The MITRE ATT&CK/VERIS collaboration aims to create a common dictionary for communicating information about security incidents.

Incident responders work much like police detectives or journalists, in search of the who, what, when, why and how of incidents before they can take steps to address problems. One tool that helps responders address incidents after they occur and position organizations for better defense in the future is the widely used MITRE ATT&CK framework (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge).

The ATT&CK framework is deployed as a cyber intelligence tool during or after an incident to identify the relevant adversary and reveal appropriate mitigation steps. One recent example comes from McAfee, which used ATT&CK in a case that initially started as an investigation into a suspected malware infection but ended up as a surprise discovery of a long-term cyberattack by two Chinese threat groups, APT27 and APT4.

MITRE ATT&CK relies on a detailed knowledge base of adversary tactics and techniques based on real-world observations. In essence, the ATT&CK framework deals in a granular way with the who, what and why of an attack: which named group was behind it, which techniques it used, and the tactical goal each technique served.

Another framework used by incident responders is the Vocabulary for Event Recording and Incident Sharing (VERIS), a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. It is used, among other things, to classify the incidents and breaches appearing in the widely read annual Verizon Data Breach Investigations Report (DBIR). VERIS is a broader, higher-level framework than ATT&CK, and it is backed by an open and free repository of publicly reported security incidents coded in the VERIS format (the VERIS Community Database).
It offers incident responders the when and how of attacks: a VERIS record captures the actor, the action, the asset affected and the security attribute compromised (the "4 A's"), along with timeline and impact.

Last month, Verizon and The Center for Threat-Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity, an R&D foundation founded by MITRE, announced a "mapping and translation layer between VERIS and ATT&CK that allows for the usage of ATT&CK to describe the adversary behaviors that were observed in an incident coded in VERIS."

Bi-directional mapping is the goal

The two organizations intend for this connectivity between ATT&CK and VERIS to give a "bi-directional mapping" that links the behaviors adversaries use to attack systems with demographics and metadata, in the hope of giving organizations better defenses aligned with the latest threats. "Even though VERIS is relatively popular and it's fairly useful, it doesn't have the kind of high-level visibility that something like ATT&CK provides," Alex Pinto, senior manager, Verizon DBIR team, tells CSO. Nevertheless, VERIS functions as a useful strategy tool, and security leaders often use it to communicate to the board, he says.

"But [VERIS] doesn't help the defender with the nitty-gritty. ATT&CK is good on the practical side, but it doesn't have the coverage VERIS has. VERIS is not just concerned with the actual 'cyberattacks,' like all the hacking and the malware. We're also concerned about misuse and theft of devices."

So, MITRE Engenuity and Verizon decided to link them to make them work together more effectively. "We believe this would be a huge win for the information security community," Pinto says.

ATT&CK/VERIS collaboration available on GitHub

The goal is to allow defenders to create a more detailed picture of cyber incidents, encompassing the threat actor, technical behavior, targeted assets, and impact.
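To make the "translation layer" concrete, the following is an added example of what such a mapping does in practice; it is not code from the Center for Threat-Informed Defense, Verizon, or the published mapping. The mapping table is a small hand-written subset (real VERIS enumeration names and real ATT&CK technique IDs, but only a handful of pairs chosen for illustration), and the incident record is constructed. It walks the nested "action" section of a VERIS-coded incident, translates each enumeration into ATT&CK technique IDs, reports the VERIS values the table cannot express, and runs the reverse direction, where one technique can legitimately map back to several VERIS values.

```python
"""Translate a VERIS-coded incident into ATT&CK technique IDs, and back.

Added example. The mapping table is a small hand-written sample using real
VERIS enumeration names and real ATT&CK technique IDs; it is NOT the
published ATT&CK/VERIS mapping file, and the incident below is constructed.
"""
from collections import defaultdict

# Constructed subset of a VERIS-to-ATT&CK mapping. VERIS "action" values are
# addressed by dotted path (category.field.value); values are technique IDs.
VERIS_TO_ATTACK = {
    "action.hacking.variety.Exploit vuln": ["T1190", "T1203"],
    "action.hacking.variety.Brute force": ["T1110"],
    "action.hacking.variety.Use of stolen creds": ["T1078"],
    "action.hacking.vector.Web application": ["T1190"],
    "action.social.variety.Phishing": ["T1566"],
    "action.malware.variety.Ransomware": ["T1486"],
    "action.malware.variety.C2": ["T1071"],
}


def invert(mapping):
    """Build the reverse (ATT&CK -> VERIS) table; the relation is many-to-many."""
    reverse = defaultdict(set)
    for veris_path, techniques in mapping.items():
        for tid in techniques:
            reverse[tid].add(veris_path)
    return {tid: sorted(paths) for tid, paths in reverse.items()}


ATTACK_TO_VERIS = invert(VERIS_TO_ATTACK)


def veris_action_paths(incident):
    """Flatten the 'action' section of a VERIS incident into dotted paths.

    VERIS nests enumerations as action.<category>.<field> = [values], e.g.
    action.social.variety = ["Phishing"]. Non-list fields (notes, free text)
    are skipped because they are not enumerations.
    """
    paths = []
    for category, fields in incident.get("action", {}).items():
        for field, values in fields.items():
            if isinstance(values, list):
                paths.extend(f"action.{category}.{field}.{v}" for v in values)
    return paths


def veris_to_attack(incident):
    """Return (sorted technique IDs, VERIS paths with no entry in the table).

    Unmapped paths are returned rather than silently dropped: VERIS records
    things a technique list does not describe (delivery vectors, misuse,
    lost devices), and the responder should see what the translation left out.
    """
    techniques, unmapped = set(), []
    for path in veris_action_paths(incident):
        if path in VERIS_TO_ATTACK:
            techniques.update(VERIS_TO_ATTACK[path])
        else:
            unmapped.append(path)
    return sorted(techniques), unmapped


def attack_to_veris(technique_ids):
    """Reverse direction: each technique -> candidate VERIS enumerations.

    One technique can correspond to several VERIS values (T1190 in this
    table), so the result is a list of candidates for an analyst to choose
    from, not a single answer. Unknown technique IDs map to an empty list.
    """
    return {tid: ATTACK_TO_VERIS.get(tid, []) for tid in technique_ids}


# Constructed VERIS incident: a phishing email leads to stolen credentials,
# a C2 implant and ransomware. The "notes" string is deliberately not a list.
SAMPLE_INCIDENT = {
    "incident_id": "example-0001",
    "action": {
        "social": {"variety": ["Phishing"], "vector": ["Email"]},
        "hacking": {"variety": ["Use of stolen creds"]},
        "malware": {"variety": ["Ransomware", "C2"], "notes": "seen on 3 hosts"},
    },
}

if __name__ == "__main__":
    techniques, unmapped = veris_to_attack(SAMPLE_INCIDENT)
    print("ATT&CK techniques:", techniques)          # ['T1071', 'T1078', 'T1486', 'T1566']
    print("Not in mapping table:", unmapped)          # ['action.social.vector.Email']
    print("T1190 back to VERIS:", attack_to_veris(["T1190"])["T1190"])
```

The point a practitioner should take from this is the asymmetry: going from VERIS to ATT&CK adds technical detail (one VERIS value fans out to several techniques), while going back collapses that detail into the coarser VERIS categories and leaves an analyst to pick among candidates. Whatever the table cannot express should be surfaced, not lost, because those leftovers (vectors, misuse, physical loss) are exactly the coverage VERIS has that ATT&CK does not.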
The mapping created by this collaboration is available on GitHub for all defenders and incident responders to use. "We decided to make it as frictionless as possible," Richard Struse, director, Center for Threat-Informed Defense at MITRE Engenuity, tells CSO. "We released this on the center's website, and there's a corresponding GitHub repository. We don't try to track or control who uses this."

"This is a building block. This is a bridge that allows two communities that each are doing valuable work to now connect the work they're doing in an impactful way and a really efficient way," Struse says. "What we're hoping to do is inform the community that this resource is out there and that it's freely available. They can pick it up and use it today to either add more technical detail to their VERIS-centric view of the world or take it and add some more of that more strategic-level information if they're sort of ATT&CK-centric."

Lingua franca for security incident communications

Although it is not yet clear exactly how the integration of the two frameworks will translate into practical benefits for defenders and incident responders, Pinto expects one key benefit to be a lingua franca for communicating about incidents. "It becomes way easier to understand the end-to-end, the flow of the kind of the contextualization. I should be doing 'this' to be protected against 'that' becomes so much simpler," he says.

Fundamentally, both frameworks, and the integration of the two, formalize what incident responders and defenders do all the time anyway. These models provide a more logical, systematic approach to this kind of work, Pinto says. "This is something that everybody has to do anyway. You're always trying to figure out, 'Okay, am I spending my money or my time in security on the things I should be doing?' This is something that everybody has to do in a way.
You try to guess most of the time if what you're defending against aligns with what you should be defending against."

The VERIS-ATT&CK mapping "is the dictionary," Pinto says. "It's your translation dictionary. So, you really don't have to think about it."