From Raw Intelligence to Validation: Thoughts on Operationalizing MITRE from a Cyber Threat Intelligence Director

Cyber threat intelligence (CTI) and the overall risk landscape are daunting. The nature of threats changes constantly and, with the rise of AI, attackers are only becoming faster: not necessarily at creating novel tactics, techniques, and procedures (TTPs), but certainly at exploiting known attack techniques.

More than ever, security teams need structured frameworks and matrices on which to rely. In this week’s episode of the Future of Threat Intelligence podcast, Will Baxter is joined by Scott Small, Tidal Cyber’s Director of Cyber Threat Intelligence. Small emphasizes the value of MITRE ATT&CK, among other topics.

How to Operationalize MITRE ATT&CK

MITRE ATT&CK is an unparalleled framework for standardizing threat intelligence and imposing order on the chaos inherent in this space. As the sheer volume of threat intelligence continues to grow, the community needs a common reference like MITRE ATT&CK, Small says.

MITRE ATT&CK can be overwhelming; it has almost 800 techniques and sub-techniques. Despite this number, MITRE ATT&CK is more “human, conceivable, referenceable” than the sheer volume of vulnerabilities or malicious IPs in the space, Small says. This ease of reference helps the community keep referring back to the same concepts amid the ever-increasing scope of attacks and reports.

The community can operationalize MITRE ATT&CK beyond simply correlating attack activity by focusing on the pre-attack portion of the framework. This phase is essential, Small says, since by successfully blocking or defending against these techniques, defenders “have won the game” and prevented an attacker from getting onto the network in the first place.

Community members can also operationalize the framework by looking at the recent MITRE ATT&CK technique covering the purchase and sale of victim data on marketplaces. Combining knowledge of this technique with proactive measures, such as using threat intelligence to identify stolen credentials, lets defenders perform targeted resets of those credentials and block attacker access.

How to Move Past Siloing and Blend Roles

Siloing of roles within the wider cybersecurity field remains a challenge, and MITRE ATT&CK continues to be primarily used by defenders, such as the SOC and detection engineering teams. However, threat intelligence, threat hunting, and detection engineering roles are increasingly blending, Small notes, even when this is not necessarily always formalized in organizational charts. 

For example, Small increasingly sees team members in different roles gaining additional skills: intelligence analysts picking up engineering skills, or threat hunters becoming “mini intelligence analysts.” CTI analysts increasingly need to understand EDR logging capabilities, while threat hunters consult adversary behavior reporting to build out hunt hypotheses.

As community members pick up additional skills, Small notes a growing initiative to map TTPs to vulnerabilities. This hybrid approach allows certain vulnerabilities to be deprioritized if good defenses or coverage for the associated techniques are already in place.

Small also describes a major initiative Tidal Cyber is pursuing: tracking procedures at a granular level, such as specific commands, executed processes, and the ports and protocols used in network activity. Altogether, Small notes, they track almost 25,000 procedure-level instances mapped across MITRE ATT&CK, giving teams across the board a more specific reference.
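As an added example (not Tidal Cyber's code or data), the following shows what procedure-level tracking looks like in practice: a small catalogue that ties concrete observables (command-line patterns, ports/protocols) to ATT&CK technique IDs, matched against constructed host telemetry, plus the coverage check against an actor's technique list that the TTP-to-vulnerability deprioritization described above depends on. The procedure IDs, patterns, hostnames and telemetry are constructed; only the technique IDs are real ATT&CK identifiers.

```python
import re
from collections import defaultdict

# Constructed procedure catalogue (illustrative, not Tidal Cyber's data): each entry ties one
# concrete observable (a command-line pattern or a port/protocol) to a real ATT&CK technique ID.
PROCEDURES = [
    {"id": "PROC-0001", "technique": "T1059.001", "kind": "command",
     "pattern": r"powershell(\.exe)?\s.*-enc(odedcommand)?\b"},      # encoded PowerShell
    {"id": "PROC-0002", "technique": "T1136.001", "kind": "command",
     "pattern": r"\bnet1?(\.exe)?\s+user\s+.*\s/add\b"},             # local account creation
    {"id": "PROC-0003", "technique": "T1021.002", "kind": "network",
     "pattern": r"^tcp/445$"},                                       # SMB admin shares
    {"id": "PROC-0004", "technique": "T1021.001", "kind": "network",
     "pattern": r"^tcp/3389$"},                                      # RDP
]

# Constructed telemetry: command lines and outbound connections per host.
TELEMETRY = [
    {"host": "ws-17", "kind": "command", "value": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "ws-17", "kind": "command", "value": "net user svc_tmp Placeholder1 /add"},
    {"host": "ws-17", "kind": "network", "value": "tcp/445"},
    {"host": "ws-22", "kind": "command", "value": "notepad.exe report.txt"},
    {"host": "ws-22", "kind": "network", "value": "tcp/443"},
]

def map_telemetry(events, procedures=PROCEDURES):
    """Return {host: {technique_id: [procedure ids]}} for every event that matches a procedure."""
    compiled = [(p, re.compile(p["pattern"], re.IGNORECASE)) for p in procedures]
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for proc, rx in compiled:
            if proc["kind"] == ev["kind"] and rx.search(ev["value"]):
                hits[ev["host"]][proc["technique"]].append(proc["id"])
    return {host: dict(techs) for host, techs in hits.items()}

def coverage_gaps(actor_techniques, procedures=PROCEDURES):
    """Split an actor's technique list into (covered, gaps). A parent technique such as T1021
    counts as covered when the catalogue observes any of its sub-techniques (e.g. T1021.002)."""
    observed = {p["technique"] for p in procedures}
    covered = sorted(t for t in actor_techniques
                     if any(o == t or o.startswith(t + ".") for o in observed))
    gaps = sorted(set(actor_techniques) - set(covered))
    return covered, gaps

if __name__ == "__main__":
    print(map_telemetry(TELEMETRY))
    print(coverage_gaps(["T1059.001", "T1021", "T1566"]))
```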

What is the Future of AI and Threat Intelligence?

AI is a double-edged sword in threat intelligence. On the one hand, Small has noticed adversaries leveraging AI to accelerate and facilitate attacks; however, they are using AI largely for known TTPs, such as writing phishing emails or developing PowerShell scripts. AI, in this way, is lowering the barrier to entry into the cybercrime ecosystem and increasing the overall number of potential attackers.

But, Small notes, AI is not creating “net new, novel, never before seen TTPs.” 

AI will also be highly beneficial for defenders, and it ties in well with MITRE ATT&CK. In fact, Small thinks MITRE ATT&CK and structured data in general are critical for the future use of AI models: the frameworks serve as libraries and reference models that let AI systems explain and correlate technical topics in plain, established terms.

Once the models are trained and a good operating framework is in place, Small uses AI systems heavily in his CTI workflows to process unstructured data; for instance, LLMs can extract structured technique data from unstructured threat reports. However, he would not use AI to create finished intelligence or to write reports.
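The post-processing step that such a workflow needs, as an added example that is not from the podcast or Tidal Cyber: technique mentions in free text (a report excerpt, or an LLM's summary of one) are turned into a structured list and validated against the ATT&CK catalogue, so that a mistyped or hallucinated identifier is surfaced for review rather than silently accepted. The catalogue slice and the report excerpt are constructed; the technique IDs and names in the dictionary are real, and T9999.999 is a deliberate non-existent placeholder.

```python
import re

# Constructed slice of the ATT&CK catalogue used to validate what was extracted (real technique
# IDs and names; a deployment would load the full ATT&CK STIX data instead of this dict).
CATALOG = {
    "T1566": "Phishing",
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1078": "Valid Accounts",
}

# Parent techniques (T1234) and sub-techniques (T1234.001).
TECH_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
# Whole-word match on technique names, so "phishing" does not fire inside "spearphishing".
NAME_PATTERNS = {tid: re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
                 for tid, name in CATALOG.items()}

def extract_techniques(text):
    """Turn technique mentions in free text (or in an LLM's summary of a report) into a
    structured, validated list. IDs not in the catalogue are reported separately so a human
    reviewer can spot mistyped or hallucinated identifiers instead of trusting them."""
    found, unrecognized = {}, set()
    for match in TECH_ID.finditer(text):
        tid = match.group(0)
        if tid in CATALOG:
            found[tid] = CATALOG[tid]
        else:
            unrecognized.add(tid)
    for tid, pattern in NAME_PATTERNS.items():   # names mentioned without an ID
        if pattern.search(text):
            found[tid] = CATALOG[tid]
    return {"techniques": [{"id": t, "name": found[t]} for t in sorted(found)],
            "unrecognized": sorted(unrecognized)}

# Constructed report excerpt, including one identifier that does not exist in ATT&CK.
SAMPLE_REPORT = (
    "The actor delivered a spearphishing attachment (T1566.001) that launched PowerShell "
    "(T1059.001); access was maintained with valid accounts. A draft also cited T9999.999."
)

if __name__ == "__main__":
    print(extract_techniques(SAMPLE_REPORT))
```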

You can listen to the entire podcast at Apple podcasts, Spotify, YouTube, or on the Team Cymru website.