Friday, April 19, 2024

Why MITRE ATT&CK Matters to Foil Advanced Persistent Threats

There is an abundance of hype when it comes to approaches for the detection of Advanced Persistent Threats. It is common to hear about specific attack methods and how these techniques can evade the usual defenses employed by organizations. But the critical tools required to detect, investigate and respond to targeted attacks require a holistic view of the attack lifecycle and a real-world understanding of the attacker's intent.

This is where the MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework really shines. MITRE ATT&CK is a model developed from years of actual observations of how adversary groups operate. Think of a law enforcement investigator carefully documenting the methods of operation of a criminal syndicate: the resulting profile is not only a historical record of past behavior but a powerful tool to identify and predict how that syndicate will behave in the future. This is exactly what MITRE ATT&CK enables an enterprise to do with the adversary groups that have it in their crosshairs.

One key aspect of MITRE ATT&CK is that any specific technique detected also needs to be understood in the context of the larger attack pattern and the environment in which the detection occurred. For example, observing PowerShell usage might be less meaningful in an organization where PowerShell is used for system administration. Lots of alerts on detections that lack context just drain the resources of the SOC team. But a PowerShell detection delivered in the context of a script attempting to launch a suspicious process is far more valuable. Analysts need tools that deliver detections with contextual details that help them prioritize their investigations.
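The contextual PowerShell example above, as added illustration code (not from the article or from Symantec): process-creation events are correlated parent to child, and a PowerShell execution is raised to high severity only when it runs a script and spawns a child outside an assumed admin allowlist; the events and the allowlist are constructed sample data, and the alert is tagged with ATT&CK's PowerShell sub-technique ID, T1059.001.

```python
"""Context-aware PowerShell detection over constructed process events."""
from collections import defaultdict

# Assumed allowlist: child images an admin PowerShell script is expected to launch.
EXPECTED_CHILDREN = {"net.exe", "sc.exe", "robocopy.exe", "wmic.exe"}

# Constructed process-creation events: (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "powershell.exe", "powershell.exe -File C:\\Ops\\backup.ps1"),
    (201, 200, "robocopy.exe", "robocopy.exe D:\\data \\\\nas\\backup /MIR"),
    (300, 100, "powershell.exe", "powershell.exe -File C:\\Users\\Public\\update.ps1"),
    (301, 300, "unknown_tool.exe", "unknown_tool.exe"),
    (400, 100, "powershell.exe", "powershell.exe"),
]


def contextual_alerts(events):
    """Return one alert per PowerShell process, with severity driven by context."""
    children = defaultdict(list)   # ppid -> [(image, cmdline), ...]
    by_pid = {}
    for pid, ppid, image, cmdline in events:
        by_pid[pid] = (image, cmdline)
        children[ppid].append((image, cmdline))

    alerts = []
    for pid, (image, cmdline) in by_pid.items():
        if image.lower() != "powershell.exe":
            continue
        runs_script = ".ps1" in cmdline.lower()
        # Children that an admin script is not expected to launch.
        unexpected = sorted(img for img, _ in children[pid]
                            if img.lower() not in EXPECTED_CHILDREN)
        if runs_script and unexpected:
            severity = "high"      # script + unexpected child: worth an analyst's time
        elif runs_script or children[pid]:
            severity = "low"       # routine admin scripting, keep for correlation
        else:
            severity = "info"      # bare interactive PowerShell: context-free, do not page
        alerts.append({"pid": pid, "technique": "T1059.001",
                       "severity": severity, "unexpected_children": unexpected})
    return alerts


if __name__ == "__main__":
    for alert in contextual_alerts(SAMPLE_EVENTS):
        print(alert)
```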

Read more at Symantec

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
