Redefining CyberSecurity

Innovations in Cybersecurity and Threat Intelligence Solutions | A Brand Story Conversation From RSA Conference 2024 | A MITRE Story with Jon Baker | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he talks with Jon Baker of MITRE about the present and future of cybersecurity threats, the research projects coming out of the Center for Threat-Informed Defense, and the Center's mission to advance threat-informed defense globally.

Episode Notes

The cybersecurity landscape is constantly changing, and staying ahead of threats requires continual innovation and collaboration. At RSA Conference 2024, industry experts gathered to discuss the latest trends and advancements in the field. One highlight of the On Location coverage with Sean Martin and Marco Ciappelli was Sean's conversation with Jon Baker, which shed light on the work being done at MITRE's Center for Threat-Informed Defense.

The Art of Possible: A Glimpse into RSA Conference 2024

The RSA Conference provides a platform for cybersecurity professionals to come together and discuss pressing issues in the industry. Sean Martin and Jon Baker's conversation touched on this year's theme, "The Art of Possible," and on the dynamic nature of cybersecurity, where constantly changing technology and a constantly changing threat landscape demand continual learning.

MITRE: A Beacon of Innovation in Cybersecurity

Jon Baker, Director of the Center for Threat-Informed Defense at MITRE, shared insights into the organization's history and its mission to solve problems for a safer world. Over its 60-plus years, MITRE has operated federally funded research and development centers for the U.S. government, and in cybersecurity it is best known for the CVE and CWE programs and for the ATT&CK framework.

Collaborative Research and Development at MITRE

One of the key pillars of the Center's work is collaborative research and development with its member organizations (38 at the time of recording). Projects discussed in the conversation include Mappings Explorer, a web application that connects security controls such as NIST SP 800-53 and the native security capabilities of Azure and AWS to the ATT&CK techniques they mitigate; the Technique Inference Engine, which uses a corpus of attack flows (observed sequences of adversary behaviors) to suggest which techniques an analyst should look for next after observing one or two; and Summiting the Pyramid, a methodology, building on David Bianco's Pyramid of Pain, for evaluating detections and making them harder for adversaries to evade.

Engaging the Community: How You Can Get Involved

The Center for Threat-Informed Defense encourages active participation from the cybersecurity community. Resources such as the Top ATT&CK Techniques calculator, which helps an organization decide which techniques to focus on first, and M3TID, which takes a strategic look at how threat intelligence is applied across security operations, are published openly on the Center's website. The Center also runs global events and training sessions, and it asks the community for feedback on its work and for data contributions such as attack flows.

Join the Movement: Embracing Innovation in Cybersecurity

As the cybersecurity landscape continues to evolve, embracing innovation is key to staying ahead of cyber threats. MITRE's Center for Threat-Informed Defense offers a roadmap for organizations looking to use threat intelligence to systematically evaluate and improve their defenses. By getting involved, providing feedback, and using the tools and resources available, organizations can contribute to a safer and more secure digital ecosystem.

Closing Thoughts

The conversation between Sean Martin and Jon Baker at the RSA Conference highlighted the critical role of collaboration and innovation in cybersecurity. MITRE's Center for Threat Informed Defense is at the forefront of driving impactful research and development efforts that benefit the entire cybersecurity community. By embracing the spirit of continual learning and advancement, organizations can strengthen their defenses and create a more resilient cybersecurity posture.

Stay tuned for more insights and updates from MITRE's Center for Threat Informed Defense and join the movement towards a safer digital world.

Learn more about MITRE: https://itspm.ag/mitre-eng24

Note: This story contains promotional content.

Guest: Jon Baker, Director, Center for Threat-Informed Defense, MITRE [@MITREcorp]

On LinkedIn | https://www.linkedin.com/in/jonathanobaker/

Resources

Learn more and catch more stories from MITRE: https://www.itspmagazine.com/directory/mitre

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Innovations in Cybersecurity and Threat Intelligence Solutions | A Brand Story Conversation From RSA Conference 2024 | A MITRE Story with Jon Baker | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Alright, here we are. We are at RSA Conference. It's a good time, isn't it, Jon?  
 

[00:00:06] Jon Baker: It is a great time of year. It is a good time of year. It's wonderful to be here and kind of have a chance to reconnect with so many people.  
 

[00:00:11] Sean Martin: I know. 
 

The world lands in San Francisco and comes together to talk cyber security. This year's theme is The Art of Possible.  
 

[00:00:18] Jon Baker: Yeah.  
 

