ATT&CK Threat Hunting Detection Engineering Certification Path

MITRE ATT&CK® subject matter experts continuously develop the training and mastery assessment built for the ATT&CK® Fundamentals Badge. Their focus is to validate a defender's ability to understand the ATT&CK framework (the data along with the philosophy that has shaped ATT&CK) as well as recognize how ATT&CK can be applied to operational challenges/opportunities. The ATT&CK® Fundamentals Badge validates that a defender: • Understands what knowledge is and isn't captured within ATT&CK • Understands how and why ATT&CK evolves • Can manipulate and extend ATT&CK to meet tailored needs Meet the training and mastery assessment author: Jamie Williams Lead Cyber Adversarial Engineer at MITRE Jamie Williams is a Cyber Adversarial Engineer for the MITRE Corporation. He works on various exciting efforts involving security operations and research, specializing in adversary emulation and behavior-based detections. He also leads teams that help shape and deliver the "adversary-touch" within ATT&CK® and ATT&CK Evaluations. Before joining MITRE, Jamie received his M.S. in Information Systems Engineering from Johns Hopkins University and his B.S. in Information Systems from the University of Maryland, Baltimore County (UMBC). Steve Luke Director of Content MITRE ATT&CK Defender ™ Steve Luke is the Director of Content for MITRE ATT&CK Defender™. He’s dedicated to empowering organizations with more effective ways to robustly detect and respond to cyber-attacks. Since 2007, Steve has focused on delivering innovative solutions to cyber missions, with a special focus on ATT&CK® and its application to hunting. Steve co-authored a paper on TTP-Based Hunting, developed and delivered educational materials about that methodology, and leads purple teaming events to explore ATT&CK techniques and develop robust analytic approaches to detect them. Steve earned a B.S. and Masters of Engineering in Electrical Engineering from Cornell University with a focus on digital signal processing. Prior to joining MITRE in 2005, he served as an officer in the United States Air Force.

Earning the ATT&CK® Threat Hunting Fundamentals badge verifies that you understand how ATT&CK can be used as a malicious activity model to conduct the six steps of the TTP-based threat hunt methodology. You will understand how to contrast key elements of TTP-based hunting with complimentary approaches, as well as fundamental considerations for characterizing malicious activity or behavior and how to use that information to execute a TTP-based hunt. Knowledge of this process continually shapes information needs and data requirements to inform and develop continual hunt efforts focused on advanced cyber adversary behaviors.

The ATT&CK Threat Hunting Hypotheses badge will signify that you demonstrated your ability to develop and refine hypotheses and abstract analytics that can be used to hunt for evidence indicative of malicious presence. Through this effort, you will learn how to develop a well-formed hypothesis while avoiding common traps such as cognitive bias that can impact hunting efforts and fine-tuning hypotheses to focus on potential attack behaviors. This knowledge will then be used to teach you how to discuss and formulate abstract analytics that help you conduct research to find candidate invariant behaviors.

Earning the ATT&CK Threat Hunting Data Collection Requirements badge indicates that you understand how to identify data requirements necessary to conduct TTP-based hunts. Through this program you will receive guidance on how to describe various types of data types and how to identify data collection requirements and how they map to analytics. By demonstrating how to research data collection sources, you will be able to create a collection plan.

After completing the ATT&CK Threat Hunting Addressing Data Collection Gaps badge, you will be able to identify gaps in your data collection strategy and develop a plan for addressing those gaps. This knowledge will enable you to reconfigure existing tools, deploy new sensors, establish dew data flows, and use alternative analytic approaches to close existing data gaps, resulting in new data collection configurations. You will also gain insights into how you can explain potential impacts to network owners to inform security-based decisions.

The ATT&CK Threat Hunting Tuning Analytics badge is based on knowledge gained surrounding your ability to convert hypotheses and abstract analytics into concrete analytics that can effectively find malicious adversary behaviors within a given environment. You will gain insights into the optimization of precision and recall through modification of Time, Terrain, and Behavior aspects of developed analytics.