Exploring the MITRE ATT&CK® Matrix in SE Education

Abstract

Cybersecurity is a multidisciplinary field that requires understanding of human behavior. To reinforce this idea and encourage non-technical students to participate in cybersecurity, an experiential learning project was implemented in an upper-level undergraduate criminal justice class. This paper is focused on that proof-of-concept class project in which groups of students mapped a social engineering case study onto the MITRE ATT&CK framework to understand the adversarial mindset. The paper provides background information on the ATT&CK framework, compares groups’ mappings to others within the class as well as against a mapping done by an ATT&CK representative, and it offers a discussion on the lessons learned and opportunities to expand our application and understanding of educational cybersecurity principles. This paper emphasizes that while someone with more knowledge and experience using a framework that focuses on the technical aspects of cybersecurity may map a SE case study differently than multidisciplinary students who are experiencing it for the first time, there is not a single correct way to interpret and correspondingly defend adversary behaviors. Having students experience this mapping project allows them to understand the breakdown of an adversary’s behavior and contextualize key tactics and techniques in a way that fits their perspective and skillset. This paper also demonstrates how a SE case study can be mapped onto the ATT&CK framework despite SE not being the focus of the framework, and that SE uses tactics and techniques that are also prevalent within more technical cyber campaigns. The authors hope to encourage more interdisciplinary cybersecurity education by sharing this experiential learning course project.