Showing posts from November, 2020

MITRE Attack coverage based on detection rules

Everyone in Information Security knows about the  MITRE ATT&CK® framework. From the website : " [...] is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. " This is a short blog post, a  bookmark  for the related GitHub repository  attack-coverage : but what is the project about? Working as DFIR consultants for different customers we have to manage different level of maturity, technologies and processes all related to safeguarding customers' infrastructures. Think about the CSOCs, some outsourced some not: from a  reactive  point of view, they will be called in action when something  is triggered, most of the time automatically by some tools. Who defines  those triggers? Which scenarios are covered by t