The MITRE ATT&CK framework has become increasingly prevalent as a best-practices approach to detection and response over the last few years, and for good reason. Rather than promoting an artificial methodology that advances a specific vendor-driven agenda, it aims to create and document a catalog of known attacker tactics and techniques used during a cyber-attack. That includes categorizing threats into Tactics, Techniques and Sub-techniques, with relevant detail about each individual technique. The framework is arranged in a matrix to make it easy to understand, with the ATT&CK tactics displayed across the top and the individual techniques for each tactic listed in its column, as shown below.

[Image: the MITRE ATT&CK Enterprise matrix, tactics across the top and techniques in each column]

Source: Mitre.org

Because the classification is uniform and comprehensive, this not only helps create a standard taxonomy for communication between incident response functions, but also standardizes the recommended mitigation strategies.

Why is MITRE ATT&CK so difficult to implement?

Despite the growing awareness of MITRE ATT&CK, many organizations lack the resources to effectively implement the framework in their own detection and response processes. With 14 different Tactic categories currently containing 209 Techniques (many with multiple sub-techniques), the sheer complexity of mapping detections and processes to the framework puts it out of reach for most organizations.

Key challenges:

Effective detection requires too much detection content for most teams to implement
With hundreds of Techniques and Sub-techniques, each having its own set of IoCs to look for as well as recommended mitigation actions, the volume of content needed to map detection and response to the ATT&CK framework is enormous. Mapping your security operations to MITRE ATT&CK requires dedicated data engineers who can determine whether or not you're working with the right data set, and then effectively map it to the framework. If this is done incorrectly, the entire process breaks down, and that's before factoring in the need to integrate multiple data sources from potentially hundreds of vendors. Few organizations have the resources to build this on their own, and most out-of-the-box content supplied by SOAR vendors is useless without extensive modifications.

Detection content often ends up being too generic to be effective
Another issue with both out-of-the-box and homegrown detection content is that, in order not to miss specific threats, it ends up being too generic. That means true threats aren't easily identified, because the alerts are focused on matching specific IoCs but lack the context to verify whether or not they represent a real attack. Collecting event context and verifying individual threats is an incredibly time-consuming, manual process that can rapidly consume a security team's time. Without automation, most organizations are forced to limit their focus to only the most obvious alerts, potentially letting real threats go uninvestigated. But setting up automation is also time-consuming, and comprehensively mapping it to a framework like MITRE ATT&CK is out of reach for most security teams.

Typically, fewer than 1% of detection alerts are true positives
One of the biggest and most well-known challenges in cybersecurity is how to handle the overwhelming number of false positives. These typically comprise over 99% of alerts, and with most organizations receiving thousands or tens of thousands of alerts every day, security operations struggle with chronic alert fatigue, analyst burnout, and missed threats. And while automation solutions can help, the majority are geared towards automating incident response and aren't architected to handle high-volume alert triage. That means you're either ignoring lower-fidelity alerts and IoCs tied to many of the MITRE ATT&CK techniques, or you're still wasting valuable resources manually sifting through false positives.

How LogicHub's MDR uses automation to map to MITRE ATT&CK in under 30 days, with no overhead for you

LogicHub’s Managed Detection and Response adapts the MITRE ATT&CK framework to your environment and processes with minimal effort on your team. And this can start delivering results in hours or days, providing immediate value for your security operations.

Extensive MITRE ATT&CK-specific out-of-the-box content adapted to you
LogicHub's SOC experts are continuously developing MITRE ATT&CK-specific content, including automated playbooks that detect and respond to hundreds of tactics and techniques, KPI-driven dashboards providing complete visibility into what's happening at all times, and 24x7 hands-on coverage by expert security analysts. More importantly, this content is implemented by experts who integrate every alert and playbook with your tech stack, and who build automation-driven detection and response processes that fit the unique operating requirements of your security operations.

Decision automation that eliminates 95% of false positives
Alert triage and threat detection are two sides of the same coin, and one without the other has limited value. If a detection is lost in an avalanche of alerts, or your triage processes fail to identify true threats, your security operations processes can quickly jump the rails.

Whether you're streamlining your own investigations or using MDR to augment your team even further, LogicHub's intelligent Decision Automation cuts through the noise to automatically eliminate 95% or more of false positives. In the case of MDR, our decision automation makes our analysts faster and more efficient, delivering better MTTD and MTTR while lowering overhead, resulting in significant cost savings for you.

Confirmed cases with smart case correlation to identify advanced threats
The final critical component of the process is how detection context is delivered to you. The value of LogicHub's approach to MITRE ATT&CK isn't limited to identifying individual tactics and techniques targeting your environment, but extends to our ability to automatically correlate multiple attack vectors. This makes it easy to rapidly detect when multiple techniques are being used as part of the same attack, giving you comprehensive threat context so that you aren't playing whack-a-mole against individual threats while adversaries use others to bypass your defenses. That means we not only deliver confirmed threat cases to you, we do so with the additional context that shows the correlation between related cases, giving you the complete picture of how your environment is being targeted.
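To make the correlation idea above concrete, here is an added example (written for this article, not LogicHub's product logic) that folds ATT&CK-tagged alerts into per-host cases and escalates only the cases that span several tactics; the hostnames, timestamps, time window and tactic threshold are assumptions, while the technique IDs are real ATT&CK identifiers.

```python
# Constructed sample alerts: hosts and timestamps are made up, each alert carries
# the ATT&CK tactic and technique ID its detection rule maps to.
ALERTS = [
    {"host": "ws-17", "ts": 100, "tactic": "Initial Access", "technique": "T1566"},
    {"host": "ws-17", "ts": 130, "tactic": "Execution", "technique": "T1059"},
    {"host": "ws-17", "ts": 200, "tactic": "Credential Access", "technique": "T1003"},
    {"host": "ws-17", "ts": 260, "tactic": "Lateral Movement", "technique": "T1021"},
    {"host": "ws-42", "ts": 150, "tactic": "Execution", "technique": "T1059"},
    {"host": "ws-42", "ts": 900, "tactic": "Execution", "technique": "T1059"},
]


def correlate(alerts, window=600):
    """Fold alerts into per-host cases.

    An alert joins the host's open case when it arrives within `window`
    seconds (assumed value) of that case's last alert; otherwise a new case
    is opened. Each case records the distinct tactics and techniques it covers.
    """
    open_case = {}   # host -> case currently accepting alerts
    cases = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        case = open_case.get(a["host"])
        if case is None or a["ts"] - case["last_ts"] > window:
            case = {"host": a["host"], "first_ts": a["ts"], "last_ts": a["ts"],
                    "tactics": set(), "techniques": set(), "alerts": 0}
            cases.append(case)
            open_case[a["host"]] = case
        case["last_ts"] = a["ts"]
        case["tactics"].add(a["tactic"])
        case["techniques"].add(a["technique"])
        case["alerts"] += 1
    return cases


def escalate(cases, min_tactics=2):
    """Return cases spanning at least `min_tactics` distinct ATT&CK tactics,
    most tactics first. A chain across tactics (e.g. phishing, then execution,
    then credential access) is the signal that several techniques belong to
    one intrusion rather than to isolated, individually low-fidelity alerts."""
    hits = [c for c in cases if len(c["tactics"]) >= min_tactics]
    return sorted(hits, key=lambda c: len(c["tactics"]), reverse=True)


if __name__ == "__main__":
    for c in escalate(correlate(ALERTS)):
        print(c["host"], sorted(c["tactics"]), sorted(c["techniques"]))
```

With these inputs the repeated single-technique alerts on ws-42 stay as two low-priority cases, while the four-tactic chain on ws-17 is the one case surfaced for an analyst.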

If you’d like to learn more about how to get started with MITRE ATT&CK, download our eBook here.
