SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework

New guide covers recommended methods of leveraging the MITRE ATT&CK knowledge base to improve security operations and threat intelligence capabilities.

Bethesda, Md. – A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture. Recommendations in the report will be shared and discussed in a trio of webcasts on July 21, July 28, and August 06.

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative started in 2015 with the goal of providing a knowledge base of adversarial tactics, based on real-world observations and accessible globally. With its rapid uptake by vendors and information security teams, ATT&CK now provides a key capability that many organizations have traditionally struggled with: a standard language of attack techniques, groups that use them, and the data sources that detect them.

“MITRE ATT&CK is a multi-faceted framework that can help you not only understand your attackers’ tactics, techniques, and procedures, but also prioritize and test your defenses in a variety of highly useful ways,” says John Hubbard, paper author, SANS Certified Instructor and course author. “It is a complete set of data giving you organized and actionable info on attackers and defensive strategies.”

The new SANS paper covers key ideas and strategies for using ATT&CK to inform security defense measures with valuable threat intelligence, allowing security operations teams to not only improve their defenses, but also quantify the improvement, demonstrate those improvements with evidence, and ultimately set the team on the path to long-term success.

“You wouldn't go into a physical fight without knowing anything about your enemy or your own defense capabilities, so why would a cyber war be any different?” says John Hubbard. “In order to give yourself the best chance at succeeding, teams need to know what they're up against so they can prioritize their defensive spending and optimize their resources against their attackers. MITRE ATT&CK allows teams to do this in a free and simple way.”

Webcast Details

Recommendations and guidance provided in the report will be presented in detail by report author John Hubbard in a webcast on Tuesday, June 21 at 1:00 p.m. EDT (17:00 UTC), sponsored by Anomali, AttackIQ, Corelight, CyberProof, ExtraHop, Infoblox, LogRhythm, and ThreatQuotient, and hosted by SANS Institute. Register to attend the webcast at

Get additional perspective on the report in a second webcast on Tuesday, July 28 at 1:00 p.m. EDT (17:00 UTC), in which representatives from AttackIQ will join a panel discussion with report author John Hubbard. Register to attend this webcast at

And join in a special SANS Roundtable webcast on Thursday, August 06 at 1:00 p.m. EDT (17:00 UTC), in which representatives from ExtraHop will explore additional themes from the paper. Register for this webcast at

Those who register for any of these webcasts will be among the first to receive their copy of the report, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” written by John Hubbard, SANS Certified Instructor and course author.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.