Katie Nickels untangled MITRE ATT&CK for cybersecurity teams
It was early 2019, and Sherrod DeGrippo knew she had a problem. Customers were asking for her company, cybersecurity vendor Proofpoint, to show how its products lined up with MITRE ATT&CK, a popular framework that describes the stages of a typical cyberattack. But attempts to do so weren't going smoothly.
That's when DeGrippo had a thought: "I'm just going to call Katie."
She didn't know Katie Nickels well. But Nickels, then the threat intelligence lead for MITRE ATT&CK, had earned a reputation for making the complex framework understandable and usable. And over the next six months, that's exactly what she did for DeGrippo over a series of five Zoom meetings, during which she helped DeGrippo rethink Proofpoint’s entire approach to implementing ATT&CK.
"It was huge for us," said DeGrippo, Proofpoint’s vice president for threat research and detection. “If you can say, 'Katie said … ,' that's all you need."
Nickels, who is now director of intelligence at managed detection and response vendor Red Canary, is one of the cybersecurity community's most respected leaders and communicators. Customers trust the reports produced by Nickels’ team to make decisions about their own security posture in a world where threats are growing both in numbers and sophistication.
Not only is she an expert in the tradecraft of cyberthreat intelligence, but Nickels is also proficient at "synthesizing complex and ambiguous topics in such a way that somebody can really pick it up and run with it," said Robert Lee, co-founder and CEO of industrial cybersecurity vendor Dragos.
Having that combination of abilities — expert, communicator and educator — is a rarity in cybersecurity, and "I can't think of any higher compliment to pay somebody" than that, Lee said.
Still, Nickels wouldn’t want anyone to think that she knows it all at this point, or is “untouchable.”
“Over my career, I've just learned and listened to people and connected with people,” she told Protocol. “I continue to be driven by trying to share with others. But like everyone else in this community, I'm still learning.”
Ultimately, getting involved in the information security community, Nickels said, is “about connecting with people. And anyone can do that, regardless of where they are in their career, regardless of the number of Twitter followers they have.”
A nontraditional path
Nickels didn't set out to enter the cybersecurity field.
After graduating from Smith College with a bachelor's degree in American studies, Nickels initially hoped to become a journalist. Instead, she became a corporate investigations researcher and then, in 2009, joined the Department of Defense.
She did so in part at the encouragement of her now-husband, Drew Nickels, a member of the intelligence community, who suggested that her interest in research might make her a fit for an intelligence analysis role.
It just so happened that the threats Nickels was tasked with analyzing were cyberthreats. "I was fortunate enough that someone gave me a chance," she said.
After leaving the DoD in 2011 and working as a cyberthreat analyst at Raytheon and then ManTech, Nickels joined MITRE, a not-for-profit organization that provides federally funded R&D, in April 2015. She joined the organization in the runup to the public release of ATT&CK, which was a "right place, right time" situation, Nickels said.
At its most basic level, MITRE ATT&CK is a set of offensive tactics and techniques known to be commonly used by adversaries. Initially created in 2013 as an internal project at MITRE, ATT&CK was first publicly released in mid-2015 without much promotion or fanfare, according to Adam Pennington, who is the current head of ATT&CK and was involved with the project since its early days. "We had no idea if anyone was going to use this," he said.
But ATT&CK caught on. In large part, that's because it gave the cyber defense profession something that had been sorely lacking: a universal language.
ATT&CK offers a "defined lexicon and ways to communicate," said Dragos' Lee. "Prior to having MITRE ATT&CK, everyone was kind of inventing their own language."
The core MITRE ATT&CK team members at RSA 2019. From left: Jen Burns, Blake Strom, Katie Nickels, Adam Pennington and Jamie Williams.Photo: Courtesy of Katie Nickels
Cybersecurity vendors have embraced the ATT&CK lexicon to demonstrate how their products align to real-world threats. For instance, because the framework identifies the stages of a typical attack using a common language, a vendor can say "we're experts at shutting down stages three to seven" and security chiefs will immediately know what the vendor means, said Joel Fulton, CEO of cybersecurity vendor Lucidum.
Meanwhile, many security leaders are fans of ATT&CK because it gives them a clearer way to describe their security strategy internally, Fulton said. Prior to ATT&CK, most chief information security officers pitched their strategies like a salesperson, relying on charisma and large helpings of fear, uncertainty and doubt to convince their fellow executives and board of directors to follow their lead, he said. With the arrival of ATT&CK, CISOs now have a concrete way to explain their strategy, Fulton said.
The communicator
From the get-go, Nickels had a major impact on shaping how ATT&CK describes threat groups and the software tools they use, MITRE's Pennington said.
"ATT&CK had started doing that even before Katie joined, but we hadn't published it yet. And frankly, it wasn't very good. It was sort of all over the place," he said.
Nickels "came in and cleaned it up, did some incredible analysis on it and built up our practices and our standards," Pennington said.
She would go on to take charge of ATT&CK's blog and Twitter account; she eventually became the group's go-to public speaker, starting in 2018 with a talk at the BSides Las Vegas event, according to Pennington. A year later, Nickels was speaking in front of thousands at the Black Hat cybersecurity conference. Her Twitter following grew steadily.
Nickels “definitely had an impact on getting ATT&CK out there for the world,” Pennington said.
Even though Nickels wasn’t one of the creators of ATT&CK, "everyone associates MITRE ATT&CK with her [because] she's that good," Lee said. "She had such an oversized impact that she has become, to some people, the face of it."
The role came with its own set of pressures, however. The growing popularity of ATT&CK meant that threat researchers were continually submitting new techniques that they hoped would be added. And that often meant rejecting submitted techniques, particularly those that were theoretical, Nickels said.
