What is the MITRE ATT&CK®-based analytics development method?
The MITRE ATT&CK-based analytics development method, described in MITRE's 2017 paper "Finding Cyber Threats with ATT&CK-based Analytics", is a process that uses red and blue team engagements to develop and improve the analytics used to detect attacks against the network. The seven steps cover the complete cycle of developing, testing, and evaluating analytics: identify behaviors, acquire data, develop analytics, develop an adversary emulation scenario, emulate the threat, investigate the attack, and evaluate performance. The output of the last step feeds back into the first, so the method is iterative rather than a one-time project.
Step 1: Identify Behaviors
The MITRE ATT&CK framework catalogs a large number of techniques, grouped under the tactics (the attacker's goals) that each technique serves. No organization can build and maintain analytics for every technique at once, so the first step is to narrow the scope to the techniques whose detection is most likely to find a real attacker in this particular environment.
To do this, MITRE suggests asking the following questions:
What behaviors are most common?
What behaviors have the most adverse impact?
For what behaviors is data readily available?
Which behaviors are most likely to indicate malicious activity rather than legitimate administration?
By answering these questions, the analyst narrows the candidate list to the techniques that are common in relevant threat activity, costly if missed, observable with the data on hand, and distinguishable from normal activity. Those are the behaviors most likely to yield an analytic that detects a real attack. A high-value behavior for which no data exists is not simply dropped; it becomes an input to the next step, which is about acquiring that data.
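The following is an added worked example, not part of the original article or of MITRE's method, showing one way to turn the four questions into a repeatable prioritization. The technique IDs are real ATT&CK identifiers, but the 1-to-5 ratings, the weights, the data-source names, and the set of sensors the environment collects are all constructed assumptions for illustration. The one design choice worth noting is that data availability is treated as a hard gate rather than a weight: a technique the environment cannot observe scores zero no matter how common or damaging it is, and its missing data sources are kept so they can feed the data-acquisition step.

```python
"""Rank ATT&CK techniques for analytic development (added example).

Ratings, weights and data-source names below are constructed assumptions,
not values from MITRE or the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    technique: str              # ATT&CK technique ID (real IDs, constructed ratings)
    name: str
    prevalence: int             # how common in relevant threat reporting, 1-5
    impact: int                 # adverse impact if the technique succeeds, 1-5
    signal: int                 # how strongly the behavior indicates malice, 1-5
    data_sources: tuple[str, ...]  # sensor data the analytic would need (assumed names)


# Sensors this hypothetical environment actually collects (constructed).
COLLECTED = {"process_creation", "command_line", "network_flow", "email_gateway"}

# Illustrative weights; "signal" is weighted highest because a noisy analytic
# is abandoned by analysts even when it covers a common technique.
WEIGHTS = {"prevalence": 0.35, "impact": 0.25, "signal": 0.40}

# Constructed candidate list with made-up ratings for demonstration.
CANDIDATES = [
    Candidate("T1059", "Command and Scripting Interpreter", 5, 3, 2,
              ("process_creation", "command_line")),
    Candidate("T1003", "OS Credential Dumping", 4, 5, 5,
              ("process_creation", "process_access")),
    Candidate("T1053", "Scheduled Task/Job", 4, 3, 3,
              ("process_creation", "command_line")),
    Candidate("T1566", "Phishing", 5, 4, 3,
              ("email_gateway",)),
    Candidate("T1021", "Remote Services", 3, 4, 3,
              ("network_flow", "logon_session")),
]


def score(c: Candidate, collected=COLLECTED):
    """Return (score, missing_sources) for one candidate.

    Missing data is a hard gate: if any required data source is not collected,
    the score is 0.0 and the missing sources are reported so they can become
    a data-acquisition request instead of being silently forgotten.
    """
    missing = [s for s in c.data_sources if s not in collected]
    if missing:
        return 0.0, missing
    s = (WEIGHTS["prevalence"] * c.prevalence
         + WEIGHTS["impact"] * c.impact
         + WEIGHTS["signal"] * c.signal)
    return round(s, 2), []


def prioritize(candidates=CANDIDATES, collected=COLLECTED):
    """Return [(technique_id, score, missing_sources)] sorted best-first.

    Gated techniques sink to the bottom but keep their missing-source list.
    """
    rows = [(c.technique, *score(c, collected)) for c in candidates]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for tech, s, missing in prioritize():
        note = f"  (blocked: missing {', '.join(missing)})" if missing else ""
        print(f"{tech}  score={s:.2f}{note}")
    # Re-running with an extra sensor shows how acquiring data changes the list.
    print("with process_access collected:",
          [r[0] for r in prioritize(collected=COLLECTED | {"process_access"})][:2])
```

Re-running the ranking with one more collected data source moves credential dumping from the blocked list to the top, which is the practical point: the answer to "for what behaviors is data readily available?" is not fixed, and the gated list is the shopping list for the next step.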
Step 2: Acquire Data
Most organizations collect some level of security data as part of their regular operations. This data is fed into security information and event