Informing Defense with Adversary Sightings


Sophisticated threats dominate information security headlines. MITRE ATT&CK® for enterprise includes over 560 unique adversary behaviors seen in the wild. Cyber defenders cannot focus on all of these threats at once, and defending against this huge number of observed attacks is further complicated by the fact that both our IT environments and the threats against them are continually changing. Defenders need data to drive prioritization and to understand how adversaries are evolving.

Our vision is to establish an ecosystem in which security teams, vendors, ISACs/ISAOs, and governments share when they see adversaries use specific behaviors — sightings of ATT&CK techniques — to give defenders unprecedented visibility into what adversaries are actually doing in the wild.

To establish this Sightings Ecosystem, the Center for Threat-Informed Defense (Center), in collaboration with participants including AttackIQ, Inc., Fortinet, Inc.’s FortiGuard Labs, The Global Cyber Alliance, and Verizon Business Services, collected and analyzed sightings of adversary behaviors in the wild. This analysis presents a clear look at the most commonly observed adversary behaviors and provides a roadmap for developing threat-informed defenses. We also packaged our methodology and tools and are releasing them alongside the report so organizations can perform similar analysis to develop a threat-informed defense specific to their organization.

With data contributions from ConnectWise Cyber Research Unit, FirstEnergy Corp, Red Canary, and others, we were able to collect over 6 million sightings of adversary behavior. After normalizing the data and narrowing our scope to April 2019 through July 2021, we were left with 1.1 million observed techniques. Many of the findings confirmed what we knew or suspected about adversary behaviors, but it was comforting to have the data to back them up. Below is our list of the top 15 most commonly observed techniques. We focused on the top 15 because those techniques made up 90 percent of all techniques in our dataset.
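The analysis outlined above (normalize the sightings, narrow them to a date window, count techniques, and find how many of the most common ones account for 90 percent of everything observed) as an added Python example. This is not the Center's released methodology or tooling: the sighting records, technique IDs, counts and date window are constructed for illustration, and because the post does not describe the normalization the Center applied, this version only canonicalizes technique IDs and drops malformed ones.

```python
"""Frequency-and-coverage analysis over ATT&CK technique sightings.

Added example, not the Center's tooling. All input records below are
constructed; a real run would read an export from a SIEM or EDR.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Technique IDs look like T1059 or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def make_sightings(technique, n, start):
    """Construct n sightings of one technique on consecutive days (sample data)."""
    return [(technique, start + timedelta(days=i)) for i in range(n)]


# Constructed sample dataset; in-window counts are chosen to total 100.
SAMPLE_SIGHTINGS = (
    make_sightings("t1059.001", 40, date(2020, 1, 1))    # lowercase on purpose
    + make_sightings("T1053.005", 25, date(2020, 3, 1))
    + make_sightings(" T1027 ", 15, date(2020, 6, 1))     # stray whitespace
    + make_sightings("T1105", 10, date(2020, 9, 1))
    + make_sightings("T1566.001", 5, date(2021, 1, 1))
    + make_sightings("T1003.001", 3, date(2021, 4, 1))
    + make_sightings("T1021.001", 2, date(2021, 7, 1))
    + [("T1059.001", date(2019, 3, 15)),        # before the window
       ("T1059.001", date(2021, 8, 2)),         # after the window
       ("not-a-technique", date(2020, 5, 5))]   # malformed ID, dropped
)

# Assumed analysis window (the post's April 2019 to July 2021 scope).
WINDOW_START = date(2019, 4, 1)
WINDOW_END = date(2021, 7, 31)


def normalize(sightings):
    """Canonicalize technique IDs (trim, uppercase) and drop malformed ones."""
    out = []
    for raw_id, observed in sightings:
        tid = raw_id.strip().upper()
        if TECHNIQUE_ID.match(tid):
            out.append((tid, observed))
    return out


def in_window(sightings, start=WINDOW_START, end=WINDOW_END):
    """Keep sightings whose observation date falls inside [start, end]."""
    return [(t, d) for t, d in sightings if start <= d <= end]


def technique_counts(sightings):
    """Count sightings per technique ID."""
    return Counter(t for t, _ in sightings)


def techniques_for_coverage(counts, target=0.90):
    """Smallest set of most-frequent techniques whose share reaches `target`.

    Returns (technique, count, cumulative_share) tuples, most frequent first.
    """
    total = sum(counts.values())
    if total == 0:
        return []
    running = 0
    result = []
    for tid, n in counts.most_common():
        running += n
        share = running / total
        result.append((tid, n, share))
        if share >= target:
            break
    return result


def analyze(sightings=SAMPLE_SIGHTINGS, target=0.90):
    """Full pipeline: normalize -> scope to window -> count -> coverage cutoff."""
    scoped = in_window(normalize(sightings))
    return techniques_for_coverage(technique_counts(scoped), target)


if __name__ == "__main__":
    for tid, n, share in analyze():
        print(f"{tid:<10} {n:>4}  cumulative {share:.0%}")
```

On the constructed data, four techniques reach the 90 percent cutoff; the point of the cutoff is that the prioritized list is driven by the sightings themselves rather than by a fixed top-N chosen in advance.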

Read full post:

https://medium.com/mitre-engenuity/informing-defense-with-adversary-sightings-3d54fe39290