the Center for Threat-Informed Defense, developed a methodology to use the adversary behaviors described in MITRE ATT\u0026amp;CK® to characterize the impact of vulnerabilities from CVE® in order to bridge vulnerability management and threat management. Vulnerability reporters and researchers can use the methodology to describe the impact of vulnerabilities more clearly and consistently. When used in a vulnerability report, ATT\u0026amp;CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.\nThis methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT\u0026amp;CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment. When we first applied this methodology, it became clear that mapping all CVEs to ATT\u0026amp;CK was not feasible. As of this publication, there are more than 240,000 CVE Records. Trying to protect against every vulnerability on the list is cost-ineffective and daunting, if not impossible. 
To help the cyber community keep pace with threat activity and manage vulnerabilities, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) Catalog, the authoritative source of CVEs that have been confirmed as being exploited.\nTo help focus defenders on this subset of CVEs, we created the Prioritize Known Exploited Vulnerabilities (PKEV) project in collaboration with Center participants, including AttackIQ, Citigroup, HCA Healthcare, JPMorgan Chase Bank N.A., and Microsoft Corporation. With PKEV, defenders make threat-informed vulnerability management and risk management decisions by focusing resources on relevant, active exploits, saving both time and money.\nThe resources for the project — mappings, ATT\u0026amp;CK Navigator layers, and the mapping methodology — are all available in Mappings Explorer. Mappings Explorer enables defenders to access and explore the Center’s mapped security frameworks, bridging the gap between risk management and threat-informed defense.\nVulnerability + Exploit = Impact The Center’s mapping methodology for KEVs categorizes attack steps by method of exploitation, primary impact, and secondary impacts of exploitation. Using these categories, we create a vulnerability impact description template such as: The vulnerability allows the attacker to use [Exploitation Technique] which enables the [Primary Impact], which leads to [Secondary Impact].\nMapping Methodology To apply a threat-informed approach for the PKEV mappings, the team researched the published exploitation methods and impact of each vulnerability, and excluded theoretical or proof-of-concept exploits. This information was analyzed to create CVE/KEV mappings to specific ATT\u0026amp;CK (sub-)techniques based on the identified adversary attack steps.\nOur team prioritized mapping the KEV Catalog by frequency and recency, resulting in about 800 mappings for over 400 CVEs. 
The most exploited KEVs as determined by inclusion in CISA’s Top Routinely Exploited Lists for years 2020 through 2023 are included in the mapping repository. The KEV Catalog includes vulnerabilities going back to 2002; mapping priority was given to more recent vulnerabilities by CVE date (2021 on).\nDefend Against Exploitation Techniques In 2024, Checkpoint disclosed CVE-2024-24919, which is a path traversal exploit that allows an adversary to execute root-level commands on the affected device. This is the exploitation technique, mapped to T1202: Indirect Command Execution.\nMap CVE to Exploitation Technique After the CVE was released, security research firm Greynoise saw malicious actors exploiting the vulnerability, which enabled them to search the local file system for sensitive data. This is the primary impact of the exploit, mapped to T1005: Data from Local System.\nMap Exploitation Technique to Primary Impact The malicious actors were then seen reading, and presumably exfiltrating, data from various sensitive files like /etc/shadow and .ssh/authorized_keys, both of which contain information related to user authentication. Another security research firm, Mnemonic, has seen malicious actors exploiting this vulnerability to access Active Directory credentials by extracting ntds.dit.\nThese three observed techniques are the secondary impact, respectively mapped to T1003.008: OS Credential Dumping: /etc/passwd and /etc/shadow, T1552.004: Unsecured Credentials: Private Keys, and T1003.003: OS Credential Dumping: NTDS.\nMap Primary Impact to Secondary Impacts By applying the mapping methodology, we have created the vulnerability impact description:\nVulnerability Impact Description for CVE-2024-24919 Use PKEV to Stay Threat-Informed PKEV characterizes the exploitation and impact of vulnerabilities using the adversary behaviors described in ATT\u0026amp;CK. This connects vulnerability management, threat modeling, and compensating controls. 
A threat-informed approach to vulnerability and risk management:\nInforms defenders on what techniques an adversary might use to exploit a vulnerability Creates a clear way to describe the impacts and exploitation methods of vulnerabilities Prioritizes mitigation efforts on the subset of vulnerabilities that are identified as active threats: less than 4% of all CVEs are used in real-world attacks. Prompts remediation for high-risk and high-impact KEVs to safeguard systems (e.g. those used in ransomware campaigns). Creates a quick understanding of potential risks and impacts on the organization if the vulnerability is exploited. Focuses efforts on reducing the window of opportunity for attackers to exploit vulnerabilities that pose significant risks. Get Involved We welcome your feedback and contributions to continue to advance the PKEV mapping project. There are several ways that you can get involved with this and other mapping projects to help advance threat-informed defense:\nReview the mappings, use them, and tell us what you think. We welcome your review and feedback on the KEV/CVE mappings and resources. Analyze and map CVEs of interest to you. We encourage use of our methodology to map additional KEVs/CVEs and we welcome feedback on our mapping methodology. Share your ideas. Share your ideas or suggestions for additional tools and resources for helping the community to understand and make threat-informed decisions. You are also welcome to submit issues for any technical questions/concerns or contact the Center directly for more general inquiries.\nAbout the Center for Threat-Informed Defense The Center is a non-profit research and development consortium operated by MITRE. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. 
Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT\u0026amp;CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.\n","link":"/blog/2025/02/13/pkev-blog/","tags":["Mappings","CVE","CISA-KEV"],"title":"Put Your Money Where Your Adversaries Are: Exploited Vulnerabilities","type":"blog"},{"banner":"img/banners/top-cyber-pro.jpg","categories":["Video"],"contents":"Jon Baker joins the Top Cyber Pro podcast to discuss the Center\u0026rsquo;s work and impact, including Top ATT\u0026amp;CK Techniques, Technique Inference Engine, Mappings Explorer, and Secure AI.\n","link":"/videos/top-cyber-pro/","tags":null,"title":"Top Cyber Pro: Jon Baker and the Center for Threat Informed Defense","type":"videos"},{"banner":"img/banners/xecurity-pulse-talk.jpg","categories":["Video"],"contents":"In this episode, we dive deep into the world of Threat Informed Defense with our special guest from MITRE, a leader in cybersecurity innovation. Discover how organizations can shift from reactive to proactive security postures by leveraging real-world threat intelligence, advanced frameworks, and cutting-edge strategies.\nWe’ll explore:\nThe core principles of Threat Informed Defense and why it’s a game-changer for cybersecurity. How MITRE’s ATT\u0026amp;CK framework is revolutionizing threat detection and response. Practical steps to implement a proactive defense strategy in your organization. Expert insights on staying ahead of evolving cyber threats. Whether you’re a cybersecurity professional, IT leader, or just passionate about digital defense, this episode is packed with actionable advice and insider knowledge you won’t want to miss. 
Tune in and learn how to build a smarter, stronger defense against today’s most sophisticated threats!\n","link":"/videos/xecurity-pulse-talk/","tags":null,"title":"The Secrets Of Threat-informed Defense: Decoding The Hacker's Mind","type":"videos"},{"banner":null,"categories":null,"contents":"THE MITRE CORPORATION RESPECTS THE PRIVACY OF ITS WEBSITE USERS. Effective Date: 01/15/2025\nThis Online Privacy Policy explains the types of personal information that MITRE’s Center for Threat-Informed Defense (“MITRE CTID,” “we,” “our,” “us”) collects from visitors to this website (the “Site”); how MITRE CTID uses, shares, protects, stores, and otherwise processes that personal information; and your choices with respect to our use of your personal information. By using our Site, you acknowledge that you understand and agree to the terms outlined in this Privacy Policy. If you have any questions, you may contact us using the information provided at the end of this Privacy Policy.\nThis notice is provided in a layered format so you can click through to the specific areas listed below.\nPersonal Information We Collect Personal Information You Give Us Information We Collect Automatically How We Use Personal Information How We Share Personal Information Linked Websites Social Features Security of Personal Information Your Choices Information for Visitors from Outside the United States Information for Visitors from Australia Information for Visitors from the European Economic Area and the United Kingdom Our Collection and Use of Personal Data Our Processing of Your Personal Data Your Rights Under the GDPR Our Retention of Your Personal Data Personal Data Transfers Information for Specific Individuals Privacy of Children Changes to Our Privacy Policy Questions Personal Information We Collect Personal Information You Give Us MITRE CTID may obtain your personal information when you interact with our Site, for example, when you request information about our services using the 
“Contact Us” link or sign up for our news and information offerings. Personal information is data that identifies you, or could reasonably be used to identify you, as an individual, such as your name, postal address, email address, and phone number.\nInformation We Collect Automatically We also may collect other information about your visits to our Site using automated tools; for example, cookies and other passive information collection technologies enable MITRE CTID to compile aggregate statistics concerning use of the Site, analyze trends, enhance the security of the Site, deliver content, and otherwise administer and improve the Site. This information may include your browser type, language preference, operating system, device identifier, device type, access time, Internet Protocol (IP) address, the URLs of websites you visited before and after visiting our Site, the web search that landed you on our Site, length of your visits to our Site, and the links you click and pages you visit within our Site. Our Site uses both session ID cookies and tracking cookies. Session ID cookies make it easier for you to navigate the Site and expire when you close your browser. Tracking cookies help us understand how you use the Site and enhance your user experience.\nPlease note that we, and other parties we work with, may collect personal information about your online activities over time and across different devices and sites when you use our Site.\nYour web browser may have settings that allow you to transmit a “Do Not Track” signal when you visit various websites or use online services. Like many websites, our Site is not designed to respond to “Do Not Track” signals received from browsers. 
To learn more about online tracking, the Federal Trade Commission (FTC) provides guidance on How To Protect Your Privacy Online.\nWe may use certain third-party web analytics services to help us understand and analyze how visitors use our Site and to serve advertisements on our behalf across the Internet. We have implemented Google Analytics and may use cookies and other identifiers to create a profile of you, measure your interests, personalize content, and detect your demographics, location, or device. For more information on how Google Analytics uses data collected through the Site, visit: www.google.com/policies/privacy/partners/. To opt out of Google Analytics cookies, visit: www.google.com/settings/ads and tools.google.com/dlpage/gaoptout/.\nHow We Use Personal Information MITRE CTID may use personal information we collect through our Site to:\ncommunicate with you, including to respond to your questions and requests, send you notices about our services, or contact you for additional information when needed; analyze Site trends, usage, and the activities of Site visitors; improve our Site and notify you about important updates; perform internal business analyses or for other business purposes consistent with our mission; facilitate, manage, personalize, and improve our partnership relationships; identify, prevent, investigate, and take other actions with respect to suspected or actual fraud or illegal activity or other activity that violates our policies; ensure the security and integrity of our personal information processing; comply with applicable laws, rules, regulations, and legal processes as well as our company policies; and fulfill other purposes, with your consent (as required). 
How We Share Personal Information MITRE CTID may share your personal information within our organization to:\nbetter respond to your inquiries; perform marketing research and for sales, support, and service-related purposes; protect rights, property, life, health, security, and safety; negotiate or complete any proposed or actual merger, purchase, sale, or any other type of acquisition or other transaction, including a transfer of all or a portion of our business to another organization; disclose personal information with your consent or at your direction; and achieve any other purpose consistent with our statements in this Privacy Policy or otherwise allowed by applicable law. MITRE CTID may disclose your personal information to comply with applicable law, such as in response to requests from law enforcement agencies, regulators, other public authorities, courts, and third-party litigants in connection with legal proceedings or investigations.\nLinked Websites Our Site may include links to other websites that are not owned or operated by MITRE CTID. This Privacy Policy does not apply to those websites, which may have their own privacy policies that you should review to understand how they may collect, use, or disclose your personal information. MITRE CTID is not responsible for the content or privacy practices of any linked websites that it does not control.\nSocial Features Certain features of our Site may permit you to interact with social media networks operated by unaffiliated parties, for example, if you “like” or “follow” MITRE on those platforms (“Social Features”). If you choose to “like” or share content or post information using Social Features, that information may be publicly displayed, and the party operating the social media platform may receive information about you and your use of our Site. Similarly, if you interact with us through Social Features, we may have access to information about you from the social media platform. 
Please note that if you mention MITRE or comment about or in response to us, in your post on a social media platform, that platform may allow us to publish your post on our Site. You should review the terms, policies, and settings of these platforms to learn more about their data practices and adjust your settings accordingly.\nSecurity of Personal Information MITRE maintains reasonable safeguards designed to protect personal information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. MITRE employs encryption technologies and user authentication procedures that are designed to keep data secure. Nevertheless, transmission via the Internet and online digital storage are not completely secure, so we cannot guarantee the security of your personal information.\nYour Choices If you are currently on our communications list and do not wish to receive further promotional email messages, you may email a request to ctid@mitre.org with the subject “Unsubscribe”. Opting out of marketing emails will not affect our administrative emails to you (for example, emails about your use of our services).\nInformation for Visitors from Outside the United States MITRE CTID is based in the United States. If you are visiting our Site from outside the United States, please be aware that information we obtain about you may be transferred to and processed in the United States or other jurisdictions. By using the Site and providing your personal information, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside your own. 
Please be aware that the data protection laws and regulations that may apply to your personal information transferred to the United States or other countries may be different from the laws in your country of residence.\nInformation for Visitors from Australia We are committed to handling your personal information in an open and transparent manner in accordance with applicable laws and regulations. For more information on your privacy rights, you can visit the website of The Office of the Australian Information Commissioner at www.oaic.gov.au/.\nInformation for Visitors from the European Economic Area and the United Kingdom This section provides a GDPR Notice (“Notice”) for residents of the European Economic Area (“EEA”) and United Kingdom (“UK”) regarding their respective rights under the European Union’s General Data Protection Regulation and the United Kingdom’s General Data Protection Regulation (collectively, the “GDPR”). MITRE is the data controller for personal data collected through the Site.\nThis Notice supplements the information in this Privacy Policy and other MITRE privacy policies and notices. If there is a conflict between any other MITRE privacy policy, statement, or notice and this Notice, this Notice will prevail.\nOur Collection and Use of Personal Data Personal data collected through this Site may include:\nContact Data. You may provide your contact details, such as your name, phone number, postal address, email address, and company affiliation; for example, when you contact us for further information or subscribe to receive our news and information offerings. Device Data. We may obtain information about devices that access our Sites, including the type of device, operating system, device settings, unique device identifiers, and error data. Other Data You Provide. This includes personal data you include in communications you send to us, such as inquiries about our services. 
Our Processing of Your Personal Data Your personal data is required for us to provide some of our services. In some instances, if you fail to provide your personal data, you may not be able to access or use our services. We may process the personal data you provide for any of the purposes identified in the “How We Use Personal Information” and “How We Share Personal Information” Sections of our Online Privacy Policy.\nYour personal data is processed pursuant to the following legal bases:\nThe processing is necessary for us to provide you with the services you request or to respond to your questions. We have a legal obligation to process your personal data, such as compliance with applicable tax laws or other government regulations or compliance with a court order or binding law enforcement request. We have a legitimate interest in processing your personal data and our reasons for using the personal data outweigh the potential prejudice to your data protection rights. In particular, we have a legitimate interest in the following instances: To analyze and improve the safety and security of our Sites and services, including by implementing and enhancing security measures and safeguards and protecting against fraud, spam, and other abuses; To maintain and improve our Sites and services; and To operate and promote MITRE CTID\u0026rsquo;s services and provide you with information and communications about our services that are tailored to, and in accordance with, your preferences. You have consented to our processing of your personal data. When you consent, you may change your mind and withdraw your consent at any time by emailing us at privacy@mitre.org. Your Rights Under the GDPR The GDPR provides individuals with certain rights regarding their personal data. 
You may ask us to take the following actions:\nprovide you with information about our processing of your personal data and access to your personal data; update or correct inaccuracies in your personal data; delete your personal data; transfer a copy of your personal data to you or a third party of your choice; restrict the processing of your personal data; object to our use of your personal data for marketing purposes; and object to our reliance on legitimate interests as the basis for processing your personal data. You may submit these requests by email to privacy@mitre.org. We may require specific information from you to help us verify your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to any legal restrictions on disclosing this information.\nIf you would like to submit a complaint about our use of your personal data or our response to your request regarding your personal data, you may contact us at privacy@mitre.org or submit a complaint directly to the data protection authority in your jurisdiction. If you reside in the EEA, you can find information about your data protection authority here. If you reside in the UK, you may file complaints with the Information Commissioner’s Office here.\nOur Retention of Your Personal Data MITRE CTID retains your personal data for no longer than is necessary to achieve the purposes for which the personal data was collected, or as may otherwise be permitted or required under applicable law. To determine the appropriate retention period, we will consider the scope and sensitivity of the personal data; the potential risk of harm from unauthorized access to, use, or disclosure of the data; the purposes for which we process the data; whether we can achieve our purposes through other means; our business needs; and applicable legal requirements. 
Unless otherwise required by applicable law, at the end of the retention period, we will anonymize or securely destroy your personal data.\nPersonal Data Transfers By using this Site, you acknowledge that your personal data may be collected, transferred to, and processed in jurisdictions outside your own. When you directly provide your personal data through our Site, you acknowledge that your personal data is being provided by you to a company based in the United States. The laws that apply to personal data protection in the United States differ from those applicable in the EEA and the UK.\nIf it is necessary for us to transfer personal data out of the EEA and the UK, we do so by using suitable data transfer mechanisms, such as the standard contractual clauses approved by the European Commission, which impose data protection obligations on parties to the transfer.\nInformation for Specific Individuals Residents of U.S. states with consumer privacy laws in effect and enforceable may contact us at privacy@mitre.org for further information about our privacy practices.\nPrivacy of Children This Site is not intended for children, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will delete it in accordance with applicable law.\nChanges to Our Privacy Policy MITRE CTID may update or modify this Privacy Policy from time to time at our discretion. We will indicate changes to this Privacy Policy by updating the “Effective Date” at the beginning of the Privacy Policy. Please review this Privacy Policy periodically and especially before you provide any personal information to us. 
Your continued use of this Site after any update to this Privacy Policy will constitute your acceptance of our changes.\nQuestions If you have questions about this Privacy Policy or MITRE’s privacy practices, you may email privacy@mitre.org.\nMITRE’s Data Protection Officer may be contacted as follows:\nIn the United States\nDena Kozanas – Data Protection Officer\nAssociate General Counsel \u0026amp; Chief Privacy Official\n7515 Colshire Drive\nMcLean, VA 22102\nPhone: +1 (703) 269-8515\nEmail: privacy@mitre.org\nIn Singapore\nMITRE Asia Pacific Singapore\nThomas (Tass) Bruce Hudak – Privacy Coordinator\n1 Changi Business Park Avenue 1\nSuite #02-03/04\nSingapore 486058\nPhone: +65 8876 4609\nEmail: privacy@mitre.org\n","link":"/privacy/","tags":null,"title":"Privacy Policy","type":"page"},{"banner":null,"categories":null,"contents":"Use of the MITRE Center for Threat-Informed Defense (“MITRE CTID”) website is subject to these terms and conditions. Acceptance of Terms: By accessing and using the MITRE CTID website (“Site”), you acknowledge that you have read, understood, and agree to be bound by these Terms of Use and the Privacy Policy referenced herein. If you do not accept these Terms of Use and the Privacy Policy you are not authorized to use this Site. MITRE CTID may make modifications to the foregoing at any time and such modification will be effective upon posting to the Site. Your continued use of the Site after any modifications to these Terms of Use shall indicate your agreement with such modified terms.\nSupplementary Terms: Some portions of the Site may have additional rules guidelines or terms posted. 
If there is a conflict between these Terms of Use and the rules, guidelines or terms posted for a specific area of the Site, the latter will govern regarding your use of that part of the Site.\nSite Content: All content on this Site including, but not limited to software, text, graphics, images, video, audio and other material (collectively referred to as the “Content”), is the exclusive property of and owned by MITRE CTID and/or other authorized Third Party Service Providers. The Content may be owned by MITRE CTID or may be provided through an arrangement MITRE CTID has with others, including Third Party Service Providers, or other users of the Site. The Content is protected by copyright under both United States and foreign laws and may not be modified or altered in any way. Unauthorized use of the Content may violate copyright, trademark, and other laws. You have no rights in or to the Content and you may not use the Content except as specifically provided in these Terms of Use. You may access, copy, and print the Content on this Site provided you do not modify or delete any copyright, trademark or other proprietary notice that appears on the Content. No other use is permitted without prior written consent from MITRE CTID or the owner of the Content. If you violate any part of these Terms of Use, your permission to access and/or use the Content and the Site automatically terminates without notice.\nUser Content: The Site may now or in the future permit the submission of Content at the direction of users of the Site (“User Content”) and the hosting, sharing, and/or publishing of such User Content. You understand that whether or not such User Content is published, MITRE CTID does not guarantee any confidentiality with respect to any submissions you make. You shall be solely responsible for User Content you submit and the consequences of our posting or publishing such User Content. 
MITRE CTID reserves the right to decide whether User Content is appropriate and complies with these Terms of Use for copyright infringement and violations of intellectual property law, as well as other violations, such as, but not limited to, obscene or defamatory material, invasive of privacy rights, fraudulent, obscene, illegal, or otherwise objectionable. MITRE CTID may remove such User Content and/or terminate your access for uploading such material in violation of these Terms of Use at any time, without prior notice and at our sole discretion.\nLinks to External Sites: The Site may contain links to third-party Web sites (“External Sites”). These links are provided solely as a convenience to you and not as an endorsement by MITRE CTID of the information on such External Sites. The information on such External Sites is developed and provided by others. You should contact the External Site administrator if you have any concerns regarding such links or any information located on such External Sites. MITRE CTID disclaims any responsibility or liability with regards to the information posted on these External Sites.\nAccessibility: MITRE CTID strives to make information accessible to everyone. In some cases, visitors using assistive technology may have difficulty reading some content. 
If you have a disability that causes problems for you in accessing any of our information, please contact ctid@mitre.org.\nPermitted Use: The following Site activities are expressly prohibited: (i) collecting usernames and/or email addresses of other users by electronic or other means for the purpose of sending unsolicited email or other communications, (ii) any use of the Site, which in MITRE CTID’s sole judgment, degrades the reliability, speed, or operation of the Site or any underlying hardware or software thereof, (iii) you may not attempt to gain unauthorized access to any parts of the Site, (iv) you may not use any robot, spider, or other automated means to access the Site, (v) you may not access, download, use or export the Site, or the Content provided on the Site, in violation of U.S. export laws or regulations, or in violation of any other applicable laws or regulations, and (vi) any use of the Site which is unlawful or in violation of these Terms of Use.\nPassword Protection: Access to, and use of, any password protected areas of the Site is restricted to authorized users only and you may not share your password(s), account information, or access to the Site. You are responsible for maintaining the confidentiality of your password(s) and account information, and you are responsible for all activities that occur under your password(s) or account(s) or as a result of your access to the Site. 
