Using MITRE ATT&CK®-based analytics for threat detection: 5 principles

MITRE ATT&CK-based threat detection vs. conventional methods

A number of traditional methods for threat detection exist; however, cyber threat actors have developed methods for evading these, such as:

Tool Testing: Before using or other in an , threat actors will test it against known detection systems. This ensures that, at least in initial campaigns, the attack will not be detected.

Living off the Land: Threat actors will take advantage of functionality built into the target system to perform their attacks. This reduces the need to use (potentially detectable) custom malware.

Use: Use of encryption for traffic is growing for both legitimate and malicious use cases. This makes network-based detection of malware based upon signatures and other indicators of compromise (IoCs) difficult or impossible.

MITRE ATT&CK® takes a different approach to threat detection. Instead of attempting to detect the specific tools used by cyber threat actors, the MITRE ATT&CK framework describes the behaviors and goals of attackers during an incident.
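The contrast above, as an added example that is not part of the original article: a hash-based signature check beside a small behavioral analytic, both run over constructed process-creation events. The event fields, hashes, process names and the two rule names ("office-spawned-child", "encoded-script-host") are all assumptions made for this illustration. A rebuilt tool changes its hash and slips past the signature check, and a built-in script host carries no malicious hash at all, but the behavior (an Office application spawning a child process, a script host launched with an encoded command) is the same each time and is what the analytic keys on.

```python
"""Signature-based vs. behavior-based detection over constructed sample events.

Added example, not code from the original article. All events, hashes and
rule names below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # parent process image name
    image: str     # child process image name
    cmdline: str   # child command line
    sha256: str    # hash of the child executable


def _h(label: str) -> str:
    """Constructed stand-in for a file hash; not a real sample hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed IoC feed: the only thing a pure signature sensor can match on.
KNOWN_BAD_HASHES = {_h("constructed-malware-build-1")}

# Process families used by the behavioral rules (assumed, illustrative lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry:
#   1. known dropper, matched by hash
#   2. same dropper rebuilt (tool testing), hash no longer matches
#   3. built-in script host with an encoded command (living off the land)
#   4. benign activity, for a negative case
EVENTS = [
    ProcessEvent("explorer.exe", "dropper.exe", "dropper.exe",
                 _h("constructed-malware-build-1")),
    ProcessEvent("winword.exe", "dropper.exe", "dropper.exe",
                 _h("constructed-malware-build-2")),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>",
                 _h("legitimate-powershell-binary")),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe",
                 _h("legitimate-notepad-binary")),
]


def signature_detect(ev: ProcessEvent) -> bool:
    """Conventional IoC check: does the child's hash appear in the bad list?"""
    return ev.sha256 in KNOWN_BAD_HASHES


def behavior_detect(ev: ProcessEvent) -> List[str]:
    """ATT&CK-style analytic: return the names of every behavioral rule that fires."""
    hits: List[str] = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    # Office applications do not normally spawn child processes at all.
    if parent in OFFICE_APPS:
        hits.append("office-spawned-child")
    # A script host started with an encoded payload hides the command from casual review.
    if image in SCRIPT_HOSTS and ("-enc" in cmd or "encodedcommand" in cmd):
        hits.append("encoded-script-host")
    return hits


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, bool, List[str]]]:
    """Run both detectors over every event and return (image, signature_hit, behavior_hits)."""
    return [(ev.image, signature_detect(ev), behavior_detect(ev)) for ev in events]


if __name__ == "__main__":
    for image, sig, beh in evaluate(EVENTS):
        print(f"{image:16} signature={sig!s:5} behavior={beh}")
```

Run as a script it prints one line per event; the rebuilt dropper and the encoded PowerShell launch are reported only by the behavioral rules, while the signature check catches just the first, unmodified build.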

Benefits of using MITRE ATT&CK for threat detection

A threat detection approach based upon behavioral analytics provides a number of different benefits, such as:

Costlier Avoidance: It is relatively cheap
