Jeff Man 0:02
Welcome to this edition of Security and Compliance Weekly. We’re going on the ATT&CK today. MITRE ATT&CK, that is, and to help us in our journey, we are joined today by Richard Struse. He is the founding director of the Center for Threat Informed Defense at MITRE. Wait, we’re talking ATT&CK, but we’re defending, I might be a little confused. Good thing he’s here to help us. So join us as we figure it all out today, and as we continue on our journey of tearing down silos and building bridges, all of this on Security and Compliance Weekly.
This is a Security Weekly Production. And now, it’s the show that bridges the requirements of regulations compliance and privacy with those of security, your trusted source for complying with various mandates, building effective programs and current compliance news. It’s time for Security and Compliance Weekly.
Jeff Man 1:06
Welcome to episode number 71 of Security and Compliance Weekly recorded on April 27 2021. And where I’m living, it’s the first day of the year that we’re going to hit 80 degrees. So I’m looking forward to getting outside later. I’m of course, your host, Mr. Jeff Man, and joining me today as my illustrious co-hosts are Mr. Frederick “Flee” Lee, Mr. Josh Marpet. And Mr. Scott Lyons. Gentlemen, welcome.
Scott Lyons 1:33
Hey, you know, before we get moving, you know, we recently had a death that shook the entire information security community with somebody that had a very big impact in the way that we do things and the way the internet runs. So, yeah, just want to put that out there. So it’s very solemn. It’s a very solemn episode for us.
Jeff Man 1:57
It is solemn, and it’s, I feel like we’ve been having these types of solemn episodes too frequently recently. And we will certainly provide more complete coverage to the recent passing in case anybody hasn’t heard Dan Kaminsky passed away over the weekend. We’re definitely going to provide coverage on that probably on the news segment and Pauls Security Weekly this week.
But as far as other announcements go, Security Weekly listeners can save $100 on their RSA Conference 2021 all-access pass. The RSA Conference is going to be fully virtual again this year and it’s from May 17th – May 20th. And Security Weekly will be live streaming Monday through Thursday in the virtual broadcast alley. We’re going to be interviewing some of the top sponsors as well as some of the RSA speakers. And to register using the discount code to get the $100 off, go to securityweekly.com/RSAC2021 and use the code, here we go, 5U1CYBER! – or as we like to say, bang. We hope to see you there. Also, if you want to stay in the loop on all things Security Weekly, visit securityweekly.com/subscribe to subscribe on your favorite podcast catcher, subscribe on the YouTube channel, sign up for our mailing list, join our Discord server and/or follow us on our newest live streaming platform, Twitch. Alrighty.
As I mentioned in the tag we are joined today by Mr. Richard Struse. He is the founder and director of the Center for Threat Informed Defense. He’s been at MITRE for a few years of course, I will introduce him and let him tell us all about himself. So without further ado, Richard, welcome to Security and Compliance Weekly.
Richard Struse 4:02
Well, thanks for having me. I’m super excited to talk to all of you today.
Jeff Man 4:08
Well, we are super excited to hear what you have to say and to tell us all about MITRE ATT&CK and probably a little bit about your, your center for, um, I left my notes, the thing about defense. And to start off, you know, just tell us a little bit about yourself, your background, how you ended up, first of all, being at MITRE, maybe tell us a little bit about MITRE too, and how you ended up starting your center and getting involved in MITRE ATT&CK.
Richard Struse 4:38
Yeah, so I think the arc of the story is as follows. I, you know, I spent most of my career as a technology entrepreneur, developing software. And about 11 or 12 years ago, I wound up deciding to try to give back and went to work for the US government, in particular at the Department of Homeland Security, and within a short time period I became the chief technology officer for cybersecurity operations at DHS, which was known as the NCCIC at the time. In that role, I’m probably best known as the person who saw a need for sharing real-time cyber threat intelligence and led the creation of the STIX and TAXII cyber threat intelligence standards, which are now OASIS standards. And my work at DHS is actually the thing that I think sort of crystallized so much of what I do today. I spent so much time in contexts where there was a lot of excitement and interest, and technical people who saw problems and wanted to solve them. But it was really, really difficult to have effective and meaningful collaboration; the mechanics of collaboration are often too difficult, the friction was too great. And so when I moved to MITRE in 2017, I immediately set out to work to solve that problem. And the co-founder of the center, John Baker, and myself really got to work to create an environment where we could actually do research and development with the private sector on a repeatable and scalable basis. And so that’s the Center for Threat Informed Defense, which we announced in November and launched in 2019. So my path has been one of going from not really being in cybersecurity at all, to being in cybersecurity, to now really being in the business of helping people collaborate effectively in the domain of cybersecurity. And, you know, at MITRE, the big news in cybersecurity in the last few years has been the ATT&CK knowledge base. And so, you know, that has been kind of a revolution, I think, at least in certain parts of the security landscape.
