Blog

CISA RELEASES BEST PRACTICE GUIDANCE TO HELP ORGANIZATIONS MAP ADVERSARY BEHAVIOR TO MITRE ATT&CK FRAMEWORK

Released
Revised

By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Over the last decade, the cybersecurity community has steadily adopted, embraced, and matured the concept of cyber threat intelligence–or CTI–to better support operational and executive decision-making. When optimized, CTI provides the community—from network defenders to C-Suite executives—with timely, accurate, objective, and relevant analysis that creates a better understanding and appreciation of the risks from malicious cyber activity.

Today’s release of the Best Practices for MITRE ATT&CK® Mapping guide supports robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks and data. This guide—developed by CISA in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which worked with the MITRE ATT&CK team—is an example of a successful collaboration by committed partners with a shared mission.

The guide provides analysts detailed step-by-step instruction to best map adversary behavior to the MITRE ATT&CK framework. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is freely open and available to any person or organization in the hopes of bringing communities together to develop more effective cybersecurity.

The MITRE ATT&CK framework can be used to align resources and exchanged across the public and private sectors. Specifically, it provides improved CTI analysis through better, more informed use of the MITRE ATT&CK framework—a robust knowledge base of adversary tactics and techniques based on real-world observations. To that end, the guide includes a recent CISA-FBI Joint Cybersecurity Advisory as an example of how this framework can be used in practice.

The better we understand adversary behavior, the better we are at guarding our systems, networks and data and building increased resilience. By providing clear guidance and examples, Best Practices for MITRE ATT&CK® Mapping shows network defenders how to utilize ATT&CK in both analysis of raw data and finished reporting more fully. This enhanced understanding will improve their ability to proactively detect adversary behavior.

Finally, today’s release takes an important step toward bridging a CTI communications gap that has constrained the cybersecurity community. It is essential for the cyber defense community to rally around a common lexicon of adversary behavior. Such an evolution would be a major step forward, and CISA is proud to be part of this important work.