Collaborating with MITRE to Help Non-Security Stakeholders Understand ATT&CK

At ATT&CKcon last October, I presented on how CrowdStrike® evolved the MITRE ATT&CK™ framework by adding more conversational language. The framework is a valuable tool that provides consistent, industry-standard terminology for describing and analyzing detections. However, not every stakeholder knows what “exfiltration via automated exfiltration” means at first glance and not every analyst knows how to explain it. Using CrowdStrike’s user experience (UX) design methods, we developed a mental model and more conversational terms to help anyone quickly parse the big picture of an attack.

Working With the MITRE ATT&CK Team

Not only did the presentation get great reactions from folks in the industry, it opened up some really fruitful discussions with the MITRE team. MITRE does a fantastic job of encouraging contributions to develop more effective cybersecurity. In 2018, about 70 percent of the new content in ATT&CK came from the community. Contributions tend to center on improving techniques and threat intelligence, but the team is supportive of anything that makes ATT&CK more useful for the community.

After ATT&CKcon, I suggested bringing conversational language to the matrix itself. As always, the team was enthusiastic about making ATT&CK easier to understand. I worked closely with Blake Strom, principal cyber security engineer at MITRE, on tactic descriptions that would be more approachable. As of July 31, all ATT&CK for Enterprise tactic descriptions are written in clear, straightforward language — the way a mentor would explain them to their mentees. As I said in the presentation, this isn’t “dumbing them down,” but rather opening them up to a wider audience. We hope you find the new descriptions helpful.

New, Clearer ATT&CK Descriptions

Each tactic description starts with a single sentence you can use to quickly describe its general goal, and then summarizes how its techniques are used to achieve that goal. For example, Exfiltration is now:

The adversary is trying to steal data: Exfiltration consists of techniques adversaries use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting it out of a target network are typically over their command and control channel or an alternate channel and may include putting size limits on the transmission.

See the official ATT&CK website for more information.

Quick high-level descriptions from MITRE’s ATT&CK for Enterprise landing page

The MITRE ATT&CK Framework Benefits All Participants

For any technical discipline, having common terminology is essential and cybersecurity is no exception. The MITRE ATT&CK framework is widely adopted across industries and with good reason — it plays a valuable role by providing standardized terminology. Effective, efficient responses to attacks require clear communication. MITRE’s focus on making ATT&CK straightforward, uniform, and easy to understand increases accessibility for important non-technical stakeholders.

CrowdStrike chose to standardize on ATT&CK terminology not only to help more clearly explain security incidents in the moment, but because it also enables security teams to categorize behaviors and identify trends and patterns over time. It also makes us better players with our customers’ third-party tools. This helps make teams more efficient — able to respond to incidents with improved speed and precision and also enhances their ability to “future-proof” their environments.

Helps Address the Skills Gap

Another benefit we’ve seen from standardizing on the ATT&CK framework is that everyone involved grasps detections and their meaning much faster. When testing the new tactic and technique mappings with our customers, experienced analysts called out how it would reduce onboarding and training time for new hires. This approach helps companies address the global shortage of highly trained security personnel. Improved ease of use also helps save time and resources for smaller organizations that often don’t have large dedicated security teams in place.

Continued Collaboration with MITRE

MITRE does a fantastic job of bringing communities together to develop more effective cybersecurity, and we appreciate the opportunity to contribute. We’re excited to help make cybersecurity more accessible for everyone, and look forward to continuing CrowdStrike’s productive collaboration with the MITRE ATT&CK team in the future.
