Using MITRE ATT&CK®-based analytics for threat detection: 5 principles

MITRE ATT&CK-based threat detection vs. conventional methods

A number of traditional methods for threat detection exist; however, cyber threat actors have developed ways of evading them, such as:

Tool Testing: Before using malware or other tools in an attack, threat actors test them against known detection systems. This ensures that, at least in initial campaigns, the attack will not be detected.

Living off the Land: Threat actors take advantage of functionality built into the target system to perform their attacks. This reduces the need for (potentially detectable) custom malware.

Encryption Use: Use of encryption for network traffic is growing for both legitimate and malicious purposes. This makes network-based detection of malware based on signatures and other indicators of compromise (IoCs) difficult or impossible.

MITRE ATT&CK® takes a different approach to threat detection. Instead of attempting to detect the specific tools used by cyber threat actors, the MITRE ATT&CK framework describes the goals (tactics) and behaviors (techniques) of attackers during a cybersecurity incident. A detection built on those behaviors keeps working when the tooling changes, because the attacker still has to spawn the process, dump the credentials or run the encoded command to reach the goal.

Benefits of using MITRE ATT&CK for threat detection

A threat detection approach based on behavioral analytics provides several benefits, such as:

Costlier Avoidance: It is relatively cheap
