Students’ Application of the MITRE ATT&CK® Framework via a real-time Cybersecurity Exercise

Aunshul Rege, Jamie Williams, Rachel Bleiman, Katorah Williams
European Conference on Cyber Warfare and Security, published 2023-06-19. DOI: 10.34190/eccws.22.1.1126 (https://doi.org/10.34190/eccws.22.1.1126)

Abstract

The MITRE ATT&CK framework enables practitioners to understand and track cyber adversary behaviors. Concepts such as social engineering (SE) are not directly captured in the current version of ATT&CK as an individual technique, though the application of SE is relevant to many technical behaviors. Utilizing the ATT&CK framework in an educational setting, specifically within a competition focused on SE, allows students to explore adversarial behavior through experiential learning and understand how SE is relevant within cybersecurity. The structure of the framework allows students to see and describe each behavior from the perspective of the adversary, motivating them to compile and question “why” and “how” each individual action contributes to the operational objectives. This paper shares students’ mappings of the ATT&CK framework to playbooks they developed during a real-time SE penetration testing competition. Students were given numerous flags to pursue during the competition and this paper will share their playbooks and mappings to the ATT&CK framework. This paper demonstrates that while someone with more knowledge and experience using the framework may map a SE case study differently than multidisciplinary students who are experiencing it for the first time, there is not a single correct way to map onto the matrix. Having students experience this mapping process allows them to understand the breakdown of an adversary’s behavior and interpret key tactics and techniques in a way that fits their mapping needs. This paper also demonstrates how a SE case study can be mapped onto the ATT&CK framework despite SE not being the focus of the framework, and that SE uses tactics and techniques that are also relevant to technical cyberattacks. The authors hope to encourage more interdisciplinary cybersecurity education by sharing this experiential learning event.