WEBVTT

00:00.000 --> 00:03.630
>> Welcome to the 8th and
final lesson of Module 1.

00:03.630 --> 00:06.060
How ATT&CK grows and evolves.

00:06.290 --> 00:08.550
In this lesson, we will explore

00:08.550 --> 00:10.800
how and why ATT&CK
changes over time.

00:10.800 --> 00:13.860
Recognize how to track and
monitor these changes,

00:13.860 --> 00:15.660
and finally, identify how

00:15.660 --> 00:18.220
to access previous
versions of ATT&CK.

00:19.670 --> 00:22.020
Adversaries, malware, and

00:22.020 --> 00:23.850
the behaviors evolve every day,

00:23.850 --> 00:25.270
and to keep up with this, ATT&CK

00:25.270 --> 00:27.450
is very much a living framework.

00:27.450 --> 00:30.870
Techniques, groups, software, and
the various objects within

00:30.870 --> 00:34.065
ATT&CK were all designed to
evolve and grow over time.

00:34.065 --> 00:36.375
as the need to add, deprecate,

00:36.375 --> 00:39.840
or even enhance content
is very much present.

00:39.840 --> 00:42.080
The MITRE ATT&CK team has

00:42.080 --> 00:43.490
continuous processes for vetting

00:43.490 --> 00:45.140
and modifying ATT&CK content,

00:45.140 --> 00:46.940
including keeping up with

00:46.940 --> 00:49.220
publicly available cyber
threat intelligence and

00:49.220 --> 00:50.390
making appropriate changes to

00:50.390 --> 00:51.740
techniques and sub-techniques,

00:51.740 --> 00:54.570
as well as their mappings
to groups and software.

00:56.540 --> 00:59.360
To highlight this growth,
let's take a look at one of

00:59.360 --> 01:01.655
the first matrices produced
by the ATT&CK team.

01:01.655 --> 01:05.600
This is the enterprise
matrix from around 2014.

01:05.600 --> 01:07.460
As you can see, this
matrix only has

01:07.460 --> 01:10.650
eight tactics and
around 60 techniques.

01:11.920 --> 01:14.780
Compare that to the
most recent version

01:14.780 --> 01:16.035
of ATT&CK, version 8,

01:16.035 --> 01:17.750
where the enterprise matrix has

01:17.750 --> 01:19.220
14 tactics and over

01:19.220 --> 01:22.240
500 combined techniques
and sub-techniques.

01:22.240 --> 01:24.510
This may seem like
a lot of growth,

01:24.510 --> 01:26.210
but think about how
many hash values,

01:26.210 --> 01:28.700
IP addresses, and
domain names and

01:28.700 --> 01:30.140
other artifacts
have been produced

01:30.140 --> 01:32.850
by adversaries since 2014.

01:35.980 --> 01:38.880
ATT&CK is typically
updated twice a year,

01:38.880 --> 01:41.735
and there are various ways
you can track these changes.

01:41.735 --> 01:44.900
The first of which is
updates and modifications to

01:44.900 --> 01:46.460
the STIX content hosted in

01:46.460 --> 01:49.120
this MITRE CTI
GitHub repository.

01:49.120 --> 01:53.380
This STIX content is what
populates the ATT&CK website.

01:53.710 --> 01:55.940
But you can also
see these changes

01:55.940 --> 01:58.280
in the update logs
hosted on the site,

01:58.280 --> 02:00.350
which will include descriptions

02:00.350 --> 02:02.820
and notes for each release.

02:06.010 --> 02:09.145
While ATT&CK continues to
grow and evolve over time,

02:09.145 --> 02:10.540
there may come a need to

02:10.540 --> 02:12.980
access previous
versions of ATT&CK.

02:13.840 --> 02:16.220
Versions dating back to version

02:16.220 --> 02:19.490
3 are still hosted
on the website.

02:22.520 --> 02:24.955
While the ATT&CK team
does a lot of work

02:24.955 --> 02:26.590
to grow and evolve ATT&CK,

02:26.590 --> 02:27.640
we really do depend on the

02:27.640 --> 02:30.205
community to keep
ATT&CK growing.

02:30.205 --> 02:32.260
Contributor guidance as well as

02:32.260 --> 02:34.800
examples is available
on the site,

02:34.800 --> 02:36.640
and definitely
feel free to reach

02:36.640 --> 02:38.260
out to attack@mitre.org for

02:38.260 --> 02:40.090
any ideas or
intelligence that can

02:40.090 --> 02:42.950
be of use to grow and
enhance the model.

02:44.840 --> 02:48.670
With that, we've reached
the end of Lesson 8.

02:48.670 --> 02:52.500
In our knowledge check, complete
the following sentence.

02:52.500 --> 02:54.680
"ATT&CK is..." Please pause

02:54.680 --> 02:56.165
the video and take a second to

02:56.165 --> 02:59.040
select the correct answer
before proceeding.

03:01.600 --> 03:04.610
As much as I would love
to say ATT&CK is perfect,

03:04.610 --> 03:07.100
the correct answer is
C. ATT&CK is constantly

03:07.100 --> 03:08.450
evolving over time and

03:08.450 --> 03:10.980
anyone can submit
a contribution.

03:12.670 --> 03:15.380
In summary, ATT&CK grows to

03:15.380 --> 03:18.100
keep up with the evolution
of threats and adversaries,

03:18.100 --> 03:20.255
and these changes
can be monitored

03:20.255 --> 03:21.755
through updates to the STIX content

03:21.755 --> 03:26.110
or updates tracked in
our logs on the site.

03:26.210 --> 03:29.370
Finally, previous
versions of ATT&CK

03:29.370 --> 03:32.700
are still hosted on our site
going back to Version 3.

03:34.130 --> 03:37.365
With that, we've reached
the end of Module 1.

03:37.365 --> 03:40.550
In summary, ATT&CK was created

03:40.550 --> 03:43.790
based on the need to
understand and adapt to

03:43.790 --> 03:46.910
our adversaries and
captures the TTPs of

03:46.910 --> 03:49.220
real-world adversary
behaviors and maps

03:49.220 --> 03:50.960
these TTPs to groups

03:50.960 --> 03:53.880
and software which
execute these behaviors.

03:55.910 --> 04:00.085
I definitely recommend visiting
our site attack.mitre.org

04:00.085 --> 04:01.760
to get a hands-on feel for

04:01.760 --> 04:04.535
ATT&CK and all the
information captured.

04:04.535 --> 04:06.755
But for more great information,

04:06.755 --> 04:08.615
check out our Design and
Philosophy paper

04:08.615 --> 04:11.040
as well as our Getting
Started Guide.

