The MITRE ATT&CK threat framework is seemingly everywhere these days, and with good reason. It is an invaluable tool for understanding the various methods, or, as MITRE refers to them, Tactics and Techniques, employed by threat actors. It offers annotated and curated details about those methods, and it provides the capability to visualize this data in useful and informative ways. It can be used to support a variety of aspects within a security organization, including threat intelligence, threat detection, red/blue/purple teaming, and more. It can also inform strategic thinking and planning.

For purposes of this article, the focus is on how best to utilize MITRE ATT&CK in the threat detection space, and specifically the detection rules within your SIEM. To do that, we need to understand what ATT&CK does well, and where it is limited. To put it another way, what should your expectations be when it comes to ATT&CK and your SIEM rules?

Why Use ATT&CK in the First Place

The question that is perpetually asked by leaders responsible for an organization’s cybersecurity, either out loud to their teams or to themselves in the middle of the night, is: how do I know the right defenses are in place to protect the organization?

Simply put, ATT&CK provides a construct of the known methods in which threat actors may attempt to compromise your organization. From this, you can determine which of these methods your organization is able to detect currently, those in which your detection capability is lacking, and then build a plan to close the gap.

ATT&CK can (and arguably should) be used across all your organization’s security controls and technologies to obtain a full coverage picture. Using it to understand your SIEM’s detection capability, however, should provide much of that picture and is a logical place to start. The reason is that, in theory, your SIEM is the centralized point for security alerting.

By mapping each SIEM rule to the Tactic(s) and Technique(s) on which the rule can alert, two things begin to happen. First and obviously, you begin to gain a reasonably accurate picture of what detection capability exists in your ruleset. Second, and arguably more important, you begin to gain an understanding of your ruleset. These two are not the same thing. The first enables you to answer the question as to what coverage exists, while the second enables you to defend that position and answer why. Knowing your ruleset at this level as it relates to ATT&CK enables you to explain the nuances of the coverage that exists, which better positions you to be able to improve it over time.

For example, if you have rules in place to detect 25 different types of ransomware, your ruleset will look as if it is heavily skewed to the Impact Tactic. However, if you have one rule that is constructed in such a way that it detects those same 25 types of ransomware, the graphical representation of your coverage map can look very different. Obviously, both scenarios have the same net effect, and neither is right or wrong, as a strong argument can be made for either approach. But depending on your coverage visualization(s), it can look quite different. Knowing your ruleset at that level of detail will allow you to understand and explain why it looks the way that it does. Both are important for different reasons, but knowing why puts you in a stronger position to make the right decisions from a SIEM rule roadmap perspective.

What to Expect From Using ATT&CK

This leads to what your expectations should be for ATT&CK when utilizing it for SIEM rule coverage mapping and planning. There is a natural inclination to want to compare your organization’s coverage to other similar organizations. While that is understandable and can provide some value, it provides very little actual benefit in improving your threat detection capability, for at least two reasons:

  1. There is a built-in assumption that the organizations against which you are comparing are very mature with their detection capability and you won’t know how valid that assumption is. Besides, if you have a breach that went undetected, it will not be a reasonable item to list on the postmortem that the peers in your industry didn’t have that coverage either.
  2. While they may be similar to your organization, they will have enough difference and nuance in their technological, organizational and architectural choices that it will almost certainly not be a worthwhile comparison.

Instead, use ATT&CK to compare your organization to an ideal vision of your organization’s detection capability. This will be your customized benchmark — although keep in mind that it changes over time due to changes both in your organization’s environment and the threat landscape itself. You create this customized benchmark by first understanding and documenting the Tactics and Techniques that are most applicable to your organization (there will be some that do not apply). Second, assess your capability against those Tactics and Techniques. Third, prioritize those for which you don’t have detection capabilities, and then create a plan to close the gaps.

The following visualization depicts the Techniques covered by SIEM rules before and after a rule enhancement effort. The darker colors represent a higher number of rules aligned to that Technique. In this example, specific attention was paid to the Techniques within Privilege Escalation and Defense Evasion.

ATT&CK Coverage Heat Map: Before

ATT&CK Coverage Heat Map: After

The following visualization depicts the number of rules aligned to each Tactic both before (blue) and after (purple) a rule enhancement effort. In this example, there was a focus to enhance the Techniques aligned to Privilege Escalation, Defense Evasion and Credential Access (the lower right quadrant of the radar graph).

Rules Mapped to ATT&CK: Before and After
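As an added example (not code from the article or IBM), the script below performs the mapping, assessment and gap steps described above on a constructed ruleset: it counts rules per Technique (the heat-map shading), per Tactic (the radar-chart axes) and lists the Techniques from an organization-specific benchmark that have no rule. The rule names, the benchmark list and the small Technique-to-Tactic table (a subset of ATT&CK Enterprise) are all constructed for illustration; it also reproduces the 25-rules-versus-one-rule effect from the earlier example.

```python
"""Count SIEM rule coverage per ATT&CK Technique and Tactic, and list gaps
against an organization-specific benchmark. Added example; the rules, the
benchmark and the technique/tactic table (a small subset) are constructed."""
from collections import Counter

# Constructed subset of ATT&CK Enterprise: Technique ID -> Tactic(s) it belongs to.
TECHNIQUE_TACTICS = {
    "T1486": ["Impact"],                                   # Data Encrypted for Impact
    "T1055": ["Privilege Escalation", "Defense Evasion"],  # Process Injection
    "T1548": ["Privilege Escalation", "Defense Evasion"],  # Abuse Elevation Control Mechanism
    "T1070": ["Defense Evasion"],                          # Indicator Removal
    "T1003": ["Credential Access"],                        # OS Credential Dumping
    "T1059": ["Execution"],                                # Command and Scripting Interpreter
}

# Two constructed rulesets with the same net detection, mapped rule -> Technique(s):
# 25 per-family ransomware rules versus one behavioural rule covering all 25 families.
MANY_NARROW = {f"ransomware_family_{i:02d}": ["T1486"] for i in range(1, 26)}
MANY_NARROW.update({"lsass_access": ["T1003"], "suspicious_script": ["T1059"]})
ONE_BROAD = {"mass_file_encryption": ["T1486"],
             "lsass_access": ["T1003"], "suspicious_script": ["T1059"]}


def technique_counts(rules):
    """Rules aligned to each Technique: the heat-map shading in the article."""
    return Counter(t for techs in rules.values() for t in techs)


def tactic_counts(rules):
    """Rules aligned to each Tactic: one radar-chart axis per Tactic. A rule on a
    multi-Tactic Technique (e.g. T1055) counts once toward each of those Tactics."""
    counts = Counter()
    for techs in rules.values():
        counts.update({tac for t in techs for tac in TECHNIQUE_TACTICS[t]})
    return counts


def coverage_gaps(rules, applicable):
    """Techniques in the organization's own benchmark with no aligned rule."""
    covered = technique_counts(rules)
    return sorted(t for t in applicable if covered[t] == 0)


if __name__ == "__main__":
    benchmark = ["T1486", "T1055", "T1548", "T1070", "T1003"]  # constructed, org-specific
    for name, ruleset in (("many narrow", MANY_NARROW), ("one broad", ONE_BROAD)):
        print(name, dict(technique_counts(ruleset)), "gaps:", coverage_gaps(ruleset, benchmark))
```

Both rulesets report the same gaps (T1055, T1070, T1548), while the Impact count is 25 in one and 1 in the other, which is exactly the visualization difference the article warns you to be able to explain.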

ATT&CK Doesn’t Do Everything

As relevant and important as MITRE ATT&CK is, it is not advisable to solely rely on it for determining the rules in your SIEM. It provides one vitally important framework (detection of known Techniques used by threat actors), but there are other types of rules that your SIEM should have that go beyond ATT&CK. Examples of this include:

  • Anomaly rules: These are rules that detect a deviation from a known baseline. This could be user behavior that looks different than it has historically, or it could be anomalous levels of activity or events in the network such as traffic patterns.
  • Compliance rules: These are rules that exist either to detect the violation of a policy (think authorized use policies, as an example) or to detect the violation of a regulatory requirement such as GDPR.

These do not fit into any type of ATT&CK Tactic or Technique but may be a very important part of the security strategy for your SIEM.

The last reason you should not rely solely on ATT&CK for determining your SIEM rules is the human factor. Theoretically, no one and no technology knows your organization better than you as your organization’s security practitioner.

Using any framework (ATT&CK, NIST, etc.) as a guide is vital, but so is your own intuition, experience, and firsthand research capability when it comes to your organization. Use these frameworks as an indispensable guide and roadmap for detecting those things that are a threat to your organization, but also make sure you employ your own critical thought in the endeavor as well. Pay attention to those things that keep you awake at night, those nagging concerns over a Technique that isn’t adequately covered, or those Techniques that are concerning enough for your organization that secondary or tertiary detection capability is warranted. Combining that with ATT&CK and other threat or regulatory frameworks, along with technology, will put your organization in the best possible position.

The IBM Security Threat Management teams have extensive experience in helping customers to adopt and optimally utilize the MITRE ATT&CK frameworks for their specific environments and security considerations. Schedule a consultation here.

To get started learning about MITRE ATT&CK, visit this page as a great starting point to various introductory resources. You can also visit the main MITRE ATT&CK website to view the framework itself and for a full set of resources and tools.