And while I can lay no claim whatsoever to the creation of ATT&CK, you know, that’s a great team of people who worked on that over the years, and it is currently led by Adam Pennington. It’s really formed the foundation of really everything we do at MITRE with respect to cybersecurity.
Jeff Man 7:25
Interesting. So you’re coming to the party at MITRE a little bit, you know, some years after the formation of ATT&CK, and you’ve set up the Center for Informed Threat Defense. I mean, do you have a lot of overlap? I mean, do you have a lot of interaction on a daily basis between what you’re doing and the MITRE ATT&CK framework?
Richard Struse 7:50
Oh, absolutely. So, you know, let me step back and actually answer a question you asked a couple minutes ago. So for your listeners who are not familiar with MITRE, MITRE is a 63, almost 64 year old nonprofit corporation that operates federally funded research and development centers. And people are probably aware of MITRE as the original creator and operator of CVE, Common Vulnerabilities and Exposures. But MITRE, you know, exists to solve federal government problems. It exists to work with federal government departments and agencies to identify critical technical problems to solve and then work to solve them in a non-commercial, non-competitive manner. But MITRE is really all about dealing with the government. And so a couple of years ago, in 2019, MITRE created MITRE Engenuity, which is a nonprofit foundation, a technology foundation, which shares MITRE’s mission but is really focused on working with the global private sector, because the problems we face are bigger than any single country or sector or company. So the Center for Threat Informed Defense is an entity, or is an initiative, within MITRE Engenuity, so they work through transfers,
Josh Marpet 9:18
sorry, like, a sipper? Does that do the technology transfer pieces? Is that what that does?
Richard Struse 9:23
In part. You know, there’s a technology transfer aspect. Really, MITRE Engenuity has a number of different focus areas, not just cyber, including healthcare and 5G and getting into semiconductors. But yeah, I mean, so you can look at it a little bit as a silver kind of thing, but it’s also about providing the mechanism. So to get back to the original question of ATT&CK: ATT&CK lives within MITRE. It’s curated by the MITRE ATT&CK team, led by Adam Pennington, with a great group of researchers. Our role here in MITRE Engenuity, in the center, is to take that work and try to make it as relevant and build on it as much as possible. So one of the things I’m sure we’ll touch on later is the mapping work that we’ve done and are doing around ATT&CK. And we see that as sort of filling some of those gaps in the ecosystem that MITRE by itself can’t fill.
Jeff Man 10:25
So before we get too far out in front of our skis, I do need to ask you, you know, because we’re a show that features compliance as much as security and tries to explore the misconceptions and misunderstandings between the two worlds of security and compliance, and really tries to foster understanding between the two, we’d like to ask all of our guests what we call the hot seat question, which is simply, and I put the question to you: where do you kind of fall on what we like to call the security versus compliance continuum?
Richard Struse 11:04
Josh Marpet 11:06
Good. Answer. Yeah. Well done, sir. Well done. I say again, sir. Well, done.
