How ATT&CK® Grows and Evolves


Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
>> Welcome to the 8th and final lesson of Module 1: How ATT&CK grows and evolves. In this lesson, we will explore how and why ATT&CK changes over time, recognize how to track and monitor these changes, and finally, identify how to access previous versions of ATT&CK.

Adversaries, malware, and their behaviors evolve every day, and to keep up with this, ATT&CK is very much a living framework. Techniques, groups, software, and the various objects within ATT&CK were all designed to evolve and grow over time, as the need to add, deprecate, or even enhance content is very much needed. The MITRE ATT&CK team has continuous processes for vetting and modifying ATT&CK content, including keeping up with publicly available cyber threat intelligence and making appropriate changes to techniques and sub-techniques, as well as their mappings to groups and software.

To highlight this growth, let's take a look at one of the first matrices produced by the ATT&CK team. This is the enterprise matrix from around 2014. As you can see, this matrix only has eight tactics and around 60 techniques. Compare that to the most recent version of ATT&CK, version 8, where the enterprise matrix has 14 tactics and over 500 combined techniques and sub-techniques. This may seem like a lot of growth, but think about how many hash values, IP addresses, domain names, and other artifacts have been produced by adversaries since 2014.

ATT&CK is typically updated twice a year, and there are various ways you can track these changes. The first of which is updates and modifications to the STIX content hosted in this MITRE CTI GitHub repository. This STIX content is what populates the ATT&CK website. But you can also see these changes in the update logs hosted on the site, which will include descriptions and notes for each release.

While ATT&CK continues to grow and evolve over time, there may come a need to access previous versions of ATT&CK. Versions dating back to version 3 are still hosted on the website.

While the ATT&CK team does a lot of work to grow and evolve ATT&CK, we really do depend on the community to keep ATT&CK growing. Contributor guidance as well as examples are available on the site, and definitely feel free to reach out to attack@mitre.org with any ideas or intelligence that can be used to grow and enhance the model.

With that, we've reached the end of Lesson 8. In our knowledge check, complete the following sentence: "ATT&CK is..." Please pause the video and take a second to select the correct answer before proceeding.

As much as I would love to say ATT&CK is perfect, the correct answer is C: ATT&CK is constantly evolving over time, and anyone can submit a contribution.

In summary, ATT&CK grows to keep up with the evolution of threats and adversaries, and these changes can be monitored through updates to the STIX content or updates tracked in our logs on the site. Finally, previous versions of ATT&CK are still hosted on our site going back to version 3.

With that, we've reached the end of Module 1. In summary, ATT&CK was created based on the need to understand and adapt to our adversaries, and it captures the TTPs of real-world adversary behaviors and maps these TTPs to the groups and software which execute these behaviors. I definitely recommend visiting our site, attack.mitre.org, to get a hands-on feel for ATT&CK and all the information captured. But for more great information, check out our Design and Philosophy paper as well as our Getting Started Guide.