[00:00:19] Sean Martin: Which I'm a huge fan of. Yeah. Yeah. I think you can take that a lot of different ways, right? You can take it from a program's perspective, you can take it from a business perspective. 
 

I also like to remember the teams that bring all this stuff to life in the company. Security programs and the practitioners and the business leaders, security leaders. It's a tough job keeping up with everything going on, right? And mapping it to all the stuff  
 

[00:00:43] Jon Baker: That's one of the things about cybersecurity that I love. 
 

It's a really dynamic environment. Um, the technologies we all use and rely on are always changing. Um, the threat landscape is always changing. So, uh, it creates this opportunity for continual learning, continual growth, um, and a need to just be continually connecting with others, understanding, you know, the challenges they're facing, uh, solutions that they maybe have developed, um, that sort of thing. 
 

So Uh, I love that it's, uh, it's a field where there's just that demand for continual learning throughout.  
 

[00:01:14] Sean Martin: Continual and continuity, I think, is also important, right? Some consistency in how we, how we approach things. We have a common way of speaking about it, approaching it, solving the challenges we face. 
 

And, um, we've already started chatting. I want to know who Jon Baker is. Yeah. Jon, you're joining us today, uh, from MITRE and the Pacific Center. So tell us a little bit about it. You and your role and what you're up to.  
 

[00:01:38] Jon Baker: Yeah. Thanks. Um, well, so yeah, I'm Jon Baker. I'm the director of the Center for Threat-Informed Defense. 
 

I co founded the organization about four years ago. I've been at MITRE for a little over 20 years. And, uh, you know, in that time, I've had a really unique opportunity to Often work under, like, U. S. government sponsorship trying to solve problems that would help benefit the entire cybersecurity community. 
 

So I used to work on the CVE program where we're trying to identify, you know, all of the known vulnerabilities, give them standard names to enable coordination and communication around vulnerabilities. Um, you know, I had that experience and it kind of informed what we ended up doing here when we created the Center for Threat Informed Defense. 
 

Uh, where ultimately what we're trying to do is bring the community together to advance the state of the practice and the art of the possible, really.  
 

[00:02:29] Sean Martin: Yeah, exactly. So, maybe a quick word about the broader MITRE organization, if you don't mind. I'm sure a lot of people want to know ATT&CK and some things bubble to the top very quickly. 
 

Of course. But maybe give an overview of what's going on for MITRE.  
 

[00:02:45] Jon Baker: Yeah, so, uh, MITRE is a company that in cybersecurity is incredibly well known because of our work on CVE, our work on CWE, where we're identifying software weaknesses, and our work on ATT&CK. Um, across MITRE's 60-plus-year history though, we run federally funded research and development centers for the U.S. government. Um, doing everything from focusing on, like, aviation safety and security, obviously cybersecurity, to, you know, the latest threats to AI systems. Um, really far-ranging, uh, sort of, uh, span of work that we have at MITRE. Um, I'm fortunate to have been at MITRE, as I said, for a long time, really focused on the work that we do in cybersecurity, where we have over a thousand cybersecurity professionals, really across all disciplines and tons of flexibility to take on new challenges. 
 

The thing that I like about MITRE that's really unique is, you know, our mission broadly is to solve problems for a safer world. And obviously we apply that across different domains, different technology stacks, um, that sort of thing. But it's always that constant focus of what can we do that will be impactful for the whole community, right? 
 

How do we, how do we make things better for everyone?  
 

[00:03:57] Sean Martin: What I, I'm a huge MITRE fan is, uh, for many reasons, but one is that It's one thing to have a vision, and a set of objectives, and another thing to actually act on it, and see results. And you, I mean, you already said it, but ask anybody here at the conference, I'm certain they're going to know and actually, not just know of, but actually get involved with and leverage a lot of the tools and frameworks and other things that MITRE puts together, which is great. 
 

To me it's incredible to actually see it in action and see the results and not such an uptick.  
 

[00:04:32] Jon Baker: Yeah, absolutely. Um, you know, I think of the word stewardship for the role that we often play. We created the ATT&CK framework a little over 10 years ago now and first published that, and I see us really as being sort of stewards for the community, helping to bring this knowledge of what adversaries are currently doing or have been seen doing and distill it down into one easy-to-understand resource. 
 

That, as you said earlier, really is enabling communication across teams. And so when you walk the show floor here, you'll see, uh, probably not an exaggeration, hundreds of security teams and vendors talking about, um, how they use ATT&CK. Uh, if you go up to a booth and ask them if they're talking about threat, you can probably ask them about how they use MITRE ATT&CK and they'll tell you. 
 

