
Using MITRE ATT&CK™ in Threat Hunting and Detection


MITRE ATT&CK is an open framework and knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of adversaries' tactical objectives and the methods they use to achieve them. A taxonomy by itself has many valuable uses, such as providing a common vocabulary for exchanging information with others in the security community. But ATT&CK also serves as a practical technical framework for classifying your current detection efforts and identifying gaps where you are blind to certain types of attack behavior.
This paper will introduce you to ATT&CK and related tools and resources based on ATT&CK. Then it will discuss how to make practical use of ATT&CK with a focus on threat hunting and detection.

Understanding MITRE ATT&CK
In this section, we’ll introduce you to ATT&CK’s structure, comprising tactics, techniques, examples, mitigation, and detection.
Using MITRE ATT&CK
After a quick overview of the wide range of ATT&CK use cases, we'll zero in on using ATT&CK to:

  • perform a gap analysis of the malicious behavior you are currently monitoring for
  • enhance your threat detection and hunting efforts
  • test your detection rules to provide assurance that you are alerted as intended
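The three uses listed above (gap analysis, detection coverage, rule assurance) can be made concrete with a small script. The following is an added example and is not code from the LogRhythm paper or the LogRhythm platform. It assumes a hand-picked subset of ATT&CK Enterprise techniques (IDs and names as the editor knows them; a real run would load the full catalogue from MITRE's published ATT&CK data), a constructed rule set with illustrative predicates, constructed events rather than real telemetry, and helper names (`coverage`, `gaps_by_tactic`, `run_rule_tests`, rule IDs `R-*`) that are the editor's own. It distinguishes a technique that has no rule at all from one whose rule exists but whose required log source is not being collected, which is exactly the "which logs you need to collect" question raised later in the paper.

```python
"""Added example: ATT&CK coverage gap analysis plus a self-test of detection
rules. Not from the LogRhythm paper; catalogue, rules and events are constructed."""
import re
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: technique id -> (name, tactics).
# A real run would load the full catalogue from MITRE's published ATT&CK data.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1070": ("Indicator Removal", ["Defense Evasion"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
}

# Illustrative detection: PowerShell launched with an encoded command switch.
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I)

# Constructed rule set (editor's own). Each rule names the technique it covers,
# the log source it needs, and a predicate over one normalised event (a dict).
RULES = [
    {"id": "R-PS-ENC", "technique": "T1059", "source": "sysmon",
     "match": lambda e: e["event_id"] == 1
     and bool(ENCODED_PS.search(e.get("command_line", "")))},
    {"id": "R-LSASS", "technique": "T1003", "source": "sysmon",
     "match": lambda e: e["event_id"] == 10
     and e.get("target_image", "").lower().endswith("\\lsass.exe")},
    {"id": "R-RDP", "technique": "T1021", "source": "windows-security",
     "match": lambda e: e["event_id"] == 4624 and e.get("logon_type") == 10},
]


def coverage(techniques, rules, collected_sources):
    """Classify each technique: 'covered' (rule exists and its log source is
    collected), 'no_data' (rule exists but the source is not collected), or
    'gap' (no rule at all)."""
    status = {tid: "gap" for tid in techniques}
    for r in rules:
        tid = r["technique"]
        if tid not in status:
            continue  # rule references a technique outside the catalogue
        if r["source"] in collected_sources:
            status[tid] = "covered"
        elif status[tid] != "covered":
            status[tid] = "no_data"
    return status


def gaps_by_tactic(techniques, status):
    """Group every non-covered technique under its tactic(s) so blind spots
    read the way the ATT&CK matrix does."""
    out = defaultdict(list)
    for tid, (name, tactics) in techniques.items():
        if status[tid] != "covered":
            for tactic in tactics:
                out[tactic].append(f"{tid} {name} [{status[tid]}]")
    return dict(out)


def run_rule_tests(rules, cases):
    """Assurance check: fire each rule on constructed positive and negative
    events; return (rule_id, expected, got) for every mismatch."""
    by_id = {r["id"]: r for r in rules}
    failures = []
    for rule_id, event, expected in cases:
        got = bool(by_id[rule_id]["match"](event))
        if got != expected:
            failures.append((rule_id, expected, got))
    return failures


# Constructed test events (not real telemetry).
CASES = [
    ("R-PS-ENC", {"event_id": 1, "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"}, True),
    ("R-PS-ENC", {"event_id": 1, "command_line": "powershell.exe -File Get-Inventory.ps1"}, False),
    ("R-LSASS", {"event_id": 10, "target_image": "C:\\Windows\\System32\\lsass.exe"}, True),
    ("R-LSASS", {"event_id": 10, "target_image": "C:\\Windows\\System32\\svchost.exe"}, False),
    ("R-RDP", {"event_id": 4624, "logon_type": 10}, True),
    ("R-RDP", {"event_id": 4624, "logon_type": 2}, False),
]

if __name__ == "__main__":
    status = coverage(TECHNIQUES, RULES, collected_sources={"sysmon"})
    for tactic, items in sorted(gaps_by_tactic(TECHNIQUES, status).items()):
        print(tactic)
        for item in items:
            print("  ", item)
    print("rule test failures:", run_rule_tests(RULES, CASES))
```

With only Sysmon collected, T1059 and T1003 come out covered, T1021 shows as `no_data` (a rule exists, but Windows Security logging is not being ingested), and the rest are gaps grouped by tactic. The test cases are the assurance step: each rule has at least one event it must fire on and one it must ignore, so a later edit to a predicate that silently stops matching is caught before it reaches production.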

Threat Detection and Hunting with Five Common Techniques
In the closing section, we will look at five specific techniques from ATT&CK that were selected based on prevalence and other criteria that make them especially applicable to threat hunting and detection. We'll explore each of these techniques in depth, highlighting how attackers use them and how you can detect them. We will discuss which logs you need to collect, what audit policy you need to enable, and what you need to look for in those logs.
You will see how LogRhythm Labs has built detection logic for these techniques into the LogRhythm NextGen SIEM Platform.
