How to Use MITRE ATT&CK® to Map Defenses and Understand Gaps

Developing detection and prevention controls for techniques in the enterprise matrix

The MITRE ATT&CK® framework is a useful way to standardize cybersecurity terminology, and it gives organizations a common structure for planning and evaluating their cybersecurity defenses. Its usefulness is demonstrated by the fact that many cybersecurity tool developers now provide explicit mappings of their tools’ capabilities to the framework.

Using the techniques and procedures outlined in the MITRE ATT&CK framework, organizations can develop controls specifically to detect and prevent certain attack behaviors.  However, it is important to do so carefully and acknowledge the risks of such an approach.

The risks of mapping defenses to ATT&CK techniques

While the MITRE ATT&CK framework is a valuable tool, it isn’t perfect. When mapping defenses to MITRE ATT&CK techniques, two major risks exist:

Missing Techniques: The MITRE ATT&CK framework attempts to provide a comprehensive overview of the methods (Techniques) by which an attacker can achieve various operational objectives (Tactics). However, it is possible that some techniques may not be included in the MITRE ATT&CK matrices.

Overlooked Procedures: Most MITRE ATT&CK techniques can be performed in a number of different ways (called Procedures). The ability to detect one procedure
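
An added example, not part of the original article: a small coverage check that contrasts technique-level coverage with procedure-level coverage and keeps rules that have no ATT&CK technique in a separate bucket instead of dropping them. The technique IDs are real ATT&CK identifiers; the procedure labels, rule names and scope list are constructed for illustration.

```python
# Constructed sample data. Technique IDs are real ATT&CK identifiers; the
# procedure labels, rule names and scope list are hypothetical.
IN_SCOPE = {
    "T1059.001": ["encoded-command-line", "script-file", "interactive-session"],
    "T1003.001": ["known-dump-utility", "builtin-library-dump", "direct-memory-read"],
    "T1053.005": ["schtasks-cli", "task-scheduler-api"],
}
DETECTIONS = [
    {"rule": "ps_encoded_cmdline", "technique": "T1059.001", "procedures": ["encoded-command-line"]},
    {"rule": "lsass_dump_utility", "technique": "T1003.001", "procedures": ["known-dump-utility"]},
    {"rule": "lsass_builtin_dump", "technique": "T1003.001", "procedures": ["builtin-library-dump"]},
    # Behaviour with no matching ATT&CK technique: kept, not discarded.
    {"rule": "vendor_anomaly_rule", "technique": None, "procedures": []},
]


def coverage_report(in_scope, detections):
    """Compare technique-level coverage with procedure-level coverage."""
    covered, unmapped = {}, []
    for det in detections:
        tid = det["technique"]
        if tid not in in_scope:
            unmapped.append(det["rule"])  # no tracked technique for this rule
            continue
        covered.setdefault(tid, set()).update(det["procedures"])
    report = {}
    for tid, procedures in in_scope.items():
        seen = covered.get(tid, set())
        missing = [p for p in procedures if p not in seen]
        ratio = (len(procedures) - len(missing)) / len(procedures) if procedures else 0.0
        report[tid] = {
            "technique_level": "covered" if tid in covered else "gap",
            "procedure_coverage": ratio,
            "missing_procedures": missing,
        }
    return report, unmapped


if __name__ == "__main__":
    report, unmapped = coverage_report(IN_SCOPE, DETECTIONS)
    for tid, row in report.items():
        print(f"{tid}: {row['technique_level']:7} "
              f"{row['procedure_coverage']:.0%} missing={row['missing_procedures']}")
    print("rules with no tracked technique:", unmapped)
```

A technique-level heat map built from this inventory would mark T1059.001 and T1003.001 as covered, while the procedure-level view shows that each still has undetected procedures.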
