
Vendor News

HOW TO GET BROADER, DEEPER MITRE ATT&CK COVERAGE BY USING EDR AND NDR TOGETHER

14 July 2020

The MITRE ATT&CK Framework has rapidly become the go-to lens through which security operations teams view their ability to detect attacker tactics, techniques, and procedures (TTPs). The ATT&CK Framework comprises 266 (and counting) TTPs across twelve tactic categories, from initial compromise through maintaining persistence, defense evasion, and finally impact, spanning the course of a full cyberattack campaign.

When enterprise SecOps teams start using MITRE ATT&CK, they gain a clearer view of which attack tactics they are able to detect, and which might fly under the radar, evade their defenses, and eventually lead to a breach. Knowing where those gaps are makes it easier to decide where to invest security budget, and how to update policies and procedures to close them.

Currently, the MITRE ATT&CK Framework is heavily weighted towards endpoint-centric attack tactics: detection and investigation of a large percentage of the TTPs cataloged in the framework require visibility into files and processes on individual endpoints. Endpoint detection and response (EDR) is an area of heavy investment for security teams, and it makes sense that they want industry standards and frameworks to both scrutinize and validate the effectiveness of their programs. However, many crucial TTPs, especially in the later stages of an attack campaign, are easier to detect on the network.
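The gap analysis described above can be made concrete by tagging each technique with the sensor types that can observe it and then computing per-tactic coverage for a given sensor deployment. The following script is an added example, not code from ExtraHop or from the original article. The ten techniques are a constructed sample drawn from the public ATT&CK knowledge base (one per tactic, so the numbers stay easy to follow), and the `endpoint`/`network` visibility assigned to each is an illustrative assumption for this example rather than an authoritative mapping; a real exercise would take the full technique list and the data sources actually collected in the environment.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    """One ATT&CK technique with the sensor types that can observe it."""
    tid: str
    name: str
    tactic: str
    detectable_by: frozenset  # subset of {"edr", "ndr"}


# Constructed sample: technique IDs and names are public ATT&CK entries, the
# EDR/NDR visibility per technique is an assumption made for this example.
TECHNIQUES = [
    Technique("T1190", "Exploit Public-Facing Application", "Initial Access", frozenset({"ndr"})),
    Technique("T1059", "Command and Scripting Interpreter", "Execution", frozenset({"edr"})),
    Technique("T1547", "Boot or Logon Autostart Execution", "Persistence", frozenset({"edr"})),
    Technique("T1027", "Obfuscated Files or Information", "Defense Evasion", frozenset({"edr"})),
    Technique("T1003", "OS Credential Dumping", "Credential Access", frozenset({"edr"})),
    Technique("T1046", "Network Service Discovery", "Discovery", frozenset({"edr", "ndr"})),
    Technique("T1021", "Remote Services", "Lateral Movement", frozenset({"edr", "ndr"})),
    Technique("T1071", "Application Layer Protocol", "Command and Control", frozenset({"ndr"})),
    Technique("T1048", "Exfiltration Over Alternative Protocol", "Exfiltration", frozenset({"ndr"})),
    Technique("T1486", "Data Encrypted for Impact", "Impact", frozenset({"edr", "ndr"})),
]


def is_covered(technique, deployed):
    """A technique is covered when at least one deployed sensor type can observe it."""
    return bool(technique.detectable_by & deployed)


def coverage_by_tactic(techniques, deployed):
    """Return {tactic: (covered_count, total_count)} for the deployed sensor set."""
    counts = defaultdict(lambda: [0, 0])
    for t in techniques:
        counts[t.tactic][1] += 1
        if is_covered(t, deployed):
            counts[t.tactic][0] += 1
    return {tactic: tuple(c) for tactic, c in counts.items()}


def overall_coverage(techniques, deployed):
    """Fraction of all techniques observable by the deployed sensors."""
    covered = sum(1 for t in techniques if is_covered(t, deployed))
    return covered / len(techniques)


def uncovered(techniques, deployed):
    """Technique IDs no deployed sensor can observe: the detection gaps."""
    return [t.tid for t in techniques if not is_covered(t, deployed)]


def marginal_gain(techniques, deployed, candidate):
    """Technique IDs that become covered by adding `candidate` to the deployment."""
    before = set(uncovered(techniques, deployed))
    after = set(uncovered(techniques, deployed | {candidate}))
    return sorted(before - after)


def print_report(techniques, deployed):
    """Human-readable per-tactic coverage table for one deployment."""
    print(f"Sensors deployed: {', '.join(sorted(deployed)) or 'none'}")
    for tactic, (covered, total) in coverage_by_tactic(techniques, deployed).items():
        print(f"  {tactic:<20} {covered}/{total}")
    print(f"  overall: {overall_coverage(techniques, deployed):.0%}")
    gaps = uncovered(techniques, deployed)
    if gaps:
        print(f"  gaps: {', '.join(gaps)}")


if __name__ == "__main__":
    for deployment in (frozenset({"edr"}), frozenset({"ndr"}), frozenset({"edr", "ndr"})):
        print_report(TECHNIQUES, deployment)
        print()
    print("Adding NDR to an EDR-only estate closes:", marginal_gain(TECHNIQUES, frozenset({"edr"}), "ndr"))
```

Run as a script, the report shows the pattern the article argues for: EDR alone leaves the network-heavy later-stage tactics (initial access via an exposed service, command and control, exfiltration) as gaps, NDR alone misses host-local tactics such as credential dumping and persistence, and the union covers the whole sample. `marginal_gain` is the function to extend when deciding which sensor investment closes the most gaps in a real, much larger technique inventory.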