I occasionally find people mapping their SOC capabilities to the ATT&CK framework by checking off specific techniques that they have shown they are able to detect with the intent of measuring coverage within their SOC. In this blog post, I hope to clarify why this strategy may be misleading.

There Are No Bad Actions, Only Bad Behavior

It’s almost impossible to have a high-confidence indictment of a process based on a single behavior. Hypothetically, if there were such a thing as a purely malicious operation, the system would not have been designed with this capability, or it would have been patched out. While there are certainly exceptions (things you would absolutely want to know if they happen in your infrastructure), it’s important to understand ATT&CK techniques as the building blocks of a cyberattack and that they are not malicious in and of themselves.

“In Furtherance Of Their Tactical Objective, The Adversary Performed The Following Techniques”

Because it is a sequence of ATT&CK techniques that enables an objective, detection technologies must live in the abstraction between tactics and techniques to improve the fidelity of the alerts. The challenge of detecting malicious behavior is understanding what sequence of techniques enable or are indicative of an adversary’s tactical pursuit without lighting up on good behavior and generating false positives. Similarly, checking off a box that you’re able to detect a particular ATT&CK technique is no indication of your ability to detect an adversary leveraging that technique, only that you would theoretically have access to that telemetry when performing an investigation.

Beware The Fallacy Of Composition

The ability to detect a particular instance of an ATT&CK technique is no indication of performance against any other variation of that technique. Some techniques such as Process Injection (T1055) have multiple methods of performing them that you would have to exhaustively research and test against just to say that you have coverage on known variants of that particular technique. You would be far better served to say that you have fingerprinted and have the ability to detect the use of a particular tool that is part of the tactics, techniques, and procedures of a particular threat actor known to target your vertical. Notice that I’m not saying the checkboxes are all bad, just the way I see them implemented frequently and the business justification they are being used to provide.

In Conclusion

Referencing my recent report, “The Forrester MITRE ATT&CK Evaluation Guide,” we measured a product’s visibility into ATT&CK techniques as a “coverage” metric and described it as the high-water mark for the detections a product might enable. While this is an essential consideration when evaluating a product or capability, it is only part of the story. Hopefully this blog has provided insight into the difficulty of exhaustively saying that you’re able to detect all forms of a particular technique and an understanding that, even if you did, it would be no guarantee that you’d be able to detect an adversary with that information.

Look forward to more guidance on leveraging the MITRE ATT&CK framework in the future!


(Photo credit: Wikimedia Commons)