New MITRE ATT&CK certification course could boost framework’s adoption

Cyber Security News

The MITRE ATT&CK Defender certification program offers courses in ATT&CK fundamentals, threat intelligence and SOC assessments.

A newly launched training and certification program could finally provide the much-needed guidance security professionals need to more effectively and comprehensively integrate the respected MITRE ATT&CK framework into their SOC assessments and threat intelligence operations. Some security experts, however, have expressed mixed feelings over the program’s re-certification process, which requires professionals to promptly retrain any time the curriculum changes as the result of a major change to the threat landscape.

Despite MITRE ATT&CK’s standing as a leading global repository of cyberattack methodologies, only 8% of security pros recently polled by Cybersecurity Insiders on behalf of MITRE said that they use the framework regularly, while 84% said they have not mapped their data and analytics to ATT&CK techniques. Meanwhile, a recent CardinalOps study found that, on average, SIEM rules and policies cover only 16% of the tactics and techniques listed in the framework.

Indeed, Yair Manor, co-founder and CTO at CardinalOps, noted that while most security professionals are quite familiar with the framework’s reputation, “actually leveraging ATT&CK in a systematic manner can seem daunting, given the sheer scope of cross-referenced data that’s contained in ATT&CK.”

But Manor and other experts believe the new certification program — dubbed MITRE ATT&CK Defender (MAD) — could finally lay the foundation needed to promote more widespread adoption. Jointly developed by MITRE Engenuity — MITRE’s tech foundation for public good — and cyber professional development platform Cybrary, the MAD catalogue will initially include three courses, focusing on ATT&CK fundamentals, SOC assessments and threat intelligence. Future training courses could include case studies, “deep dives into techniques and maybe adversary engagement,” according to Steve Luke, director of content at MAD.

Courses are free to take, but the assessment will require a paid subscription. According to Cybrary, 2,000 to 3,000 enrollees signed up in just the first few days.

Count Brandon Hoffman, CISO at Netenrich, among the believers. Hoffman said that even though ATT&CK is a “great framework,” security practitioners are often reluctant to devote a lot of time and energy to incorporating it into their operations out of concern there will be “nothing tangible to show for your efforts.” But a certification would lend credibility to such efforts and, thus, encourage practitioners to “spend designated time on it and get formal assistance or approval from their management.”

James Carder, chief security officer at LogRhythm, agreed that there is value in possessing a certification “associated with the most referenced cybersecurity framework for security operations, detection and response.” And, in the long run, having more informed MITRE experts in the field can only help, “as it means a more trained and skilled workforce in cybersecurity operations,” he added.

The training courses and curricula

Stefano De Blasi, threat researcher at Digital Shadows, said he believes most organizations will benefit from the ATT&CK fundamentals course, which provides a “gentler introduction to ATT&CK” and its “threat-informed mindset,” including “how to read and make sense of the ATT&CK map, how to identify the organization’s strengths and gaps given the existing toolset, and how to build a plan for systematically closing the gaps in order of priority.”

De Blasi said that, ideally, the course will demonstrate the practical benefits of the framework itself, including how mapping campaigns to MITRE “can help identify threat actor behavior and increase knowledge sharing among relevant parties” and how incorporating ATT&CK into day-to-day operations can “increase the effectiveness of security programs and serve security managers to report solid metrics to the C-suite.”

“It’s intended to be the starting point for someone,” Luke said. “It gives you an overview of why ATT&CK exists, and why it’s different and useful. … And then it gives an overview of different use cases.”

Among the more valuable use cases for participants are “applying threat intelligence to operations, enhancing detection engineering, and controls gap assessment using TTPs,” Hoffman said.

The threat intelligence course, meanwhile, will focus on two key lessons. The first is how to take information that is not yet mapped to ATT&CK — info gleaned from malware analyses or intelligence reports — and map it to TTPs established in the framework. The second is how to manage and leverage ATT&CK-mapped cyber threat intelligence, including storage and analysis, information sharing and making intel actionable. “How do you create recommendations to the defenders to actually do something to block or detect those techniques?” Luke said.