Saying "no" to unfit submissions was "an important role," she said. "But it's a tough one."
Eventually though, ATT&CK still reached a point where it had become a bit unwieldy, particularly when it came to how attacker techniques were organized.
The number of documented techniques used by attackers against enterprise IT environments had ballooned to 266 by October 2019. For months, lead ATT&CK creator Blake Strom, Nickels and Pennington debated what to do.
On one hand, the large number of enterprise techniques was proving a challenge for security teams when it came to learning, prioritizing and communicating about the techniques, Nickels said. But Nickels and the other leaders of the ATT&CK team knew that outsized changes would be painful for security teams, which would have to do significant additional work to account for the changes in the framework.
Ultimately, the team decided to restructure ATT&CK by creating a new category, "sub-techniques," that would appear underneath the broader technique categories.
"We knew that for the long-term good of this framework, it was a necessary decision," Nickels said.
The irony is that what Nickels did next gave her a firsthand view of the effects of the decision.
Doing their own thing
In early 2020, Nickels departed MITRE to join Red Canary, one of the pioneers in the growing field of managed detection and response. Founded in 2013, the company uses technology for ingesting and analyzing massive amounts of threat data, along with human threat intelligence, to manage security on behalf of customers. The approach has proven to be an increasingly popular option amid the shortage of talent in the market.
Nickels came aboard to steer the human threat intelligence side of things at Red Canary. The decision to leave MITRE was a difficult one, she wrote on Medium shortly after making the switch. But while ATT&CK was great at curating attacker techniques that had been observed, the chance to do the observing herself, using the raw data, was appealing.
"I wanted to hands-on be seeing what adversaries are doing," Nickels said.
While growing the Red Canary threat intelligence team from four to 11, she said her focus at the company — like it was at MITRE — has been on making threat intelligence useful. And as part of that, "we try to not accept what everyone else is doing in threat intelligence as the best thing," she said.
You'd be hard-pressed to find anyone in cyberthreat intelligence that hasn't learned from Katie Nickels.
For instance, Nickels said she doesn't start with the assumption that the actions of the nation-state threat actors, such as China or Russia, are a priority for customers. Instead, "we look at what we're actually seeing in environments," she said.
That's led to unique discoveries, such as a cluster of attacker activity that the team dubbed "Raspberry Robin," which involves a worm typically delivered through a USB drive. "When you don't just look at the shiny objects — the state-sponsored threats or the things everyone's talking about — you start to see things that are interesting," Nickels said.
To take a different approach like this, however, it's ideal to create a team with a mix of different backgrounds and skills. And like Nickels herself, several of those involved with Red Canary's threat intelligence reports do not come from traditional computer science or cybersecurity backgrounds.
For instance, in a previous life, Red Canary principal intelligence analyst Lauren Podber worked as a dancer for six years, including for the New Jersey Devils. Nickels, Podber said, is "really open-minded about [threat] analysis and about how different people can work together — and how to bring those strengths together."
And while he preceded Nickels at Red Canary, principal security specialist Brian Donohue was formerly a journalist for Threatpost. The philosophy behind Red Canary's threat intelligence reports, Donohue said, is that "we need to make things that everyone is able to comprehend, [including] the people who are actually doing these jobs" on corporate cybersecurity teams.
As part of doing that, Nickels is uncompromising when it comes to ensuring that the threat-intelligence reports Red Canary releases meet this bar, he said.
"There's a tendency in this industry for editors to be like, 'I don't fully understand the technical aspects of this. But I'm sure it makes sense,'" Donohue said. "But one thing that Katie has been very good about is never believing that."
Instead, Nickels pushes the analysts and writers to make sure that every Red Canary report fully makes sense and is understandable to security teams, he said. While writing the vendor's 2021 report, for instance, there needed to be substantial last-minute revising based on Nickels' feedback, Donohue said.
"At the time, I was like, 'This is incredibly annoying feedback,'" he said. "But the most annoying thing about it was that I knew [Nickels] was right."
Superpowers
Ryan Kovar has known Nickels for the past decade, prior to her joining MITRE. But from the beginning, Kovar said Nickels' communication abilities and self-confidence convinced him that "she was going to be someone who lit the world on fire a bit."
"One of Katie's superpowers is her ability to communicate with empathy," said Kovar, distinguished security strategist at Splunk, who teamed with Nickels for the Black Hat talk in 2019.
Beyond MITRE ATT&CK and her work at Red Canary, Nickels has stood out from many of her security community peers by publishing a series of posts that have "democratized some of the insider secrets of threat intelligence,” Kovar said.
In particular, her Medium posts on how to get started in cyberthreat intelligence and her two-part "self-study plan" for learning the trade — the second part of which went live in August — have been widely read and shared.
"She's been very open about some of the things that either people [in the field] don't want to talk about, or they don't realize is not common knowledge," Kovar said.
That's provided a tremendous amount of exposure on these topics for those who are interested in or new to the industry, often revealing the fact that "this isn't actually as hard as maybe you think it is," he said.
Nickels has also served as an instructor at the SANS Institute, a well-known provider of cybersecurity training and certifications, teaching the organization's course on cyberthreat intelligence since 2019.
Selena Larson, who previously covered cybersecurity for CNN, and is now a senior threat intelligence analyst at Proofpoint, said Nickels had a major influence on her as she switched to the field of cybersecurity. And Larson said she's far from alone in that.
"You'd be hard-pressed to find anyone in cyberthreat intelligence that hasn't learned from Katie Nickels," Larson said.
Gloss