Skip to content

Advancing Threat-Informed Defense with ATT&CK’s Founder, Blake Strom

In my last post I shed some light into how threat-informed defense came into my universe, both in concept (through the work of the MITRE FMX project), as well as in name (through conversations with Rich Struse). Throughout that story, MITRE ATT&CK® was the cornerstone. It defined nearly 10 years of my career, from using it day-to-day to helping the community adopt it to using it as a lens to help measure how well security solutions stack up to defending against threats.


 

Looking back, ATT&CK’s success in those early days was extraordinary. It’s underlying assumption was a very different way of thinking about security, one that is more detailed and grounded in realism - focused on admitting adversaries will eventually get in despite your best efforts. This type of thinking could have easily been met with skepticism and push back, and in some cases, it did. But more often than not, it was accepted with a healthy realization that we needed to shift our focus to defense in depth vs a silver bullet. This way of thinking created an environment for new creativity, and ATT&CK led to a groundswell that would reshape the cybersecurity industry as we know it.

ATT&CK’s adoption was fascinating to watch. As popular as it is today, it got there mostly as a grassroots movement driven by a passionate community of red and blue teamers. It was a common language that we could use to share what we knew about threats and security with others, and then they with others. As a result, a community formed that could approach the challenges of cybersecurity together. And industry benefited from this open, collaborative dialog with increased understanding of adversary behavior, improved defensive capabilities, and more rigorous testing.

But despite these advances, there is still work to do. We have witnessed first-hand how hard it is for the most sophisticated organizations to fully adopt ATT&CK and threat-informed defense, as well as those at the beginning of their security journey. At Tidal, our mission is to make threat-informed defense practical and sustainable. We want organizations large and small to reap the benefits of threat-informed defense.  


 

So how do we do that? Well to start, we surround ourselves with people who understand the problems and who share a passion to help others fix them.

We recently announced the addition of our first two advisors, Rick Howard and Jenny Menna. Both bring unique perspectives and expertise, particularly around end-user needs related to threat-informed defense. Today we follow that news with another key addition, one that is meant to ensure we continue to remain true to the principles and vision of ATT&CK, while we work to evolve and advance threat-informed defense. We are proud to announce that Blake Strom has joined Tidal’s Advisory Board.

To see Blake’s impact on industry, we need to look no further than ATT&CK itself. Coming to MITRE from the NSA in 2013, he was tasked with the formidable task of leading an adversary emulation team to assess the FMX team’s post-compromise blue team research on behavioral defenses. Quickly identifying an understanding gap between red and blue teams, he conceptualized a framework that described red team actions and led a team that created a type of encyclopedia around it. He started pulling together a list of abstracted behaviors mapped to their corresponding goals into a spreadsheet. The spreadsheet grew. It got a catchy name. It grew. It became a wiki. It grew. And grew. And in 2015, Blake’s magnum opus, the MITRE ATT&CK knowledge base, was released to the world.

Blake oversaw ATT&CK up through his departure from MITRE in 2020. During this time, it expanded from 96 techniques to 156 techniques and 260 sub-techniques. It went from Windows-centric to also include Mac/Linux, “left of exploit” PRE, Mobile, Cloud, and ICS. The model itself was refined numerous times to better fit the needs of the community. And most importantly, it became a de facto industry standard that revolutionized cybersecurity.

Blake also led the team that created MITRE’s CALDERA “Automated Adversary Emulation Platform”, and he was a member of the ATT&CK Evaluations founding leadership team. As Blake has since moved on to become the lead of Microsoft’s M365 Defender threat research team, his impacts to the community through ATT&CK and its related efforts continue to be felt.  

With Blake’s guidance we can ensure that our SaaS platform and related services deliver threat-informed defense not only effectively, but with the incredibly high standards he set with the ATT&CK community through the years. We welcome Blake to the team, and thank him, Jenny, Rick, and all the others who have been sharing their insights to help shape our vision and platform so that we can deliver the impact we all aspire to.