The final piece is the SOC assessment course.

“A lot of places are already collecting a lot of data, running analytics,” Luke said. “And so the idea with SOC assessment is: How can you look at the data that you’re collecting currently, and the analytics that you’re running currently, and map that on to ATT&CK so that you can identify where you’re already strong and the key areas for improvement that you should focus resources on next?”

While the lessons themselves are delivered via one to two hours of 10-minute videos, the assessments are designed to be more hands-on “so that you’re demonstrating that you can apply [your] knowledge to a real use case,” Luke said.

For instance, an assessment might show you an attacker’s command lines and ask you to identify the corresponding ATT&CK technique. “Or we’ll give you a narrative threat report, and you’ll have to extract the ATT&CK techniques out of it, or we’ll ask you to go create a heat map of what the SOC currently has coverage over, given a scenario,” Luke said.

Carden said taking a hands-on approach is key to driving home the lessons. “Don’t just tell people about the MITRE TTPs but have them put that into practice using scenarios and real-live incidents that they see and that are applicable to the threats targeting their business,” Carden said. “I think hands-on training and labs to demonstrate knowledge in this area are always the best approach.”

Manor also noted that while these knowledge- and assessment-based courses will likely increase familiarity with and use of ATT&CK, additional obstacles are impeding wider adoption of the framework, including “the lack of tooling and automation for the manual and mundane security engineering processes, which are required to achieve comprehensive threat coverage optimization.”

Re-certification a possible sticking point

According to MITRE and Cybrary’s joint press release, the MAD program features an unusual policy toward recertification. Unlike most certifications, MAD does not set an official expiration date at which time participants must recertify their qualifications. Instead, certificate holders must recertify whenever the framework is significantly modified as threat actor tactics continue to evolve.

“Practitioners will have to recertify within 90 days of an update to the curriculum to ensure MAD-certified defenders continuously stay ahead of adversaries,” the joint press release states.

On one hand, this dynamic approach to recertification will help keep security practitioners current with the latest threat intelligence on attack methodologies. On the other, participants might repeatedly have to keep going back to update their training, which could become a tiresome process.

In speaking with SC Media, MITRE acknowledged the potential pitfalls of this policy but asserted that the organization would take a measured approach. While the framework is updated two to four times a year, the MAD program will only require recertification following a truly substantial modification of the framework, Luke said.

“TTPs really don’t change that frequently,” Luke said. “There’s still only a couple hundred of them in ATT&CK after about a decade of this, and a lot of them have stayed pretty consistent and are still in use, so defenders can afford to invest in mitigating or detecting those things.”

Still, “we don’t want [the certifications] to become outdated and irrelevant. And so the guiding principle there is to not be driven by some kind of artificial schedule…but be more event driven,” Luke said. “So when we think that the fact that you have a particular badge is no longer really reflecting the latest best practices and latest knowledge, that’s when we’re going to go for the update.”

If MITRE can hold to that promise, then the recertification policy could be a nonissue. Still, experts were split on the matter.

“In our minds, this reflects MITRE’s commitment to keeping ATT&CK alive and evolving, which is required given the evolution of the threat landscape,” Manor said. “We believe that security practitioners will benefit from the recertification and will not find it too burdensome, since they are used to investing efforts in remaining up to date on modern threats.”

“I think this is a good thing to help make people stay relevant and stay aware of the critical changes,” Hoffman said. However, “there is the potential to turn people off. … Many people need designated time and possibly money from their management to work on certifications. If they need to factor that in to this equation, decertification could present a real challenge.”

Carder also sees the benefit of “staying current” but similarly acknowledged that multiple recertifications would be onerous. “Many security practitioners and leaders have a hard enough time reporting continuing professional education to maintain their CISSP certifications,” he said. “If there is risk that they could lose their certification status every 90 days or so, then I think that could make it less attractive to get — or you’ll see folks getting the initial certification so they can use it for their résumés or to demonstrate growth, development and skills, and then letting it lapse.”