Katie Nickels [MITRE]
Fred Wilmot [DEVO]
Ryan Kovar [Splunk]
Host: Sean Martin
I was trying hard for a couple of months to organize a chat with Katie Nickels [Lead Cyber Security Engineer at MITRE] and Fred Wilmot [VP, Security Engineering at Devo] to dig into the topic of MITRE ATT&CK. I wanted to know more about the framework, how it works, why it was getting so much traction, and how organizations were successfully operationalizing the framework within their risk and security management programs.
It turns out, Katie and Fred are both extremely busy. I found it a nearly-impossible task bringing these two experts together to talk about MITRE ATT&CK. They both wanted to—however, we couldn’t get the calendars to work in our favor. Until … we were all in the same town during the same week for the same set of events—can you say Hacker Summer Camp!?
Knowing this, I took one more shot at connecting with Katie and Fred in an attempt to meet them in person in Las Vegas; lo and behold—I had success! Not only did I succeed in bringing Katie and Fred together for this podcast, but I also got a chance to meet Ryan Kovar [Principal Security Strategist at Splunk]—who happened to be presenting on ATT&CK at Black Hat with Katie [Note: link opens a PDF] that week. I asked Ryan to join us for the conversation as well. He agreed. BONUS!
To top it all off, we got to meet in a 39th-floor suite overlooking the Las Vegas Strip—a pretty chill environment from which to have our chat, indeed.
Once we were all together and mic’d up, we got to talking. We talked a lot. We looked at what MITRE ATT&CK is, what it’s for, who it’s for, how to get started with it, how to be successful with it, and what scenarios could be leveraged to learn from others’ successes and challenges.
We covered the obvious: MITRE ATT&CK is a framework derived from threat intelligence. What started as a grassroots effort from the ground up now has a groundswell of support from the community. We pulled back the covers to learn more about how and why this is the case.
According to Katie, one great place to start on the threat intel side is to focus on a technique, group or malware sample that your org is concerned about and map what the adversaries are doing to where the gaps are in your controls. If the adversary is doing something you can’t protect against, that’s an excellent place to start.
We also covered the role vendors can play in ensuring a successful implementation of the framework; plan to lean on them to translate the data (and its source(s)) into something the organization can actually use. One of the main benefits of MITRE ATT&CK is that it provides a universal language that can be used across vendors: when competing security vendors all map to ATT&CK, you can build a better coverage map across the vendors you use (or are considering). However, don’t forget that it’s ultimately up to the organization to understand its own environment, specific business needs, relevant threat vectors, and the adversary cesspool it must counter, as they relate to its business risk profile.
As we continued the conversation, it became crystal clear that storytelling is—and must be—front and center in the definition and application of MITRE ATT&CK within your environment. This is important to avoid the possibility of the framework becoming just another checkbox item.
Want to learn more from the fantastic group of experts? Good! Have a listen!
The At The Edge podcast series is made possible by the generosity of our sponsors.
If you’d like to learn more about supporting our conversations here at the Intersection of IT Security and Society, we invite you to explore our column sponsorships.