MITRE crowdsourcing analytics to bolster cybersecurity

Threat detection and response has historically been more reactive than proactive, but a MITRE engineer explains how sharing threat intelligence within a trusted community can bolster security programs.
By Jessica Davis
02:08 PM

Sample code of ATT&CK from Mitre. Credit: Mitre

Threat detection and response has historically been more reactive than proactive. Organizations often wait until suspicious activity occurs on a system before looking for bad actors, and intrusions are commonly difficult to detect.

While perimeter security is crucial, in this era of highly sophisticated cyberattacks it is no longer enough. To that end, MITRE has been partnering with the National Health Information Sharing and Analysis Center (NH-ISAC) to research cyberthreat tactics and share the results with hospitals and communities through its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) analytics method.


“Healthcare is one of the first examples of a sector or group doing this crowdsourcing approach to developing analytics,” said Julie Connolly, principal cybersecurity engineer for MITRE. “We have different ways to engage the community and we put the framework out there. It takes time, but it’s been very successful.” 

ATT&CK is really two things: a framework for organizations trying to characterize adversary behavior across the different phases of the adversary's lifecycle, and a knowledge base of threats, said Connolly.

The framework is an orienting tool that helps an organization map out its network and prioritize its defense strategy, explained Connolly. It is also a framework for threats as they are being developed, providing the structure and context needed to implement a defense and mitigation strategy.


“It’s a proactive method to fill in the gaps,” she said. To that end, MITRE has documented how attacks come about and characterized the threats, said Connolly. “It’s a growing repository of mitigating threats.”
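The "orienting" and "fill in the gaps" roles described above come down to one data structure: a map from techniques to the tactics they serve, against which an organization records which techniques its existing analytics already detect, and which a peer's shared analytics would add. The script below is an added example written for this article, not MITRE's or NH-ISAC's code; the ATT&CK excerpt is a small constructed subset of the public knowledge base (the technique IDs are real, but a deployment should load the full matrix from MITRE's published data), and the analytic names and their technique mappings are constructed.

```python
"""Map detection analytics onto ATT&CK tactics/techniques and report gaps.

Added illustration for the article; not MITRE's or NH-ISAC's code.
"""

# Constructed excerpt of the ATT&CK knowledge base: technique ID -> (name, tactics).
# IDs and tactic assignments follow the public matrix; a real tool loads all of it.
ATTACK_TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed: analytics one hospital already runs, keyed by name -> techniques detected.
LOCAL_ANALYTICS = {
    "office_app_spawns_shell": ["T1059"],
    "lsass_memory_read": ["T1003"],
}

# Constructed: analytics a peer organization contributed through the sharing community.
SHARED_ANALYTICS = {
    "scheduled_task_created_by_user": ["T1053"],
    "rdp_logon_from_workstation": ["T1021"],
}


def all_tactics(techniques=ATTACK_TECHNIQUES):
    """Every tactic named anywhere in the knowledge base, in a stable order."""
    return sorted({t for _, tactics in techniques.values() for t in tactics})


def validate_analytics(analytics, techniques=ATTACK_TECHNIQUES):
    """Technique IDs an analytic claims to cover but the knowledge base does not know.

    A typo here would silently inflate coverage, so surface it before scoring.
    """
    return sorted({tid for tids in analytics.values() for tid in tids
                   if tid not in techniques})


def coverage_by_tactic(analytics, techniques=ATTACK_TECHNIQUES):
    """tactic -> set of technique IDs that at least one analytic detects."""
    covered = {tactic: set() for tactic in all_tactics(techniques)}
    for tids in analytics.values():
        for tid in tids:
            if tid not in techniques:
                continue  # reported by validate_analytics; do not count it
            for tactic in techniques[tid][1]:
                covered[tactic].add(tid)
    return covered


def uncovered_tactics(analytics, techniques=ATTACK_TECHNIQUES):
    """Tactics in the lifecycle where no analytic would fire: the gaps to fill."""
    cov = coverage_by_tactic(analytics, techniques)
    return [tactic for tactic in all_tactics(techniques) if not cov[tactic]]


def uncovered_techniques(analytics, techniques=ATTACK_TECHNIQUES):
    """Known techniques with no detecting analytic at all."""
    detected = {tid for tids in analytics.values() for tid in tids}
    return sorted(tid for tid in techniques if tid not in detected)


def merge_analytics(local, shared):
    """Adopt shared analytics without overriding a local analytic of the same name."""
    merged = {name: list(tids) for name, tids in local.items()}
    for name, tids in shared.items():
        merged.setdefault(name, list(tids))
    return merged


def gaps_closed_by_sharing(local, shared, techniques=ATTACK_TECHNIQUES):
    """Tactics that were uncovered locally but are covered once shared analytics are adopted."""
    before = set(uncovered_tactics(local, techniques))
    after = set(uncovered_tactics(merge_analytics(local, shared), techniques))
    return sorted(before - after)


if __name__ == "__main__":
    print("unknown technique IDs:", validate_analytics(LOCAL_ANALYTICS))
    print("tactics with no local coverage:", uncovered_tactics(LOCAL_ANALYTICS))
    print("tactics covered by adopting shared analytics:",
          gaps_closed_by_sharing(LOCAL_ANALYTICS, SHARED_ANALYTICS))
    merged = merge_analytics(LOCAL_ANALYTICS, SHARED_ANALYTICS)
    print("techniques still undetected:", uncovered_techniques(merged))
```

With the constructed inputs, the local analytics cover only Execution and Credential Access; adopting the peer's two analytics closes the Lateral Movement, Persistence and Privilege Escalation gaps, leaving Initial Access and Exfiltration as the next priorities. The same report over the full matrix is how a team turns the framework from a reference into a prioritized detection backlog.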

ATT&CK is a public, open source tool, Connolly said. In the past, ATT&CK focused on Windows. Due to overwhelming interest, MITRE has since expanded it to Linux, Mac, mobile and other platforms, and is working on further ATT&CK frameworks as well.

“There are so many different ways for the adversary to get at us,” Connolly said. “It’s a team sport.” 

Because many organizations use the same cyber defense tools, actively sharing threat data can bolster their security programs. If one organization recognizes some of a persistent adversary's behavior patterns, it can fight off that bad actor using a technique from ATT&CK that has already succeeded elsewhere against threats on the network.

Connolly and NH-ISAC President Denise Anderson will discuss the progress of MITRE’s ATT&CK analytics and their organizations’ collaboration at HIMSS18 at 10 a.m. March 7 in Las Vegas at the Venetian Convention Center, Marcello 4401.


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com