icon-carat-right menu search cmu-wordmark

Automating Reasoning with ATT&CK?

Presentation
This presentation discusses limitations in MITRE's ATT&CK framework and proposes ways to restructure it to be more useful.
Publisher

Software Engineering Institute

Topic or Tag

Abstract

MITRE's ATT&CK framework is popular among computer network defense (CND) practitioners. One goal of ATT&CK is to enumerate adversary tactics and organize them under different strategies. This organization enables defenders to label observed adversary activity with tactics, then heuristically hypothesize what other adversary behaviors are likely, based on how that tactic is related to others in the framework. We evaluated how useful this approach would be. Our evaluation is based on measuring correlation and predictiveness among tactics in case studies curated by MITRE and labeled with ATT&CK tactics. We could not find any reliable relationships between tactics or strategies. We believe this is because the ATT&CK framework removed the structure provided by the diamond model. We will explain why model structure is important and what we might gain by restructuring ATT&CK to better capture temporal and structural relationships.

Part of a Collection

FloCon 2020 Presentations

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.