You agree to notify MITRE CTID immediately of any unauthorized use of your password(s) or account(s).\nCopyright: If you are a copyright owner or an agent thereof and believe that any User Content or other Content infringes upon your copyrights, you may submit a notification pursuant to the Digital Millennium Copyright Act (“DMCA”) by providing our Copyright Agent with the following information in writing (see 17 U.S.C. 512(c)(3) for further detail):\n(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed;\n(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site;\n(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled and information reasonably sufficient to permit MITRE CTID to locate the material;\n(iv) Information reasonably sufficient to permit MITRE CTID to contact you, such as an address, telephone number, and, if available, an electronic mail;\n(v) A statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and\n(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that you are authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.\nMITRE CTID’s designated Copyright Agent to receive notifications of claimed infringement and other notices relating to User Content and/or violation of these Terms of Use (e.g., violations of criminal laws) is: General Counsel, The MITRE Corporation, 7525 Colshire Drive, McLean, VA 22102-7539 Note: Only DMCA notices and notices relating to complaints in connection with User 
Content or violations of these Terms of Use should go to the Copyright Agent. Any other feedback, comments, and other communications should be sent to and addressed in the “Contact Us” link.\nIndemnification: You agree to defend, indemnify, and hold MITRE CTID and other Third Party Service Providers harmless from and against any claims, actions or demands, including, without limitation, reasonable legal and accounting fees, arising or resulting from your breach of these Terms of Use or your uploading of, access to, or use or misuse of the Content, User Content or the Site. MITRE CTID shall provide notice to you of any such claim, suit, or proceeding and may assist you, at your expense, in defending any such claim, suit or proceeding. MITRE CTID reserves the right to assume the exclusive defense and control of any matter which is subject to indemnification under this section. In such case, you agree to cooperate with any reasonable requests assisting our defense of such matter.\nDisclaimer of Warranty and Limitation of Liability: WE, OUR AUTHORIZED THIRD PARTY PROVIDERS, AND OUR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, OR LICENSORS, MAKE NO WARRANTIES OR REPRESENTATIONS ABOUT THE CONTENT (INCLUDING THE USER CONTENT), INCLUDING BUT NOT LIMITED TO ITS ACCURACY, RELIABILITY, COMPLETENESS, TIMELINESS, OR RELIABILITY. NEITHER WE NOR OUR AUTHORIZED THIRD PARTY PROVIDERS SHALL BE SUBJECT TO LIABILITY FOR TRUTH, ACCURACY, OR COMPLETENESS OF ANY INFORMATION CONVEYED TO THE USER OR FOR ERRORS, MISTAKES OR OMISSIONS THEREIN OR FOR ANY DELAYS OR INTERRUPTIONS OF THE DATA OR INFORMATION STREAM FROM WHATEVER CAUSE. YOU AGREE THAT YOU USE THE SITE AND THE CONTENT (INCLUDING THE USER CONTENT) AT YOUR OWN RISK. 
NEITHER WE NOR OUR AUTHORIZED THIRD-PARTY SERVICE PROVIDERS WARRANT THAT THE SITE WILL OPERATE ERROR FREE OR THAT THIS SITE, ITS SERVER, OR THE CONTENT (INCLUDING THE USER CONTENT) ARE FREE OF COMPUTER VIRUSES OR SIMILAR CONTAMINATION OR DESTRUCTIVE FEATURES. IF YOUR USE OF THE SITE OR THE CONTENT (INCLUDING THE USER CONTENT) RESULTS IN THE NEED FOR SERVICING OR REPLACING EQUIPMENT OR DATA, WE SHALL NOT BE RESPONSIBLE FOR THOSE COSTS. THE SITE AND CONTENT (INCLUDING THE USER CONTENT) ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT ANY WARRANTIES OF ANY KIND. WE AND OUR AUTHORIZED THIRD-PARTY SERVICE PROVIDERS HEREBY DISCLAIM ALL WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF TITLE, MERCHANTABILITY, NON-INFRINGEMENT OF THIRD PARTIES’ RIGHTS, AND FITNESS FOR PARTICULAR PURPOSE. IN NO EVENT SHALL WE OR OUR AUTHORIZED THIRD PARTY SERVICE PROVIDERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, INCIDENTAL AND CONSEQUENTIAL DAMAGES, LOST PROFITS, OR DAMAGES RESULTING FROM LOST DATA OR BUSINESS INTERRUPTION) RESULTING FROM THE USE OR INABILITY TO USE THE SITE AND THE CONTENT (INCLUDING THE USER CONTENT), WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER LEGAL THEORY, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOU SPECIFICALLY ACKNOWLEDGE AND AGREE THAT NEITHER MITRE CTID NOR ITS AUTHORIZED THIRD-PARTY SERVICE PROVIDERS SHALL BE LIABLE FOR ANY DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF ANY USER OF THE SITE. YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY OF THE ABOVE CLAIMS OR ANY DISPUTE WITH MITRE CTID IS TO DISCONTINUE YOUR USE OF THE SITE. YOU AND MITRE CTID AGREE THAT ANY CAUSE OF ACTION ARISING OUT OF OR RELATED TO THE SITE MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES OR THE CAUSE OF ACTION IS PERMANENTLY BARRED. 
BECAUSE SOME JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, OR THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, ALL OR A PORTION OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. IN SUCH JURISDICTIONS, OUR AND OUR AUTHORIZED THIRD-PARTY SERVICE PROVIDER’S LIABILITY SHALL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.\nGeneral: These Terms of Use, and any rights and licenses granted hereunder, may not be transferred or assigned by you, but may be assigned by MITRE CTID without restriction. These Terms of Use are governed by the internal substantive laws of the Commonwealth of Virginia, without respect to its conflict of laws provision. You expressly agree to submit to the exclusive personal jurisdiction of the state and federal courts located in the Commonwealth of Virginia, United States.\nIf any provision of these Terms of Use is found to be invalid, unlawful, void, or unenforceable by any court having competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of the Terms of Use, which shall remain in full force and effect.\nFailure by MITRE CTID or our authorized third-party service providers to act on or enforce any provision of the Terms of Use shall not be construed as a waiver of that provision or any other provision in these Terms of Use. 
No waiver shall be effective against us or our authorized third-party service providers unless made in writing, and no such waiver shall be construed as a waiver in any other or subsequent instance.\nExcept as expressly agreed by us and you, these Terms of Use constitute the entire agreement between you and us with respect to the subject matter hereof, and supersede all previous or contemporaneous agreements, whether written or oral, between the parties with respect to such subject matter.\n","link":"/terms/","tags":null,"title":"Terms \u0026 Conditions","type":"page"},{"banner":"img/banners/security-stack-mappings-hardware-enabled-defense.jpg","categories":["Published Projects","Mappings"],"contents":"The Security Stack Mappings – Hardware-Enabled Defense project demonstrates full stack threat-informed defense, from the hardware board to the software bytes.\nThe Hardware-Enabled Defense mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/security-stack-mappings-hardware-enabled-defense/","tags":["Hardware"],"title":"Security Stack Mappings – Hardware-Enabled Defense","type":"projects"},{"banner":"img/banners/security-stack-mappings-hardware-enabled-defense.jpg","categories":["Blog","Mappings"],"contents":" Advanced security features in hardware can be partnered with operating system (OS) and software security features to optimize mitigations against cyber threats. However, these hardware-based capabilities are typically not well known to security practitioners. 
With modern chips deployed to tens of millions of enterprise systems, there is a tremendous opportunity to create defense-in-depth to counter adversarial threats to systems and data.\nTo meet this need, the Center for Threat-Informed Defense (Center) created Security Stack Mappings (SSM) - Intel vPro in partnership with Center participants AttackIQ, CrowdStrike, Intel Corporation, and Microsoft Corporation. The SSM-Intel vPro project connects adversarial behaviors as described in MITRE ATT\u0026amp;CK® to integrated hardware, OS, and security software capabilities of standard enterprise-class systems. With this, threat-informed defenders apply these additive capabilities to mitigate real-world adversary behaviors.\nThe resources for the SSM-Intel vPro project — including the mappings, ATT\u0026amp;CK Navigator layers, and the mapping methodology — are all available in Mappings Explorer. Mappings Explorer enables cyber defenders to easily access and explore the Center’s mapped security capabilities, bridging the gap between a threat-informed approach to cybersecurity and the traditional perspective of security controls.\nWhat Does the Hardware Do for Defense? The SSM-Intel vPro project illustrates the security capabilities of recent generation system hardware when stacked with OS and security software. Defensive capabilities available within enterprise hardware used in conjunction with OS security and with security software solutions can defend against specific ATT\u0026amp;CK adversary techniques.\nProject Scope Setting the project scope involved determining which OS and security software capabilities were enabled or enhanced by the underlying hardware. 
The integrated security capabilities included in scope were derived from the following product areas:\nIntel Core Ultra vPro Enterprise Microsoft Windows 11 with Microsoft Defender CrowdStrike Falcon For each product area, the security capabilities considered in scope for this project are:\nintegrated hardware capabilities with OS or software implementation included as part of the product’s native security offering technical in nature (versus administrative or physical) technically documented with publicly available security information, indicating protection from, detection of, or response to adversary behaviors as described in ATT\u0026amp;CK. Capabilities included in project scope are integrated hardware capabilities with OS or security software implementation. The mappings show how software uses features of the hardware, and OS and software capabilities that are not hardware-enabled were not mapped as those are outside of this project’s solution set.\nMapping Methodology We applied a tailored Security Stack Mapping Methodology to connect the combined hardware-level and OS, or combined hardware-level and security software protection, detection, and response capabilities. The methodology utilizes the information in the ATT\u0026amp;CK knowledge base and its underlying data model to understand, assess, and record the real-world threats that security controls can potentially mitigate.\nThe methodology follows these steps:\nIdentify security capabilities in scope. Identify the Intel hardware capabilities used by CrowdStrike Falcon and Windows 11 Enterprise with Microsoft Defender to be mapped.\nReview security capability documentation. For in-scope integrated capabilities, identify and evaluate the mitigating security features provided for adversarial threats.\nIdentify mappable ATT\u0026amp;CK Techniques \u0026amp; Sub-techniques. 
Identify the ATT\u0026amp;CK v15.1 techniques and sub-techniques mappable to the integrated capability.\nScore the effectiveness of the capability for the adversary behavior. Assess the effectiveness of the type of capability provided for the identified ATT\u0026amp;CK techniques and sub-techniques.\nProtect: capability limits or contains the impact of a (sub-)technique. Detect: capability identifies the potential occurrence of a (sub-)technique. Respond: capability provides actions to take for a detected (sub-)technique. Create a mapping of integrated capabilities to ATT\u0026amp;CK (sub-)technique. Create a mapping of the integrated capabilities based on the information gathered from the previous steps.\nBy documenting and sharing our scoping decisions and methodology, we aim to accelerate community collaboration. Due to the nature of mapping security controls to ATT\u0026amp;CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific controls to specific techniques. We welcome your feedback and perspectives.\nMapping Summary The SSM-Intel vPro project mapped Microsoft Windows 11 Enterprise with Microsoft Defender and CrowdStrike Falcon hardware-enabled capabilities under the security categories of Hardware — Advanced Threat Protection, Hardware — Trusted Computing, Hardware — Encryption and Data Protection, and Hardware — Virtualization, resulting in over 230 mappings of integrated mitigations to adversary behaviors. The mappings depict the practical application of the hardware for specific adversarial threats, and how hardware-enabled security can be used in conjunction with OS security solutions and with security software to provide defense-in-depth solutions. 
The table below provides an overview of the security features in hardware leveraged by OS and security software features mapped under this project.\nHardware Enabled Defenses Integrated Mapping Examples An example of Hardware — Advanced Threat Protection integration is Intel Threat Detection Technology (TDT) with CrowdStrike Falcon Accelerated Memory Scanning (AMS). AMS enhances visibility of in-memory patterns and threats, such as attempts to cover up malicious activity or code execution masquerading as legitimate processes. This combination enables faster detection of cyber threats earlier in the kill chain and in real-time, with minimal impact on system performance. With this integration we identified protect and detect coverage for over 90 ATT\u0026amp;CK (sub-)techniques, depicted below.\nHardware — Advanced Threat Protection: Intel TDT and CrowdStrike Falcon AMS Intel Platform Trust Technology (PTT) and Microsoft Windows Hello Enhanced Sign-in Security (ESS) yield a Hardware — Trusted Computing integrated mapping. The Trusted Platform Module (TPM) offered by Intel Platform Trust Technology (PTT) stores authentication data including public/private key pairs. Windows Hello ESS protects against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios. This integration resulted in mappings for protect and detect coverage for over 20 ATT\u0026amp;CK (sub-)techniques, as depicted below.\nHardware — Trusted Computing: Intel PTT and Windows Hello ESS Get Involved We welcome your feedback and contributions to continue to advance the SSM-Intel vPro Mapping project. There are several ways that you can get involved with this and other mapping projects to help advance threat-informed defense:\nReview the mappings, use them, and tell us what you think. We welcome your review and feedback on the SSM-Intel vPro mappings, our methodology, and resources. Analyze and map your security capabilities. 
We encourage use of our methodology to map security capabilities of additional products and we welcome mapping contributions. Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT\u0026amp;CK. Your input will help us prioritize how we expand our mappings. Share your ideas. Share your ideas or suggestions for additional tools and resources for helping the community to understand and make threat-informed decisions. You are also welcome to submit issues for any technical questions/concerns or contact the Center directly for more general inquiries.\n","link":"/blog/2025/01/03/stacked-defense-from-the-hardware-up/","tags":["Hardware"],"title":"Stacked Defense from the Hardware Up","type":"blog"},{"banner":"img/logos/tid-circle.png","categories":null,"contents":" The MITRE INFORM Project (formerly known as M3TID) identified a set of 5 best practice components for each of the 3 Dimensions of TID. For each of those best practices, a spectrum of 5 maturity levels were defined to describe implementing that best practice from a least threat-informed to a most threat-informed implementation. The Best Practices assessment allows you to evaluate your current posture to better understand the efficacy of existing or planned defensive measures and identify defensive gaps.\n","link":"/inform/","tags":null,"title":"MITRE INFORM: Best Practices Assessment Tool","type":"page"},{"banner":"img/banners/summiting-the-pyramid.jpg","categories":["Published Projects"],"contents":"Summiting the Pyramid (STP) creates a methodology to score analytics against the pyramid of pain, helping defenders create more robust detections against adversary behavior. 
With this update, STP reduces false positives and expands scoring to network-based analytics.\n","link":"/projects/summiting-the-pyramid/","tags":[],"title":"Summiting the Pyramid","type":"projects"},{"banner":"img/banners/summiting-the-pyramid.webp","categories":["Blog"],"contents":" David Bianco’s The Pyramid of Pain introduced the world to the idea that if defenders focused on identifying and detecting adversary tactics, techniques, and procedures (TTPs), it would be harder for adversaries to evade detection. The higher up the Pyramid a defender can detect, the greater the cost imposed on the adversary.\nDavid Bianco\u0026#39;s Pyramid of Pain In 2023, the Center for Threat-Informed Defense created and released Summiting the Pyramid. Summiting the Pyramid (STP) provided a methodology to score analytics against the pyramid of pain, helping defenders create more robust detections against adversary behavior. The methodology scores analytics against the pyramid of pain and changes the way we think about detection engineering by scrutinizing the components within the analytic. Since its release, Summiting the Pyramid has been used by organizations to improve their detections of adversary behavior, and the Sigma analytics repository now has an STP flag to score the robustness of open-source analytics.\nThe initial research broke ground on the new dimension of robustness, and immediately the community asked for more. Two requests in particular inspired our next research area:\nFewer false positives. How can we write robust detection analytics that are resistant to adversary evasion without introducing too many false positives? Determining analytic robustness scoring for network-based analytics. How could we expand the scoring framework to include analytics from both a network-based sensing and host-based sensing perspective? The initial release of Summiting provided a framework for scoring host-based analytics, primarily from the Windows Operating System (OS). 
In partnership with AttackIQ, Fortinet, IBM Security, Lloyds Banking Group, and The Microsoft Corporation, Summiting the Pyramid now includes resources for defenders to build accurate, robust analytics for host and network data that are difficult for an adversary to evade.\nBuild a Robust Detection Ideally, our detections will be accurate and resistant to adversary evasion over time.\nAn accurate analytic has low false positives and low false negatives (i.e., good precision and recall). A robust analytic will remain accurate, even as adversaries implement new and sneakier versions of ATT\u0026amp;CK techniques.\nThe methodology now provides three actionable steps to build robust detections:\nIdentify sets of observables which will trigger no matter how a technique is implemented, known as a spanning set. Select spanning sets which are most specific to malicious behavior, focusing on resistance to adversary evasion first, and then on accuracy. Add false positive exclusions, making the detection more accurate. These exclusions use specific values of fields that are difficult for the adversary to modify. This is necessary to preclude an adversary “hiding” within the exclusion itself. Summiting the Pyramid has introduced Detection Decomposition Diagrams (D3) to facilitate this process. These D3 visuals give defenders a view across multiple implementations of a technique to identify analytic and event observables for robust detections. D3 visuals include benign and malicious implementations of the technique. Observables which span across multiple implementations provide higher robustness; that is, resistance to adversary evasion over time. Other observables may be used for better accuracy rates.\nD3 for ATT\u0026amp;CK sub-technique Scheduled Task/Job: Scheduled Tasks There will be tradeoffs between robustness and accuracy when building more robust detections. 
For some techniques, a detection’s resistance to adversary evasion might be more important than accuracy, or vice versa. The robust detection guidance and D3 visuals provide defenders the tools and steps to evaluate the tradeoffs, determine how each component impacts the detection, and build the most impactful detection for their environment.\nExpanding to Network Detections Summiting the Pyramid now has two frameworks for scoring detections: host-based model and network traffic model. These are separate because OS-based robustness looks different from network traffic robustness.\nThe host-based model consists of three event-robustness columns. It measures the increasing cost or difficulty for the adversary to avoid host-based sensors. This includes host-based network events. To incorporate these events, the rows have been updated to account for detections or events which may occur on the outside boundary (Level 2) or within the defender’s environment (Level 3).\nThe network traffic model scores detections based on the increasing cost or difficulty for the adversary to avoid sensor visibility into the relevant network protocol. This model has two columns: protocol header and protocol payload. Network traffic robustness increases as you move into the header, since a defender will not need to rely on obfuscated network traffic payloads to detect adversarial activity.\nThe host-based scoring matrix (blue) and the network traffic scoring matrix (purple). With these two models, defenders can analyze robustness from both a host-based and network perspective.\nIncreasing Difficulty on Adversaries in v2 Summiting the Pyramid provides a framework to understand how adversaries can evade detections, helping defenders build more accurate, robust detections. In this continuation of Summiting the Pyramid, defenders can:\nUtilize step-by-step guidance and D3 visuals to build robust detections which are accurate and resistant to adversary evasion over time. 
Score network detections and improve them through pre-scored observables. Use the Summiting the Pyramid analytics repository. Future work will include how to build more robust detections against non-malicious (living-off-the-land) techniques and will expand the Summiting the Pyramid framework to more OS’s and environments.\nGet Involved We would love to hear about how you’re using our work! If you have any feedback, technical questions, concerns, or contributions you’d like to make to the project, use the Contact Us form or submit an issue on GitHub.\n","link":"/blog/2024/12/16/summiting-the-pyramid-bring-the-pain/","tags":["Detection Engineering"],"title":"Summiting the Pyramid: Bring the Pain with Robust and Accurate Detection","type":"blog"},{"banner":"img/banners/best-defense-is-a-security-capability.webp","categories":["Blog","Mappings"],"contents":" Preventing adversary behaviors can seem like an impossible task, particularly when advanced persistent threats (APTs) are again in the news with another high-profile attack. If an adversary can breach a Fortune 500 company, what chance do you have? With the Center for Threat-Informed Defense (Center) security capability mappings, you will improve your odds.\nMost organizations have access to security control frameworks, either through native controls, e.g. Microsoft Windows security features, or vendor-provided controls, e.g. AWS Security. When we draw a clear path from a security control to an adversary tactic, technique, or procedure (TTP), you can see their defensive power. The Center created the standard to illuminate a clear path, or mapping, from control to TTP.\nThese mappings are a transparent way for defenders to apply MITRE ATT\u0026amp;CK® in their environments. However, ATT\u0026amp;CK updates twice a year which means the techniques advance while the control mappings are left behind. Security control frameworks are also updated, furthering the divide. 
As a result, the capabilities contained in each mapping project at their time of publication do not reflect recent adversary techniques or defensive measures. When the mappings are out of sync with a version of ATT\u0026amp;CK, they lose value: a version 8 defense may not protect against a version 12 adversary. Keeping an organization’s mappings current with recent versions of ATT\u0026amp;CK is a good practice, but ad hoc updates of mappings to ATT\u0026amp;CK are costly. In partnership with Center members Center for Internet Security, Citigroup, HCA Healthcare, JPMorgan Chase Bank N.A., Lloyds Banking Group, Microsoft Corporation, and Verizon Business, we have committed to an enduring effort that will update and share mappings on a regular cadence, keeping in sync with ATT\u0026amp;CK. Organizations will be able to choose the version of mappings that best meets the needs of their own, unique cybersecurity programs.\nThree years of defense in under six weeks We launched this project on November 1 and have completed our first update: AWS to ATT\u0026amp;CK v16! AWS was originally mapped to ATT\u0026amp;CK v9, over 3 years ago. You’ll find this update, all our existing mappings, and our upcoming releases in our Mappings Explorer. Since v9 was released, 107 techniques have been added and 480 have been modified (we figured out those numbers using ATT\u0026amp;CK Sync, which shows you all changes in ATT\u0026amp;CK from any version to another).\nWhat’s on the horizon? We are updating all our existing security capability mappings. You can expect a new mapping release every six weeks. The mappings we have scheduled, and the current version to which they are mapped, are the following:\nAWS (currently mapped to ATT\u0026amp;CK version 9.0) COMPLETED! 
Azure (currently mapped to ATT\u0026amp;CK version 8.2) Google Cloud Platform (currently mapped to ATT\u0026amp;CK version 10.0) VERIS (currently mapped to ATT\u0026amp;CK versions 12.1, 9.0) NIST 800–53 (currently mapped to ATT\u0026amp;CK versions 14.1, 12.1, 10.1, 9.0, 8.2) M365 (currently mapped to ATT\u0026amp;CK version 14.1) CVE (currently mapped to ATT\u0026amp;CK version 9.0; upcoming mappings to 15.1) We will also improve the mappings user experience. Mappings Explorer will include new data formats that expand the scope of our mappings. We will bring ATT\u0026amp;CK Sync into the Mappings Editor, providing a one-stop shop for all the mappings work. We are currently researching how Intel vPro processors can be used to enhance software security. This is a new area for our mappings program so we had to rethink our data model and how we present the information in Mappings Explorer.\nAlong with our Mappings Explorer update, we are updating our Mappings Editor. This freely available tool is what our team uses to perform our mappings. Mappings Editor moves the community from spreadsheets to a polished interface that reduces your time to identify a path from control to technique. Please check out Mappings Editor for your internal use cases, share your successes, and how we can improve it.\nDefend Yourself Through this Center work, each of our mappings will be current with the latest adversary TTPs, ensuring that you can defend against the latest threats. This is a low-cost opportunity to improve your defenses by fully using the features already available to you, so use these resources. We believe that a rising tide lifts all boats and there’s no easier way to raise the tide than to enable native security controls that directly protect, detect, or respond to adversary threats.\nWe welcome your feedback and contributions to continue to advance our work. 
