MITRE Attack coverage based on detection rules

Everyone in Information Security knows about the MITRE ATT&CK® framework. From the website: "[...] is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community."

This is a short blog post, a bookmark for the related GitHub repository attack-coverage. But what is the project about? Working as DFIR consultants for different customers, we have to deal with different levels of maturity, technologies and processes, all related to safeguarding customers' infrastructures. Think about the CSOCs, some outsourced, some not: from a reactive point of view, they are called into action when something is triggered, most of the time automatically by some tool. Who defines those triggers? Which scenarios do they cover?

The point is to be aware of which "sides of the castle" are defended and which are not. I'm not speaking about the quality of the defenses but about whether we have something in place: I assume we'll always try to achieve the best quality, but "best" does not mean that much. So, is that specific "side" defended?

Many SIEM solutions have their own way to map detection rules to a human-friendly taxonomy, including the MITRE ATT&CK one, which is a priceless common reference for improving network and system defenses against intrusions. How can we get a simple and portable way (separate from any SIEM-specific technology) to know which attacker tactics and techniques a customer is able to detect and, more importantly, which are missing? Besides that, when asked by a customer, how would you measure the detection capability the outsourced SOC is putting in place? Btw, it's not about trust but knowledge.

This is the background that made me think about a solution, and here is the project. Why an Excel spreadsheet? Because it was the most flexible and independent solution in our cases: easy to share even with non-technical people, easy to customize and to provide more metrics.

The implemented approach measures the coverage of MITRE ATT&CK® tactics and techniques in terms of detection rules. It is as simple as that. If you think it could be useful in your scenario(s), grab the repository at https://github.com/RealityNet/attack-coverage: the repository explains how the spreadsheet is organized and how you can start using it.
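To make the idea concrete, here is an added Python sketch of the same measurement (it is not the project's spreadsheet and not code from the repository): it counts enabled rules per technique, rolls sub-techniques up to their parent, and reports per-tactic coverage and gaps. The rule names, the `MATRIX` subset and the ID `T9999` are constructed for illustration.

```python
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise (technique -> tactics); a real run loads the full matrix.
MATRIX = {
    "T1566": ["initial-access"],
    "T1190": ["initial-access"],
    "T1059": ["execution"],
    "T1053": ["execution", "persistence", "privilege-escalation"],
    "T1547": ["persistence", "privilege-escalation"],
    "T1003": ["credential-access"],
    "T1110": ["credential-access"],
}

# Constructed detection rules, as exported from any SIEM into a neutral form.
RULES = [
    {"name": "Office spawns script host", "enabled": True, "techniques": ["T1566.001", "T1059.005"]},
    {"name": "Encoded PowerShell", "enabled": True, "techniques": ["T1059.001"]},
    {"name": "LSASS handle access", "enabled": True, "techniques": ["T1003.001"]},
    {"name": "New scheduled task", "enabled": False, "techniques": ["T1053.005"]},
    {"name": "Legacy rule", "enabled": True, "techniques": ["T9999"]},  # deliberately invalid ID
]

def coverage(rules, matrix):
    """Return (per-tactic report, technique IDs on rules that are not in the matrix)."""
    rule_count = defaultdict(int)
    unknown = set()
    for rule in rules:
        if not rule["enabled"]:
            continue  # a disabled rule detects nothing
        for tid in rule["techniques"]:
            parent = tid.split(".")[0]  # roll sub-techniques up to the technique
            if parent in matrix:
                rule_count[parent] += 1
            else:
                unknown.add(tid)  # stale or mistyped mapping: report it, don't count it
    report = {}
    for tid, tactics in matrix.items():
        for tactic in tactics:
            entry = report.setdefault(tactic, {"covered": [], "missing": []})
            entry["covered" if rule_count[tid] else "missing"].append(tid)
    for entry in report.values():
        total = len(entry["covered"]) + len(entry["missing"])
        entry["percent"] = round(100 * len(entry["covered"]) / total)
    return report, sorted(unknown)

if __name__ == "__main__":
    report, unknown = coverage(RULES, MATRIX)
    for tactic, e in report.items():
        print(f"{tactic:22} {e['percent']:3}%  missing: {', '.join(e['missing']) or '-'}")
    print("unmapped IDs on rules:", unknown)
```

As in the post, this answers only whether a technique has at least one rule in place, not how good that rule is.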

