Finding Cyber Threats with ATT&CK-Based AnalyticsJune 2017
Topics: Cybersecurity, Data Analytics, Computer-Communication-Networks, Information Security, Homeland Security
Post-compromise intrusion detection of cyber adversaries is an important capability for network defenders as adversaries continue to evolve methods for compromising systems and evading common defenses. This paper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.