[00:05:16] Sean Martin: Yeah. If I'm not mistaken, I think the CVE logo's on a lot of the, uh, pieces as well.  
 

[00:05:20] Jon Baker: Absolutely. Um, like CVE, it is. CVE is the way people talk about vulnerabilities and ATT&CK really has become the way people talk about threats.  
 

[00:05:31] Sean Martin: So now let's talk about the center. Because those are two big programs, but the center does so much more as well. 
 

I think constantly releasing new resources for teams. So tell me a little background on the center and some of the things you've been up to.  
 

[00:05:44] Jon Baker: Yeah. So, you know, I've been, as I said, I've been at MITRE for a long time. A lot of experience working across our different research programs. Um, I had the good fortune of overseeing the work that we did on CVE for a while. 
 

The work that we did on, uh, ATT&CK and overseeing the ATT&CK team. Um, in those roles, I had organizations reaching out to me asking how we can collaborate with MITRE. How can we accelerate the development of ATT&CK? How can we accelerate research into applying ATT&CK to solve a particular problem, right? 
 

Um, so looking at MITRE and how we've set up these enduring relationships with our government sponsors, I wanted to come up with something that would give us that continuity of focus, like you said, that would allow us to have these enduring relationships with industry where we're working together to solve problems for the whole community. 
 

Kind of following that, that mission of MITRE solving problems for a safe world, working  
 

[00:06:34] Sean Martin: groups, essentially. Is that, is that what they're, or,  
 

[00:06:36] Jon Baker: so what I, what I did is I built a venue where we do collaborative r and d. I bring industry together. We have 38 members today, where we systematically identify problems, uh, challenges, and pick some of those to solve. 
 

And we do it in a way that benefits the whole community.  
 

[00:06:53] Sean Martin: Super cool.  
 

[00:06:54] Jon Baker: Yeah, it's incredibly rewarding actually.  
 

[00:06:55] Sean Martin: I'm sure it is. And to have, I'm sure the room is just filled with super smart people. Yeah. Looking at problems and, so is it hard to find the problems?  
 

[00:07:05] Jon Baker: Uh, well, so, so, there's two things I'd say, so. 
 

The room is definitely filled with smart people. So we have, as I said, you know, the 38 member organizations, they all have sophisticated security teams, but one of the side effects that I hadn't really planned on when we created the organization was it's an environment for continual learning. We learn from each other, we learn together, we create resources that then benefit the whole community, really trying to move that state of the art and state of the practice forward, right? 
 

[00:07:30] Sean Martin: Are these members, sorry, Yeah. And, and government entities as well, or  
 

[00:07:40] Jon Baker: is it private or? So we, we actually tried to create a separation where we worked explicitly or exclusively, sorry, with industry. Right. Okay. Um, but at the same time we're also global and cross-sector. What I wanted to do was build a membership base that was global, cross-sector, to help ensure that we were focused on the most pressing problems, um, and get that diversity of perspective to guide what we do within the research program. 
 

But I also want to make sure that when we run a research project and we publish the results, that they're going to be impactful. They're going to be easily picked up and adopted, right? And so having that diversity of perspective within the membership base ensures that not only are we solving the right problems, but the solutions we create can be fielded at a large scale, can be readily integrated into security operations by teams all over the world. 
 

So when we think about our goals as an organization, I want to create resources that are picked up, used, and impactful. Our goal is to, or our mission is to advance threat informed defense globally. Advancing both the state of the art and the state of the practice for everybody. To do that, we need a global organization, we need global membership, we need global adoption. 
 

[00:08:50] Sean Martin: I like the diversity aspect of it. So give me, give me an example. We'll pick one to start and we'll see where we go from there. But something that's come out of the work that the Center's doing.  
 

[00:09:00] Jon Baker: Um, so in a little over four and a half years, we've published over 30 different research projects. It's all up on our website, um, all open, freely available. 
 

Uh, this year has been off to a really strong start. We've published five projects already. We've started up four new projects. So we have a very active R and D program. Any given year, we publish and kind of run 12 or so, you know, projects per year, right? So projects are always coming in, being published, released, and uh, you know, transitioning on to the next. 
 

[00:09:31] Sean Martin: When you say R&D, I'm going to stop you for a second. Are you actually developing tools? Or, sometimes I think frameworks and documentation and best practices and things like that. But R&D to me also says coding stuff.  
 