Scott Lyons 11:18
Richard Struse 11:22
I, I sometimes get frustrated that I think, in particular in the cybersecurity community, we seem to think that there is a shortage of battles to be fought. The last time I checked, there is no shortage. You know, I commented on something a few weeks ago on LinkedIn, it’s like, you know, we have enough adversaries, can we stop arguing and just, you know, focus on the adversaries that we face? But I think it’s a perfectly reasonable question. And I guess, as I look at it, it’s really hard to imagine how you have security without somehow demonstrating compliance. That is, you know, you can’t manage what you don’t measure. So the formalism of, you know, establishing sort of baseline requirements, whether they’re in security or outside of security, and then building the organizational muscle memory for what it means to, ideally, efficiently and effectively demonstrate compliance with whatever criteria you choose to be compliant with or you’re mandated to be compliant with, I think that dovetails perfectly with security. Because if we don’t have some sort of quantifiable metrics, if we don’t have some goalposts, how do we know that we’re doing enough? How do we know if we’re doing too much? How do we know if we’re putting our resources in the right place? And when we get into talking about ATT&CK in a few minutes, one of the key things I think that ATT&CK is good at is helping people sort of prioritize and understand if they are in fact focusing on the right problem. So I really think it’s a bit of a cop-out answer, but I really do think you can’t have one without the other. It’s really hard to imagine how you could convince someone that you’re really doing a great job in security if you have none of the elements of a compliance program.
Scott Lyons 13:30
So that’s a great answer, and I absolutely love it. And thank you for being on the show with us today. There are industry experts, and there are non-industry experts, that state that the US is woefully unprepared when it comes to the cyber battlespace, and that we need to upgrade not only our defenses, but our methodologies as well as the standards that we do things by. How is the ATT&CK framework that MITRE has put out helping to further the mission of defense against state-sponsored attacks or even corporate espionage?
Richard Struse 14:12
Well, you take ATT&CK and you grind it into a fine powder and then you sprinkle it over your security infrastructure and…
Josh Marpet 14:22
350 degrees according to the men wall.
Richard Struse 14:27
So I think, if I may, let me just, to help your listeners who may not be as familiar with ATT&CK, understand that what we’re talking about when we talk about ATT&CK is a curated knowledge base of publicly reported intelligence on adversary tradecraft and technology. So, you know, ATT&CK is about defining what are the adversary’s goals, their technical goals, not their strategic goals, not, you know, they want to steal a lot of money or they want to destabilize the government, but what are their actual technical goals: I want to achieve persistence, I want to escalate privileges, I want to move laterally, I want to exfiltrate, I want to, you know, encrypt files for a ransomware attack. And then within each of those categories, or tactics, we have specific techniques that adversary groups have been publicly reported to use to achieve that technical goal. So it’s very much a way of looking at adversary behavior. And, you know, so as we think about the challenges we face, you know, in the country, but this is really, I don’t think, specific to the US, you know, there’s such a range of ways that adversaries attack us and successfully achieve their objectives. You know, they only have to be successful once; we have to be successful 100% of the time. But ATT&CK, I think, is a way of, if you understand the adversaries that are facing you, if you start to build out that threat model, you can then use ATT&CK, which is freely available to anyone in the world who wants to use it at attack.mitre.org. You can use that to then understand, okay, if these are the kinds of adversaries that are attacking my organization, or I believe are attacking or targeting my organization, then here is the tradecraft that they’ve been reported to have used in the past, and therefore, lacking any other intelligence about where to start, that’s a good place to start.
Jeff Man 16:47
Yeah, I have to interject very quickly that, you know, I’ve known about MITRE as an organization probably since, my god, times back in the 80s. I’ve known several people that have worked not just in cybersecurity at MITRE, because they do think tank stuff for other departments of the government.
Josh Marpet 17:05
Jeff, was that when the rocks were soft and the dirt was young?
Jeff Man 17:08
Yeah, and I used to ride my dinosaur to work.
Scott Lyons 17:13
Hey, don’t knock the T Rex, bro.
Jeff Man 17:15
Thinking of MITRE, or knowing what I know of MITRE as being, you know, very, you know, kind of, and this is just my perception I guess, you know, a very Brainiac organization, you know, a think tank, bringing the best and the brightest to solve the hardest problems, you know, tending to be a little bit nerdy, geeky, twitchy sometimes, and then lay the government role over top of that, especially classified projects and things like that. All that to say, it’s very refreshing, because you come from private industry first and are only recently indoctrinated into MITRE. The caliber of some of your responses so far has been very refreshing. I attribute that to the fact that you haven’t been at MITRE too long. So keep it up, keep going. It’s been fun. People are enjoying it on the Discord.
