SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework

New guide covers recommended methods of leveraging the MITRE ATT&CK knowledge base to improve security operations and threat intelligence capabilities.

  • Bethesda, MD
  • July 13, 2020

A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture. Recommendations in the report will be shared and discussed in a trio of webcasts on July 21, July 28, and August 06.

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative started in 2015 with the goal of providing a knowledge base of adversarial tactics, based on real-world observations and accessible globally. With its rapid uptake by vendors and information security teams, ATT&CK now provides a key capability that many organizations have traditionally struggled with: A standard language of attack techniques, groups that use them, and the data sources that detect them.

“MITRE ATT&CK is a multi-faceted framework that can help you not only understand your attackers’ tactics, techniques, and procedures, but also prioritize and test your defenses in a variety of highly useful ways,” says John Hubbard, paper author, SANS Certified Instructor and course author. “It is a complete set of data giving you organized and actionable info on attackers and defensive strategies.”

The new SANS paper covers key ideas and strategies for using ATT&CK to inform security defense measures with valuable threat intelligence, allowing security operations teams to not only improve their defenses, but also quantify the improvement, demonstrate those improvements with evidence, and ultimately set the team on the path to long-term success.

“You wouldn't go into a physical fight without knowing anything about your enemy or your own defense capabilities, so why would a cyber war be any different?” says John Hubbard. “In order to give yourself the best chance at succeeding, teams need to know what they're up against so they can prioritize their defensive spending and optimize their resources against their attackers. MITRE ATT&CK allows teams to do this in a free and simple way.”

Webcast Details

Recommendations and guidance provided in the report will be presented in detail by report author John Hubbard in a webcast on Tuesday, June 21 at 1:00 p.m. EDT (17:00 UTC), sponsored by Anomali, AttackIQ, Corelight, CyberProof, ExtraHop, Infoblox, LogRhythm, and ThreatQuotient, and hosted by SANS Institute. Register to attend the webcast at

Get additional perspective on the report in a second webcast on Tuesday, July 28 at 1:00 p.m. EDT (17:00 UTC), in which representatives from AttackIQ will join a panel discussion with report author John Hubbard. Register to attend this webcast at

And join in a special SANS Roundtable webcast on Thursday, August 06 at 1:00 p.m. EDT (17:00 UTC), in which representatives from ExtraHop will explore additional themes from the paper. Register for this webcast at

Those who register for any of these webcasts will be among the first to receive their copy of the report, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” written by John Hubbard, SANS Certified Instructor and course author.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.