[00:09:46] Jon Baker: Yeah, yeah. Um, I think about our research program across sort of a, uh, continuum. There's absolutely development tools. 
 

There's absolutely research. There's research that's relatively high risk that, you know what, we might miss the mark and that's okay. That's part of a research program that happens. There's others that are kind of low risk, but high, high impact as well. Um, and so you kind of think about the work that we do across that sort of continuum, uh, this year we released a project called Mappings Explorer. 
 

Um, Mappings Explorer is very much a development project. It's a web application that connects, uh, the security controls that you care about, like NIST 800-53, to the ATT&CK techniques that you care about. So, making it really easy for security teams to understand how a particular adversary behavior in ATT&CK can be mitigated by a particular security control in, say, NIST 800-53, or the security capabilities in Azure, or AWS. 
 

So, for this whole set of security capabilities, you can now go and browse through Mappings Explorer And see what threats those controls mitigate, or if you're thinking about threats, what controls are available to mitigate those threats. Right, so that's very development focused. On the other hand, we're running a project right now which I'm really excited about that will come out in a couple of months here called the Technique Inference Engine. 
 

There, this is one of those kind of higher risk but hopefully high impact projects if we get it right. We're collecting a set of attack flows. So, sequences of adversary behaviors that we've seen in attacks. And we're analyzing that to create an inference engine. So that a threat hunting team can see one or two techniques in their environment and then know what to look for next. 
 

So imagine, you know, uh, based on this knowledge of what adversaries have done in the past being able to predict what's going to happen next. And using that to guide a threat intel team or a threat hunting team or an incident response team as they're trying to do cleanup.  
 

[00:11:45] Sean Martin: So how does that work? How does that look to, I presume that sits in a SOC threat, threat, threat hunting team. 
 

Maybe. Maybe a SOC analyst might have this tool. Yeah. What, what are, what are they doing with it? Is it, is it alerting them or are they just taking an alert from their sim and then moving to this tool? How Yeah, the maybe that flow,  
 

[00:12:05] Jon Baker: so the usage model that we've come up with for the technique inference engine. 
 

Um, would allow an analyst to say, you know, I have this technique and I have this technique. And then it would provide back to you, well, you should look for this one or this one as a, is probably the next step in that attack sequence based on the intel that we have from previous attacks. Right, so, lightweight user interface, it's going to take as input, you know, two previous techniques and then tell you what, uh, what to look for next. 
 

So how do you get that data? Yeah, um, data is a big challenge for us, right? Right. So, you know, we have our members that work together, that fund our research program, that we learn together with, that we do the research with. Um, but we also rely heavily on the community as a whole to contribute data. Um, we're collecting a corpus of what we call attack flows, which is that data model for representing sequences of adversary behaviors. 
 

And that drives things like the technique inference engine. Um, those data contributions come from our members, they come from the community. We're always looking for help from the community. Community support looks like data contributions, looks like simply using our work and telling us what works, what their experience was, how we can refine it. 
 

Um, there's some really great innovative teams out there that have picked up our work, um, inspired by it, gone and created, you know, whole new capabilities around it, and then contribute that back to us to help better the entire community. Got it.  
 

[00:13:28] Sean Martin: So this is coming in a couple months.  
 

[00:13:29] Jon Baker: Technique Inference Engine is going to be out this summer. 
 

[00:13:32] Sean Martin: Is it in pilot anywhere? Any results you can share?  
 

[00:13:35] Jon Baker: So we're in development with it right now. So it's still too early to share any early results. I'm excited to hear it. I wish we could. I mentioned that one because I'm particularly excited about it. It is, I think, the highest risk research project we've taken on. 
 

Just because of the nature of the data that we need to collect. And, you know, we have this hypothesis that we'll be able to predict. But we don't know. Right, as opposed to, you know, Mappings Explorer. It's a very valuable resource, but it's a development project.  
 

[00:14:04] Sean Martin: Nice one. So what else you got going? I mean, you mentioned five already this year. 
 

[00:14:09] Jon Baker: Yeah, so the program's been incredibly busy over the last quarter, right? So I mentioned Mappings Explorer, I mentioned that we started off Technique Inference Engine. Um, other big impactful projects that I'm excited about are the work that we did on Summiting the Pyramid. Um, that project came out last fall. 
 