If you have any feedback, technical questions, concerns, or contributions you’d like to make to the project, use the Contact Us form or submit an issue on Github.\n","link":"/blog/2024/12/13/best-defense-is-a-security-capability-mapped-to-attack/","tags":[],"title":"The Best Defense is a Security Capability Mapped to ATT\u0026CK","type":"blog"},{"banner":"img/banners/secure-ai.png","categories":["Video","Cyber Threat Intelligence"],"contents":"Christina Liaghati, MITRE ATLAS Lead, and Jonathan Baker, Center for Threat-Informed Defense Director, discuss taking a threat-informed approach to securing AI-enabled systems. Learn more about using MITRE ATLAS as a framework for understanding threats to AI-enabled systems, our AI Incident Sharing Initiative, our R\u0026amp;D roadmap driven by cyber practitioners working with MITRE, and how you can get involved.\n","link":"/videos/secure-ai-webinar/","tags":["Artificial Intelligence"],"title":"Secure AI Webinar","type":"videos"},{"banner":"img/banners/secure-ai.png","categories":["Events","Cyber Threat Intelligence"],"contents":"Webinar: Taking a Threat-Informed Approach to Securing AI Host: Jon Baker, Director \u0026amp; Co-Founder, MITRE Center for Threat-Informed Defense\nGuest: Dr. Christina Liaghati, MITRE ATLAS Lead\nChristina Liaghati, MITRE ATLAS Lead, and Jonathan Baker, Center for Threat-Informed Defense Director, discuss taking a threat-informed approach to securing AI-enabled systems. 
Learn more about using MITRE ATLAS as a framework for understanding threats to AI-enabled systems, our AI Incident Sharing Initiative, our R\u0026amp;D roadmap driven by cyber practitioners working with MITRE, and how you can get involved.\nView The Recording Slides ","link":"/events/secure-ai-webinar/","tags":["Artificial Intelligence"],"title":"Secure AI Webinar","type":"events"},{"banner":"img/threat-informed-defense-triangle.png","categories":["Blog"],"contents":" This is the third and final part of the Center for Threat-Informed Defense 2024 R\u0026amp;D Roadmap. In Part One and Part Two, we shared the Center’s guiding principles for research in 2024.\nGood work becomes better work. We observed which prior Center publications are impactful to the community, and we heard from you how our research can provide further solutions. Some of our 2024 projects build upon Summiting the Pyramid, Security Capability Mappings, and Attack Flow. Share the how. We made a conscious investment to make new releases more accessible. What once might have been a GitHub directory is now a mobile-friendly browser-based application. And we went one step further by developing resources to train threat-informed defenders how to apply our work. Threat-informed defense aligns defensive measures to real-world observations of adversary tradecraft. Where cybersecurity often focused on brittle indicators of compromise that are easy for an adversary to change, threat-informed defense focuses energy on adversary behavior, which is more stable over time and more expensive for adversaries to evade. The result is more efficient use of defenders’ resources and a more robust program of prevention, detection, and response.\nThe third principle for our 2024 research program is Threat-Informed Defense applies broadly. 
You will find Center projects that apply threat-informed defense to artificial intelligence enabled systems, to hardware, and to a variety of platforms.\nThreat-Informed Defense Applies Broadly Artificial Intelligence meets Threat-Informed Defense In 2024, the Center and 16 of our member organizations applied the principles of threat-informed defense to AI-enabled systems in our first Secure AI project. This resulted in a significant expansion of the MITRE ATLAS database with case studies that are curated by and relevant to industry partners, as well as the launch of the AI Incident Sharing Initiative.\nThese successes demonstrated that there is more the Center can and will do in AI security research. In 2025, we will further our AI Focus Area in four ways:\nExpand the ATLAS Knowledge Base with domain-specific vulnerabilities and mitigations Expedite AI Incident Sharing Verifiable AI Vulnerability Discovery AI Red Teaming and Adversary Emulation Demystify Ambiguous Techniques MITRE ATT\u0026amp;CK techniques are not all intrinsically malicious. In fact, threat actors commonly achieve their objectives by living-off-the-land, leveraging native platform capabilities that may be critical business enablers. These ambiguous techniques are difficult to detect as adversary behaviors due to the need to separate benign activity from malicious activity. Our Ambiguous Techniques project will identify core behaviors and observables associated with ambiguous techniques and build robust detections for them. This research will lower the false positive rate of ambiguous techniques.\nFull Stack Threat-Informed Defense We endeavor to map security capabilities in hardware to adversary behaviors in Security Stack Mappings — Hardware-Enabled Defense. This will require us to extend our mappings methodology. 
In this project we will determine how hardware capabilities, in tandem with an operating system,\nidentify the potential occurrence of a (sub-)technique, limit the impact of a (sub-)technique, or provide actions to take for a detected (sub-)technique. Such integration is essential for proactive and robust threat-informed defense for enterprise environments. We have included emulation plans for some techniques to demonstrate the effectiveness of the hardware capability with anti-virus or endpoint detection and response software features. These results will be published in January 2025 and affect billions of enterprise-class systems worldwide.\nTID Beyond Windows, TID Beyond Humans Following the development of the Center’s first Linux-based adversary emulation plan OceanLotus, we see the need for Linux defenders to possess the same expanded resources and awareness as every other threat-informed defender. Currently, Linux OS native security functions have not matured to log data required to detect adversarial behaviors using ATT\u0026amp;CK-based hunting methodologies. The Center’s Threat-Informed Defense for Linux project will create and validate open-source tooling configurations for Linux compatible with ATT\u0026amp;CK-based hunting methodologies that are suitable for operational environments.\nCybersecurity analysts encounter novel situations every day and must research, study, and evaluate exponentially more options for defense than attackers. This GenAI for Threat-Informed Defense project will use Generative AI, such as LLMs and chatbots, to provide contextual information for cybersecurity scenarios and automate common tasks in the analyst’s workflow. This research will demonstrate that GenAI can deliver actionable advice to cyber analysts at scale, enabling defenders to respond to novel situations while automating repetitive tasks out of the analyst’s queue.\nWhat’s Next? Our R\u0026amp;D program grows with the needs of defenders — your needs. 
So you influence our next research project, as you have influenced all that we have released to the community to date. Here are your next steps to make a difference as a threat-informed defender.\nRead Part One and Part Two of the Center’s 2024 R\u0026amp;D Roadmap Update.\nStay informed — Be the first to know about R\u0026amp;D project releases by signing up for our newsletter and following us on LinkedIn.\nUse Center R\u0026amp;D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Letting us know how you are using Center R\u0026amp;D allows us to continually refine our work, making it more accessible and impactful.\nJoin us to advance Threat-Informed Defense — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT\u0026amp;CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.\n","link":"/blog/2024/11/22/threat-informed-defense-applies-broadly-2024-rd-roadmap/","tags":["R\u0026D Roadmap"],"title":"Threat-Informed Defense Applies Broadly – 2024 R\u0026D Roadmap Update – Part Three","type":"blog"},{"banner":"img/banners/share-the-how.webp","categories":["Blog"],"contents":" In Part One of our 2024 Roadmap Update, we shared that the Center for Threat-Informed Defense shaped our R\u0026amp;D program upon three principles; first was\nGood work becomes better work. We observed which prior Center publications are impactful to the community, and we heard from you how our research can provide further solutions. 
Some of our 2024 projects build upon Summiting the Pyramid, Security Capability Mappings, and Attack Flow.\nOur mission is to advance the state of the art and state of the practice in threat-informed defense globally. To make that transition from art to practice for all defenders, our second principle is Share the how.\nWe made a conscious investment to make new releases more accessible. What once might have been a GitHub directory is now a mobile-friendly browser-based application. And we went one step further by developing resources to train threat-informed defenders how to apply our work. Threat-informed defense enables the collective resources of all defenders to be greater than those of any one adversary. So we develop those resources for the collective in the course of delivering our research.\nShare the How In 2024, we actively participated with the community in the application of threat-informed defense through virtual and in-person training, threat-informed exercises, and bespoke applications of our project resources in specific environments.\nThis Center initiative began at the Asia-Pacific ATT\u0026amp;CK Community Workshop in April 2024. Prior to the workshop the Center offered training to identify which data sources identify particular adversary techniques and practical instruction in how to refine detection rules based on those data sources. These derive from the Center’s Sensor Mappings to ATT\u0026amp;CK and Summiting the Pyramid project releases.\nWe learned from our training cohort how these resources would be impactful in their threat scenarios. To continue our learning loop, we offered that training virtually and in-person through 2024. 
We were so inspired by the engagement with our work that we have developed project training resources for more of your favorite Center projects.\nOperational Technology Table Top Exercise Our Defending Operational Technology (OT) with ATT\u0026amp;CK project was inspired by the observation that adversaries who target OT systems avail themselves of techniques on IT systems. We developed a methodology to model threats to a hybrid IT/OT environment that includes multiple domains and provides a customizable and repeatable framework for analyzing and building threat collections. Furthermore, we developed a reference architecture to visualize the technologies in an IT/OT environment so that defenders can determine the attack surface where a threat actor can generate a cyber effect.\nDefending OT with ATT\u0026amp;CK Reference Architecture And to demonstrate the threat, we built a custom collection of threats based on a compilation of real-world adversary behaviors associated with the 20 architectural assets outlined in the reference architecture. This process resulted in a comprehensive threat collection comprising 251 techniques and 441 sub-techniques.\nWith these resources we developed an ATT\u0026amp;CK-based Cyber Tabletop Exercise to discuss a real-world example and understand the best defensive capabilities to counter those threats. We selected the 2022 Ukraine Electric Power attack by Sandworm, because the campaign utilized a mix of techniques from ATT\u0026amp;CK for Enterprise and ICS to infiltrate a Ukrainian electric utility and send unauthorized commands from their SCADA system. Please run this exercise with us by contacting the Center here.\nTurn Your Threat Model into a Supermodel with ATT\u0026amp;CK Threat-informed defense is a team sport, and the Center’s Threat Modeling with ATT\u0026amp;CK project brings the security architects and threat modelers onto the field with security operators and threat intelligence. 
We observed that there is a lack of guidance on how to best utilize existing tools and data with ATT\u0026amp;CK to improve existing threat modeling methodologies. This project applies the Four Questions Framework and integrates ATT\u0026amp;CK into existing threat modeling methodologies like Attack Trees. Apply this process to identify critical assets, assess threats, measure existing defensive capabilities, and recommend threat and defense informed mitigations.\nOrganizations of any size or maturity level can use this process to model threats to their own assets using their existing tools and CTI data. Even with this process published and available for all, there remains a need to introduce threat modelers and security operators to this common language. We offer a guided beta test integrating Threat Modeling with ATT\u0026amp;CK into your threat modeling practice.\nTeams that are planning to conduct threat modeling exercises should join this beta. Your team will identify the most likely techniques adversaries will use, evaluate these techniques against your existing defensive capabilities, and recommend security investments in areas of residual risk. Your team will apply the step-by-step threat modeling guidance provided on the Threat Modeling with ATT\u0026amp;CK website to a real threat modeling task in your organization. This is an opportunity to integrate ATT\u0026amp;CK into your threat modeling process. Contact the Center here to participate.\nSecure AI Training Our Secure AI project had a featured role at the Asia-Pacific FIRST conference in 2024, where workshop participants learned how to navigate the ATLAS matrix and case studies and created a new case study and incident report using the new incident page launched through the Secure AI project.\nThe workshop participants represented 17 organizations from 15 countries and all were familiar with MITRE ATT\u0026amp;CK. 
For most it was their first hands-on experience with the unique adversarial attacks that have been leveraged against AI systems in real-world incidents and realistic red-teaming demonstrations. Join the AI-incident sharing program here.\nThreat-Informed Defense is a Continual Process In March 2024, the Center undertook the ambitious effort to Measure, Maximize, and Mature Threat-Informed Defense (M3TID). M3TID created an actionable definition of threat-informed defense and its associated key activities, and a formalized approach to measure your threat-informed defense. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged. M3TID gives organizations the ability to measure the current state of their defense, to identify and prioritize areas to advance, and a repeatable method to track their progress.\nIn 2025, the Center will deliver a survey for organizations to calibrate their posture. Completing the survey will generate actionable recommendations as to how to improve. In addition, the Center will debut training for defenders at the March 2025 APAC ATT\u0026amp;CK Community Workshop in Singapore. This training will cover topics in each component area, leading to a holistic advancement of threat-informed defense in your enterprise.\nIt Takes a Village Threat-informed defense changes the game on the adversary, and it will always be a team sport. We are grateful for your feedback on the products of our research, on how you use Center resources, and the content of our trainings, workshops, and other engagements. We aim to create widely used, easily accessible, and practical resources through our R\u0026amp;D program. That is only possible with community support and engaged Center Participants. Your feedback is key to evolving our work and maximizing its impact. 
Your hard problems and ideas inform our R\u0026amp;D program.\nPlease read the rest of our 2024 R\u0026amp;D Roadmap Update\nPart One Good Work Becomes Better Work and Part Three Threat-Informed Defense Applies Broadly Stay informed — Be the first to know about R\u0026amp;D project releases by signing up for our newsletter and following us on LinkedIn.\nUse Center R\u0026amp;D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Letting us know how you are using Center R\u0026amp;D allows us to continually refine our work, making it more accessible and impactful.\nJoin us to advance Threat-Informed Defense — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT\u0026amp;CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. 
If this sounds like your organization, learn more here about how to become a Center Participant.\n","link":"/blog/2024/11/22/share-the-how-2024-rd-roadmap-update/","tags":["R\u0026D Roadmap"],"title":"Share the How – 2024 R\u0026D Roadmap Update – Part Two","type":"blog"},{"banner":"img/banners/good-work-becomes-better.webp","categories":["Blog"],"contents":" “Threat-Informed Defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.”\nIt identifies known adversary behavior, relevant to an organization’s threat model, and fosters a community-driven approach to enable an organization to proactively defend, self-assess, and improve defenses against those known threats.\nGood work becomes better work The three dimensions of threat-informed defense are:\nCyber Threat Intelligence: knowing the adversary, their objectives, and their tactics, techniques, and procedures (TTPs). Defensive Measures: implement prevention, detection, and mitigation tailored to known threats. Testing \u0026amp; Evaluation: assess defenses by emulating realistic adversary behaviors and TTPs. We observed which prior Center publications are impactful to the community, and we heard from you how our research can provide further solutions. Some of our 2024 projects build upon Summiting the Pyramid, Security Capability Mappings, and Attack Flow.\nSummiting the Pyramid — detection that resists adversary evasion Many analytics depend on specific tools or artifacts, making them susceptible to low-cost evasion techniques by adversaries. In September 2023, we published the Summiting the Pyramid (STP) methodology that defines and quantifies robustness, or how difficult it is for adversaries to evade certain detections. 
In practical terms, the project resources include a framework for scoring robustness and a repository of scored analytics, including analytic improvements.\nSince that release, we have observed community adoption and application of STP, including an “STP score” field in Sigma analytics and real-world assessments that evaluate and improve detection rule resilience by applying the STP framework at scale.\nMotivated by your use of STP, we extended our research to relate analytic precision and recall to robustness, and to cover network observables. STP now provides guidance on how to build robust detections, focusing on precision, accuracy, and resistance to adversary evasion. These materials will be available to all in December 2024. In addition to the practical guidance, you will also find visuals that break down technique implementations and identify observables for detections, and frameworks to score both host-based events and network traffic observables.\nThis is ongoing research, and your examples will drive us to our next solution. Please stay involved with Summiting the Pyramid by:\nSending additional observables to add to our Model Mapping Pages, both for our host-based and network traffic models\nProviding your worked examples to add to our scored analytics repository\nSecurity Capability Mappings Over the Center’s five years, the mappings program has grown to represent one-fourth of all Center research, with over half of our members participating across cloud platforms, security controls, incident sharing, and more. We have united these individual efforts and our future work into Mappings Explorer.\nATT\u0026amp;CK is updated to a new major version twice per year, and security vendors constantly change their offerings. As a result, the snapshots of capabilities contained in the mappings projects quickly fall out of date and no longer reflect current adversary techniques or defensive measures. 
We now update all mappings resources to the current version of ATT\u0026amp;CK on an ongoing basis.\nSecurity capability mappings correlate the defensive measures you have procured to the threats that keep you awake. You will see updated mappings resources released to the community about every six weeks, starting in December 2024 with an update to our AWS mappings from ATT\u0026amp;CK v9 to ATT\u0026amp;CK v16.\nWe previously created a methodology to map Common Vulnerabilities and Exposures (CVEs) to ATT\u0026amp;CK. Now we focus on CVEs that the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed as exploited in the wild: the Known Exploited Vulnerabilities (KEV) Catalog. The Prioritize Known Exploited Vulnerabilities with ATT\u0026amp;CK project bridges threat management and vulnerability management by connecting CVEs that have been exploited to the impact of their exploitation, and will be available to you in February 2025.\nWe also endeavor to map security capabilities in hardware to adversary behaviors in Security Stack Mappings — Hardware-Enabled Defense. In this project we will extend our mappings methodology to determine how hardware capabilities, in tandem with an operating system, can:\nidentify the potential occurrence of a (sub-)technique,\nlimit the impact of a (sub-)technique, or\nprovide actions to take for a detected (sub-)technique.\nSuch integration is essential for proactive and robust threat-informed defense in enterprise environments. We will include emulation plans to demonstrate the effectiveness of the hardware capability alongside anti-virus or endpoint detection and response software features. These results will be published in January 2025 and apply to billions of enterprise-class systems worldwide.\nThe Cyber Risk Institute (CRI) built a financial sector profile of the NIST Cybersecurity Framework, tailoring the framework to financial sector needs. 
Our Threat-Informed Defense for the Financial Sector project will map the CRI profile to adversary behaviors, giving cyber defenders in financial services organizations resources for threat-informed analysis and decision-making.\nIn addition to mappings that are tailored to sector-specific needs, we will map adversary behaviors to a technology platform. Threats to cloud computing cover multiple security domains, objectives, and aspects of cloud technology. Our Threat-Informed Defense for Cloud research will create a common technical foundation for implementing cloud-native capabilities to mitigate threats to cloud environments.\nSee Adversary Behaviors in Attack Flow We built Attack Flow as the data model for representing sequences of adversary behaviors.\nTo defend against adversaries’ attacks, we must understand the sequence of behaviors. We have a data model with a web application that allows you to build and visualize those attack flows. But Attack Flow as it stands today has left some users wanting to get started faster, and our Flow Visualization project will remedy that. Flow Visualization will make this powerful data model easier to adopt by providing a new user guide to Attack Flow Builder and template visualizations for important use cases. We will also build more flows into our set of examples.\nIn the next part of this 2024 Center Roadmap update, please read about our second guiding principle: Share the How.\nThis is Part One of the Center’s 2024 R\u0026amp;D Roadmap Update. Please read Part Two and Part Three and then…\nJoin us to advance Threat-Informed Defense — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of ATT\u0026amp;CK. With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. 
If this sounds like your organization, learn more here about how to become a Center Participant.\n","link":"/blog/2024/11/22/good-work-becomes-better-work-2024-rd-roadmap/","tags":["R\u0026D Roadmap"],"title":"Good Work Becomes Better Work – 2024 R\u0026D Roadmap Update – Part One","type":"blog"},{"banner":"img/banners/attack-con-5-updates.png","categories":["Video"],"contents":"Jon Baker of MITRE\u0026rsquo;s Center for Threat-Informed Defense celebrates the Center\u0026rsquo;s 5th anniversary, detailing what they\u0026rsquo;ve done, but also what new research is coming out to help cyber defenders.\n","link":"/videos/center-updates-attack-con-5/","tags":["ATT\u0026CKcon"],"title":"Updates from the Center for Threat-Informed Defense - ATT\u0026CKcon 5.0 Day 2","type":"videos"},{"banner":null,"categories":null,"contents":"","link":"/index.json","tags":null,"title":"","type":"json"},{"banner":"img/events/attack-con-5.png","categories":["Events"],"contents":"ATT\u0026amp;CKcon unites the MITRE ATT\u0026amp;CK® user community annually to share lessons learned, new ideas, and advance adoption of ATT\u0026amp;CK and threat-informed defense.\nThis year’s event holds special significance as we commemorate the 5th anniversary of the Center for Threat-Informed Defense’s launch. In addition to a special anniversary reception at ATT\u0026amp;CKcon, the Center will host its advisors and members before ATT\u0026amp;CKcon kicks off for strategic discussions of the Center and our roadmap. 
Then on Thursday, the Center will host a free training session, open to all, to drive community-wide advancement of threat detection capabilities.\nGet Involved ","link":"/events/attack-con-5/","tags":["ATT\u0026CKCon"],"title":"Center for Threat-Informed Defense at MITRE ATT\u0026CKcon 5.0","type":"events"},{"banner":"img/2023_impact_report.png","categories":[],"contents":"Illustrating Our Approach to Collaborative R\u0026amp;D The Center for Threat-Informed Defense’s third annual Impact Report delivers insight into the impact of the Center’s public interest R\u0026amp;D and the latest advancements in threat-informed defense. The 2023 report highlights seven new freely available resources that will help organizations implement a threat-informed defense and showcases Center participant perspectives on the value of collaborative R\u0026amp;D. The Center’s unique approach to public interest R\u0026amp;D unites industry with the common purpose to advance threat-informed defense.\nDownload the 2023 Impact Report\nSee Other Annual Impact Reports: 2021 Impact Report, 2022 Impact Report, 2024 Impact Report\nBecome a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. 
","link":"/resources/2023-impact-report/","tags":["Impact Reports"],"title":"2023 Impact Report","type":"resources"},{"banner":"img/banners/secure-ai.png","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"A collaboration with MITRE ATLAS™ to advance security for AI–enabled systems that takes a threat-informed approach, enables rapid exchange of new threat information, and provides mitigation strategies.\n","link":"/projects/secure-ai-v1-0/","tags":["Artificial Intelligence"],"title":"Secure AI v1.0","type":"projects"},{"banner":"img/banners/secure-ai.png","categories":["Blog",""],"contents":" The Secure AI research project is a collaborative effort between MITRE ATLAS™ and the Center for Threat-Informed Defense (Center) designed to facilitate rapid communication of evolving vulnerabilities in the AI security space through effective incident sharing. This research effort will boost community knowledge of threats to Artificial Intelligence-enabled systems. With AI technology and adoption advancing exponentially across critical domains, new threat vectors and vulnerabilities are emerging every day, and they require novel security procedures.\nIn partnership with AttackIQ, BlueRock, Booz Allen Hamilton, CATO Networks, Citigroup, CrowdStrike, FS-ISAC, Fujitsu, HCA Healthcare, HiddenLayer, Intel Corporation, JPMorgan Chase Bank, Microsoft Corporation, Standard Chartered, and Verizon Business, we deployed a system for improved AI incident capture and added new case studies, techniques, and mitigations to the ATLAS knowledge base. These case studies illustrate novel AI attack procedures that organizations should be aware of and defend against.\nRapid Information Sharing for AI Incidents Organizations across government, industry, academia, and nonprofit sectors continue to incorporate AI components into their software systems. 
Commensurately, incidents involving these systems will increasingly occur. Standardized and rapid information sharing about these AI incidents will empower the entire community to improve the collective defense of such systems and prevent external harms. Sharing information about the affected AI artifacts, affected system and users, attacker, and incident detection can be vital to improving those defenses. For this reason, we focused on aligning the capture of information for AI incident expression with existing cybersecurity standards, using a STIX 2.1 bundle as our basis.\nIncident Sharing Portal Landing Page This project developed the AI Incident Sharing initiative as a mechanism for a community of trusted contributors to both receive and share protected and anonymized data on real world AI incidents that are occurring across operational AI-enabled systems. Just as MITRE operates CVE for the cyber community or ASIAS for the aviation community, this AI Incident Sharing initiative will serve as the safe space for AI assurance incident sharing at the intersection of the industry, government, and extended community. In capturing and carefully distributing the appropriately sanitized and technically focused AI incident data, this effort aims to enable more data driven risk intelligence and analysis at scale across the community.\nThe first version of the AI Incident Sharing website launched in September at https://ai-incidents.mitre.org/.\nReport an AI Incident Case Studies About Attacks Against AI-Enabled Systems Expand Community Knowledge Since AI-enabled systems are susceptible to both traditional cybersecurity vulnerabilities and new attacks that exploit unique characteristics of AI, we knew mapping these new threats would be a crucial aspect of securing organizations against those unique and emergent attack surfaces. 