Richard Struse 18:06
I’m sure my mind, I love that. What I’d say though is, you know, the great thing about MITRE is, it really is a rare beast, in that while most of the work that MITRE does is focused on the federal government, we also have the ability to carve out small research projects. And that’s actually how ATT&CK started, back around 2012. And, like strong gender where I was born and a couple of other people got together and were trying to solve an operational problem that MITRE had at one of their sites, which was trying to understand, frankly, the movements of adversaries, and could they detect and how could they even reason about adversary behavior. And that led to the organic development, you know, someone fired up Excel one day and, you know, they started putting stuff into rows and columns, and the next thing you know, ATT&CK was born. Fast forward to 2015, and a really, I think, wise decision was made to make this work publicly available. Again, this is MITRE internal research; it’s not government information at all. And when it was opened up in 2015, MITRE is not known for its world-class marketing, but word of mouth spread. By the time I arrived at MITRE in 2017, ATT&CK was already a growing phenomenon, a rapidly growing phenomenon, simply based on the quality of the work, the quality, the thoughtfulness of the team that was curating the ATT&CK contributions. And just to be clear, the data in ATT&CK, the knowledge in ATT&CK, is actually contributed largely now by external entities. You know, the ATT&CK team then correlates that information, makes sure that it sort of stands up, but everything in ATT&CK, we footnote all our work, so you can go and check our homework. So it’s a really great body of work, again, an internal research project at MITRE. Now the Center for Threat Informed Defense is helping sustain that.
And that’s why, you know, we’re really excited about the kinds of additional resources that we’re able to bring to the community, like the mappings that I’m sure we’re going to talk about, because, yeah, ATT&CK by itself is super useful for people with the resources and sophistication. But for somebody who’s just trying to answer a simple question of, am I good enough? Am I compliant enough? You know, do I have a control that mitigates this particular kind of behavior? It can be kind of hard to do that. So we’re trying to make that easier.
No, I love the direction that ATT&CK has been going in. Richard, I got curious because, I mean, it feels like MITRE ATT&CK is now almost like a de facto standard slash benchmark, and we’re seeing a lot of people in the industry build this into their tools. I’m actually kind of curious, like, you know, what you would like to see from the private sector with regard to, you know, utilization of the ATT&CK framework? And also, what do you think about them also contributing back? And I love the fact that now MITRE is really being a little bit more prominent in getting the industry involved. I, you know, it’s phenomenal now that you’re seeing people that were formerly competitors, with difficulty collaborating, now collaborating to make, you know, some fundamentally just basic security standards.
Richard Struse 21:38
Yeah, no, that’s great. Yeah, thanks. I mean, what, you know, MITRE Engenuity plays this interesting role. You know, we’re not government, but we’re also not competing against the, you know, the commercial entities out there in any particular way. And that allows us to be agile; it allows us to be really innovative. But at the same time, we can be that sort of agreed-to common language for describing, whether it’s adversary behavior, we have some work that’s going on now in the deception space, to help people sort of bring some order to that landscape. And I think that’s the thing that, you know, both the vendors and customers really appreciate, is that they can come to MITRE, look at ATT&CK and the resources in ATT&CK, and all speak the same language. And it sounds so simple, but it is actually a really big deal that we have a consistent way of referring to terminology, with vendors now mapping their products and their capabilities to ATT&CK. So they’ll give you a stoplight chart of what they have, what they protect against, what they can detect. And then my colleague Frank Duff, in MITRE Engenuity, has the MITRE ATT&CK Evaluations program, where vendors come, and Frank and his team, you know, basically red team their products in a test environment, and they release the results for everyone to see. And they just released those results last week. Really, really interesting, to sort of level the playing field there with information.
I love that y’all are doing that. And this is like a, you know, a shout out, I think, to MITRE in general. I think it’s one of the things that a lot of people aren’t aware of, like MITRE, at least in my experience, also kind of functions as almost like an Underwriters Lab, letting me go and actually test out products and effectively giving an unbiased opinion. You know, on my side, I went through that with static analysis. And I’m actually kind of curious, like, how are vendors responding to having these assessments done by MITRE and the results published, you know, literally, just publicly?