Summiting the Pyramid is, you know, you asked earlier about frameworks or best practices. Um, well, we've observed that across the community there's large collections of detections that are mapped to MITRE ATT&CK. And that's great because, you know, the idea is that when one of those detections triggers, it is an indicator that, you know, this particular behavior is happening in your environment. 
 

But what we found is many of those detections are easily evadable by adversaries. And so, you know, kind of thinking about how our research model works. We worked through this with our members. They all agree, yes, this is a problem that we have. And yes, this is something that we should try to solve, not just for ourselves, but for the whole community. 
 

And the goal was, the question was, can we make a resource to help guide all detection engineers to create more robust detections? So robust in that it's harder for an adversary to evade them. So with Summiting the Pyramid, it kind of harkens back to, uh, David Bianco's Pyramid of Pain. What we've done is we've put together a set of best practices and a framework for helping you systematically evaluate a detection and move it up the Pyramid of Pain. 
 

Um, inflicting more pain on the adversary and making a more robust detection, right? Um, so that project has been out. We've gotten tremendous feedback from both our members that some of them are security vendors that are deploying it at scale. So it's now like, you know, Integrated into, um, EDRs and that sort of thing that are out on, like, millions of endpoints. 
 

But it's also used by sophisticated security teams and their own internal detection engineering practices. It's used by some of the global consultancies that go in and will help, um, a security team evaluate their detection capabilities and mature them. Um, well based off of that impact and the feedback that we've gotten so far, we're kicking off the next round of research on that right now as well. 
 

Thanks again. Where we're going to be expanding that methodology out to look at network observables. We're going to be trying to bring in more automation into that methodology. We're going to try to drive down, um, that false positive rate that we create as well. Um, just creating a much more robust capability that's also broader. 
 

Um, to, again, it, it's all about how do we help essentially upskill all detection engineers across the community. And we're doing that leveraging the knowledge and expertise of our members, of our internal research team, working together to create this resource for the whole community.  
 

[00:16:56] Sean Martin: Nice. Yeah. I mean, sounds fun. 
 

A lot of, a lot of cool projects.  
 

[00:17:01] Jon Baker: It's incredibly fun. It's impactful. It feels great to get to work with the community, um, in a way that benefits everybody. Um, and as I said at the beginning, it's an environment where all of our members and us, we're all continually learning, Um, when we're doing really well, research often begets the next research project, right? 
 

So with Summiting, we did work that was well received, we learned a lot, and we identified several new opportunities along the way. Love it.  
 

[00:17:30] Sean Martin: Let's speak to the community now, um, how can they get involved? What should they do? Maybe, maybe present it in a way, a recommendation for how they could redefine security, leveraging the center and the work that MITRE does. 
 

[00:17:47] Jon Baker: Yeah. Um, so with the Center for Threat Informed Defense, you know, our mission is to advance threat informed defense globally. And so what we're trying to do is help organizations leverage threat intelligence, um, their deep technical understanding of adversary behaviors to systematically evaluate and improve their defenses. 
 

Um, and I want to help the whole community do that at, at a global scale. Right. Um, and so we've created resources that are designed to kind of help, uh, an organization kind of onboard into threat-informed defense. We have a project called the Top ATT&CK Techniques calculator that'll give you kind of guidance towards, you know, which techniques in the ATT&CK matrix should you focus on first and kind of help you prioritize. 
 

We've created a project called, um, M3TID that's all about taking more of a strategic look at how you apply threat intelligence across your security operations. And so we've created these resources, they're up on our website at ctid.io, um, so easily findable there under our work, um, and the whole idea is to help the whole community understand these resources. 
 

We run a series of global events where we do trainings, that sort of thing, um, we make the work open, freely available. We have conversations like this to help advance sort of the awareness, but from there we're always looking for, uh, your feedback on your experience using the work. We want to make the work accessible to the whole community. And then, you know, of course, we're looking for a select set of organizations that see themselves as really sophisticated practitioners of MITRE ATT&CK and threat-informed defense to join us and to help expand the research program. 
 

[00:19:25] Sean Martin: Perfect. Well, Jon, fantastic work, congratulations on all the success. And, yeah, obviously I encourage everybody to look at the Center and the rest of the work that MITRE does. Get involved, use the tools, give feedback. And I don't know, maybe we'll have another chat at some point where we can bring some of the members on and get their experience on what it's like to be part of, part of the Center, and I would love to do that. 
 

Love it. So thanks, everybody, for listening and watching this episode from RSA Conference. Connect with Jon, connect with MITRE. Stay tuned to ITSPmagazine. Thanks, everybody.