Automating Reasoning with ATT&CK?
• Presentation
Publisher
Software Engineering Institute
Abstract
MITRE's ATT&CK framework is popular among computer network defense (CND) practitioners. One goal of ATT&CK is to enumerate adversary tactics and organize them under different strategies. This organization enables defenders to label observed adversary activity with tactics, then heuristically hypothesize what other adversary behaviors are likely, based on how that tactic is related to others in the framework. We evaluated how useful this approach would be. Our evaluation is based on measuring correlation and predictiveness among tactics in case studies curated by MITRE and labeled with ATT&CK tactics. We could not find any reliable relationships between tactics or strategies. We believe this is because the ATT&CK framework removed the structure provided by the diamond model. We will explain why model structure is important and what we might gain by restructuring ATT&CK to better capture temporal and structural relationships.
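The measurement the abstract describes, as an added illustration that is not part of the SEI presentation: over a small constructed set of case studies (hypothetical tactic labels, not MITRE's curated data), estimate how well observing one ATT&CK tactic predicts another and how far their co-occurrence departs from independence. The function and variable names are this example's own.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each case study is the set of ATT&CK tactics labelled in it.
# These labels are made up for illustration and are not MITRE's case-study data.
CASE_STUDIES = [
    {"initial-access", "execution", "persistence", "command-and-control"},
    {"initial-access", "execution", "discovery", "lateral-movement", "collection", "exfiltration"},
    {"execution", "defense-evasion", "credential-access", "lateral-movement"},
    {"initial-access", "execution", "persistence", "defense-evasion", "command-and-control"},
    {"discovery", "collection", "exfiltration"},
    {"execution", "persistence", "command-and-control", "impact"},
]

def base_rate(cases, tactic):
    """Fraction of case studies in which the tactic was labelled at all."""
    return sum(tactic in c for c in cases) / len(cases)

def conditional_probability(cases, given, target):
    """P(target labelled | given labelled): the precision of the heuristic
    'we saw `given`, so expect `target`' when applied to these case studies."""
    with_given = [c for c in cases if given in c]
    if not with_given:
        return 0.0
    return sum(target in c for c in with_given) / len(with_given)

def prediction_gain(cases, given, target):
    """How much the heuristic improves on simply guessing the base rate of `target`.
    Near zero means observing `given` tells a defender nothing new about `target`."""
    return conditional_probability(cases, given, target) - base_rate(cases, target)

def lift(cases, a, b):
    """Observed co-occurrence divided by the co-occurrence expected under independence.
    1.0 means no relationship; values well above 1.0 suggest the tactics travel together."""
    p_a, p_b = base_rate(cases, a), base_rate(cases, b)
    if p_a == 0 or p_b == 0:
        return 0.0
    p_ab = sum(a in c and b in c for c in cases) / len(cases)
    return p_ab / (p_a * p_b)

def rank_pairs(cases, min_support=2):
    """Tactic pairs ranked by lift, dropping pairs co-observed fewer than min_support times
    so that a single case study cannot manufacture a 'relationship'."""
    co = Counter()
    for c in cases:
        for a, b in combinations(sorted(c), 2):
            co[(a, b)] += 1
    scored = [(a, b, lift(cases, a, b)) for (a, b), k in co.items() if k >= min_support]
    return sorted(scored, key=lambda t: -t[2])

if __name__ == "__main__":
    for a, b, score in rank_pairs(CASE_STUDIES):
        print(f"{a:>20} -> {b:<20} lift={score:.2f}  gain={prediction_gain(CASE_STUDIES, a, b):+.2f}")
```

With real case-study labels, the same two numbers (conditional probability against base rate, and lift against 1.0) are what a defender would inspect before trusting a tactic-to-tactic heuristic.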
Part of a Collection
FloCon 2020 Presentations
This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.