MITRE Engenuity’s Center for Threat-Informed Defense expands cybersecurity community resources

MITRE Engenuity announced Wednesday that its Center for Threat-Informed Defense (the Center) is releasing two new resources, Mappings Explorer and M3TID, to support the cybersecurity community in implementing threat-informed defense. Built on open-source software, methodologies, and frameworks, with input from 38 Center members, these resources, along with the Center’s other R&D projects, are freely available to cyber defenders through the Center’s website.

Understanding the relationship between security capabilities and adversary behaviors is foundational to threat-informed defense.

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. Its mission is to advance the state of the art and the state of practice in threat-informed defense globally. Composed of participant organizations from around the world with highly sophisticated security teams, the Center builds on MITRE ATT&CK, a foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, the outputs of its research and development are published openly for the benefit of all.

Mappings Explorer is a hub where defenders can explore security capabilities mapped to MITRE ATT&CK, enabling them to understand how specific security controls and capabilities protect against the adversary behaviors cataloged in the ATT&CK knowledge base. These mappings bridge the threat-informed approach to cybersecurity with traditional cyber hygiene, which relies on the deployment of security controls.

Mappings Explorer presents threat and mitigation data in easily accessible and customizable ways. This centralized collection enables threat-informed decision-making by relating real-world cyber threats to corresponding mapped security capabilities.

The resource also consolidates the Center’s collection of open, independently developed mappings between security capabilities and ATT&CK into a central hub that is searchable and customizable. Cyber defenders now have easy access to explore mapped security capabilities, making their defenses more efficient and effective against the threats that matter most to them.
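The practical value of a control-to-technique mapping is that it can be queried: given the ATT&CK techniques a defender cares about, which ones do deployed controls protect against or detect, and where are the gaps? The following Python example (added here for illustration; it is not the Center's code and does not reproduce Mappings Explorer's data format) runs that analysis over a small, constructed set of mappings. The capability names, the "protect/detect/respond" labelling scheme, and the priority technique list are all assumptions made for the example; the technique IDs are real ATT&CK identifiers.

```python
"""Coverage and gap analysis over a constructed control-to-ATT&CK mapping.

Added example, not the Center's code. The mapping records below are made up
for illustration and do not reproduce the Center's published mapping data
or file format; the protect/detect/respond labels are an assumed scheme.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Mapping:
    capability: str     # security control or product feature (constructed name)
    technique_id: str   # ATT&CK technique ID, e.g. T1078 (Valid Accounts)
    function: str       # "protect", "detect" or "respond" (assumed scheme)


# Constructed sample mappings (hypothetical controls in a hypothetical estate).
SAMPLE_MAPPINGS: List[Mapping] = [
    Mapping("MFA for all accounts", "T1078", "protect"),        # Valid Accounts
    Mapping("MFA for all accounts", "T1110", "protect"),        # Brute Force
    Mapping("Account lockout policy", "T1110", "protect"),
    Mapping("Auth log anomaly alerts", "T1078", "detect"),
    Mapping("Auth log anomaly alerts", "T1110", "detect"),
    Mapping("Email attachment sandboxing", "T1566", "detect"),  # Phishing
    Mapping("Script block logging", "T1059", "detect"),         # Cmd/Script Interpreter
    Mapping("Offline immutable backups", "T1486", "respond"),   # Data Encrypted for Impact
]

# Constructed "threats that matter" list, e.g. techniques reported for a
# relevant adversary in the defender's own threat intelligence.
PRIORITY_TECHNIQUES: List[str] = ["T1566", "T1078", "T1059", "T1003", "T1021", "T1486"]


def index_by_technique(mappings: Iterable[Mapping]) -> Dict[str, Dict[str, set]]:
    """technique_id -> function -> set of capabilities mapped to it."""
    idx: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for m in mappings:
        idx[m.technique_id][m.function].add(m.capability)
    return idx


def coverage_report(mappings: Iterable[Mapping],
                    techniques: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """For each technique of interest, list mapped capabilities per function."""
    idx = index_by_technique(mappings)
    report: Dict[str, Dict[str, List[str]]] = {}
    for t in techniques:
        funcs = idx.get(t, {})
        report[t] = {f: sorted(caps) for f, caps in funcs.items()}
    return report


def gaps(mappings: Iterable[Mapping], techniques: Iterable[str],
         required: Tuple[str, ...] = ("protect", "detect")) -> Dict[str, List[str]]:
    """Techniques that lack at least one mapping for every required function.

    A technique with only a 'respond' mapping still shows up as a gap here,
    because nothing prevents or detects it before impact.
    """
    idx = index_by_technique(mappings)
    out: Dict[str, List[str]] = {}
    for t in techniques:
        missing = [f for f in required if not idx.get(t, {}).get(f)]
        if missing:
            out[t] = missing
    return out


def capability_leverage(mappings: Iterable[Mapping]) -> List[Tuple[str, int]]:
    """Distinct techniques each capability addresses, most leverage first."""
    per_cap: Dict[str, set] = defaultdict(set)
    for m in mappings:
        per_cap[m.capability].add(m.technique_id)
    return sorted(((c, len(ts)) for c, ts in per_cap.items()),
                  key=lambda ct: (-ct[1], ct[0]))


if __name__ == "__main__":
    for tech, funcs in coverage_report(SAMPLE_MAPPINGS, PRIORITY_TECHNIQUES).items():
        print(tech, funcs or "NO MAPPED CAPABILITY")
    print("gaps:", gaps(SAMPLE_MAPPINGS, PRIORITY_TECHNIQUES))
    print("leverage:", capability_leverage(SAMPLE_MAPPINGS))
```

The gap function is the piece worth keeping: it turns a mapping collection plus a threat-derived technique list into a ranked list of where to invest next, which is the decision the article describes Mappings Explorer supporting.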

M3TID (short for measure, maximize, and mature threat-informed defense) helps security operations centers (SOCs) determine how well they are leveraging threat information. By using M3TID to understand their current maturity level and identify areas for improvement, organizations can make targeted investments and strategic decisions to strengthen their defenses, whether in cyber threat intelligence, defensive measures, or testing and evaluation.

This resource, combined with the MITRE Engenuity ATT&CK Evaluations of vendors and managed service providers against specific adversaries, gives organizations more objective data on which cybersecurity products and services may best fit their individual needs.

“Through our collaborative R&D program, we’re working with our members’ cybersecurity teams from around the world to advance the state of the art and the state of the practice in threat-informed defense,” Jon Baker, director for the Center for Threat-Informed Defense, said in a media statement. “We aim to improve cyber defense globally by fundamentally shifting the economics of cyber-attacks in favor of the defenders and changing the game on the adversary.”

Beyond these two new tools, the Center also expanded its Sightings Ecosystem. Where MITRE ATT&CK tells defenders what they can look for, the Sightings Ecosystem provides the additional context needed to make informed decisions about how to respond to a threat. For this second round, the Center compiled sightings of adversary behaviors in the wild over two years. Of the 353 unique techniques sighted across 198 countries, the Center analyzed the top 15 techniques and published that analysis free of charge.

MITRE also expanded the Security Stack Mappings, which align MITRE ATT&CK to the security capabilities available in widely used cloud platforms, helping defenders understand and apply those capabilities. The Center has developed mappings for Google Cloud Platform, AWS, and Azure, and will release mappings for M365 by the end of April.

Lastly, the Center broadened the scope of the Insider Threat TTP Knowledge Base, an open knowledge base of the tactics, techniques, and procedures (TTPs) used by insiders in IT environments, which enables SOCs to detect, mitigate, and emulate insider actions on IT systems in order to stop insider threats. Version 2.0 adds a new data source, called Observable Human Indicators, to help identify insiders, and expands the knowledge base with new insider TTPs.

Earlier this month, MITRE announced that its Engage team had introduced new mappings for techniques from the ATT&CK for Mobile and ICS matrices. Defenders can now apply the same process of identifying engagement opportunities from adversary behavior to operations in ICS and mobile environments. The MITRE Engage mappings can be viewed through the Engage Matrix Explorer or in the raw data published on GitHub.