Richard Struse 23:53
Well, first of all, you know, if you were tracking last week, you know, every vendor came out and claimed they won. You know, the interesting thing is, ATT&CK Evaluations doesn’t rank or score or declare winners or losers; they just do the evaluations and they do a really, really good job of documenting everything they’ve done, and then making every last bit of that information available to the public. So the vendors, I think, ultimately welcome the fact that there’s a common way of looking at the landscape, and instead of trying to convince your customers and explain to your customers half of what’s going on, you know, the vendors can start to come into an environment that’s already sort of ATT&CK-knowledgeable, knowing that they already know enough. So you can just very quickly say, we do this, this, this, this, and this in the matrix. So I think it makes it actually easier for the vendors, and frankly, you know, the vendors who have good technology and bright people, they don’t fear having the information out there about how they’ve done in an objective test. I think they welcome that. And honestly, what we’ve seen, and again, this is my colleague Frank Duff’s program, not mine, but we’ve seen vendors really, you know, when they don’t do well in a particular part of the evaluation, they very quickly address that. You know, that’s the great thing about it being, you know, evidence-based; you know, they really can’t hide behind too much. So we’ve seen the vendors really up their game in a lot of different areas. I think Frank has written about that some, that we’re seeing the vendors step up.
So when the vendors get real clear feedback about their products, the customers win, because they get better products to choose from. They also have an information resource now that allows them to, you know, differentiate between, you know, if you really care about lateral movement, you know, you can look at a product suite and say, is that good at lateral movement detection? And, yeah, so it’s really been exciting to see how that has evolved. The other thing that we’re doing in MITRE Engenuity is our MITRE ATT&CK Defender program, which was just recently launched about a month and a half ago, which is really to try to democratize access to high quality threat-informed defense-related training, and then skills assessment. So it’s using a fundamentally different model to really lower and eliminate as many barriers as possible to people gaining expertise in the use of ATT&CK and related areas, and then demonstrating their proficiency. So we kind of see it as a three-legged stool: you have MITRE ATT&CK Defender, helping people get smart about all things threat-informed defense; you have ATT&CK Evaluations, that’s focused on bringing objective data about how products actually perform; and then my organization, the Center for Threat Informed Defense, is really trying to, you know, identify either gaps in the state of the art or the state of the practice, and then develop impactful research and development projects to fill those gaps.
That third leg, I’m actually kind of curious, Richard, like, on the Engenuity side, are you seeing, you know, adversaries adjusting based on things that, you know, are being listed in the ATT&CK framework, saying, okay, now this is public knowledge, these tactics are, you know, burned? Are you actually seeing attackers now, you know, effectively reacting to the fact that ATT&CK is now a well-adopted framework?
Josh Marpet 27:47
Yeah, adapting to that.
Richard Struse 27:49
Yeah. So great, great question. And the answer is not yet. And the reason I say yet is we just launched and started publicly talking about a project we call our sightings ecosystem in the center, which is about collecting voluntary contributions of telemetry data, that is, you know, I saw technique 1-2-3-4 from the ATT&CK matrix in my environment at timestamp time, sending that to us; we anonymize it, we normalize it and put that in a giant data set to start to be able to look at, you know, relative frequency of different ATT&CK techniques, co-occurrence of techniques, either as a set or in sequence. And then look at how that data set changes over geography, over targeted sector and over time. So that work is just beginning, building on a pilot that MITRE had run for the last couple of years. But I really am hopeful because I think, in maybe the next three to six months, we’re going to start to have the ability to answer that question, the ability to see if we are having an impact on the adversary. Because ultimately, if we don’t impose costs on the adversary, if we don’t make it more difficult and more expensive for them to do what they’re doing, why do we think they’re going to do anything different? You know, so I’m really excited about what that sightings ecosystem will be able to tell us. You know, at DHS we were talking about shared situational awareness, which means many things to many people, but to my mind, having an awareness, and a shared awareness, of what adversaries are doing, what’s trending, what’s falling off, how adversaries attack different industries or different geographies differently, I think it’s going to be really helpful data for defenders to use to help prioritize, you know, where they should be putting their security investments.
