Fortinet is now an official Research Partner with MITRE Engenuity’s Center for Threat-Informed Defense (Center), a nonprofit organization with a global mission to “advance the state of the art and the state of the practice in threat-informed defense.”
As a new Research Partner, Fortinet will have a more prominent role in the organization’s high-profile projects. The ultimate goal for the Center, Fortinet, and other Center Participants is to change the game on the adversary by continually advancing our understanding of cyber adversaries and their tactics, techniques, and procedures and applying that knowledge to systematically advance the community’s ability to defend against those threats.
Center leadership considers Fortinet’s new Research Partner status as a very positive development. Jonathan Baker, Center Director and Co-Founder says, “Fortinet has taken a hands-on approach to changing the game on the adversary and advancing threat-informed defense. I appreciate their active engagement in the Center’s research program and their commitment to enabling defenders around the world to understand and defend against the latest threats. Fortinet has been a great Research Sponsor and now as a Research Partner, I am looking forward to seeing Fortinet continue to help us change the game on adversaries and advance threat-informed defense.”
The Beginnings of the Center for Threat-Informed Defense
In the fall of 2019, the Cyber Threat Alliance, along with several other organizations including major banks and high-tech corporations, came together as founders to create the Center and “a whole new approach to collaborative R&D in the public interest.” The Center currently comprises 29 member organizations (partners, sponsors, nonprofits, and affiliates) from around the globe and has 17 published projects.
Within a year of its founding, Fortinet was collaborating with the Center. In fact, Fortinet was instrumental in helping create a recently published research paper titled 2021 ATT&CK Sightings Report.
This paper is based on a research project run by the Center in collaboration with some of our FortiGuard Labs staff and several other Center participants’ employees. The researchers analyzed more than one million attacks using the MITRE ATT&CK® framework, collected over 28 months (April 1, 2019, to July 31, 2021), to provide contextual and actionable threat intelligence that details how attackers are conducting their criminal activity.
The key intelligence found in the Sightings Report is that 90% of all cyberattacks use one of just 15 techniques across six tactics. This takeaway is extremely helpful because it significantly reduces the number of likely threats from the entire list of more than 370 possible techniques across 14 tactics. Therefore, defenders can focus their efforts on the “usual suspects” instead of trying to use limited resources to protect against hundreds of unlikely threats. Imagine trying to play Whack-a-Mole with almost 400 possibilities instead of just 15 or 20 “moles.”
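The prioritization the Sightings Report describes is a frequency-coverage calculation: rank observed techniques by how often they are sighted and keep the shortest prefix that accounts for a chosen share of all sightings. The following Python is an added illustration, not code from the Sightings Report, the Center, or Fortinet. The technique IDs are real ATT&CK numbers, but the sighting counts and the one-tactic-per-technique mapping are constructed for the example and do not reproduce the report's data.

```python
from collections import Counter

# Constructed sightings: (technique_id, tactic). The IDs are real ATT&CK
# technique numbers; the counts and the single-tactic mapping are invented
# for illustration and are not Sightings Report figures.
SIGHTINGS = (
    [("T1059", "execution")] * 40
    + [("T1027", "defense-evasion")] * 25
    + [("T1105", "command-and-control")] * 12
    + [("T1053", "persistence")] * 8
    + [("T1021", "lateral-movement")] * 6
    + [("T1036", "defense-evasion")] * 4
    + [("T1055", "defense-evasion")] * 2
    + [("T1569", "execution")] * 2
    + [("T1047", "execution")] * 1
)


def technique_counts(sightings):
    """How many times each technique was sighted."""
    return Counter(tid for tid, _ in sightings)


def prioritize(sightings, target=0.90):
    """Return the shortest frequency-ordered list of
    (technique, count, cumulative_share) that covers at least `target`
    of all sightings. Ties are broken by technique ID for determinism."""
    total = len(sightings)
    ranked = sorted(technique_counts(sightings).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    selected, covered = [], 0
    for tid, n in ranked:
        covered += n
        selected.append((tid, n, covered / total))
        if covered / total >= target:
            break
    return selected


def tactics_covered(sightings, selected):
    """Distinct tactics represented by the prioritized technique set."""
    tactic_of = {tid: tactic for tid, tactic in sightings}
    return sorted({tactic_of[tid] for tid, _, _ in selected})


if __name__ == "__main__":
    top = prioritize(SIGHTINGS)
    for tid, n, share in top:
        print(f"{tid}: {n:3d} sightings, cumulative {share:.0%}")
    print("tactics:", ", ".join(tactics_covered(SIGHTINGS, top)))
```

With the constructed counts, five of the nine techniques reach the 90% threshold, which is the same shape of result the report draws from its much larger data set: a short list of high-frequency techniques is where detection engineering effort pays off first. Raising `target` to 1.0 returns every technique, which is the "almost 400 moles" situation the paragraph warns against.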
Where the Action Is
Fortinet has found the results of the Center’s collaborative R&D process extremely beneficial and the experience rewarding. Alongside the Sightings Report, another Center project in which Fortinet was deeply involved is called Attack Flow. This project’s goal was to show how the latest attacks move from left to right across the kill chain or the ATT&CK framework. The data acquired indicates not only how attackers move through compromised networks but also which assets they target. The Attack Flow findings provide a window into where actions occur, enabling IT security teams to deploy specific defense strategies in response.
Lacking attack flow data, leadership cannot see how attacks map to specific assets in their network, especially when multiple attack flows are possible. The Center described the problem as “Defenders often track adversary behaviors atomically, focusing on one specific action at a time. This makes it harder to understand adversary attacks and to build effective defenses against those attacks.” Attack flow data also enables more realistic attack scenarios for red team exercises and more focused threat hunting. Shortening the dwell time is paramount to limiting the exposure after a breach.
The attack flow intelligence that the Center collaboration generated in this project helps defenders know which tactics, techniques, and procedures to watch for and which assets to keep under close scrutiny. Attack Flow helps “defenders and leaders understand how adversaries operate and compose atomic techniques into attacks to better understand defensive posture.”
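To make the difference between atomic tracking and flow tracking concrete, the following Python is an added example, not the Center's Attack Flow format (which is a STIX-based JSON model) and not Fortinet code. It represents each intrusion as an ordered list of (technique, asset) steps, which is a simplification of the real project's graph model, and then answers the questions the paragraphs above raise: which technique tends to follow which, which assets recur across intrusions, and which techniques appear in every flow and so make the best detection choke points. The flows and asset names are constructed; the technique IDs are real ATT&CK numbers.

```python
from collections import Counter, defaultdict

# Constructed attack flows: each is the ordered (technique_id, asset) steps
# observed in one intrusion. The sequences and asset names are invented for
# illustration; only the technique IDs are real ATT&CK identifiers.
FLOWS = [
    [("T1566", "mail-gateway"), ("T1059", "workstation-17"),
     ("T1053", "workstation-17"), ("T1021", "file-server"),
     ("T1486", "file-server")],
    [("T1566", "mail-gateway"), ("T1059", "workstation-03"),
     ("T1105", "workstation-03"), ("T1021", "file-server"),
     ("T1486", "file-server")],
    [("T1190", "web-server"), ("T1059", "web-server"),
     ("T1105", "web-server"), ("T1021", "db-server"),
     ("T1005", "db-server")],
    [("T1566", "mail-gateway"), ("T1059", "workstation-09"),
     ("T1021", "file-server")],
]


def transitions(flows):
    """Count how often technique B directly follows technique A."""
    successors = defaultdict(Counter)
    for flow in flows:
        for (a, _), (b, _) in zip(flow, flow[1:]):
            successors[a][b] += 1
    return successors


def likely_next(flows, technique):
    """Immediate successors of `technique`, most frequent first. Tells a
    hunter what to look for on the same host once one step is confirmed."""
    return transitions(flows)[technique].most_common()


def asset_scrutiny(flows):
    """Assets ranked by how many distinct intrusions touched them.
    dict.fromkeys keeps first-seen order so ties rank deterministically."""
    hits = Counter()
    for flow in flows:
        for asset in dict.fromkeys(asset for _, asset in flow):
            hits[asset] += 1
    return hits.most_common()


def choke_points(flows):
    """Techniques present in every flow: a detection for any one of them
    would have surfaced every intrusion in the sample."""
    per_flow = [{tid for tid, _ in flow} for flow in flows]
    return sorted(set.intersection(*per_flow))


if __name__ == "__main__":
    print("after T1059:", likely_next(FLOWS, "T1059"))
    print("assets:", asset_scrutiny(FLOWS))
    print("choke points:", choke_points(FLOWS))
```

Tracked atomically, T1059 on a workstation and T1021 against a file server are two unrelated alerts; tracked as a flow, T1059 is the step that precedes T1021 in every sampled intrusion, and the file server is the asset that three of four flows converge on. That is the "where the action is" view the paragraph describes, and it is what lets a team decide which detections and which assets deserve the first investment.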
Fortinet is committed to new projects that extend the work invested in Sightings and Attack Flow, with the intent to help build a corpus, develop tools for visualization, and add further contextual insight into the data.
Fortinet’s FortiGuard Labs believes that helping to drive these projects will have a meaningful and positive impact on the abilities of cyber defenders worldwide to continue to detect and mitigate the latest attack vectors.
Fortinet is looking forward to continuing to work with the Center for Threat-Informed Defense on important projects as a Research Partner. Stay tuned; we will share them here when they are published.