MITRE ATT&CK and SIEM Rules: What Should Your Expectations Be?


The MITRE ATT&CK threat framework is seemingly everywhere these days, and with good reason. It is an invaluable tool for understanding the methods employed by threat actors, which MITRE organizes as Tactics (the adversary's goal) and Techniques (how that goal is achieved). It offers annotated, curated details about those methods, and it provides ways to visualize that data that are both useful and informative. It can support many functions within a security organization, including threat intelligence, threat detection, and red, blue and purple teaming, and it can also inform strategic thinking and planning.


For the purposes of this article, the focus is on how best to use MITRE ATT&CK in the threat detection space, and specifically for the detection rules in your SIEM. To do that, we need to understand what ATT&CK does well and where it is limited. To put it another way: what should your expectations be when it comes to ATT&CK and your SIEM rules?


Why Use ATT&CK in the First Place


The question perpetually asked by leaders responsible for an organization's cybersecurity, whether out loud to their teams or to themselves in the middle of the night, is: how do I know the right defenses are in place to protect the organization?


Simply put, ATT&CK provides a catalog of the known methods threat actors use to compromise organizations. Because it is built from publicly reported adversary behavior, it is a map of known techniques rather than of everything an attacker might do, but that map is still the right starting point. From it you can determine which of these techniques your organization can currently detect, which ones your detection capability is lacking for, and then build a plan to close the gap.
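As an added example, not code from the original article, the following Python script builds the coverage picture described above from a constructed SIEM rule export. The rule names, log sources and the selection of techniques are assumptions of this example; the technique IDs and names are real ATT&CK entries. It contrasts "tagged" coverage (what the rules' annotations claim) with "effective" coverage (rules that are enabled and whose log source is actually being ingested), which is the check that keeps the gap list honest.

```python
"""Map SIEM detection rules to ATT&CK techniques and report coverage gaps.

Added example: the rules, log sources and technique selection below are
constructed for illustration; the ATT&CK IDs and names are real.
"""
from collections import defaultdict

# Constructed sample: a small slice of ATT&CK techniques we care about.
# Only the primary tactic is listed; several techniques span multiple tactics.
TECHNIQUES = {
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1078": ("Valid Accounts", "Defense Evasion"),
    "T1566": ("Phishing", "Initial Access"),
}

# Constructed sample: SIEM rules as they might be exported, each tagged with
# the techniques it claims to detect and the log source it depends on.
RULES = [
    {"name": "lsass_access_by_non_system", "techniques": ["T1003"],
     "source": "sysmon", "enabled": True},
    {"name": "encoded_powershell", "techniques": ["T1059"],
     "source": "windows_security", "enabled": True},
    {"name": "psexec_service_install", "techniques": ["T1021", "T1059"],
     "source": "windows_security", "enabled": False},
    {"name": "impossible_travel_login", "techniques": ["T1078"],
     "source": "idp", "enabled": True},
]

# Constructed sample: log sources the SIEM is actually ingesting right now.
INGESTED_SOURCES = {"windows_security", "idp"}


def tagged_coverage(techniques, rules):
    """Coverage as the rule tags claim it: {technique_id: [rule names]}."""
    by_tech = defaultdict(list)
    for rule in rules:
        for tech in rule["techniques"]:
            if tech in techniques:
                by_tech[tech].append(rule["name"])
    return {t: sorted(by_tech.get(t, [])) for t in techniques}


def effective_coverage(techniques, rules, ingested):
    """Coverage counting only rules that are enabled and whose source is ingested.

    A disabled rule, or one that watches a feed nobody ships to the SIEM,
    is a tag on paper and not a detection.
    """
    live = [r for r in rules if r["enabled"] and r["source"] in ingested]
    return tagged_coverage(techniques, live)


def gaps(cov):
    """Technique IDs with no covering rule, sorted for stable output."""
    return sorted(t for t, names in cov.items() if not names)


def report(techniques, rules, ingested):
    """Render a per-technique summary comparing tagged and effective coverage."""
    tagged = tagged_coverage(techniques, rules)
    effective = effective_coverage(techniques, rules, ingested)
    lines = []
    for tech_id, (name, tactic) in sorted(techniques.items()):
        status = "COVERED" if effective[tech_id] else (
            "PAPER ONLY" if tagged[tech_id] else "GAP")
        lines.append(f"{tech_id} {name} [{tactic}]: {status} "
                     f"tagged={tagged[tech_id]} effective={effective[tech_id]}")
    lines.append(f"tagged gaps: {gaps(tagged)}")
    lines.append(f"effective gaps: {gaps(effective)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TECHNIQUES, RULES, INGESTED_SOURCES)))
```

With the constructed data the tagged view reports only one gap (T1566 Phishing), while the effective view reports three: the credential dumping rule depends on a Sysmon feed that is not ingested, and the PsExec rule is disabled. Both states are cheap to check from a rule export, and both are the kind of thing a coverage heatmap alone will hide.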


ATT&CK can (and argu ..