For this release, we identified a swath of new case studies based on real-world attacks or realistic red teaming exercises, designed to inform organizations about the latest threats to AI-enabled systems. We highlight one case study below; the rest are published as part of ATLAS’s most recent update:\nShadowRay AI Infrastructure Data Leak: In late 2023, the Ray software team addressed multiple newly discovered vulnerabilities, including a lack of authorization in the Jobs API that was absent from security scans because of an ongoing dispute about whether it was a feature or a vulnerability. As a result, unknown attackers were able to use the vulnerability over a span of seven months to invoke arbitrary jobs on the remote host with access to Ray production clusters, allowing for the theft of sensitive information and unauthorized use of compute power to mine cryptocurrency. The cost to victims for the hijacked machines and compute time was estimated at almost $1 billion. Through our research on these case studies, we added the following new techniques to the ATLAS matrix:\nAcquire Infrastructure: Domains (Tactic: Resource Development)\nErode Database Integrity (Tactic: Impact)\nDiscover LLM Hallucinations\nPublish Hallucinated Entities\nUpdated ATLAS Matrix The Secure AI research participants also collaborated to identify other cutting-edge threats against AI-enabled systems, such as:\nPrivacy/Membership Inference Attacks: Organizations need to prepare for membership inference attacks. Booz Allen Hamilton gathered resources that illustrate the existing Exfiltration via ML Inference API: Infer Training Data Membership technique. These resources highlight the way that adversaries can infer whether a data sample was a member of a model’s training set, raising privacy concerns and risking the leak of private information or intellectual property. 
Another example involved researchers recovering over 10,000 examples of training data from ChatGPT for only $200 in query cost. A membership inference attack was then used to distinguish which recovered examples were hallucinated and which were genuine memorized training data, exfiltrating data that contained personally identifiable information.\nLLM Behavior Modification: Standard Chartered helped identify the potential for attackers to modify the behavior of large language models (LLMs) whose weights they can access and modify. Malicious threat actors can then use known techniques to effectively switch off current alignment methods and gain access to powerful models that are now unaligned. Potential uses for this type of unaligned model include assistance with cyber attacks, biological or chemical weapon production, and human sentiment manipulation.\nLLM Jailbreaking: Verizon showcased an attacker who repeatedly posts demonstrations of jailbreaking the latest generative AI models, including text and image generators. The X user — Pliny the Prompter — has also released on GitHub a repository of jailbreaking methods that work against frontier models, further illustrating the LLM Jailbreak technique.\nTensor Steganography: Borrowing the concept of steganography from cybersecurity, tensor steganography allows an attacker to hide either data or malware within a model. In a recent example, researchers at HiddenLayer hid a payload inside ResNet18, an open-source image recognition model, that automatically executed Quantum ransomware.\nRelevant Mitigations Identifying novel vulnerabilities and attack methods is an important first step in improving the security of our AI-enabled systems. However, the increased adoption of AI within existing systems means that mitigating those vulnerabilities is critical to organizational success across the AI lifecycle. 
That’s why the ATLAS knowledge base also includes mitigations: security concepts and classes of technologies that can be used to prevent a (sub)technique from being successfully executed against an AI-enabled system. In addition to identifying new case studies and attack techniques, we also collaborated on identifying new mitigations that can help minimize or prevent harms within AI-enabled systems. These included:\nGenerative AI Model Alignment: A model’s alignment with safety, security, and content policies can be improved when training or fine-tuning it, using techniques such as Supervised Fine-Tuning, Reinforcement Learning from Human or AI Feedback, and Targeted Safety Context Distillation.\nGuardrails for Generative AI: Based on ongoing efforts by organizations such as NIST and FS-ISAC, guardrails refer to measures within a GenAI model’s structure that limit the model’s output. These guardrails allow the model to adhere to model objectives, content guidelines, and model safety and security. By defining out-of-bounds and unacceptable behaviors and outputs and using real-time output monitoring, organizations can use these guardrails to ensure that generated outputs stay within scope and fulfill the intended purpose.\nGuidelines for Generative AI: Guidelines are safety controls placed between user-provided input and a generative AI model to direct the model to produce desired outputs and prevent undesired outputs.\nAI Bill of Materials: Generating an AI bill of materials (AI BOM) containing information about the raw AI model, sub-AI systems, and the wider AI-enabled system components, and delivering it to the end user, allows improved detection of vulnerable AI artifacts used to create the target ML model, such as pre-trained models and datasets. 
\nAI Telemetry Logging: Intel emphasized the importance of this mitigation, which relies on logging to collect events related to access to AI models and artifacts, including inference API invocations. Monitoring these logs also helps detect security threats and limit impact.\nATLAS and ATT\u0026amp;CK Integration As the ground truth of adversarial TTPs for traditional cybersecurity, MITRE ATT\u0026amp;CK® is already widely adopted within the security community. ATLAS is modeled after and complementary to ATT\u0026amp;CK in order to raise awareness of the rapidly evolving vulnerabilities of AI-enabled systems as they extend beyond cyber. To continue facilitating an improved understanding of these vulnerabilities and how they relate to and differ from the TTPs seen within ATT\u0026amp;CK, we have synchronized updates between the two knowledge bases. When ATT\u0026amp;CK releases a new version, ATLAS will update in kind.\nThe ATLAS STIX data has been updated to include ATT\u0026amp;CK Enterprise v15.1, and the ATLAS matrix is now expressed as a STIX 2.1 bundle following the ATT\u0026amp;CK data model. That ATLAS STIX 2.1 data has been combined with the ATT\u0026amp;CK Enterprise data and can be loaded as domain data in the ATLAS Navigator.\nATLAS Integrated into ATT\u0026amp;CK Navigator Get Involved Our collective research has provided actionable documentation of novel threat vectors for AI-enabled systems, steps for mitigating those novel threats, and improved incident capture for AI incidents. But we’re not done. AI security needs evolve as new AI applications are adopted. We welcome community feedback and additional suggestions for other real-world attacks that can be included in future work as we advance community awareness of threats to AI-enabled systems. 
There are several ways you can get involved with this and other projects to continue advancing AI security and threat-informed defense:\nTest out the new AI incident sharing form and report ongoing threats your organization has witnessed. Review the new case studies, adversarial techniques, and mitigations, then tell us what you think. Share your additional case studies, tools, or resources that can help our community understand and make threat-informed decisions for AI-enabled systems. Contact us at ctid@mitre.org for any questions about this and future AI security work.\n","link":"/blog/2024/09/30/threat-informed-defense-to-secure-ai/","tags":[],"title":"Threat Informed Defense to Secure AI","type":"blog"},{"banner":null,"categories":null,"contents":" Strategic Guidance to Change the Game on the Adversary The Advisory Council provides strategic guidance and executive advocacy in support of the Center's mission. Advisors apply their executive experience to guide the Center as we evolve our strategy, model, and approach to advancing threat-informed defense. Advisors increase the Center’s impact and support the Center’s growth leveraging their connections and influence. 
Learn More about Joining the Center Council Goals Impact Focus on visibility, accessibility, and applicability of projects.\nGrowth Advise on growth strategy and membership goals.\nModel Evolve the business model and shape new programs.\nFocus Recommend and Evaluate new Focus areas.\nAdvisors Advisors are senior level executives from the Center's Founding Participant organizations and Research Partner organizations.\nCarl Wright Chief Commercial Officer\nAttackIQ\nFounding Research Partner\nJoe Opacki Senior Vice President, InfoSec Executive\nBank of America\nFounding Research Partner\nElvis Veliz Managing Director, Offensive Security \u0026amp; Vulnerability Management\nCiti\nFounding Research Partner\nJoel Spurlock Vice President, Data Science\nCrowdStrike\nResearch Partner\nMichael Daniel President and Chief Executive Officer\nCyber Threat Alliance\nFounding Non-Profit\nDerek Manky Chief Security Strategist \u0026amp; VP Global Threat Intelligence/ Fortinet\u0026#39;s FortiGuard Labs\nFortinet\nResearch Partner\nSyoichi Kanzaki Senior Expert, National Security Business Unit\nFujitsu\nFounding Research Sponsor\nTJ Bean Chief Information Security Officer\nHCA Healthcare\nFounding Research Partner\nHeath Montembeault Global Head of Applied Cyber Threat Research\nJPMorgan Chase Bank\nFounding Research Partner\nDerek Whigham Chief Product Owner, Chief Security Office\nLloyds Banking Group\nResearch Partner\nBriony Shipman Head of Cyber Defence\nLloyds Banking Group\nResearch Partner\nKarthik Selvaraj Partner Director Security Research\nMicrosoft\nFounding Research Partner\nDr. 
Martin Otto Head of Cybersecurity Research US\nSiemens AG\nFounding Research Sponsor\nAlex Pinto Associate Director, Security Research - DBIR\nVerizon Business\nResearch Partner\n","link":"/advisory-council/","tags":null,"title":"Advisory Council","type":"page"},{"banner":null,"categories":null,"contents":"Individual Contributors The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization operated by MITRE. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally.\nComprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT\u0026amp;CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations.\nWe are frequently asked how individual contributors can participate in the Center\u0026rsquo;s work. While we do not offer a membership level for individuals, we do encourage individuals to engage with our R\u0026amp;D projects. This page describes a range of ideas for individuals to make meaningful, and impactful contributions.\n","link":"/contributors/","tags":null,"title":"Individual Contributors","type":"page"},{"banner":null,"categories":null,"contents":" Leslie Z. Anderson Chief Cyber Strategist and Head of Threat-Informed Defense Programs\nLeslie leads the MITRE Center for Threat-Informed Defense and ATT\u0026amp;CK Evaluations programs, advancing practical cybersecurity through the application of real-world adversary behaviors. She drives the strategic integration and evolution of MITRE’s open-source frameworks and community-driven resources, empowering organizations to improve their defensive posture. Most recently Leslie served as chief strategist for cyber operations integration at MITRE, and she played a key role in launching the company’s efforts to bridge commercial innovation with government. 
Suneel Sundar Director of R\u0026amp;D\nAs the Director of Research \u0026amp; Development in the Center for Threat-Informed Defense, Suneel leads and executes the Center’s research program with MITRE engineers, private sector partners, and U.S. government organizations that makes cyber attackers’ lives difficult. Suneel teaches Iyengar yoga in San Diego and over Zoom.\nDenise Davenport Director of Member Services\nAs the Director of Member Services, Denise works closely with Center Members, ensuring productive, collaborative relationships aligning their work with the Center’s mission. Her career in association management has afforded her the opportunity to work with members from a variety of backgrounds and professions, including community association managers, attorneys, civil engineers, and Enrolled Agents.\nMike Cunningham R\u0026amp;D Program Manager\nAs R\u0026amp;D Program Manager in MITRE’s Center for Threat-Informed Defense, Mike is responsible for project execution and vision. He continuously advances the state of the art and the state of practice in threat-informed defense through cutting-edge research and innovation. Before joining MITRE, Mike was an Interactive On-Net Operator in Tailored Access Operations at the NSA. In his spare time, Mike cherishes quality time with his wife and three daughters. He also enjoys playing music, staying fit, and basking in the San Diego sun.\nTiffany Bergeron Chief Architect, Mappings Program\nAs the Chief Mappings architect, Tiffany oversees all Center projects related to MITRE ATT\u0026amp;CK mappings, including the Mappings Explorer website, security platform mappings, and security control framework mappings.\nAllison Robbins Lead Developer\nAs a UX Engineer for the Center, Allison is responsible for the design and implementation of the Center’s web properties, including this site, Mappings Explorer, ATT\u0026amp;CK Sync, Top ATT\u0026amp;CK Techniques, and more! 
","link":"/our-team/","tags":null,"title":"Our Team","type":"page"},{"banner":null,"categories":null,"contents":"Center for Threat-Informed Defense Branding These logos for the MITRE Center for Threat-Informed Defense are provided here for our threat-informed defense community to use in support of the Center’s research; they must not be used to endorse or promote products or services. To request permission to use the logo, please email ctid@mitre.org with your contact information and planned usage of the logo.\n","link":"/brand/","tags":null,"title":"Our Brand","type":"page"},{"banner":"img/banners/threat-detection-maturity.png","categories":["Video","Detection Engineering"],"contents":"Many threat detections are easily evaded by sophisticated adversaries. Systematically improving detection capabilities is a challenge for many organizations. In this video, Michaela Adams and Jacob Shorr discuss how the Summiting the Pyramid (STP) framework can help. STP measures the robustness of detection rules, leading to more effective security. Jacob shares how he and the team at Accenture leverage STP to help their clients rapidly evaluate and mature their cyber defenses.\n","link":"/videos/threat-detection-maturity/","tags":[],"title":"Threat Detection Maturity: Applying Summiting the Pyramid at Scale","type":"videos"},{"banner":"img/banners/chess.jpg","categories":["Blog","Cyber Threat Intelligence"],"contents":" Describing adversarial behaviors in the form of tactics, techniques, and procedures (TTPs) using MITRE ATT\u0026amp;CK® revolutionized detection and response. Focusing on TTPs creates an opportunity for high-fidelity detection of adversaries. If we can detect a behavior, the adversary will need to change behaviors — increasing cost and risk for the adversary.\nDetecting adversary behaviors is challenging. 
There are often many approaches to implementing a single behavior, and adversaries commonly use native capabilities (living off the land), making it difficult to differentiate adversary activity from normal user activity.\nAdversary TTPs occur in sequences. Understanding these sequences creates an opportunity to improve detection. If we know that Phishing is followed by Process Injection and then Hijack Execution Flow, we can begin looking for this pattern of TTPs. This sounds good in theory, but how does a defender know which behaviors are likely to have occurred together?\nThe Technique Inference Engine (TIE) uses a machine learning model trained on cyber threat intelligence to recommend likely TTPs based on a known input TTP. TIE will help analysts quickly understand what is likely to have happened next based on a broad corpus of threat intelligence. In collaboration with experts from Citigroup, Cyber Threat Alliance, Fortinet, Google Cloud, HCA Healthcare, IBM Security, Lloyds Banking Group, Tenable, and Verizon Business, we have built TIE to be a practical resource with immediate benefit for all security teams and designed it to easily enable further research and innovation.\nTechnique Inference Engine Landing Page The right dataset is critical for prediction Having the right dataset is critical to the predictive nature of the model. We identified four key attributes of our dataset to ensure our model delivers relevant results.\nThe data is based on real-world observations of adversary activity.\nThe data represents sets of techniques that have occurred as part of the same activity.\nThe data contains multiple implementations covered by each technique.\nThe model has sufficiently many TTP examples to discover trends in activity and avoid bias towards predicting the most common or popular techniques.\nWe exclude contrived or speculative data. 
For our purposes, we did not augment the data set with artificial data, to avoid introducing non-existent associations between techniques. Cyber threat intelligence (CTI) reports meet all the above criteria, as they are crafted through expert analysis of cyber intrusions and observed adversary activity. By combining data used in previous Center research projects, CTI repositories, and contributions from our research partners, we assembled over 6,200 reports, covering 96% of the techniques in ATT\u0026amp;CK.\nA common challenge among machine learning and threat-informed defense research is obtaining sufficient data to develop effective models. To support future research, we published our training data, which includes attributes such as campaigns, CTI references, and technique frequency, to encourage researchers to build new models and discover novel associations.\nThe Model Our recommender model uses a simple and powerful method to characterize each technique in the training data. This approach delivers technique predictions in a fraction of a second and is written in a way that is easily interpreted by security teams and machine learning experts alike. Advanced users can launch our code in a Jupyter notebook to adjust model parameters, retrain the model with a custom data set, and more.\nTechnique Inference Engine Context is crucial in information fusion. Security teams require more than just a list of techniques to respond to incidents, emulate the adversary, or derive actionable threat intelligence. To make our predictions accessible to the broadest possible audience, we built TIE to run directly in your browser.\nTechnique Inference Engine Web Interface The web tool is the most accessible way to get a complete picture of the adversary. TIE uses on-device machine learning to predict related techniques — no information is sent over the network or stored. The predicted techniques can be organized by technique name, rank, or tactic. 
Filter results based on inference score, threat actor, campaign, or platform. Use TIE to visualize results through ATT\u0026amp;CK navigator to add emphasis via a heatmap or compare to other reports in a common format.\nTIE Supports ATT\u0026amp;CK Navigator Export We’re delighted to provide the community with a tool that gives defenders a way to identify what you don’t detect. Our documentation walks through each step of our research and has examples of how TIE augments new lead generation for SOC teams, improves post-mortem incident analysis by filling in potential reporting gaps, and can create more comprehensive adversary emulation plans.\nCommunity involvement makes us better! Building solutions that improve threat-informed defense is a community effort. Here are a few ways to stay involved:\nUse our inference engine and share your feedback. Github issues are the best way to send questions, bug reports, and feature requests. Retrain the model for better results. When you share new training data with us, our automation retrains the model and publishes an updated version of the site. If you create a model that bests our Technique Inference Engine — we’d love to hear about it! 
Email us at ctid@mitre.org for more general inquiries.\n","link":"/blog/2024/09/09/know-your-adversarys-next-move-with-tie/","tags":["Machine Learning"],"title":"Know Your Adversary's Next Move With TIE","type":"blog"},{"banner":"img/banners/chess.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"Know your adversary’s next move with the Technique Inference Engine, a machine learning-powered tool that infers unseen adversary techniques, providing security teams actionable intelligence.\n","link":"/projects/technique-inference-engine/","tags":["Machine Learning"],"title":"Technique Inference Engine","type":"projects"},{"banner":"img/banners/ampersand.png","categories":["Published Projects","Defensive Measures"],"contents":"Defending Operational Technology (OT) with ATT\u0026amp;CK provides a customized collection of MITRE ATT\u0026amp;CK® techniques tailored to the attack surface and threat model for OT environments. Historical attacks against OT and adversarial techniques contained in ATT\u0026amp;CK for Enterprise, ATT\u0026amp;CK for ICS, and other relevant ATT\u0026amp;CK platforms were analyzed to identify and define a reference architecture and threat collection of techniques adversaries could use within an IT/OT hybrid architecture. The resultant resources can be used by organizations that use OT to evaluate and employ security controls for real-world adversary behaviors targeting those environments.\n","link":"/projects/defending-ot-with-attack/","tags":["Operational Technology"],"title":"Defending OT with ATT\u0026CK","type":"projects"},{"banner":"img/banners/ampersand.png","categories":["Blog","Defensive Measures"],"contents":" Critical infrastructure such as electrical generation facilities, water treatment plants, and transportation systems are a lifeline for our communities. Unfortunately, this dependence has made critical infrastructure a prime target for threat actors. 
Furthermore, these systems often lack security measures we see in enterprise networks, making them easier to attack. By identifying the threat landscape and communicating adversary behaviors affecting information technology (IT) and operational technology (OT) systems, organizations can evaluate and employ security controls for real-world adversary behaviors targeting those environments.\nIn collaboration with AttackIQ, Booz Allen Hamilton, Ensign InfoSecurity, Global Cyber Alliance and Siemens, the Center for Threat-Informed Defense created Defending OT with ATT\u0026amp;CK to identify and defend against adversarial techniques that impact operations on critical infrastructure. We created three resources to identify assets and technologies in complex IT/OT environments and present an approach to comprehensively identify adversarial behaviors targeting those systems.\nA threat model methodology A reference architecture A threat collection of unique adversary behaviors This information is essential to implement defensive measures against the techniques that adversaries use against critical infrastructure.\nThreat Model Methodology To ensure a thorough analysis and documentation of potential adversarial techniques, this research project developed a methodology to model threats to a hybrid IT/OT environment that includes multiple domains and provides a customizable and repeatable framework for analyzing and building threat collections. The methodology expands the Center’s Defending IaaS with ATT\u0026amp;CK approach by presenting a comprehensive view of adversary behavior that could impact overall operations within a hybrid IT/OT environment.\nFor Defending OT with ATT\u0026amp;CK, we applied this methodology to identify the assets that constitute the attack surface of a hybrid IT/OT environment. From these assets we developed the reference architecture. 
We then established selection criteria to assess the threats posed by each one of these technologies based on relevant factors, such as operating system risks or industrial control system (ICS) processes affected.\nStep 1. Identify Attack Surface\nIdentify security boundaries and understand the technologies that form their architecture.\nStep 2. Compile Sources\nTo generate a comprehensive picture of adversarial risks, include CTI sources for the listed assets.\nStep 3. Define Selection Criteria\nIdentify which adversarial risks apply to your scenario and asset and omit irrelevant sources.\nStep 4. Select Techniques\nReview and evaluate adversarial techniques for each asset to curate the final collection.\nStep 5. Build Collection\nAssemble the techniques into a custom threat collection to share throughout your organization.\nReference Architecture To determine the attack surface where a threat actor can generate a cyber effect, we developed a reference architecture that aligns with the Purdue Model to visualize the technologies within an IT/OT environment. In defining architectural assets, we considered several factors to ensure comprehensive coverage of risks.\nEvaluate the boundaries between IT and OT systems Identify relevant attack vectors Understand the adversary’s goals when targeting assets that could disrupt or impact operations. This reference architecture provides a common, reusable view of assets and technologies used in IT/OT environments where a threat actor can impact operations. It serves as a framework for depicting assets through functional components across the technology stack of an OT environment in hierarchical levels. All assets depicted in the architecture were mapped to ATT\u0026amp;CK for Enterprise’s platforms or ATT\u0026amp;CK for ICS’ assets, with nine hybrid assets overlapping techniques from multiple domains of ATT\u0026amp;CK. 
The architecture aids in evaluating security boundaries between different operational zones and assessing plausible attack vectors between IT and OT assets.\nDefending OT with ATT\u0026amp;CK Reference Architecture Multi-Domain Threat Collection The Defending OT with ATT\u0026amp;CK threat collection is a set of ATT\u0026amp;CK techniques tailored to the attack surface and threat model for OT environments. To identify and define this multi-domain collection, we analyzed adversarial tactics, techniques, and procedures (TTPs) as contained in ATT\u0026amp;CK for Enterprise, ATT\u0026amp;CK for ICS, and other relevant ATT\u0026amp;CK datasets such as Cloud and Containers. The threat collection is designed to evaluate, plan, and employ mitigating security controls for adversarial techniques within an IT/OT architecture.\nWe utilized the Center’s ATT\u0026amp;CK Workbench to build a custom collection of threats based on a compilation of real-world adversary behaviors documented in ATT\u0026amp;CK v15. ATT\u0026amp;CK Workbench provides the flexibility and customization needed to identify specific adversarial risks associated with the 20 architectural assets outlined in the reference architecture. This process resulted in a comprehensive threat collection comprising 251 techniques and 441 sub-techniques. ATT\u0026amp;CK Workbench streamlined the analysis of threats and facilitated the communication of various risks for each asset. Additionally, we created a custom threat collection that can be exported and shared as a STIX bundle.\nThreat collection for Defending OT with ATT\u0026amp;CK’s Assets in Workbench Recommended Use Cases Organizations looking to tailor research for specific needs can view the collection of techniques using the latest version of ATT\u0026amp;CK Workbench. 
