Making sense of hackers


Making sense of hackers' actions after a breach

Perimeter security is vital, but it has long since ceased to be sufficient for government systems. Cyber intruders will breach networks and often are able to navigate internally for months before being detected. And because attackers change their methods frequently, intrusions can be difficult to detect by traditional means.

Dig IT Award Finalists

The GCN Dig IT Awards celebrate discovery and innovation in government IT.

There are 36 finalists this year. Each will be profiled in the coming days, and the winners for each category will be announced at the Oct. 13 Dig IT Awards gala.

See the full list of 2016 Dig IT Award Finalists

MITRE, which operates multiple federally funded research and development centers (FFRDCs) and supports the Defense Department on a wide range of cybersecurity initiatives, has worked to close that knowledge gap. Its Adversarial Tactics, Techniques and Common Knowledge behavioral model is the first detailed framework to describe the actions a malicious cyber actor takes once inside a network.

ATT&CK grew out of MITRE's previous cybersecurity research, particularly red team/blue team exercises. Officials realized that there are only so many variations in the ways adversaries behave once they've successfully breached a system. Make that universe of options better understood, and defenders have a much better chance of mitigating a breach before too much damage is done.

Central to the project is a matrix of post-exploitation tactics and techniques. Organized into categories such as privilege escalation, later movement, defense evasion and exfiltration, the ATT&CK matrix provides a much-needed common frame of reference.

MITRE cultivated a community around ATT&CK to raise awareness and continue to refine the shared knowledge. As a constantly growing and freely available reference base, ATT&CK can help agencies deter and respond to breaches. They can also use the model to create a blueprint for monitoring and assessment, make decisions about cybersecurity investments and more easily share information thanks to a standardized vocabulary.

Although the project grew out of an FFRDC that supports DOD, ATT&CK is open-source and applicable to any government agency and the commercial sector.

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected