Finding Cyber Threats with ATT&CK-Based Analytics

June 2017
Topics: Cybersecurity, Cyber Threat Intelligence, Data Analytics, Computer-Communication-Networks, Information Security, Homeland Security
Blake E. Strom, The MITRE Corporation
Joseph A. Battaglia, The MITRE Corporation
Michael S. Kemmerer, The MITRE Corporation
William Kupersanin, The MITRE Corporation
Douglas P. Miller, The MITRE Corporation
Craig Wampler, The MITRE Corporation
Sean M. Whitley, The MITRE Corporation
Ross D. Wolf, The MITRE Corporation
Download PDF (710.84 KB)

Post-compromise intrusion detection of cyber adversaries is an important capability for network defenders as adversaries continue to evolve methods for compromising systems and evading common defenses. This paper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.


Publication Search