These resources offer a template for organizations looking to extend our approach for their intended use cases, including:\nThreat Intelligence Mapping: Leverage real-world threats to understand how adversarial behaviors might impact assets across an environment. Red Teaming and Penetration Testing: Conduct strategic adversarial simulation and scenarios to comprehensively evaluate real-world risk across the attack surface. Security Architecture and Operations: Develop capabilities for effective threat hunting, response to malicious activity, and eradicating threats within an IT/OT ecosystem. Collaborative Cyber Tabletop Exercises: Assess adversarial risks and compare them with the organization’s existing security technologies. Get Involved There are several ways that you can get involved with this project and help advance threat-informed defense. Please review the project resources, use them, and tell us what you think.\nWe welcome your contributions to help advance Defending OT with ATT\u0026amp;CK in the form of pull requests; please review the contributor notice before making a pull request.\nFor any technical questions or requests, please submit issues on GitHub . You may also contact ctid@mitre.org directly for more general inquiries about the Center for Threat-Informed Defense.\n","link":"/blog/2024/08/14/guarding-the-grid-defending-operational-technology-with-attack/","tags":["Operational Technology"],"title":"Guarding the Grid: Defending Operational Technology With ATT\u0026CK","type":"blog"},{"banner":"img/banners/top-attack-techniques.jpg","categories":["Published Projects",""],"contents":"Top ATT\u0026amp;CK Techniques provides defenders with a systematic approach to prioritizing ATT\u0026amp;CK techniques. 
Our open methodology considers technique prevalence, common attack choke points, and actionability to enable defenders to focus on the ATT\u0026amp;CK techniques that are most relevant to their organization.\nThe Top ATT\u0026amp;CK Techniques Calculator makes building customized top technique lists easy. Users can create a top 10 technique list tailored to their organization.\nThe Top Ransomware Technique List provides a starting point for defending against ransomware attacks and demonstrates how the Top ATT\u0026amp;CK Techniques methodology can be tailored to different use cases.\n","link":"/projects/top-attack-techniques/","tags":["Where To Start"],"title":"Top ATT\u0026CK Techniques","type":"projects"},{"banner":"img/banners/threat-modeling.png","categories":["Published Projects","Cyber Threat Intelligence","Defensive Measures"],"contents":"Threat Modeling with ATT\u0026amp;CK defines how to integrate MITRE ATT\u0026amp;CK® into your organization’s existing threat modeling methodology. This process is intended for universal application to any system or technology stack (large or small) using existing threat modeling methodologies like STRIDE, PASTA, or Attack Trees. To demonstrate its use and applicability to a wide audience of cybersecurity practitioners, we apply this process to a fictional internet-of-things (IOT) system called the Ankle Monitoring Predictor of Stroke (AMPS).\n","link":"/projects/threat-modeling-with-attack/","tags":["Threat Modeling"],"title":"Threat Modeling With ATT\u0026CK","type":"projects"},{"banner":"img/banners/laser-brain.webp","categories":["Blog",""],"contents":" As artificial intelligence (AI) becomes increasingly integrated into various industries, the importance of securing AI-enabled systems cannot be overstated. 
Recognizing this critical need, the Center for Threat-Informed Defense is launching a major initiative to bolster security for AI-enabled systems by enhancing the existing MITRE ATLAS™ framework.\nNew Research Initiative: Secure AI On June 11, 2024, the Center for Threat-Informed Defense launched its most collaborative project to date: the Secure AI research project. This initiative will enhance the community knowledge base of threats to AI-enabled systems and develop strategies to mitigate these risks. A diverse group of industry leaders from the communications, financial, healthcare, and technology sectors has joined to create this community resource. Participating organizations include:\nAttackIQ, Inc. BedRock Systems Booz Allen Hamilton CATO Networks Citigroup CrowdStrike, Inc. FS-ISAC Fujitsu HCA Healthcare HiddenLayer Intel JPMorgan Chase Bank, N.A. Microsoft Corporation Standard Chartered Verizon Business These organizations are contributing their technical expertise and resources to create practical tools and strategies for securing AI systems.\nEnhancing MITRE ATLAS The Secure AI research project is focused on the enhancement of MITRE ATLAS. ATLAS is a globally-accessible knowledge base that documents adversary tactics and techniques observed in real-world attacks and realistic demonstrations from AI red teams and security groups. ATLAS is modeled after and complementary to MITRE ATT\u0026amp;CK®, raising awareness of the rapidly evolving vulnerabilities of AI-enabled systems as they extend beyond cyber. The Secure AI project will:\nExpand the ATLAS knowledge base through incident sharing metrics and mechanisms. Document new case studies within ATLAS that address vulnerabilities in industry-relevant systems, including generative AI. Describe new relevant mitigations based on documented AI incidents. Align ATLAS tactics, techniques, and procedures (TTPs) with the current version of MITRE ATT\u0026amp;CK TTPs. 
Collaboration and Community Involvement The Center for Threat-Informed Defense invites additional industry participants to contribute their technical expertise and funding to this vital research. We are also seeking data contributors who can share AI incident data and insights to enhance the project’s impact. Your participation will assist with these important efforts to build a comprehensive understanding of threats to AI-enabled systems and strengthen the defenses of those systems across industries.\nBy collaborating on this important research, industry leaders will secure AI-enabled systems and protect against emerging cyber threats. Contact us at ctid@mitre.org to join us in this effort and make a lasting impact on the cybersecurity community.\n","link":"/blog/2024/07/16/industry-leaders-expand-threat-informed-defense-to-ai-enabled-systems/","tags":["Machine Learning"],"title":"Industry Leaders Expand Threat Informed Defense to AI Enabled Systems","type":"blog"},{"banner":"img/banners/database-threat-model.webp","categories":["Blog","Cyber Threat Intelligence","Defensive Measures"],"contents":" Cybersecurity teams use threat modeling as a critical component of defensive cyber operations to understand and reduce threats to their systems and environments. To stay up to date on various threats, teams rely on cyber threat intelligence (CTI) reporting. Increasingly, CTI vendors providing these reports characterize adversarial behaviors in the form of tactics, techniques and procedures (TTPs) using MITRE ATT\u0026amp;CK®. Teams need a scalable and repeatable process to combine relevant adversary TTPs with theorized adversarial behaviors used in threat modeling methodologies like Attack Trees, STRIDE, or PASTA.\nRecognizing the need for this process, the Center for Threat-Informed Defense (Center) created the Threat Modeling with ATT\u0026amp;CK project. 
We want cybersecurity teams to integrate ATT\u0026amp;CK into threat modeling methodologies and we want developers to understand and prioritize defenses against relevant threat behaviors. This project unites these defenders under ATT\u0026amp;CK to create more secure systems and environments.\nAt the core of all threat modeling activities are four key questions, outlined in the Threat Modeling Manifesto and used in other popular guides like OWASP’s threat modeling process:\nQuestion 1 — What are we working on?\nQuestion 2 — What could go wrong?\nQuestion 3 — What are we going to do about it?\nQuestion 4 — Did we do a good job?\nThese questions are typically answered using a mix of industry-standard threat modeling methodologies like Attack Trees, STRIDE, or PASTA. Partnering with AttackIQ, Citigroup, HCA Healthcare, Infineon Technologies, JPMorgan Chase Bank, and Verizon Business, the Center’s process provides steps to integrate ATT\u0026amp;CK into existing methodologies to improve your answers to each question above. The process, summarized below, allows your team to leverage your existing CTI data and tools to prioritize the most concerning threat behaviors while striking a balance between theoretical and observed threats. On the Center’s project website, you will find detailed instructions, videos, and examples of each of the below steps applied to a fictional Internet of Things (IOT) device called the Ankle Monitoring Predictor of Stroke (AMPS).\nQuestion 1 — What are we working on? “What are we working on” establishes the ground truth for the system you want to threat model — what it does, what it’s made of, what it talks to, and so on. We realized early on that there wasn’t much standardized guidance out there as to how a team goes about answering this question in a simple and repeatable way. We used data flow diagrams (DFDs) to capture components and information exchanges of a system or application. 
But the question remains: for which components do we build a DFD? More importantly, where in our organization do we get this information?\nFigure 1 AMPS Data Flow Diagram The Center’s process explains relevant documentation, stakeholders, and even recommends a few types of meetings that will improve data gathering. The process also provides a means to identify the critical components within a given system’s DFD: Mission and System decomposition and functional thread analysis. Using this process, analysts can identify critical tasks that must be performed for the system to successfully accomplish its function(s) and highlight the critical components of a system that those critical tasks rely upon.\nQuestion 2 — What could go wrong? “What could go wrong” directly addresses the ‘threat’ portion of ‘threat modeling’. To answer this question, teams typically use a mix of structured threat enumeration methods like Attack Trees, STRIDE, or PASTA to capture and categorize the types of threats against a given component identified in Question 1. Using Attack Trees as an example methodology, the Center’s process provides a step-by-step breakdown of how to best leverage your existing CTI data and tools with ATT\u0026amp;CK as a common language between observed behaviors and theorized capabilities. The Center explains how to include theoretical and evidence-based threat research into your methodology of choice while tailoring each threat’s importance to your specific organizational need.\nFigure 2 “What could go wrong?” answered for AMPS Above is a graphical representation of the process outlined in detail on the Center’s site. Following it will allow your team to accurately prioritize threat behavior by striking the appropriate balance between theory and evidence. Our example illustrates the process with Attack Trees, and is generalizable to handle your method of choice (e.g., STRIDE) in its place. 
In the process you can also use your own CTI to get a comprehensive view of threats against your system.\nQuestion 3 — What are we going to do about it? “What are we going to do about it” is where threat modeling directly impacts and changes your system. You can build your list of potential threats, but the impact comes when you identify means of mitigating those threats. In this step of the process, you compare prioritized threat TTPs from Question 2 to your organization’s security stack to determine whether you have the capability to defend against some of these threats.\nThis is where a detailed understanding of your security stack’s capabilities is necessary. Don’t have intimate knowledge of these capabilities? No problem! The Center’s process applies Mappings Explorer to show how some of the most common technology platform security capabilities map to the ATT\u0026amp;CK framework.\nFigure 3 Where Threat meets Defense for AMPS The Threat Modeling with ATT\u0026amp;CK process overlays threat TTPs and defensive capabilities to determine which relevant TTPs can be mitigated and to what extent. The result is a map of the residual risk posed by TTPs given your current security posture. The Center recommends a few ways to search for mitigations to these residual risk TTPs and chief among them are those mitigations recommended in each technique or sub-technique’s page on ATT\u0026amp;CK’s website.\nQuestion 4 — Did we do a good job? 
“Did we do a good job” is a chance to pause and reflect on the success of your modeling activities.\nFigure 4 Secondary review is a chance to reevaluate the AMPS threat model While out of scope for the Center’s work, this step of the process poses high-level questions to evaluate the impact of your work and determine when to reevaluate your threat models.\nAnticipate and Mitigate This process bridges the gap between industry-standard threat modeling methodologies and ATT\u0026amp;CK, enabling cyber defenders to focus on the activity of threat modeling with understanding of adversary behaviors. Meaningful integration of ATT\u0026amp;CK creates a threat-informed process and helps practitioners focus priorities and understand how an adversary could compromise systems. The creation of this threat modeling process enables organizations of any size or maturity level to model threats to their own assets and in their own environments in combination with their existing tools and CTI data. Visit our site for the entire process along with examples and tutorial videos. Don’t wait! Become the model for threat modeling today!\nGet Involved We want to hear from teams out there who have brainstormed their own ways to integrate ATT\u0026amp;CK into threat modeling methodologies. We’d also love to hear from anyone else who gives the process a try. Your feedback and any examples trying this on your own systems would continue to advance the standard process of Threat Modeling with ATT\u0026amp;CK. For any general or technical questions contact ctid@mitre.org directly.\n","link":"/blog/2024/07/08/turn-your-threat-model-to-supermodel-with-attack/","tags":["Threat Modeling"],"title":"Turn Your Threat Model to Supermodel with ATT\u0026CK","type":"blog"},{"banner":"img/banners/cwe-calculator.jpg","categories":["Blog",""],"contents":" Project Overview The CWE with Environmental CVSS Calculator brings threat-informed defense into the software development lifecycle. 
The result is better prioritization of weaknesses while software is being created and ultimately guides software engineering teams to develop software with fewer vulnerabilities.\nIn vulnerability management, defenders can prioritize which Common Vulnerabilities and Exposures (CVEs) to tackle first; a scoring system known as Common Vulnerability Scoring System (CVSS) was created to rank and prioritize CVEs. CVSS contains threat-informed elements such as the existence of exploit code. But nothing equivalent has existed for weakness management! CWE Calculator fills this gap by adapting the CWE Top 25 methodology to make it easy for cyber defenders to generate their own, customized CWE rankings.\nWeakness management can overwhelm software development with too many weaknesses, and not enough engineers to investigate and repair them.\nThe Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weaknesses that can become vulnerabilities. Static Application Security Testing (SAST) tools analyze software for potential security issues and associate those issues with a CWE number, e.g. CWE-862: Missing Authorization. Engineers use CWE to understand the nature of the weakness, the ways that adversaries might exploit it, and how to repair the weakness to create more robust software.\nCalculator Tool In partnership with members FIS Global, Fujitsu, and JPMorgan Chase, the Center for Threat-Informed Defense (Center) created the CWE with Environmental CVSS Calculator: CWE tells us what the weakness is; this Calculator answers “so what?” so that engineers can decide “now what?”\nThe CWE with Environmental CVSS Calculator estimates the severity of weaknesses by locating CVEs related to that weakness and averaging their scores together. This empirical approach scores the CWEs based on real-world outcomes and guides software engineers to fix the weaknesses which historically created the most severe vulnerabilities down the road. 
The calculator supports CVSS environmental and temporal factors. These factors allow engineers to model the specific conditions in which their code is expected to run, such as mitigating security controls and confidentiality/integrity/availability requirements. As a result, the Calculator can fine tune the scores to each unique operating environment.\nThe Calculator can be used in a command-line mode that will be familiar to software engineers. The calculator also offers a Dockerized web service that is ideal for integration into continuous integration \u0026amp; deployment (CI/CD) pipelines for integration with automated SAST tools and automated build processes.\nTo learn more, see our GitHub Wiki, which goes over the installation, command line, and web service modes of operation. We welcome your feedback and contributions to continue to advance CWE with Environmental CVSS Calculator. You are also welcome to submit issues here for any technical questions/concerns or contact ctid@mitre.org directly for more general inquiries.\n","link":"/blog/2024/06/21/software-security-now-threat-informed/","tags":[],"title":"Software Security: Now Threat-Informed!","type":"blog"},{"banner":"img/banners/cwe-calculator.jpg","categories":["Published Projects",""],"contents":"The software industry is faced with managing large numbers of software weaknesses (commonly identified by static-scanning tools using CWE ID reference), alongside large numbers of software vulnerabilities (CVEs), which all sit across many assets with differing security requirements. 
The calculator enables software development teams to score and prioritize discovered weaknesses empirically based on data in the National Vulnerability Database (NVD).\n","link":"/projects/cwe-with-environmental-cvss-calculator/","tags":[],"title":"CWE with Environmental CVSS Calculator","type":"projects"},{"banner":"img/banners/summiting_the_pyramid_shmoocon.png","categories":["Video","Detection Engineering"],"contents":"The Center for Threat-Informed Defense presents their “Summiting the Pyramid” research project at Shmoocon, a major cybersecurity conference. Steve Luke, Michaela Adams, and Roman Daszczyszak explain how to describe, characterize, and score the robustness of cyber detections against a sophisticated adversary. This foundational research builds upon David Bianco’s Pyramid of Pain and enables organizations to run more effective threat hunting and threat detection programs.\n","link":"/videos/summiting-the-pyramid-shmoocon/","tags":[],"title":"Shmoocon 2024: Summiting the Pyramid of Pain","type":"videos"},{"banner":"img/banners/hacker-gpt4o.webp","categories":["Blog",""],"contents":" This is the third and final blog post in a series detailing MITRE’s encounter with a state-sponsored cyber threat actor in our research and experimentation network, NERVE. It builds upon the insights shared in our April 19, 2024 post, “Advanced Cyber Threats Impact Even the Most Prepared” and May 3, 2024 post “Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion”. We continue to work across MITRE, including our Information Security Team, to help all security teams understand and defend against this threat.\nIn this post of our series, we provide technical details of new behavior employed by the adversary, who aligns with Google Mandiant’s UNC5221, and how the BRICKSTORM backdoor and BEEFLUSH web shell abused VMs in VMware through a privileged user account, VPXUSER, to establish persistence within the impacted environment. 
We will also provide detection scripts, from MITRE and CrowdStrike, to find this activity in other environments and go over how Secure Boot serves as a barrier against the adversary technique.\nRecap from Parts One \u0026amp; Two In our first blog post, we shared the experience of facing a cyber intrusion that targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) through two Ivanti Connect Secure zero-day vulnerabilities that bypassed our multi-factor authentication. The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials.\nIn our second blog post, we took a deep dive into the technical details of the intrusion, including a timeline of events, indicators of compromise, and malware analysis. Additionally, we disclosed novel aspects not previously reported by Mandiant or other threat intelligence sources, including:\nDetails on the BEEFLUSH web shell; and Unique components of the BUSHWALK web shell seen in our incident. Tactic Technique ID Use Initial Access Exploit Public-Facing Applications T1190 Adversary compromised MITRE\u0026rsquo;s prototyping network through a pair of zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 \u0026amp; CVE-2024-21887) Initial Access Valid Accounts T1078 Adversary leveraged compromised accounts Persistence Server Software Component: Web Shell T1505.003 Adversary installed web shells to maintain persistence Execution Command and Scripting Interpreter T1059 Adversary executed commands and scripts Lateral Movement Remote Service Session Hijacking T1563 Adversary hijacked Pulse sessions for users to move laterally into the VMware environment bypassing Multi-factor Authentication Lateral Movement Remote Services T1021 Adversary attempted several different methods (i.e. 
RDP and SSH) to utilize valid accounts and move across the network Exfiltration Exfiltration Over C2 Channel T1041 Adversary exfiltrated data using their C2 infrastructure Defense Evasion Hide Artifacts: Run Virtual Instance T1564.006 Adversary created staging and persistent VMs within VMware environment Table 1. Notable MITRE ATT\u0026amp;CK® techniques shared in our initial blog\nBefore delving into the techniques employed by the adversary to abuse VMware infrastructure, it is essential to understand the overarching context: the adversary had already gained administrative access to NERVE ESXi infrastructure.\nCreated Rogue VMs Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.\nAs we said in the second post, “On January 5, 2024, the adversary escalated their attack with manipulated VMs and compromised administrative credentials to establish control over the infrastructure. Specifically, their actions included attempted enablement of SSH, destruction of one of their own VMs, and file downloads.”\nThe adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.\nBy deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.\nDetecting Adversary Activity in VMware Ecosystem In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. 
This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.\nWhat to Look for:\nAnomalous SSH Enablement: Keep a close watch for unexpected occurrences of “SSH login enabled” messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity. Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where “SSH session was opened for” messages occur unexpectedly or at unusual times. Tactic Technique ID Use Execution Command and Scripting Interpreter: Python T1059.006 Adversary executed Python scripts Persistence Server Software Component: Web Shell T1505.003 Adversary installed web shells to maintain persistence Persistence Valid Accounts T1078 Adversary logged into hypervisors Defense Evasion Impair Defenses: Disable or Modify System Firewall T1562.004 Adversary enabled SSH on hypervisors Lateral Movement Remote Services: SSH T1021.004 Adversary used SSH to create tunnels Command and Control Protocol Tunneling T1572 Adversary tunneled network communications Command and Control Proxy: Internal Proxy T1090.001 Adversary used an internal proxy Table 2. Notable ATT\u0026amp;CK techniques\nDeploying Rogue VMs As we said in the second post, “Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.”\nThe adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors using SFTP to write files then executed them with /bin/vmx. 
By doing this, these rogue VMs were not discoverable via vCenter, the ESXi web interface, and even some on-hypervisor command-line utilities that query the API.\nThese rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, see blog post 2, that were configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.\nAdversaries often can leverage the vpxuser account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.\nDetecting Rogue VMs Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs. This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. 
Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.\nWhat to Look For: Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:\nvim-cmd vmsvc/getallvms\nesxcli vm process list | grep Display\nComparison of VM Lists: Compare the output of vim-cmd (API-based VM check) with the list of running VMs obtained from esxcli.\nDifferences in the list of VMs between the output of a vim-cmd (that will check for VMs via the API) and the list of running VMs that esxcli sees (which directly queries the host hypervisor) indicate a potential problem. A VM running on a hypervisor that is not seen via the registered VM data via API warrants further investigation as a possible unregistered/rogue VM. Detecting VMware Persistence To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.\nWhat to Look For: Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:\n/bin/vmx -x /vmfs/volumes/\u0026lt;REDACTED\\_VOLUME\u0026gt;/\u0026lt;REDACTED\\_VM\\_NAME\u0026gt;/\u0026lt;REDACTED\\_VM\\_NAME\u0026gt;.vmx 2\u0026gt;/dev/null 0\u0026gt;/dev/null \u0026amp;\nPersistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:\ngrep -r \\/bin\\/vmx /etc/rc.local.d/\ncat /etc/rc.local.d/local.sh\nTactic Technique ID Use Persistence Boot or Logon Initialization Scripts: RC Scripts T1037.004 Adversary modified rc.local scripts on the hypervisor to launch their unregistered VMs Lateral Movement Ingress Tool Transfer T1105 Adversary deployed unregistered VMs directly onto the hypervisor using SFTP Table 3. 
Notable ATT\u0026amp;CK techniques\nSuspicious VMware Detection Scripts MITRE is sharing two scripts designed to identify and mitigate potential threats within the VMware environment. The first script, developed by MITRE, Invoke-HiddenVMQuery is written in PowerShell and serves to detect malicious activities. It scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.\nFurthermore, it checks for the presence of rogue VMs by cross-referencing data obtained from two sources: the vim-cmd utility, which queries VMs via the API, and the list of running VMs retrieved by esxcli, a command-line interface directly querying the host hypervisor. Any VM detected running on a hypervisor but not listed via the registered VM data via API warrants immediate investigation as a potential threat.\nWe are also sharing a PowerShell script, VirtualGHOST, that CrowdStrike prepared to help detect evidence of unregistered VMs using PowerCLI and help scale hunting exercises by executing the scripts remotely. Thanks to CrowdStrike for their collaboration in identifying these adversary tactics, techniques, and procedures (TTPs).\nBy leveraging these scripts, organizations can identify and respond to suspicious activities, bolstering their cybersecurity defenses against evolving threats.\nRecommended Mitigation Strategy Based on consultation with the VMware PSIRT team, the most effective countermeasure to thwart the persistence mechanism is to enable secure boot. Secure boot is a security feature designed to verify the integrity of a host’s boot process, mitigating the risk of unauthorized modifications.\nEnabling secure boot serves as one defense against adversaries seeking to establish persistent access within the VMware environment. 
