Feb 02 2021

Attempted Attack Matrix

Category: Attack Matrix | DISC @ 3:42 pm

Use ATT&CK to map defenses and understand gaps

The natural inclination of most security teams when looking at MITRE ATT&CK is to try to develop some kind of detection or prevention control for each technique in the enterprise matrix. While this isn’t a terrible idea, the nuances of ATT&CK make this approach a bit dangerous if certain caveats aren’t kept in mind. Techniques in the ATT&CK matrices can often be performed in a variety of ways, so blocking or detecting a single way to perform a technique doesn’t necessarily mean there is coverage for every possible way to perform it. This can lead to a false sense of security: because a tool blocks one form of a technique, the technique is assumed to be properly covered for the organization. Yet attackers can still successfully use other ways of employing that technique without any detection or prevention in place.

The way to address this is the following:

  • Always assume there is more than one way to perform an ATT&CK technique
  • Research and test known ways to perform specific techniques and measure the effectiveness of the tools and visibility in place
  • Carefully log the results of the tests to show where gaps exist for that technique and which ways of employing that technique can be prevented or detected
  • Note which tools prove to be effective at specific detections and note gaps where there is no coverage at all
  • Keep up with new ways to perform techniques and make sure to test them against the environment to measure coverage

For example, if antivirus detects the presence of Mimikatz, that doesn’t mean that Pass the Hash (T1075) and Pass the Ticket (T1097) are covered, as there are still several other ways to perform these techniques that don’t involve the use of Mimikatz. Keep this in mind when trying to use ATT&CK to show defensive coverage in an organization.
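The bookkeeping the list above describes (one technique, many procedures, each tested and logged separately) can be kept in code rather than a spreadsheet. The following is an added example, not code from the original post or from MITRE: it records a test outcome per procedure, classifies each technique as fully, partially or not covered, lists the procedures that slipped through, and tallies which defensive tools actually fired. The technique IDs are the ones quoted in the post; the procedure labels, tool names and outcomes are constructed sample data, and the "partial" status is exactly the Mimikatz-only coverage case the post warns about.

```python
"""Per-procedure coverage tracking for ATT&CK techniques (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Outcome(Enum):
    """Result of exercising one procedure against the defences in place."""
    PREVENTED = "prevented"
    DETECTED = "detected"
    NONE = "none"          # nothing blocked it and nothing alerted


@dataclass
class ProcedureTest:
    procedure: str         # one known way of performing the technique
    tool: str              # defensive tool whose response was measured ("-" if none fired)
    outcome: Outcome


@dataclass
class Technique:
    technique_id: str
    name: str
    tests: List[ProcedureTest] = field(default_factory=list)


def technique_status(tests: List[ProcedureTest]) -> str:
    """Classify coverage for one technique from its per-procedure results."""
    if not tests:
        return "untested"
    covered = [t for t in tests if t.outcome is not Outcome.NONE]
    if len(covered) == len(tests):
        return "full"
    if covered:
        # The false-sense-of-security case: one procedure is caught, others are not.
        return "partial"
    return "none"


def summarize(techniques: List[Technique]) -> Dict[str, dict]:
    """Build the per-technique coverage log: counts, status, gaps and effective tools."""
    report = {}
    for tech in techniques:
        covered = [t for t in tech.tests if t.outcome is not Outcome.NONE]
        report[tech.technique_id] = {
            "name": tech.name,
            "tested": len(tech.tests),
            "covered": len(covered),
            "status": technique_status(tech.tests),
            "gaps": [t.procedure for t in tech.tests if t.outcome is Outcome.NONE],
            "effective_tools": sorted({t.tool for t in covered}),
        }
    return report


def tool_effectiveness(techniques: List[Technique]) -> Dict[str, int]:
    """Count, per defensive tool, how many procedures it prevented or detected."""
    counts: Dict[str, int] = defaultdict(int)
    for tech in techniques:
        for t in tech.tests:
            if t.outcome is not Outcome.NONE:
                counts[t.tool] += 1
    return dict(counts)


# Constructed sample results. Technique IDs T1075/T1097 are the ones quoted in the post;
# procedure labels, tool names and outcomes are placeholders, not real test data.
SAMPLE = [
    Technique("T1075", "Pass the Hash", [
        ProcedureTest("Mimikatz-based procedure", "antivirus", Outcome.PREVENTED),
        ProcedureTest("alternative procedure A (placeholder)", "-", Outcome.NONE),
        ProcedureTest("alternative procedure B (placeholder)", "-", Outcome.NONE),
    ]),
    Technique("T1097", "Pass the Ticket", [
        ProcedureTest("Mimikatz-based procedure", "antivirus", Outcome.PREVENTED),
        ProcedureTest("alternative procedure C (placeholder)", "EDR", Outcome.DETECTED),
    ]),
    Technique("TXXXX", "Technique not yet tested (placeholder)", []),
]


def print_report(techniques: List[Technique]) -> None:
    for tid, row in summarize(techniques).items():
        print(f"{tid} {row['name']}: {row['status']} "
              f"({row['covered']}/{row['tested']} procedures covered); gaps: {row['gaps']}")


if __name__ == "__main__":
    print_report(SAMPLE)
    print("tool effectiveness:", tool_effectiveness(SAMPLE))
```

Run as-is it reports T1075 as "partial" with two uncovered procedures even though antivirus caught the Mimikatz variant, which is the point: a technique is only "full" when every known procedure was exercised and caught, and "untested" techniques stay visibly separate from "none" so an absence of tests is not mistaken for an absence of gaps.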

Source: Use ATT&CK to map defenses and understand gaps

ATT&CK Enterprise Matrix

The new MITRE ATT&CK™ tool helps security practitioners build an Attempted Attack Matrix to:

  • Identify the most active threat actors targeting an environment
  • Understand the techniques most commonly used by those threat actors
  • Prioritize each technique based on probability and potential impact
  • Assess current defenses, understand gaps, and plan improved defenses

To learn more about MITRE ATT&CK metrics, see:

SANS-Measuring-and-Improving-Cyber-Defense-MITRE-ATTCK-Anomali-Report

Tags: MITRE ATTACK MATRIX
