


This webcast has been archived.

Collaborative Development of ATT&CK Analytics

  • Wednesday, November 15, 2017 at 3:30 PM EST (2017-11-15 20:30:00 UTC)
  • John Wunder




A group of organizations have kicked off work to develop and share cybersecurity analytics to detect ATT&CK techniques. Led by Bill Barnes from Pfizer and organized via MITRE's ATT&CK framework, the work consists of organizations picking a technique from ATT&CK, developing one or more analytics to detect that technique, and then sharing the analytic with the other participants. Participants get immediate operational benefits from their improved ability to detect malicious behavior, but the group is also documenting lessons learned and seeking to develop a repeatable methodology. The methodology will build on the ATT&CK methodology to allow organizations to identify gaps and understand how to get from where they are to where they want to be by developing their own analytics or sourcing analytics from others. It will discuss the transferability (or not) of analytics across organizations (due to differences in sensors, platforms, etc.), how to give feedback, and how to continually improve.

To learn more on the topic, join SANS for its Cyber Threat Intelligence Summit & Training in Bethesda, MD this January. The two-day Summit features in-depth presentations by top experts and practitioners addressing specific analytical techniques and capabilities that can be utilized to generate and maintain cyber threat intelligence for your organization.

Speaker Bio

John Wunder

John Wunder is a principal cybersecurity engineer at MITRE who gradually came to cybersecurity from the software development world over the past 10 years. John has been working on STIX since the early days of STIX 1 and is currently a co-chair of the STIX Subcommittee developing STIX 2.1. More recently, his work has focused on collaborative cybersecurity analytic development based on MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. He believes that cybersecurity information sharing can improve security for everyone, and works across MITRE’s sponsors to make it easier, faster, and more effective.