By verifying the integrity of the boot process, secure boot prevents malicious actors from injecting unauthorized code.\nThis countermeasure aligns with the MITRE ATT\u0026amp;CK Mitigation: Boot Integrity (M1046).\nBy fortifying the boot process with secure boot, organizations can thwart adversaries’ efforts to evade detection and maintain unauthorized access to critical systems.\nFor detailed information on this feature and its implementation, please refer to the following resource: VMware Secure Boot Documentation.\nConclusion As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.\nFor additional IOCs and context, including for more detail on the exploits, backdoors, and C2 involved, please see our prior post.\n","link":"/blog/2024/05/22/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion/","tags":[],"title":"Infiltrating Defenses: Abusing VMware in MITRE's Cyber Intrusion","type":"blog"},{"banner":"img/banners/rsac-2024.png","categories":["Video"],"contents":"The cybersecurity landscape is ever-evolving, and staying ahead of threats requires constant innovation and collaboration. At the recent RSA Conference, industry experts gathered to discuss the latest trends and advancements in the field. One of the On Location Coverage with Sean Martin and Marco Ciappelli was the insightful conversation between Sean and Jon Baker, shedding light on the groundbreaking work being done at MITRE\u0026rsquo;s Center for Threat Informed Defense.\nThe Art of Possible: A Glimpse into RSA Conference 2024\nThe RSA Conference provided a platform for cybersecurity professionals to come together and discuss pressing issues in the industry. 
Sean Martin and Jon Baker\u0026rsquo;s conversation touched upon the theme of this year\u0026rsquo;s conference, \u0026ldquo;The Art of Possible.\u0026rdquo; This theme resonated with the audience as they delved into the dynamic nature of cybersecurity and the need for continual learning and growth.\nMITRE: A Beacon of Innovation in Cybersecurity\nJon Baker, Director of the Center for Threat Informed Defense at MITRE, shared insights into the organization\u0026rsquo;s rich history and its mission to solve problems for a safer world. With a focus on advancing threat informed defense globally, MITRE has been a driving force behind initiatives like the ATT\u0026amp;CK framework and the CVE program.\nCollaborative Research and Development at MITRE\nOne of the key pillars of MITRE\u0026rsquo;s work is collaborative research and development. Through projects like the Technique Inference Engine and Summoning the Pyramid, MITRE is pushing the boundaries of what is possible in cybersecurity. These projects not only aim to enhance detection capabilities but also empower security teams to proactively defend against threats.\nEngaging the Community: How You Can Get Involved\nThe Center for Threat Informed Defense encourages active participation from the cybersecurity community. By leveraging resources like the Top Attack Technique Calculator and M3TID, organizations can enhance their threat intelligence capabilities and improve their defenses. MITRE also hosts global events and training sessions to promote awareness and facilitate knowledge sharing.\nJoin the Movement: Embracing Innovation in Cybersecurity\nAs the cybersecurity landscape continues to evolve, embracing innovation is key to staying ahead of cyber threats. MITRE\u0026rsquo;s Center for Threat Informed Defense offers a roadmap for organizations looking to enhance their security posture and adapt to the changing threat landscape. 
By getting involved, providing feedback, and leveraging the tools and resources available, organizations can contribute to a safer and more secure digital ecosystem.\nClosing Thoughts\nThe conversation between Sean Martin and Jon Baker at the RSA Conference highlighted the critical role of collaboration and innovation in cybersecurity. MITRE\u0026rsquo;s Center for Threat Informed Defense is at the forefront of driving impactful research and development efforts that benefit the entire cybersecurity community. By embracing the spirit of continual learning and advancement, organizations can strengthen their defenses and create a more resilient cybersecurity posture.\nStay tuned for more insights and updates from MITRE\u0026rsquo;s Center for Threat Informed Defense and join the movement towards a safer digital world.\n","link":"/videos/innovations-in-threat-informed-defense/","tags":[],"title":"Innovations in Cybersecurity and Threat Intelligence Solutions | RSAC 2024 | A MITRE Story","type":"videos"},{"banner":"img/banners/morethreat-roadmap.webp","categories":["Blog",""],"contents":" The Center for Threat-Informed Defense released five new projects in the first quarter of 2024, and this momentum will carry through the calendar year. You can use our latest research to advance your understanding of insider threats, make data driven decisions about your defenses, search and explore a rich corpus of security capabilities mapped to MITRE ATT\u0026amp;CK®, and measure your threat-informed defense. 
Through the rest of 2024, we will conduct and publish research in cyber analytics, artificial intelligence (AI), threat intelligence, and threat-informed resources for everyone on your team, from developer to director.\nWithin the Center, our most impactful work comes from enabling innovation across the industry, and we do so in our three Key Problem Areas:\nCyber Threat Intelligence: Increase the operational effectiveness of threat-intel products and advance the global understanding of adversary behaviors. Test \u0026amp; Evaluation: Bring the adversary perspective to cybersecurity test and evaluation to understand true defensive posture. Defensive Measures: Systematically advance our ability to detect and prevent adversary behaviors. Figure 1. Threat-Informed Defense feedback loop What have we done for threat-informed defense in 2024? One part of our Center roadmap in 2024 and beyond is to deliver our research in a format that is easily and widely usable for the global community of defenders. Each of the Center’s 2024 project releases has a dedicated project website that maintains the comprehensive set of project resources.\nIn March 2024, we expanded the Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base. We began our insider threat research with members in 2022, ultimately sharing 31 techniques and 20 sub-techniques used by insiders against IT systems. Now we are up to 47 techniques and 29 sub-techniques, as well as 36 unique mitigations for these documented insider behaviors. We also introduced Observable Human Indicators to the knowledge base; these are objective, quantifiable attributes of insiders that complement the cyber observables. Utilizing the Knowledge Base, cyber defenders across organizations will identify insider threat activity on IT systems and limit the damage.\nFigure 2. Insider Threat TTP Knowledge Base We also continued development of the Sightings Ecosystem. 
The ecosystem fundamentally advances the collective ability to see threat activity across organizational, platform, vendor, and geographical boundaries. Voluntarily contributed raw “sightings” — observations of specific adversary TTPs — are anonymized and aggregated to produce insights into the most commonly used attacker techniques. The Sightings data feeds our own Center research as well, providing evidence of adversary activities that fuels the Top ATT\u0026amp;CK Techniques Calculator (https://center-for-threat-informed-defense.github.io/top-attack-techniques/#/calculator), Summiting the Pyramid, and upcoming Technique Inference Engine. Please share with us how you use the Sightings Ecosystem. See the data and analysis and become a contributor here.\nFigure 3. Sightings Ecosystem In March 2024, the Center undertook the ambitious effort to Measure, Maximize, and Mature Threat-Informed Defense (M3TID). M3TID created an actionable definition of threat-informed defense and its associated key activities, and a formalized approach to measure your threat-informed defense. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged.\nFigure 4. Threat-Informed Defense: Dimensions and Components Security capability mappings correlate the defensive measures you have procured to the threats that keep you awake. Mappings Explorer is a hub for defenders to explore security capabilities mapped to MITRE ATT\u0026amp;CK®. This singular resource enables cyber defenders to understand how various security controls and capabilities protect against the adversary behaviors catalogued in the ATT\u0026amp;CK knowledge base in easily accessible and customizable ways.\nFigure 5. Capabilities that protect against Exfiltration over USB from Mappings Explorer Our latest addition to the Center mappings program and likewise included in Mappings Explorer is Security Stack Mappings — Microsoft 365 (M365). 
Here we share native security capabilities available as part of Microsoft 365 mapped to the ATT\u0026amp;CK techniques that those capabilities can detect, protect, or respond to. End users will make threat-informed decisions about which capabilities mitigate common attacker techniques.\nAnd as always, these resources are available to all on the Center for Threat-Informed Defense website.\nWhat’s next? For 2024, we are committed to extending and expanding on Center products that the community has embraced and deemed impactful.\nDetection Engineering In September 2023, the Center released Summiting the Pyramid to exceptional community reception, including conference talks, podcasts, and especially its inclusion as a Sigma rules tag.\nFigure 6. Create more robust detections with Summiting the Pyramid In gratitude, the Center will further the research in three ways:\nAnalytic precision and recall will create more precise, less false-positive prone analytics without sacrificing robustness. Network robustness scoring. Most defensive evasion techniques focus on the host. We will expand robustness to network-focused data sources. ATT\u0026amp;CK Data Source Scoring and Analysis. We will catalog and score known data sources associated with ATT\u0026amp;CK techniques to provide an initial basis for automated scoring. These data sources also expand the number of observables in the analytic and event observables categories in the STP scoring methodology. These results will broaden the impact of Summiting the Pyramid, creating more robust detections, and further increase cost to the adversary.\nIn 2024 the Center will embark on new research into detecting Ambiguous Techniques used by adversaries; that is, techniques whose observables are not sufficient to determine malicious intent such as System Network Configuration Discovery. 
We will detect malicious implementation of ambiguous techniques by creating Ambiguous Technique Analytics with low false positive rates.\nThis research will have three steps:\nidentify which techniques can be categorized as benign techniques; search Attack Flows to identify co-occurring techniques either before or after ambiguous techniques; and identify core behaviors and observables associated with those techniques for building robust detections. Threat-Informed AI and AI-Informed Defense Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The principles of threat-informed defense apply beyond traditional enterprise cybersecurity. In acknowledgement of that, we expand to threat-informed defense for AI. We must take a holistic view of AI threats and vulnerabilities within the context of the larger system, rather than vulnerabilities of a particular AI model or isolated data. MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) is modeled after and complementary to MITRE ATT\u0026amp;CK. This project will raise awareness of the rapidly evolving vulnerabilities of AI-enabled systems as they extend beyond cyber.\nFigure 7. ATLAS Matrix ca. April 2024 ATLAS is broadly scoped to cover the landscape of threats and vulnerabilities introduced into AI-enabled systems, including adversarial machine learning and elements of cybersecurity. The Center’s Secure AI project will expand the knowledge base of adversary tactics, techniques, and case studies for AI-enabled systems built from real-world observations and red team demonstrations against current systems. In particular, this project will\nIncrease the knowledge base and understanding of real-world threats through incident sharing metrics and mechanisms. This incident sharing effort would include incidents beyond security into equitability, interpretability, robustness, resilience, and privacy. 
Extend the data-driven generative AI (GenAI) focus of MITRE ATLAS by documenting new case studies that address the vulnerabilities of systems that incorporate generative AI. Align the ATLAS Tactics Techniques and Procedures (TTPs) with the current version of ATT\u0026amp;CK TTPs and implement a plan to keep the TTP versions in sync. The Secure AI research will be released to the public in September 2024. The results of Secure AI will form the foundation for future Center work in Securing AI-Enabled Systems. We will continue by:\nDeveloping and publishing strategies to mitigate relevant (high likelihood, high impact) threats to AI-enabled systems. Developing tools and playbooks to emulate threats to AI-enabled systems, allowing defenders to test AI-enabled system defenses against known threats. Our Secure AI proposal inspired our members to propose an orthogonal use case GenAI for Threat-Informed Defense: a threat-informed AI-enabled partner for defenders. We will build a chatbot tailored to support the needs of cybersecurity analysts implementing threat-informed defense. In our small-scale proof-of-concept, we see the capability to accelerate the analysis of cyber threat intelligence (CTI) as well as related tasks such as attribution, reformatting data for ingestion into threat intelligence platforms, building Attack Flows, and visualizing data.\nTechnique Inference Engine and Adversary Capability Calculator When investigating an attack chain, organizations need to prioritize which adversary behaviors to address first. Our Technique Inference Engine (TIE) project creates a model usable by both human analysts and automation platforms to investigate attack chains. Given two or more observed techniques in sequence, TIE will recommend a likely next technique or previous technique. TIE guides analysts, threat hunters, red teamers, investigators, and threat modelers from what technique is seen to what is not-yet-seen. 
Similarly, the Adversary Capability Calculator (ACC) will infer what an adversary could do (capability) from what an adversary has done (ability). This will more accurately calculate risk, both proactively and during a live incident.\nUnderstand Adversary Behaviors Through ATT\u0026amp;CK As part of our research to understand adversary behaviors, we have partnered with Center members to extend ATT\u0026amp;CK’s knowledge bases. We seek to collect evidence of adversarial activities in the telecommunications space for inclusion in ATT\u0026amp;CK for Mobile. Furthermore, the absence of preparatory (PRE) tactics in ATT\u0026amp;CK for Mobile hinders our ability to track, understand, and communicate adversaries’ preparation. So we will research preparatory tactics for mobile and integrating the tactics into ATT\u0026amp;CK for Mobile and across ATT\u0026amp;CK domains.\nCurrently all ATT\u0026amp;CK technology domains use sub-technique objects except ATT\u0026amp;CK for Industrial Control Systems (ICS). To bring sub-techniques into ICS, we must evaluate the technique overlap between ATT\u0026amp;CK for ICS and ATT\u0026amp;CK for Enterprise and realign techniques under the same sub-technique names. This effort further builds the Center’s operational technology (OT) research. In July 2024, the Center will release a customized collection of MITRE ATT\u0026amp;CK techniques tailored to the unique attack surface and threat model for OT as Defending Operational Technology with ATT\u0026amp;CK. Defenders will use the collection to plan and evaluate security controls for organizations that use OT.\nSecurity Capability Mappings Over the Center’s five years, the Mappings Program has grown to represent one-fourth of all Center research with over half our members participating across cloud platforms, security controls, incident sharing, and more. We will unite these individuated efforts and our future work into a Mappings Omnibus. 
ATT\u0026amp;CK is updated to a new major version twice per year, and security vendors constantly change their offerings. As a result, the snapshots of capabilities contained in the mappings projects do not reflect current adversary techniques or defensive measures. With Mappings Omnibus, we update all the mapping resources to reflect the most current version of adversary techniques, in perpetuity.\nWe previously applied the mappings methodology to Common Vulnerabilities and Exposures (CVE). Now we focus on CVEs that the Cybersecurity and Infrastructure Security Agency has confirmed as being exploited in the wild: the Known Exploited Vulnerabilities (KEVs) Catalog. The Prioritize Known Exploited Vulnerabilities with ATT\u0026amp;CK project will bridge threat management and vulnerability management by connecting CVEs that are actively exploited by adversaries to the impact of exploitation. We also endeavor to map security capabilities in hardware to adversary behaviors in Security Stack Mappings — Hardware-Enabled Defense. This will require us to extend our mappings methodology. In this project we will determine how hardware capabilities, in tandem with an operating system,\nidentify the potential occurrence of a (sub-)technique, limit the impact of a (sub-)technique, or provide actions to take for detected (sub-)technique. Such integration is essential for proactive and robust threat-informed defense for enterprise environments.\nThreat-Informed Defense for Developers, Modelers, and Deciders In the course of our M3TID research, we concluded that threat-informed defense can only be maximized and matured when all security practitioners in an organization have committed to it. The Center conducts three projects to extend the principles of threat-informed defense. For the threat modelers, we will publish Threat Modeling with ATT\u0026amp;CK in July 2024. 
It makes adversary techniques in ATT\u0026amp;CK actionable to those who threat model or conduct assessments to enumerate potential threats for systems by using ATT\u0026amp;CK and popular threat modeling methodologies to enumerate threat scenarios for practitioners who are developing systems or applications.\nNext, we turn to the software developers, especially those who are faced with managing large numbers of software weaknesses, identified using Common Weakness Enumeration (CWE), alongside large numbers of software vulnerabilities (CVEs). These weaknesses and vulnerabilities sit across many assets with differing security requirements. We developed the CWE with Environmental CVSS Calculator to compare and prioritize across weaknesses and vulnerabilities. Software development teams can rank discovered weaknesses based on an expected Common Vulnerability Scoring System score, if the weakness is ever exploitable.\nThird, we consider the threat-informed decision maker. Start with our 2022 resource Attack Flow as a graphical approach to understanding sequences of adversary behaviors.\nFigure 8. Attack Flow of breach at Uber by Lapsus$ group The Center’s upcoming Flow Visualization project builds the business case for cyber visualization and contributes new idioms that are relevant industry-wide. This project identifies decision makers, the cognitive tasks carried out by those decision makers, and designs data visualizations to support decision making.\nGlobalize Threat-Informed Defense We are grateful to the global community that has joined us in our mission to advance the state of the art and the state of the practice in threat-informed defense. We highlight the sponsors and participants of our Asia-Pacific ATT\u0026amp;CK Community Workshop: our host Citigroup, and sponsors Acronis, Deloitte, SOC Prime, Lloyds Banking Group, and Fortinet. 
This event in Singapore anchors the Asia-Pacific region into our global series of community events with EU ATT\u0026amp;CK in Belgium, and ATT\u0026amp;CKcon in the U.S. Global adoption leads to impact and community feedback that enhances Center R\u0026amp;D.\nSecond, the Benefactor Program enables the global community to advance critical, public interest cybersecurity programs such as MITRE ATT\u0026amp;CK®, Caldera™, MITRE Engage™, and the Center for Threat-Informed Defense through charitable giving. Our benefactors support independent research in the public interest. We thank Acalvio, Coalfire, NVISO, SOC Prime, Tidal Cyber, and Zimperium for financially supporting our research to change the game on the adversary.\nFigure 9. We scale threat-informed defense through whole community engagement. Get Involved The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. We create widely usable, easily accessible, and practical resources for all. That is only possible with community support and engaged Center Participants. Your operational challenges, shared across organizations, sectors, and regions, incite our impactful solutions. You’ve now read our plans for 2024; tell us what you need most from the Center.\nStay informed — Be the first to know about R\u0026amp;D project releases by signing up for our newsletter and following us on LinkedIn.\nUtilize Center R\u0026amp;D and share your feedback — Using our work to advance threat-informed defense in your organization goes a long way to ultimately changing the game on the adversary. Tell us how you use Center R\u0026amp;D, and we will refine our work to be more accessible and impactful.\nJoin us to support and advance the R\u0026amp;D program — Our Participants are thought leaders with sophisticated security teams that are advanced practitioners of threat-informed defense and users of MITRE ATT\u0026amp;CK®. 
With the understanding that the cyber challenges we face are bigger than ourselves, our members join the Center prepared to tackle hard problems in a uniquely collaborative environment. If this sounds like your organization, learn more here about how to become a Center Participant.\n","link":"/blog/2024/05/02/more-threat-informed-in-more-ways-with-more-defenders/","tags":[],"title":"More Threat Informed in More Ways With More Defenders","type":"blog"},{"banner":"img/events/apac.jpg","categories":["Events"],"contents":"We are grateful to our sponsors and everyone who participated in the 2024 Asia-Pacific ATT\u0026amp;CK Community Workshop.\n2024 marked the inaugural event during which regional security operations practitioners and avid users of MITRE ATT\u0026amp;CK gathered in Singapore, to network, learn, and advance threat-informed defense through hands-on training and practitioner-led lightning talks.\nPresenters from across the Asia-Pacific region shared their work related to ATT\u0026amp;CK whether it’s best practices, worst practices, or something completely different.\nWe invite you to watch and share these insightful talks!\nExplore the talks from 2024 Asia-Pacific ATT\u0026amp;CK Workshop on our YouTube playlist.\n","link":"/events/apac-2024/","tags":["Workshops"],"title":"Asia-Pacific ATT\u0026CK Community Workshop 2024","type":"events"},{"banner":"img/banners/microsoft-365.jpg","categories":["Published Projects","Mappings"],"contents":"The project presents a comprehensive mapping of M365’s native security features against the MITRE ATT\u0026amp;CK® framework, detailing how these capabilities can protect, detect, and respond to cyber threats. By reviewing M365 documentation, the project identifies security actions that can mitigate adversary behaviors, providing a valuable tool for organizations to improve their threat-informed defense strategies.\nThe M365 mappings are part of our Mappings Explorer program. 
Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/security-stack-mappings-microsoft-365/","tags":["Cloud"],"title":"Security Stack Mappings – Microsoft 365 Mappings","type":"projects"},{"banner":"img/banners/m3tid.jpg","categories":["Published Projects"],"contents":"M3TID leverages threat understanding to improve a security program by creating an actionable definition of threat-informed defense and its associated key activities, and a formalized approach to measure your threat-informed defense. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged.\nLeveraging knowledge of cyber threats to prioritize the allocation of limited resources is one of the most impactful and efficient ways to reduce overall risk.\n","link":"/projects/measure-maximize-and-mature-threat-informed-defense-m3tid/","tags":["Where To Start"],"title":"Measure, Maximize, and Mature Threat-Informed Defense (M3TID)","type":"projects"},{"banner":"img/banners/interview-blake-strom.png","categories":["Video"],"contents":"In this interview at ATT\u0026amp;CKcon 4.0, October, 2023, Suneel Sundar, Director of R\u0026amp;D at the Center for Threat-Informed Defense, speaks with Blake Strom, Principal Security Research Manager, Microsoft, Creator of ATT\u0026amp;CK.\n","link":"/videos/interview-with-attack-creator/","tags":["ATT\u0026CKcon"],"title":"Summiting the Pyramid: an Interview with the Creator of ATT\u0026CK®","type":"videos"},{"banner":"img/banners/mappings-explorer.jpg","categories":["Published Projects","Mappings"],"contents":"Mappings Explorer is a hub for defenders to explore security capabilities mapped to MITRE ATT\u0026amp;CK®. 
This singular resource enables cyber defenders to understand how security controls and capabilities protect against the adversary behaviors catalogued in the ATT\u0026amp;CK knowledge base. Our mappings bridge the threat-informed approach to cybersecurity with traditional cyber hygiene through the deployment of security controls.\nMappings Explorer presents threat and mitigation data in easily accessible and customizable ways. This centralized collection enables threat-informed decision making by relating real-world cyber threats to corresponding mapped security capabilities.\nVisit the Center’s Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026amp;CK®.\n","link":"/projects/mappings-explorer/","tags":[],"title":"Mappings Explorer","type":"projects"},{"banner":"img/banners/sightings2.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"This project provides cybersecurity defenders and researchers with critical insight into real-world adversary behaviors mapped to ATT\u0026amp;CK. The ecosystem fundamentally advances the collective ability to see threat activity across organizational, platform, vendor, and geographical boundaries. Voluntarily contributed raw “sightings”, or observations of specific adversary TTPs, are anonymized, and aggregated to produce insights into the most commonly used attacker techniques.\n","link":"/projects/sightings-ecosystem/","tags":["Data Contributions"],"title":"Sightings Ecosystem","type":"projects"},{"banner":"img/banners/insider-thread-ttp-kb2.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"The Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base advances our collective understanding of the technical mechanisms that insider threats use. 
