In November 2019, a group of cybersecurity researchers founded a non-profit agency to offer free solutions to defenders for a wide range of problems.
Just over two years later the Center for Threat Informed Defense has issued its first report card to boast of 13 projects available for advanced cybersecurity teams.
- mapping of the National Institute for Standards and Technology (NIST) to the MITRE ATT&CK knowledge base of adversary tactics and techniques. This helps defenders find ways to fight tactics seen in their environments;
- a plan that maps the MITRE ATT&CK framework to specific attacks seen against containers;
- plans that emulate the attack strategies of the FIN6 and menuPass threat groups. This helps red teams figure out if their defences can meet attacks from these particular groups;
- and maps of how security controls in Microsoft Azure and Amazon AWS can best be used against threat actors
The center is operated by MITRE Engenuity, a subsidiary of MITRE Corp., which manages several U.S. federally-funded research centers. MITRE Engenuity is a foundation that collaborates with the private sector on issues in cybersecurity, infrastructure resilience, healthcare effectiveness, microelectronics, quantum sensing, and next-generation communications.
In an interview, Jonathan Baker, the center’s co-founder and director of research and development, said its goal is to help sophisticated security teams of security vendors and service providers collaborate on cybersecurity research programs and publish solutions.
Founded with the support of 13 organizations, the membership has grown to 30, including IBM Security, Microsoft, Google, Crowdstrike, the Bank of America, Citi Bank, JP Morgan Chase, and the Center for Internet Security.
Many have been working privately on the same problems, he said, so their work previously wouldn’t have been shared.
Arguably one of the most valuable projects is the mapping of NIST controls to the MITRE ATT&CK framework. It’s been downloaded almost 7,000 times since it was released, Baker said.
“Typically our resources to date have focused on helping organizations understand how security capabilities available to them can be used to defend against threats they care about,” Baker said.
For example, one member asked how the centre could help it better understand the security controls of Azure. That led to the Azure-ATT&CK mapping project.
“As we dug into it, what we found was it wasn’t easy to understand how these security capabilities could defend against a given attack technique. It takes a fair amount of resources and analysts to dig in and understand,” Baker noted. “So we developed a methodology and approach for examining the security capabilities to a platform, describing how they can help you mitigate techniques in the ATT&CK knowledge base. That organization now has part of their problem solved. They could see how the capabilities in Azure could help them. They then had to decide what other capabilities might they want to procure or develop on their own.”
The emulation library includes projects for a number of threat groups, Baker said. “We study open intelligence sources, put together a plan that describes how a particular adversary works — what are their goals, how they work to achieve the goals, how they move laterally, how they achieve persistence, what tools to they use to steal data, how they do exfiltrations — which a red team could use as faithfully as possible to emulate how a threat actor would work. That allows them to test their defences against a particular threat.”
At the core of the center’s work is the belief that defenders need to increasingly understand adversaries and focus on their behaviour rather than what Baker called “lower-level variables” like indicators of compromise.
“Orient defensive capabilities around the behaviour [of adversaries] to help build more resilient defences,” he advised.
There are so many great cybersecurity teams and individuals, he added, who lack incentives to collaborate to have more impact than they do separately. The centre hopes to be one of the places they can do that.
Now that the center has some work rhythm, Baker said, it hopes to publish 10 to 15 projects a year.