The MITRE ATT&CK framework has become increasingly prevalent as a best-practices approach to detection and response over the last few years, and for good reason. Rather than promoting an artificial methodology that advances a specific vendor-driven agenda, it aims to create and document a list of known attacker behaviors used during a cyber-attack. That includes categorizing threats into Tactics, Techniques and Sub-techniques, with relevant detail about each individual technique. The framework is arranged in a matrix to make it easy to understand, with the ATT&CK tactics displayed across the top and the individual techniques listed in each column, as shown below.
Because the classification is uniform and comprehensive, this not only helps create a standard taxonomy for communication between incident response functions, but also standardizes the recommended mitigation strategies.
Why is MITRE ATT&CK so difficult to implement?
Despite the growing awareness of MITRE ATT&CK, many organizations lack the resources to effectively implement the framework into their own detection and response processes. With 14 different Tactic categories currently containing 209 Techniques (including many with multiple sub-techniques) the sheer complexity of mapping detection and processes to the framework makes it out of reach for most organizations.
Effective detection requires too much detection content for most teams to implement
With hundreds of Techniques and Sub-techniques, each having its own set of IoCs to look for, as well as recommended mitigation actions, the volume of potential content needed to map detection and response to the ATT&CK framework is enormous. Mapping your security operations to MITRE ATT&CK requires dedicated data engineers who can determine whether or not you’re working with the right data set, and then effectively map it to the framework. If this is done incorrectly, the entire process breaks down, and that’s before factoring in the need to integrate with multiple data sources from potentially hundreds of vendors. Few organizations have the resources to build this on their own, and most out-of-the-box content supplied by SOAR vendors is useless without extensive modifications.
Detection content often ends up being too generic to be effective
Another issue with both out-of-the-box and homegrown detection content is that, in order not to miss specific threats, it ends up being too generic. That means true threats aren’t easily identified, because the alerts are focused on identifying specific IoCs but lack the context to verify whether or not they represent a real attack. Collecting event context and verifying individual threats is an incredibly time-consuming and manual process that can rapidly consume a security team’s time. Without automation, most organizations are forced to limit their focus to only the most obvious alerts, potentially letting real threats go uninvestigated. But setting up automation is also time-consuming, and comprehensively mapping it to a framework like MITRE ATT&CK is out of reach for most security teams.
Typically, fewer than 1% of detection alerts are true positives
One of the biggest and most well-known challenges in cybersecurity is how to handle the overwhelming number of false positives. These typically comprise over 99% of alerts, and with most organizations receiving thousands or tens of thousands of alerts every day, security operations struggle with chronic alert fatigue, analyst burnout, and missed threats. And while automation solutions can help, the majority are geared towards automating incident response and aren’t architected to handle high-volume alert triage. That means you’re either ignoring lower-fidelity alerts and IoCs tied to many of the MITRE ATT&CK techniques, or you’re still wasting valuable resources manually sifting through false positives.
How LogicHub’s MDR uses automation to map to MITRE ATT&CK in under 30 days, with no overhead for you
LogicHub’s Managed Detection and Response adapts the MITRE ATT&CK framework to your environment and processes with minimal effort on your team. And this can start delivering results in hours or days, providing immediate value for your security operations.
Extensive MITRE ATT&CK-specific out-of-the-box content adapted to you
LogicHub’s SOC experts are continuously developing MITRE ATT&CK-specific content, including automated playbooks that detect and respond to hundreds of tactics and techniques, KPI-driven dashboards providing complete visibility into what’s happening at all times, and 24x7 hands-on coverage by expert security analysts. More importantly, this content is implemented by experts who integrate every alert and playbook with your tech stack, and build automation-driven detection and response processes that fit the unique operating requirements of your security operations.
Decision automation that eliminates 95% of false positives
Alert triage and threat detection are two sides of the same coin, and one without the other has limited value. If a detection is lost in an avalanche of alerts, or your triage processes fail to identify true threats, your security operations processes can quickly jump the rails.
Whether you’re streamlining your own investigations or are using MDR to augment your team even further, LogicHub’s intelligent Decision Automation cuts through the noise to automatically eliminate 95% or more of false positives. In the case of MDR, our decision automation makes our analysts faster and more efficient, delivering better MTTD and MTTR while lowering overhead, resulting in significant cost savings for you.
Confirmed cases with smart case correlation to identify advanced threats
The final critical component of the process is how detection context is delivered to you. The value of LogicHub’s approach to MITRE ATT&CK isn’t limited to identifying individual tactics and techniques targeting your environment, but extends to our ability to automatically correlate multiple attack vectors. This makes it easy to rapidly detect when multiple techniques are being used as part of the same attack, giving you comprehensive threat context so that you aren’t playing whack-a-mole against individual threats while adversaries use others to bypass your defenses. That means we not only deliver confirmed threat cases to you, we do so with the additional context that shows the correlation between related cases, giving you the complete picture of how your environment is being targeted.
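To make the correlation idea from the two sections above concrete (generic single-IoC alerts lacking context, and case correlation across techniques), here is an added example that is not LogicHub's code: it groups ATT&CK-tagged alerts per host into time-windowed cases and marks a case as confirmed only when it spans more than one tactic. The alert records, host names and window size are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts. Each one carries the ATT&CK tactic and technique it was
# mapped to (real ATT&CK IDs; the events themselves are made up for this example).
ALERTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws-042", "tactic": "TA0001", "technique": "T1566", "name": "phishing attachment opened"},
    {"ts": "2024-01-10T09:04:00", "host": "ws-042", "tactic": "TA0002", "technique": "T1059", "name": "suspicious script interpreter"},
    {"ts": "2024-01-10T09:20:00", "host": "ws-042", "tactic": "TA0003", "technique": "T1547", "name": "new autostart entry"},
    {"ts": "2024-01-10T11:00:00", "host": "ws-017", "tactic": "TA0002", "technique": "T1059", "name": "suspicious script interpreter"},
    {"ts": "2024-01-11T15:00:00", "host": "ws-042", "tactic": "TA0002", "technique": "T1059", "name": "suspicious script interpreter"},
]


def correlate(alerts, window=timedelta(hours=1), min_tactics=2):
    """Build cases per host: an alert joins the host's open case if it arrives within
    `window` of that case's last alert, otherwise it opens a new case. A case is
    'confirmed' when it spans at least `min_tactics` distinct ATT&CK tactics, i.e.
    it looks like an attack chain rather than an isolated low-fidelity hit."""
    cases = []
    open_case = {}  # host -> index of that host's most recent case in `cases`
    for a in sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"])):
        t = datetime.fromisoformat(a["ts"])
        idx = open_case.get(a["host"])
        if idx is not None and t - cases[idx]["last"] <= window:
            c = cases[idx]
        else:
            c = {"host": a["host"], "first": t, "last": t,
                 "tactics": set(), "techniques": set(), "alerts": 0}
            cases.append(c)
            open_case[a["host"]] = len(cases) - 1
        c["last"] = t
        c["tactics"].add(a["tactic"])
        c["techniques"].add(a["technique"])
        c["alerts"] += 1
    for c in cases:
        c["confirmed"] = len(c["tactics"]) >= min_tactics
    return cases


def confirmed_cases(alerts, **kw):
    """Only the multi-tactic cases are worth an analyst's time; the rest stay as context."""
    return [c for c in correlate(alerts, **kw) if c["confirmed"]]


if __name__ == "__main__":
    for c in correlate(ALERTS):
        print(c["host"], c["first"], "alerts=%d" % c["alerts"],
              sorted(c["tactics"]), "CONFIRMED" if c["confirmed"] else "low-fidelity")
```

With the sample data, the three ws-042 alerts on 10 January collapse into one confirmed case spanning Initial Access, Execution and Persistence, while the two lone script alerts stay as low-fidelity single-tactic cases.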
If you’d like to learn more about how to get started with MITRE ATT&CK, download our eBook here.