With this knowledge, Insider Threat Programs and Security Operations Centers can detect, mitigate, and emulate insider actions on IT systems to stop insider threats. Utilizing the Knowledge Base, cyber defenders across organizations will identify insider threat activity on IT systems and limit the damage.\n","link":"/projects/insider-threat-ttp-knowledge-base/","tags":["Data Contributions","Insider Threat"],"title":"Insider Threat TTP Knowledge Base","type":"projects"},{"banner":"img/banners/cti_blueprints_attackiq.png","categories":["Video","Cyber Threat Intelligence"],"contents":"Learn more about CTI Blueprints, one of the Center\u0026rsquo;s new projects, from Keith Wilson of Attack IQ. Visit the Center’s CTI Blueprints project summary page for links to the Github downloads, online builder and more: CTI Blueprints.\n","link":"/videos/cti-blueprints-spotlight/","tags":["Leadership Spotlight","Cyber Tools"],"title":"Leadership Spotlight: CTI Blueprints with Keith Wilson (ATTACKIQ)","type":"videos"},{"banner":"img/banners/cti_blueprints_stream.png","categories":["Video","Cyber Threat Intelligence"],"contents":"As a part of Adversary Village\u0026rsquo;s Adversary Guru series, MITRE\u0026rsquo;s Center for Threat Informed Defense presents CTI Blueprints, a free suite of templates, sample reports, and a software tool designed to help analysts create high-quality actionable reports more consistently and efficiently.\n","link":"/videos/cti-blueprints-stream/","tags":["Cyber Tools"],"title":"CTI Blueprints: Adversary Village","type":"videos"},{"banner":"img/banners/leadership-spotlight-fortinet-pyramid.png","categories":["Video","Detection Engineering"],"contents":"In Episode 10 of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Douglas Santos, Director, Advanced Threat Intelligence, at Fortinet\u0026rsquo;s FortiGuard Labs, discusses the Center’s “Summiting the Pyramid” R\u0026amp;D 
project.\n","link":"/videos/leadership-spotlight-fortinet-pyramid/","tags":["Leadership Spotlight"],"title":"Leadership Spotlight: Summiting the Pyramid with Douglas Santos (Fortinet)","type":"videos"},{"banner":"img/banners/sensor-mappings.jpg","categories":["Published Projects","Detection Engineering"],"contents":"Sensor Mappings to ATT\u0026amp;CK gives cyber defenders the information they need to identify and understand cyber incidents occurring in their environment. Various tools and services are available to collect system or network information, but it is not always clear how to use those tools to provide visibility into specific threats and adversarial behaviors occurring in their environment. These mappings between sensor events and ATT\u0026amp;CK data sources allow cyber defenders to create a more detailed picture of cyber incidents, including the threat actor, technical behavior, telemetry collection, and impact.\n","link":"/projects/sensor-mappings-to-attack/","tags":[],"title":"Sensor Mappings to ATT\u0026CK","type":"projects"},{"banner":"img/banners/attack_workbench_spotlight.png","categories":["Video","Cyber Threat Intelligence"],"contents":"In Episode 9 of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Douglas José Pereira dos Santos, Director, Advanced Threat Intelligence, at Fortinet\u0026rsquo;s FortiGuard Labs, discusses Fortinet’s role in collaborating on ATT\u0026amp;CK Workbench. Douglas highlights issues with siloed project teams and how ATT\u0026amp;CK Workbench expands the functionality of the current platform to enable teams with common tools to share intelligence. 
He focuses on how ATT\u0026amp;CK Workbench addresses these needs and how Fortinet uses ATT\u0026amp;CK Workbench.\n","link":"/videos/attack-workbench-spotlight/","tags":["Leadership Spotlight"],"title":"Leadership Spotlight: MITRE ATT\u0026CK Workbench with Douglas Santos","type":"videos"},{"banner":"img/banners/center-conversations.png","categories":["Video","Mappings"],"contents":"The Center for Threat-Informed Defense collaborated with Verizon and Siemens to combine the common language of ATT\u0026amp;CK with the incident model of VERIS. Bridging these two communities enables improved understanding of incidents and threats.\nIn this Center Conversation, Alex Pinto and Phil Langlois (Verizon Business Group), and Jon Baker and Tiffany Bergeron from the Center discuss how this project empowers defenders to efficiently tie adversary TTPs to their real-world impact by connecting ATT\u0026amp;CK-based threat intel to VERIS-based incident reports.\n","link":"/videos/center-conversations-veris/","tags":["Center Conversations"],"title":"Center Conversations: Bridging VERIS and ATT\u0026CK to Improve Incident Classification","type":"videos"},{"banner":"img/banners/attack-con-4-updates.jpg","categories":["Video"],"contents":"In this session from ATT\u0026amp;CKcon 4.0, October, 2023, Jon Baker, Director of the Center for Threat-Informed Defense, shares recent updates from the Center.\n","link":"/videos/center-updates-attack-con-4/","tags":["ATT\u0026CKcon"],"title":"Updates from the Center for Threat Informed Defense - ATT\u0026CKcon 4.0","type":"videos"},{"banner":"img/banners/leadership_spotlight_bae.png","categories":["Video"],"contents":"In Episode 8 of the Center for Threat-Informed Defense\u0026rsquo;s \u0026ldquo;Leadership Spotlight” series, Adrian Nish, Head of Cyber Portfolio at BAE Systems Digital Intelligence, discusses the Center’s “CTI Blueprints” R\u0026amp;D project.\nVisit the Center’s CTI Blueprints project summary page for links to the Github downloads, 
online builder and more: CTI Blueprints.\n","link":"/videos/leadership-spotlight-bae-systems/","tags":["Leadership Spotlight","Cyber Tools"],"title":"Leadership Spotlight: CTI Blueprints with Adrian Nish (BAE Systems)","type":"videos"},{"banner":"img/2022_impact_report.png","categories":[],"contents":"Illustrating Our Approach to Collaborative R\u0026amp;D The Center for Threat-Informed Defense’s second annual Impact Report delivers insight into the impact of the Center’s public interest R\u0026amp;D and the latest advancements in threat-informed defense. Closing out the year with 22 published R\u0026amp;D projects is a truly remarkable achievement that was only accomplished with the hard work and dedication of the Center’s 30 Participants. The single most rewarding outcome of 2022 has been the organic adoption of the Center’s work. Not only are security teams using our work in creative ways, but our work is reaching small businesses, academia, and non-profit organizations that lack the resources to develop and conduct this research on their own.\nDownload the 2022 Impact Report See Other Annual Impact Reports 2021 Impact Report 2023 Impact Report 2024 Impact Report Become a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. First Name Last Name Email Job Title Organization Sign up for the \"Stay Informed\" newsletter ","link":"/resources/2022-impact-report/","tags":["Impact Reports"],"title":"2022 Impact Report","type":"resources"},{"banner":"img/banners/ocean-lotus.jpg","categories":["Published Projects","Adversary Emulation"],"contents":"OceanLotus (aka APT32, SeaLotus, APT-C-00) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists. 
This project adds the first macOS and Linux focused plans to the Adversary Emulation library for red and blue teams to systematically test their defenses against real-world adversary TTPs.\n","link":"/projects/oceanlotus-adversary-emulation-plan/","tags":[],"title":"OceanLotus Adversary Emulation Plan","type":"projects"},{"banner":"img/banners/summiting_the_pyramid_attackcon-4.png","categories":["Video","Detection Engineering"],"contents":"In this interview at ATT\u0026amp;CKcon 4.0, October, 2023, Michaela Adams, Senior Cybersecurity Engineer at the Center for Threat-Informed Defense, speaks with David Bianco, Creator of the Pyramid of Pain.\n","link":"/videos/summiting-the-pyramid-attackcon-4/","tags":[],"title":"Summiting the Pyramid: An Interview with the Creator of the Pyramid of Pain","type":"videos"},{"banner":"img/banners/gcp-leadership-spotlight.png","categories":["Video"],"contents":"In Episode 7 of the Center for Threat-Informed Defense\u0026rsquo;s \u0026ldquo;Leadership Spotlight” series, Ivan Ninichuck, Solutions Architect at Google Cloud, discusses the Center’s “Security Stack Mappings-Google Cloud Platform” R\u0026amp;D project.\nVisit the Center’s Security Stack Mappings-Google Cloud Platform Project Summary page for links, including the project resources and research participants.\n","link":"/videos/leadership-spotlight-gcp/","tags":["Leadership Spotlight","Cloud"],"title":"Leadership Spotlight: Security Stack Mappings with Ivan Ninichuck (Google Cloud)","type":"videos"},{"banner":"img/banners/summiting-the-pyramid.jpg","categories":["Archived Projects"],"contents":"Many analytics are dependent on specific tools or artifacts. Adversaries can easily evade these with low-cost changes that exploit the dependencies. This project developed a method to evaluate analytics relative to the adversary’s cost to evade. We further created approaches and tips for defenders to make their analytics less evadable. 
We demonstrated the methodology with a core set of analytics.\nThis is an old version of the Summiting the Pyramid project. For the latest version, see: Summiting the Pyramid.\n","link":"/projects/summiting-the-pyramid-v1/","tags":[],"title":"Summiting the Pyramid v1","type":"projects"},{"banner":"img/banners/attack-sync-demo.png","categories":["Video"],"contents":"Sync Up With ATT\u0026amp;CK Sync! ATT\u0026amp;CK Sync improves the process of staying up to date with MITRE ATT\u0026amp;CK®. As ATT\u0026amp;CK releases two new versions per year, tracking each release and staying in sync had created churn and tedious work. ATT\u0026amp;CK Sync will now make keeping up to date far easier!\nWe created ATT\u0026amp;CK Sync to improve our own team’s ability to keep projects fresh and relevant, and quickly learned there was a need across the ATT\u0026amp;CK community to keep up to date. As with all our resources, those that make up ATT\u0026amp;CK Sync are open-sourced, freely available, and applicable to any organization that relies on ATT\u0026amp;CK. Read our blog and get started with ATT\u0026amp;CK Sync.\n","link":"/videos/attack-sync-demo/","tags":["Cyber Tools"],"title":"ATT\u0026CK Sync Hands-on Demonstration","type":"videos"},{"banner":"img/banners/tram2.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"The cybersecurity community has been working for years to automatically identify adversary tactics, techniques, and procedures (TTPs) in cyber threat intelligence (CTI) reports. With some advances in machine learning and artificial intelligence, TRAM is a solution that is measurably effective at solving that problem.\nPrevious iterations of the Threat Report ATT\u0026amp;CK Mapper (TRAM) focused on creating a data annotation tool and using supervised learning methods to extract and predict TTPs. 
Our latest project improves the quality of the training data and makes effective use of fine-tuned Large Language Models (LLMs) for model training and predictions. We have improved the speed and accuracy of TTP mappings to meet the demands of defenders.\n","link":"/projects/threat-report-attck-mapper-tram/","tags":["Machine Learning"],"title":"Threat Report ATT\u0026CK Mapper (TRAM)","type":"projects"},{"banner":"img/banners/attack-workbench2.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"The Workbench project expands the functionality of the current platform to enable teams to explore, create, annotate, and share extensions of the ATT\u0026amp;CK knowledge base. This work increases the utility of using Workbench as a local knowledge base that can be extended with a team’s new or updated techniques, tactics, mitigations groups, and software.\n","link":"/projects/attck-workbench/","tags":["Cyber Tools"],"title":"ATT\u0026CK Workbench","type":"projects"},{"banner":"img/banners/cti-blueprints.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"This project developed an approach and prototype tool for creating narrative cyber threat intel reports that analysts need in the form they need them. Reports produced using CTI Blueprints include structured STIX content, are tagged with ATT\u0026amp;CK reference, and enable operational defensive cyber analysis, analytics testing, and adversary emulation. We will establish a new normal for cyber threat intelligence. 
Producers will create actionable intelligence for their consumers, and consumers will take specific threat-informed action.\n","link":"/projects/cti-blueprints/","tags":["Cyber Tools"],"title":"CTI Blueprints","type":"projects"},{"banner":"img/banners/leadership-spotlight-cve.png","categories":["Video","Mappings"],"contents":"In Episode 6 of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Carl Wright, Chief Commercial Officer at AttackIQ, discusses the Center’s “Mapping ATT\u0026amp;CK to CVE for Impact” R\u0026amp;D project.\n","link":"/videos/leadership-cve-mapping/","tags":["Leadership Spotlight"],"title":"Leadership Spotlight: Mapping ATT\u0026CK to CVE for Impact with Carl Wright (AttackIQ)","type":"videos"},{"banner":"img/project-screenshots/attack-sync.png","categories":["Published Projects"],"contents":"The ATT\u0026amp;CK Sync project streamlines upgrades to new versions of MITRE ATT\u0026amp;CK® by providing tools and resources to migrate existing projects to current ATT\u0026amp;CK versions in a timely and efficient manner. The ATT\u0026amp;CK knowledge base is updated twice per year and with each new ATT\u0026amp;CK release, these projects fall behind and become outdated. 
ATT\u0026amp;CK Sync provides tools and a methodology that organizations can use to implement their own solutions for keeping up with latest version of ATT\u0026amp;CK, saving time and effort for all.\n","link":"/projects/attack-sync/","tags":["Cybersecurity Tools"],"title":"ATT\u0026CK Sync","type":"projects"},{"banner":"img/banners/top-attack-techniques-spotlight.png","categories":["Video"],"contents":"In Episode 4 of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Carl Wright, Chief Commercial Officer at AttackIQ, discusses the Center’s Top ATT\u0026amp;CK Techniques project.\nVisit the Center’s Top ATT\u0026amp;CK Techniques Project Summary page for links, including to the Github downloads, online builder and more.\n","link":"/videos/leadership-spotlight-top-attack-techniques-attackiq/","tags":["Leadership Spotlight","Cyber Tools"],"title":"Leadership Spotlight: Top ATT\u0026CK Techniques with Carl Wright (AttackIQ)","type":"videos"},{"banner":"img/banners/leadership-spotlight-attack-flow.png","categories":["Video"],"contents":"In Episode 3 of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Steve Benton, VP Research \u0026amp; General Manager at Anomali, discusses the Center’s Attack Flow Project.\n","link":"/videos/leadership-spotlight-attack-flow/","tags":["Leadership Spotlight","Attack Flow"],"title":"Leadership Spotlight: Attack Flow with Steve Benton (Anomali)","type":"videos"},{"banner":"img/banners/level-up-threat-intel.png","categories":["Video"],"contents":"From the 2023 Purple Hats Conference: Mark Haase, Chief Engineer at the Center for Threat-Informed Defense, highlights how Attack Flow models sequences of ATT\u0026amp;CK techniques to make threat intelligence more powerful and visual. 
https://www.purplehats.org/\n","link":"/videos/level-up-threat-intel/","tags":["Attack Flow"],"title":"Level Up Threat Intel with Attack Flow with Mark Haase (at Purple Hats!)","type":"videos"},{"banner":"img/banners/veris2.jpg","categories":["Published Projects","Mappings"],"contents":"This project updates and expands the translation layer between VERIS and ATT\u0026amp;CK allowing ATT\u0026amp;CK to describe the adversary behaviors that were observed in an incident coded in VERIS. These connections allow for joint analysis of the information that ATT\u0026amp;CK describes well alongside the incident demographics and metadata that VERIS describes well.\nThe VERIS mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/attck-integration-into-veris/","tags":[],"title":"ATT\u0026CK Integration Into VERIS","type":"projects"},{"banner":"img/banners/adoption-top-attack-techniques.png","categories":["Video"],"contents":"Center for Threat-Informed Defense’s Cyber Engagement Lead Maggie MacAlpine talks to Picus Lab leaders (Co-Founder and Vice President, Dr. Suleyman Ozarlan, and Product Marketing Leader Simon Monahan) about their adoption of the Center’s Top ATT\u0026amp;CK Techniques project.\n","link":"/videos/adoption-spotlight-top-attack-techniques/","tags":["Adoption Spotlight"],"title":"Adoption Spotlight: Picus Adopts Top ATT\u0026CK Techniques","type":"videos"},{"banner":"img/banners/micro_emulation_plans.png","categories":["Video","Adversary Emulation"],"contents":"Adversary emulation plans are an excellent way to validate defenses against known adversarial behaviors, but they can be cost prohibitive and very complex to execute. We wanted to lower the barrier to entry by creating smaller scale adversary emulation plans that are easy to automate and focus on compound adversary behaviors. 
This should enable any organization, even those without a red team, to validate their defenses quickly and easily. Each attendee will be able to take away our open-sourced Micro Emulation Plans and the framework to build their own.\n","link":"/videos/micro-emulation-plans/","tags":[],"title":"Micro Emulation Plans: Making Adversary Emulation Accessible","type":"videos"},{"banner":"img/banners/leadership-spotlight-attack-flow-fortinet.png","categories":["Video"],"contents":"In this second episode in the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Derek Manky, Chief Security Strategist \u0026amp; VP Global Threat Intelligence at Fortinet’s FortiGuard Labs, discusses the Center’s Attack Flow project.\n","link":"/videos/leadership-spotlight-attack-flow-fortinet/","tags":["Leadership Spotlight","Attack Flow"],"title":"Leadership Spotlight: Attack Flow with Derek Manky (Fortinet)","type":"videos"},{"banner":"img/banners/leadership-spotlight-tat-crowdstrike.png","categories":["Video"],"contents":"In this first episode of the Center for Threat-Informed Defense’s “Leadership Spotlight” video series, Joel Spurlock, Senior Director of Malware Research at CrowdStrike, discusses the Center’s Top ATT\u0026amp;CK Techniques project.\n","link":"/videos/leadership-spotlight-top-attack-techniques-crowdstrike/","tags":["Leadership Spotlight","Cyber Tools"],"title":"Leadership Spotlight: Top ATT\u0026CK Techniques with Joel Spurlock (Joel Spurlock, Senior Director of Malware Research, CrowdStrike)","type":"videos"},{"banner":"img/banners/attack-powered-suit-demo.png","categories":["Video","Cyber Threat Intelligence"],"contents":"In this video we showcase ATT\u0026amp;CK Powered Suit, a freely available Chrome Extension that puts the MITRE ATT\u0026amp;CK® knowledge base at your fingertips. 
This extension enables quick searches for tactics, techniques and more without disrupting your workflow.\n","link":"/videos/attack-powered-suit/","tags":["Cyber Tools"],"title":"Center Demo: Introducing ATT\u0026CK Powered Suit","type":"videos"},{"banner":"img/banners/defending-iaas.jpg","categories":["Published Projects","Defensive Measures"],"contents":"Defending IaaS with ATT\u0026amp;CK developed an ATT\u0026amp;CK matrix that enables users to easily understand and work with the techniques applicable to Infrastructure-as-a-Service (IaaS) environments, regardless of whether the attacks target the cloud management layer, the container technology, or the hosted infrastructure. The project also developed documentation and tools to simplify creating overlays for other domains like Industrial Control Systems (ICS) or Operational Technology (OT).\n","link":"/projects/defending-iaas-with-attack/","tags":["Cloud"],"title":"Defending IAAS with ATT\u0026CK","type":"projects"},{"banner":"img/banners/attack-flow2.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"Attack Flow is a data model with supporting tooling and examples for describing sequences of adversary behaviors. Attack flows help defenders understand, share, and make threat-informed decisions based on the sequence of actions in a cyber-attack. Flows can be analyzed to identify common patterns in adversary behavior, overlayed on ATT\u0026amp;CK Navigator layers to understand defensive coverage, and create a foundation for intel-driven adversary emulation plans.\nThis is an old version of the Attack Flow project. 
For the latest version, see: Attack Flow.\n","link":"/projects/attack-flow-v2/","tags":["Cyber Tools"],"title":"Attack Flow v2","type":"projects"},{"banner":"img/2021_impact_report.png","categories":[],"contents":"Illustrating Our Approach to Collaborative R\u0026amp;D The Center for Threat-Informed Defense’s first annual Impact Report delivers insight into the impact of the Center’s public interest R\u0026amp;D and the latest advancements in threat-informed defense. Inside this impact report you’ll find summaries of our first thirteen published projects spanning topics including adversary emulation, advancing our understanding of threats to cloud technologies, and linking security controls to the actual threats that they help defend against. True to our public interest mission, all of these projects are freely available to the global community, and we encourage you to explore, use, and help improve these resources. As impressive as this initial set of published releases are, this is just the beginning.\nDownload the 2021 Impact Report See Other Annual Impact Reports 2022 Impact Report 2023 Impact Report 2024 Impact Report Become a Member If your organization is interested in becoming a member of the Center for Threat-Informed Defense, complete the form below and we will follow up by email. First Name Last Name Email Job Title Organization Sign up for the \"Stay Informed\" newsletter ","link":"/resources/2021-impact-report/","tags":["Impact Reports"],"title":"2021 Impact Report","type":"resources"},{"banner":"img/banners/micro-emulation-plans.jpg","categories":["Published Projects","Adversary Emulation"],"contents":"Micro Emulation Plans help organizations validate their defenses quickly and easily by building smaller scale adversary emulation plans that are fully automated using compatible tools and focused on common threats. 
The Micro Emulation Plans help scale the impact of the Adversary Emulation Library beyond those with sophisticated red teams to allow even those without a red team to run scenarios in compatible breach and attack simulation or automated adversary emulation tools, make improvements, and validate improvements.\n","link":"/projects/micro-emulation-plans/","tags":[],"title":"Micro Emulation Plans","type":"projects"},{"banner":"img/banners/cloud-analytics.jpg","categories":["Published Projects","Detection Engineering"],"contents":"The Cloud Analytics project sought to advance the state of the practice by developing a blueprint for writing analytics for cloud platforms. To create the blueprint, the team “learned by doing” – exercising adversary behaviors, developing analytics, and refining them. Lessons learned were gathered along the way and incorporated into the analytics blueprint shared with the community.\n","link":"/projects/cloud-analytics/","tags":["Cloud"],"title":"Cloud Analytics","type":"projects"},{"banner":"img/banners/google-cloud.jpg","categories":["Published Projects","Mappings"],"contents":"This project identified and mapped security capabilities available as part of GCP to the ATT\u0026amp;CK techniques to which they can detect, protect, or respond. This allows cyber defenders of cloud platforms to make threat-informed decisions about which capabilities to use and how to use them.\nThe Google Cloud mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. 
","link":"/projects/security-stack-mappings-google-cloud-platform/","tags":["Cloud"],"title":"Security Stack Mappings – Google Cloud Platform","type":"projects"},{"banner":"img/banners/attack-powered-suit.jpg","categories":["Published Projects"],"contents":"ATT\u0026amp;CK Powered Suit is a freely available browser extension that puts the MITRE ATT\u0026amp;CK® knowledge base at your fingertips. This extension enables quick searches for tactics, techniques, and more without disrupting your workflow. Easily copy snippets into a notebook to streamline your research. Export selected techniques to ATT\u0026amp;CK navigator. The extension supports context menus, omnibar, and more.\nThis project would not have been possible without our valued partnership with Fujitsu. We are especially grateful to Mr. Toshitaka Satomi for proposing the original concept and for his hard work providing the initial source code.\nGet the App Install ATT\u0026amp;CK Powered Suit in Chrome or Firefox in less than a minute.\n","link":"/projects/attack-powered-suit/","tags":["Cybersecurity Tools"],"title":"ATT\u0026CK Powered Suit","type":"projects"},{"banner":"img/banners/top-attack-techniques.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"Top ATT\u0026amp;CK Techniques provides defenders with a systematic approach to prioritizing ATT\u0026amp;CK techniques. Our open methodology considers technique prevalence, common attack choke points, and actionability to enable defenders to focus on the ATT\u0026amp;CK techniques that are most relevant to their organization.\nThe Top ATT\u0026amp;CK Techniques Calculator makes building customized top technique lists easy. 
Users can create a top 10 technique list tailored to their organization.\nThe Top Ransomware Technique List provides a starting point for defending against ransomware attacks and demonstrates how the Top ATT\u0026amp;CK Techniques methodology can be tailored to different use cases.\nThis is an old version of the Top ATT\u0026amp;CK Techniques project. For the latest version, see: Top ATT\u0026amp;CK Techniques\n","link":"/projects/top-attack-techniques-v1/","tags":null,"title":"Top ATT\u0026CK Techniques V1","type":"projects"},{"banner":"img/banners/attack-flow.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"Defenders typically track adversary behaviors atomically, focusing on one specific action at a time. While this is a good first step toward adopting a threat-informed defense, adversaries usually use multiple actions in sequence—we call these sequences attack flows. Toward the goal of visualizing, analyzing, and sharing attack flows, the Attack Flow project is developing a data format for describing sequences of adversary behaviors, a set of attack flow examples, and a GUI-based attack flow builder tool.\nThis is an old version of the Attack Flow project. For the latest version, see: Attack Flow.\n","link":"/projects/attack-flow-v1/","tags":["Cyber Tools"],"title":"Attack Flow v1","type":"projects"},{"banner":"img/banners/sightings.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"This project provides cybersecurity defenders and researchers with critical insight into real-world, in the wild adversary behaviors mapped to ATT\u0026amp;CK. The ecosystem aims to fundamentally advance the collective ability to see threat activity across organizational, platform, vendor and geographical boundaries. 
