Hacker News
MITRE Response to Cyber Attack in One of Its R&D Networks (mitre.org)
62 points by nickburns on April 20, 2024 | 11 comments


I think MITRE did a very good job in writing up the details here. If I were a system or security engineer, these seem to be immediate actionable items laid out for me.

Such transparency should serve as a model.


I don’t see any real details shared?


Additional statement from CTO Charles Clancy and cybersecurity engineer Lex Crumpton:

https://medium.com/mitre-engenuity/advanced-cyber-threats-im...


How serious was this? As someone close to it do you have a picture? :)


Considering the quote: "MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

It seems like anything connected to it was fully compromised for quite some time.


Based on this I'd say they didn't realize until some suspicious VMs started popping up...

Wonder what their time to detect was.


I know them for the MITRE ATT&CK framework, but apart from this, what are they known for commercially?!


It manages federally funded research and development centers (FFRDCs) supporting various U.S. government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields. https://en.m.wikipedia.org/wiki/Mitre_Corporation


Here, let me Wikipedia that for you:

> MITRE formed in 1958 as a military think tank, spun out from the radar and computer research at the MIT Lincoln Laboratory. Over the years, MITRE's field of study had greatly diversified. In the 1990s, with the winding down of the cold war, private companies complained that MITRE had an unfair advantage competing for civilian contracts; in 1996 this led to the civilian projects being spun off to a new company, Mitretek. Mitretek was renamed Noblis in 2007.


CVE database. That’s basically the only value they provide to the world.


They are an FFRDC, and do a lot more beyond the CVE database. You simply pointed out what they are most known for.



