Does the Solution to the Cyber Skills Gap Already Exist?
When government agencies consider the MITRE ATT&CK Framework, most want to better understand and address adversary behavior. When it comes to combating an agency's debilitating shortage of skilled cyber personnel, most are still looking for effective solutions. But what if the MITRE ATT&CK Framework is as effective at enhancing cyber defense skills as it is at identifying the adversary's antics?
A recent experiment using a robot and a team of interns has demonstrated that ATT&CK can also serve as an effective teaching tool that will sharpen security skills at every experience level, from the intern to the security researcher. Each year, my organization hires interns, from high school students to college graduates, who are interested in pursuing a career in cybersecurity. During the early years of this program, we struggled with balancing too much information against too little, and with keeping students engaged.
Our first attempt to remedy this was to have a team of interns from FIRST Robotics build an Internet-controlled robot. We taught them how it could be attacked and had them research strategies for defending against these types of attacks. Since the ATT&CK Framework had become such an important part of our customers' and our own security programs, we wondered how we could use the framework to advance our students' cyber skills. As it turns out, the ATT&CK Framework quickly became one of our most effective teaching tools.
First, we categorized the techniques by how readily security practitioners at a given experience level can address them:
- Techniques Only
- Exploitable to Anyone
- Additional Steps Required
- Cost Prohibitive
- Hard
As it turns out, each ATT&CK technique fits nicely into one of the above categories and, most importantly, the framework accomplishes three key learning objectives: it provides knowledge about security, it gives insight into why the various techniques are important, and it helps with the actual application of the techniques.
Depending on the knowledge level of those being taught, the approach can be modified. Students and security analysts will need to know what information they can get out of ATT&CK and be able to use that information to improve security for their organizations.
Security researchers will need to know what they can get out of ATT&CK but also what they can provide back to The MITRE Corp. as feedback, since ATT&CK’s success is based on a curated knowledge base.
ATT&CK accomplishes the three key learning objectives for teaching cyber defense skills at every level. Here’s how:
It provides knowledge about security.
- At any skill level, the first outcome is always to identify what is known now that wasn't known before. For junior-level people, it will be quite a lot. For senior-level people, it may be subtle. For example, some may already know how to conduct red teaming, but now they may learn how to hide their techniques from the blue team.
It aids understanding of why the various techniques are important.
- Do the mitigation strategies work, and can they be bypassed? If personnel are protecting an organization, they'll need to think beyond the mitigation strategies.
It helps with the actual application of the techniques.
- Did the detection strategies work, and can any detection strategies be added?
The solution to a problem can often be found by using an existing tool in a different way, as we experienced with the ATT&CK Framework and teaching our organization's interns. While the government has tried many different approaches and has created many different tools in an effort to close the cybersecurity skills gap, it has to work with what it's got in the meantime. In that spirit, we challenge government organizations of all sizes and maturity levels to think of the ATT&CK Framework as a tool not only to understand adversary behavior but also to enhance their security professionals' cyber defense skills.
Travis Smith is the principal security researcher at Tripwire.