Voluntarily contributed raw “sightings”, or observations, of specific adversary TTPs are mapped to ATT\u0026amp;CK, anonymized, and aggregated to produce intelligence describing insights from that data.\nThis is an old version of the Sightings Ecosystem project. For the latest version, see: Sightings Ecosystem.\n","link":"/projects/sightings-ecosystem-v1/","tags":["Data Contributions"],"title":"Sightings Ecosystem V1","type":"projects"},{"banner":"img/banners/insider-threat-ttp-kb.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"The Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base aims to advance our collective understanding of the technical mechanisms that insider threats have used. With this knowledge, Insider Threat Programs and Security Operations Centers will detect, mitigate, and emulate insider actions on IT systems to stop insider threats. Utilizing the Knowledge Base, cyber defenders across organizations will identify insider threat activity on IT systems and limit the damage. Capturing and sharing the Design Principles and Methodology for developing the Knowledge Base is a foundational step to establishing this community resource and enabling its broad adoption and ongoing development.\nThis is an old version of the Insider Threat project. For the latest version, see: Insider Threat.\n","link":"/projects/insider-threat-ttp-knowledge-base-v1/","tags":["Data Contributions","Insider Threat"],"title":"Insider Threat TTP Knowledge Base V1","type":"projects"},{"banner":"img/banners/nist-800-53.jpg","categories":["Published Projects","Mappings"],"contents":"This project created a comprehensive set of mappings between MITRE ATT\u0026amp;CK® and NIST Special Publication 800-53 with supporting documentation and resources. 
These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT\u0026amp;CK knowledge base and provide a foundation for integrating ATT\u0026amp;CK-based threat information into the risk management process. With over 6,300 individual mappings between NIST 800-53 and ATT\u0026amp;CK, this resource greatly reduces the burden on the community to do their own baseline mappings, allowing organizations to focus their limited time and resources on understanding how controls map to threats in their specific environment.\nThe NIST 800-53 mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/nist-800-53-control-mappings/","tags":[],"title":"NIST 800-53 Controls to ATT\u0026CK Mappings","type":"projects"},{"banner":"img/banners/cve-mappings.jpg","categories":["Published Projects","Mappings"],"contents":"This research defines a methodology for using MITRE ATT\u0026amp;CK® to characterize the potential impacts of vulnerabilities. ATT\u0026amp;CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them. Vulnerability reporters and researchers use the methodology to describe the impact of vulnerabilities, enabling defenders to easily integrate vulnerability information into their risk models and identify appropriate compensating security controls. This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls.\nThe CVE mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. 
","link":"/projects/mapping-attck-to-cve-for-impact/","tags":[],"title":"Mapping ATT\u0026CK to CVE for Impact","type":"projects"},{"banner":"img/banners/center-conversations.png","categories":["Video","Mappings"],"contents":"The Center for Threat-Informed Defense’s ATT\u0026amp;CK Integration into VERIS project aims to help practitioners connect VERIS with MITRE ATT\u0026amp;CK and obtain more context about the threats they face. Verizon participated in this project and Alex Pinto, Senior Manager of their Data Breach Investigations Report, works to help the cyber community better understand the current threat landscape.\nIn this Center Conversation, Alex and Center Director Richard Struse discuss the vital work of building bridges to help cyber experts connect the dots between frameworks and also what the future of the threat-informed defense looks like.\n","link":"/videos/center-conversations-veris-mappings/","tags":["Center Conversations"],"title":"Center Conversations: Building the Language of Threat-Informed Defense with Alex Pinto (Verizon)","type":"videos"},{"banner":"img/banners/tram.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT\u0026amp;CK®. TRAM enables researchers to test and refine Machine Learning (ML) models for identifying ATT\u0026amp;CK techniques in prose-based threat intel reports and allows threat intel analysts to train ML models and validate ML results.\nThrough research into automating the mapping of cyber threat intel reports to ATT\u0026amp;CK, TRAM aims to reduce the cost and increase the effectiveness of integrating ATT\u0026amp;CK into cyber threat intelligence across the community. 
Threat intel providers, threat intel platforms, and analysts should be able to use TRAM to integrate ATT\u0026amp;CK more easily and consistently into their products.\nThis is an old version of the TRAM project. For the latest version, see: Threat Report ATT\u0026amp;CK Mapper (TRAM).\n","link":"/projects/threat-report-attck-mapper-tram-v1/","tags":["Machine Learning"],"title":"Threat Report Attack Mapper V1","type":"projects"},{"banner":"img/banners/aws.jpg","categories":["Published Projects","Mappings"],"contents":"This project empowers organizations with independent data on which native AWS security controls are most useful in defending against the adversary TTPs that they care about. It achieves this by mapping security capabilities of AWS to the ATT\u0026amp;CK techniques that they can protect, detect, or respond to. This will allow organizations to make threat-informed decisions when selecting which native security capabilities to use to protect their workloads.\nThe AWS mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/security-stack-mappings-amazon-web-services/","tags":["Cloud"],"title":"Security Stack Mappings – Amazon Web Services","type":"projects"},{"banner":"img/banners/veris.jpg","categories":["Archived Projects","Mappings"],"contents":"This project created a mapping and translation layer between VERIS and ATT\u0026amp;CK that allows ATT\u0026amp;CK to describe the adversary behaviors that were observed in an incident coded in VERIS. This creates the opportunity for a joint analysis of the information that ATT\u0026amp;CK describes well (the behaviors adversaries use to attack systems) alongside the incident demographics and metadata that VERIS describes well.\nThe VERIS mappings are part of our Mappings Explorer program. 
Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. ","link":"/projects/attck-integration-into-veris-v1/","tags":[],"title":"ATT\u0026CK Integration into VERIS V1","type":"projects"},{"banner":"img/banners/atomic-data-sources.jpg","categories":["Archived Projects","Detection Engineering"],"contents":"Cyber threat detection starts with understanding the data sources and sensors that can be used to detect a given adversary TTP. Motivated by a lack of detailed data source definitions in MITRE ATT\u0026amp;CK® to support defensive cyber operations use cases, we wanted to greatly expand the set of data sources in ATT\u0026amp;CK and research creating an open data model for data sources that would enable defenders to quickly determine if they have the data necessary to detect the adversary TTPs they care about. We worked with Center participants to develop a prototype model for describing data sources, as well as identifying and documenting a set of data sources that would ultimately be contributed to the ATT\u0026amp;CK Data Sources project.\n","link":"/projects/atomic-data-sources/","tags":[],"title":"Atomic Data Sources","type":"projects"},{"banner":"img/banners/azure.jpg","categories":["Published Projects","Mappings"],"contents":"This project empowers organizations with independent data on which native Azure security controls are most useful in defending against the adversary TTPs that they care about. It achieves this by mapping security capabilities of Azure to the ATT\u0026amp;CK techniques that they can protect, detect, or respond to. This will allow organizations to make threat-informed decisions when selecting which native security capabilities to use to protect their workloads.\nThe Azure mappings are part of our Mappings Explorer program. Use the Mappings Explorer website to navigate, explore, search, and download our mappings of security capabilities to MITRE ATT\u0026CK®. 
","link":"/projects/security-stack-mappings-azure/","tags":["Cloud"],"title":"Security Stack Mappings – Azure","type":"projects"},{"banner":"img/banners/attack-workbench.jpg","categories":["Published Projects","Cyber Threat Intelligence"],"contents":"ATT\u0026amp;CK Workbench is an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT\u0026amp;CK and keep it in sync with MITRE’s knowledge base.\nWorkbench allows users to explore, create, annotate, and share extensions of the ATT\u0026amp;CK knowledge base. Organizations or individuals can run their own instances of the application to serve as the centerpiece to a customized version of the ATT\u0026amp;CK knowledge base, attaching other tools and interfaces as desired. Through the Workbench this local knowledge base can be extended with new or updated techniques, tactics, mitigations, groups, and software. Additionally, Workbench provides means for a user to share their extensions with the greater ATT\u0026amp;CK community, facilitating a greater level of collaboration within the community than is possible with current tools.\nThis is an old version of the ATT\u0026amp;CK Workbench project. 
For the latest version, see: ATT\u0026amp;CK Workbench.\n","link":"/projects/attck-workbench-v1/","tags":["Cyber Tools"],"title":"ATT\u0026CK Workbench V1","type":"projects"},{"banner":"img/banners/center-conversations.png","categories":["Video"],"contents":"As a vital piece of advancing threat-informed defense is ensuring that we have the most accurate and up-to-date understanding of adversary behavior, the Center for Threat-Informed Defense launched the Sightings Ecosystem project, which collects and analyzes reports of MITRE ATT\u0026amp;CK® techniques observed in the wild.\nIn this Center Conversation, Derek Manky, Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs, and Richard Struse, Director of the Center for Threat-Informed Defense, discuss the Sightings Ecosystem and more broadly, why data sharing and collaboration is key to ensuring stronger cybersecurity operations.\n","link":"/videos/center-conversations-sightings/","tags":["Center Conversations","Data Contributions"],"title":"Center Conversations: Building a Sightings Ecosystem with Derek Manky (Fortinet)","type":"videos"},{"banner":"img/banners/attack-for-containers.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"This project investigated the viability of adding container-related techniques into MITRE ATT\u0026amp;CK, leading to the development of an ATT\u0026amp;CK for Containers matrix. This work covers both orchestration-level (e.g., Kubernetes) and container-level (e.g., Docker) adversary behaviors in a single Containers platform which has been incorporated in version 9 of ATT\u0026amp;CK. 
The project team worked with contributors from around the world to identify and refine both existing ATT\u0026amp;CK techniques as well as completely new container-specific ones.\n","link":"/projects/attck-for-containers/","tags":[],"title":"ATT\u0026CK for Containers","type":"projects"},{"banner":"img/banners/center-conversations.png","categories":["Video"],"contents":"Facing ever-evolving cybersecurity threats, organizations of all sizes need to be better able to assess potential threats and assess their security posture. This is where an effective threat-informed defense can play an important role.\nIn this Center Conversation, Carl Wright, Chief Commercial Officer at AttackIQ and Richard Struse, Director of the Center for Threat-Informed Defense, discuss the value of a comprehensive threat-informed defense and why it\u0026rsquo;s vital for IT and cybersecurity leaders to make key cybersecurity investments now in order to prevent potential attacks down the road.\n","link":"/videos/center-conversations-carl-wright/","tags":["Center Conversations"],"title":"Center Conversations: Enabling Threat-Informed Defense with Carl Wright","type":"videos"},{"banner":"img/banners/center-conversations.png","categories":["Video","Adversary Emulation"],"contents":"As cyber adversaries become more sophisticated and creative, organizations of all sizes need to be able to assess their defenses against potential threats. This is where adversary emulation plans, like the Center for Threat-Informed Defense’s recent menuPass and FIN6 research projects, can have a big impact.\nIn this Center Conversation, Ryusuke Matsuoka, Research Principal at Fujitsu System Integration Laboratories and Richard Struse, Director of the Center for Threat-Informed Defense, discuss the importance of adversary emulation in understanding the risks posed by different adversary groups. 
They also discuss what the future of threat-informed defense looks like and the important role MITRE ATT\u0026amp;CK® has played in providing a common language for cyber defenders.\n","link":"/videos/center-conversations-adversary-emulation/","tags":["Center Conversations"],"title":"Center Conversations: Advancing Adversary Emulation w/Ryusuke Masuoka (Fujitsu System Integration)","type":"videos"},{"banner":"img/banners/menupass.jpg","categories":["Published Projects","Adversary Emulation"],"contents":"menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university. This project developed an adversary emulation plan for menuPass and added it to the Adversary Emulation Library.\nThe Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. 
This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.\n","link":"/projects/menupass-adversary-emulation-plan/","tags":[],"title":"Menupass Adversary Emulation Plan","type":"projects"},{"banner":"img/banners/attack-for-cloud.jpg","categories":["Archived Projects","Cyber Threat Intelligence"],"contents":"This project refined and expanded MITRE ATT\u0026amp;CK’s coverage of adversary behaviors in cloud environments. Through our research, we refactored and consolidated the cloud platforms into IaaS, SaaS, Office365, and Azure AD. Next, we overhauled cloud data sources to better align with enterprise ATT\u0026amp;CK. Finally, we expanded cloud technique coverage adding and updating existing techniques.\n","link":"/projects/attck-for-cloud/","tags":["Cloud"],"title":"ATT\u0026CK for Cloud","type":"projects"},{"banner":"img/project-screenshots/caldera-pathfinder.png","categories":["Published Projects","Adversary Emulation"],"contents":"This open-source CALDERA plugin helps you understand what a vulnerability exposes to an adversary and what potential destructive paths an adversary could take within the network as a result of those vulnerabilities. Pathfinder aims to push the boundaries on vulnerability scanning, moving them to the next generation by integrating vulnerability scan data with the CALDERA automated adversary emulation platform. Pathfinder first conducts a scan of a target network, and the results of the scan are ingested into CALDERA’s knowledge store, where it can then map out the network. 
Pathfinder is then able to combine the information from the scan with the power of a breach and attack simulation tool in order to map out potential attack paths within the target network.\n","link":"/projects/caldera-pathfinder/","tags":["Cyber Tools"],"title":"Caldera Pathfinder","type":"projects"},{"banner":"img/banners/caldera-announcement.png","categories":["Video"],"contents":"In this video we showcase the CALDERA™ Pathfinder, an open-source CALDERA plugin developed through the Center for Threat-Informed Defense’s research program in collaboration with Siemens AG. Pathfinder aims to transport vulnerability scanning into the next generation by integrating vulnerability scan data with the CALDERA automated adversary emulation platform.\n","link":"/videos/caldera/","tags":["Cyber Tools"],"title":"Center Demo: Introducing CALDERA™ Pathfinder","type":"videos"},{"banner":"img/banners/center-demo-fin6.png","categories":["Video","Adversary Emulation"],"contents":"Take a tour of the MITRE Center for Threat-Informed Defense’s FIN6 Adversary Emulation Plan, the first entry in the Center’s public library of adversary emulation plans. The plan includes the FIN6 Intelligence Summary, a curated collection of available cyber threat intelligence, comprised of an intelligence overview of the FIN6 cyber crime group (describing who they target, as well as how and why where possible) and the scope of their activity (i.e., the breadth of techniques and malware used). The Summary outlines 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries.\n","link":"/videos/adversary-emulation-library-fin6/","tags":[],"title":"Center Demo: FIN6 Adversary Emulation Walkthrough","type":"videos"},{"banner":"img/banners/fin6.jpg","categories":["Published Projects","Adversary Emulation"],"contents":"FIN6 is a cyber-crime group that has stolen payment card data and sold it for profit on underground marketplaces. 
This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. This project developed an adversary emulation plan for FIN6 and added it to the Adversary Emulation Library.\nThe Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.\n","link":"/projects/fin6-adversary-emulation-plan/","tags":[],"title":"FIN6 Emulation Plan","type":"projects"},{"banner":"img/full_vs_micro_plans.png","categories":["Adversary Emulation"],"contents":"A Set of Common Emulation Plans The Adversary Emulation Library includes a collection of adversary emulation plans that allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.\nWhy Use Adversary Emulation Plans? Adversary Emulation mimics the behavior of real world threat actors in a safe and repeatable manner. 
Executing adversary emulation in your environment helps you answer questions such as:\nHow do we build a resilient defense that is not based on static (and easily evaded) IOCs? How well do we detect, mitigate, respond to, or prevent against threat actor X? Are we collecting the right data and running the right queries to detect technique Y? How do we build the experience and skills on our team to defend against real-world threats? How do we tune our tools and processes to maximize efficacy against real-world threats? Adversary Emulation Plans The library contains two types of adversary emulation plans: full emulation and micro emulation.\nFull Emulation Plans A comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT\u0026CK tactics \u0026 techniques and are designed to emulate a real breach from the designated adversary.\nAPT29 APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation. The group is reported to have been …\nLearn More Blind Eagle Blind Eagle is a suspected South American threat actor that has been active since at least 2018. Targets are typically Colombian government institutions, as well as entities in the financial, …\nLearn More Carbanak Not to be confused with FIN7, Carbanak is a threat group that has been active since at least 2013. Using malware that shares its name, Carbanak has been known to target financial institutions, as well …\nLearn More FIN6 FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. Seen as early as 2015, this group has aggressively targeted and compromised point of …\nLearn More FIN7 Not to be confused with the Carbanak Group, FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since 2013. 
FIN7 traditionally …\nLearn More menuPass menuPass is thought to be motivated by collection objectives that align with Chinese national interests. menuPass has targeted the healthcare, defense, and energy sectors within Japan and the USA.\nLearn More OceanLotus OceanLotus is a cyber threat actor aligning to the interests of the Vietnamese government. First seen in 2012, OceanLotus targets private corporations in the manufacturing, consumer product, and …\nLearn More OilRig OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 with operations directed against …\nLearn More Sandworm Responsible for the Ukrainian power outage of 2017, Sandworm is a destructive threat group attributed to Russia\u0026#39;s General Staff of the Armed Forces, Main Intelligence Directorate (GRU). Sandworm is …\nLearn More Turla Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. The group has targeted government agencies, diplomatic …\nLearn More Wizard Spider Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of …\nLearn More Micro Emulation Plans A focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. 
These plans emulate a small number of ATT\u0026CK techniques that are typically performed as part of one adversary action.\nActive Directory Enumeration Active Directory Enumeration emulates multiple Discovery behaviors through commonly abused interfaces and services such as Active Directory (AD).\nLearn More Data Exfiltration Data Exfiltration emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files.\nLearn More DLL Side-loading DLL Side-loading emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload. Learn More File Access and File Modification File Access and File Modification emulates file access and modification behaviors commonly associated with Collection as well as Data Encrypted for Impact.\nLearn More Log Clearing This micro emulation plan targets malicious activity associated with clearing Windows Event Logs. Adversaries and malware often target clearing and/or disabling the native logging provided by Windows …\nLearn More Named Pipes Named pipes are shared memory used for inter-process communication (IPC). Named pipes are commonly abused by malware (e.g., Cobalt Strike) while injecting/retrieving payloads and commands.\nLearn More Process Injection Process Injection emulates the compound behavior of Process Injection followed by execution of arbitrary commands.\nLearn More Reflective Loading Reflective Loading emulates an adversary running malicious code within an arbitrary process to perform Reflective Code Loading. Learn More Remote Code Execution Remote Code Execution emulates an adversary performing remote code execution against a vulnerable web server as documented. Learn More User Execution User Execution emulates the compound behavior of delivering a malicious .one, .doc, .lnk, or .iso file (e.g. 
via Spearphishing Attachment) and then executing arbitrary commands after a user invokes …\nLearn More Web Shells Web Shells emulates the compound behavior of planting a web shell and then executing arbitrary commands through it.\nLearn More Windows Registry Windows Registry emulates a few common methods that adversaries use to modify the Windows Registry.\nLearn More ","link":"/resources/adversary-emulation-library/","tags":[],"title":"Adversary Emulation Library","type":"resources"},{"banner":"img/banners/introducing-the-center.png","categories":["Video"],"contents":"Interview with Richard Struse, Center for Threat-Informed Defense director and Laurie Giandomenico, MITRE Engenuity CEO.\n","link":"/videos/presenting-the-center-for-threat-informed-defense/","tags":[],"title":"MITRE Engenuity Presents the Center for Threat-Informed Defense","type":"videos"},{"banner":null,"categories":null,"contents":"Benefactors Make a Positive Impact by Directly Funding Threat-Informed Defense Programs The Benefactor Program enables the global community to advance critical, public interest cybersecurity programs such as MITRE ATT\u0026amp;CK®, MITRE Caldera™, MITRE Engage™, and the Center for Threat-Informed Defense through charitable giving. 
Our benefactors are globally recognized for supporting independent research in the public interest.\n","link":"/donate/","tags":null,"title":"Benefactor Program","type":"page"},{"banner":null,"categories":null,"contents":"","link":"/ctidio-404/","tags":null,"title":"CTID.io Shortlink – Not Found","type":"page"},{"banner":null,"categories":null,"contents":"","link":"/form-submit/","tags":null,"title":"Form Submission Success","type":"page"},{"banner":null,"categories":null,"contents":"","link":"/get-involved/","tags":null,"title":"Get Involved","type":"page"},{"banner":null,"categories":null,"contents":"","link":"/our-mission/","tags":null,"title":"Our Mission","type":"page"},{"banner":null,"categories":null,"contents":" Diverse Participants for Greater Impact The Center for Threat-Informed Defense brings together the most sophisticated cybersecurity teams from around the world for one cause and one purpose … to change the game on the adversary in threat-informed defense. Our roster of Center Participants – Founders, Partners, Sponsors, and Non-Profit Participants – is intentionally diverse to enable global and cross-sector impact. These organizations bring thought leadership and commitment to the Center’s mission. Learn More about Joining the Center Founders These Founding Participants are the keystone of the Center. They partnered to establish the Center and created a whole new approach to collaborative R\u0026D in the public interest. Their leadership, strong commitment to the Center's mission, and determination to create a level playing field for all cyber defenders is critical to the Center's success.\nIt is a true privilege to collaborate with other leading members of the cybersecurity community and MITRE in the Center for Threat-Informed Defense. 
We believe deeply in threat-informed defense and in validating those defenses using MITRE ATT\u0026amp;CK.\n- Stephan Chenette, Chief Technology Officer and Co-Founder, AttackIQ\nCTA is proud to be a founding member of the Center for Threat-Informed Defense. While we know that certain actions can improve our collective cybersecurity, there are still problems that require research and development to get to the right answer. Since many current practices are not based on robust, empirical findings, the Center’s focused R\u0026amp;D efforts will help the global community address the most pressing problems.\n- J. Michael Daniel, President and CEO of the non-profit, Cyber Threat Alliance\nCybersecurity has become a team sport. As the threat landscape continues to evolve rapidly, collaborative research and development focused on improving cyber defense, at scale, is of critical importance. That’s why we are proud to be partnering with Center for Threat-Informed Defense to help better protect not just JPMorgan Chase but the communities that we operate in and other institutions.\n- Jason Witty, Global Chief Information Security Officer, JPMorgan Chase\nResearch Partners As top tier participants, Research Partners contribute significant resources to the Center’s R\u0026D program and, indeed, the future direction of threat-informed defense. These organizations have taken a hands-on approach to changing the game on the adversary and improving the state of the art and the state of the practice in threat-informed defense.\nFounder\nFounder\nFounder\nFounder\nFounder\nFounder\nResearch Sponsors Research Sponsors make up the largest segment of the Center's membership and are the backbone of our work. The expertise, staff, and resources Research Sponsors bring to the table is instrumental to advancing the Center's research program in the public interest.\nFounder\nFounder\nNon-Profit Participants Non-Profit Participants are the grass roots of the Center for Threat-Informed Defense. 
Working hand-in-hand, Non-Profit Participants are advocates for the cyber defender and are instrumental to expanding the reach of our work.\nFounder\n","link":"/participants/","tags":null,"title":"Participants","type":"page"},{"banner":null,"categories":null,"contents":"","link":"/stay-informed/","tags":null,"title":"Stay Informed","type":"page"}]