www.intelligentciso.com | Issue 10

Decrypting myths

Using the MITRE ATT&CK framework for threat hunting success

Threat hunting is a critical discipline. But how do you do it methodically and consistently to drive success? Tim Bandos, VP of Cyber Security, Digital Guardian, introduces threat hunting frameworks, explains how an organisation can get started with them and how to implement high-fidelity techniques for advanced threat hunting.

Cyberthreat hunting is a critical discipline that more and more organisations are using to proactively detect attacks before they result in a major breach. But how do you do it methodically and consistently to drive success? MITRE’s ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework is becoming increasingly popular among incident responders and threat hunters, and for good reason. It was created to test the efficacy of systems and improve security before it’s too late. This article will introduce the framework and the key benefits it brings to any cybersecurity operation.

What is the MITRE ATT&CK framework?

First created in 2013, the MITRE ATT&CK framework is a comprehensive matrix of cybersecurity tactics, techniques and procedures that can be used by threat hunters and incident responders to assess an organisation’s cyber-risk. The aim of the framework is to improve an enterprise’s post-compromise threat detection capabilities by highlighting the actions attackers may have taken.

Threat hunters can also leverage the framework to identify specific combinations of techniques that adversaries may use and how effective their existing tools would be in detecting them.

There are three ‘flavours’ of ATT&CK:

1. Enterprise ATT&CK: A framework of tactics, techniques and procedures used to compromise enterprise networks. This is the most popular framework and the one this article will focus on.
2. PRE-ATT&CK: Covering tactics and techniques used pre-compromise.
3. Mobile ATT&CK: Covering tactics and techniques used to gain access to mobile devices.
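As an added example (not from the article or from Digital Guardian), the following Python sketch shows the coverage exercise the article describes: mapping an existing detection inventory onto Enterprise ATT&CK techniques and checking which techniques in an adversary's combination would go undetected. The technique subset, the detection rule names and the adversary playbooks are constructed for illustration.

```python
from collections import defaultdict

# Constructed subset of Enterprise ATT&CK: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1053": ("Scheduled Task/Job", "Persistence"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
}
# Constructed inventory of existing detections: rule name -> techniques it covers.
DETECTIONS = {
    "edr_encoded_powershell": ["T1059"],
    "mail_gateway_attachment_sandbox": ["T1566"],
    "win_event_4698_task_created": ["T1053"],
    "lsass_handle_access": ["T1003"],
}
# Constructed adversary technique combinations, as a hunter might model them.
PLAYBOOKS = {
    "full_intrusion": ["T1566", "T1059", "T1053", "T1003", "T1021", "T1071"],
    "credential_theft": ["T1566", "T1059", "T1003"],
}

def covered_techniques(detections):
    """Technique IDs that at least one detection is mapped to."""
    return {tid for ids in detections.values() for tid in ids}

def coverage_by_tactic(techniques, detections):
    """{tactic: (covered, total)} so gaps show per ATT&CK matrix column."""
    covered = covered_techniques(detections)
    counts = defaultdict(lambda: [0, 0])
    for tid, (_, tactic) in techniques.items():
        counts[tactic][1] += 1
        counts[tactic][0] += tid in covered
    return {tactic: tuple(c) for tactic, c in counts.items()}

def playbook_gaps(playbook, detections):
    """Techniques in an adversary combination that no detection covers."""
    covered = covered_techniques(detections)
    return [tid for tid in playbook if tid not in covered]

def playbook_coverage(playbook, detections):
    """Fraction of a playbook's techniques with at least one detection."""
    return 1 - len(playbook_gaps(playbook, detections)) / len(playbook)

if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(TECHNIQUES, DETECTIONS).items():
        print(f"{tactic:<20} {hit}/{total}")
    for name, steps in PLAYBOOKS.items():
        gaps = [f"{t} ({TECHNIQUES[t][0]})" for t in playbook_gaps(steps, DETECTIONS)]
        print(f"{name}: {playbook_coverage(steps, DETECTIONS):.0%} covered, gaps {gaps}")
```

The per-tactic view points at whole matrix columns with no detection, while the playbook view shows which steps of a specific adversary combination would pass unnoticed with the current tooling.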