Josh Marpet 29:51
Richard, some of the people on Discord are joking, and not joking, about how security and compliance is still, like, you know, at the different levels of maturity. I think we’ve got it as one, no budget, no people; two, one person, no budget; it goes all the way up to four, team, still no training; and then five, effective. I mean, they’re joking, but STIX and TAXII are amazing. Don’t get me wrong, big fan, but only for a team that can actually take advantage of them. Okay, what do they do? And what’s coming down the pike, if you will, for the small to medium, for the company that doesn’t have a team that can take advantage of that kind of thing? Does that make sense?
Richard Struse 30:32
Oh, absolutely. I mean, you know, threat intelligence, you know, direct use of ATT&CK, you know, quite frankly, is a rich man’s game. You know, it’s for those organizations that have the resources and the expertise and the time in the day to actually focus on those things. And that’s a problem. I mean, that’s not to say that organizations, and those are all, you know, the center members, we have 25 private sector organizations that are members, and they’re all exactly those kinds of sophisticated, well-resourced entities. But if that’s all we help, you know, we’re missing the boat, which is why the center’s research and development we make freely available to the world, just like ATT&CK makes everything available to the world. But in terms of actually applying it, that’s where we look to the vendor community, we look to NGOs, you know, whether it’s Global Cyber Alliance, Cyber Threat Alliance, Center for Internet Security, they’ve been great partners with us, and the ISACs and ISAOs. But ultimately, I think, you know, the solution for 95% of businesses, they’re never going to know what STIX and TAXII are, they’re never going to know a bit about ATT&CK. But that doesn’t mean we shouldn’t make sure that all of those technologies and all of that knowledge, we should do everything possible to make sure that’s baked into whatever solutions they use, however, you know, so they’re blissfully ignorant but being protected by that work.
Josh Marpet 32:06
Transparency. So basically, make it transparent to them, but make it so that they are protected, even if they don’t know it.
Richard Struse 32:12
Right. I mean, we don’t expect people to become mechanics to drive a car, right? But we kind of expect that to safely and securely operate any kind of non-trivial computer environment.
Josh Marpet 32:23
Totally makes sense. I respect that.
Jeff Man 32:26
Hey, we need to take a break. But before we do, could you expound, just for the benefit of those who may not be aware of certain acronyms, very briefly, Richard, or even Josh, since you brought it up: what are STIX and TAXII?
Richard Struse 32:47
Ah, well, TAXII is back there. See? STIX and TAXII…
Jeff Man 32:54
Trust me, the first 10 minutes of discord people were talking about your license plate and it just went off…
Josh Marpet 33:01
the knots Butch and the license plate and yeah.
Richard Struse 33:04
You know how many license plates I had to steal to make that? So no, I didn’t steal any license.
If only you had the website that someone just shared.
Scott Lyons 33:13
Would you say that you were working as threat actor?
Richard Struse 33:16
Anyway, what are STIX and TAXII? So STIX and TAXII are technical standards, now governed by OASIS in the Cyber Threat Intelligence Technical Committee, which I have the honor of co-chairing along with my colleague Trey Darley. They are technical standards for the representation and transfer of actionable threat intelligence, so indicators of compromise, you know, information about threat actors and campaigns, TTPs. STIX is the data representation, so how you describe those things, and TAXII is a communications protocol riding on top of HTTPS that allows entities to exchange that information. For example, all of the STIX... STIX?... all of the ATT&CK knowledge base is represented in an underlying STIX representation. And if you go to the ATT&CK GitHub site, you can actually, you know, get that STIX 2 JSON. And MITRE actually operates a TAXII server that people use from around the world to get access to it. So they’re really just plumbing, I mean, important plumbing, but again, most of humanity should never know what they are. But they’re important plumbing to get, you know, seamless, the goal is seamless, multi-vendor interoperability. So if I have threat intelligence and I want to send it to you, we just exchange it, as opposed to worrying about formats and, you know, either the syntax or semantics of the underlying data. That’s all taken care of with the STIX and TAXII standards.
Jeff Man 34:51
Okay, great. All right. So we’ll take a quick break, we’ll come back and, as Richard alluded to a couple of times, we’ll sort of dig in a little bit to the mechanics of ATT&CK: what is it? What does it look like? How does it work? And we’ll hopefully explore further the way it impacts and can impact security and compliance. So, take a quick break. We’ll be right back.