In my last blog post + video, I provided a working definition for Detection Engineering (DE).  In this post, I want to talk about one of the most valuable tools for detection engineering: the MITRE ATT&CK framework.

‍Prioritizing Techniques in MITRE ATT&CK Relevant to You
Let’s suppose you’ve been living outside the cybersecurity world the last 10 years (or under a rock inside it). In that case, the MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). It provides a structured approach to identifying and categorizing potential attacks, making it an excellent resource for detection engineering. However, it's important to note that not all the techniques in the MITRE ATT&CK framework will be relevant to every organization. Therefore, it's crucial to prioritize the techniques that are most relevant to your organization.

‍2 Simple Steps to Start Prioritizing Techniques using MITRE ATT&CK

1. Assess your assets and determine where your most valuable data and operational assets are located. The tech platforms that support these assets are now your organization's high-priority platforms. Because every technique in MITRE ATT&CK has an associated tech platform, you can filter the MITRE ATT&CK matrix to focus on the techniques that pertain to your high-priority platforms.
2. Identify the threat groups targeting your organization's industry or the geographies in which it operates. All that information can be used to cross-reference with the high-priority platforms and get a prioritized matrix of techniques to focus on addressing. This approach ensures your organization focuses detection efforts on the techniques most relevant to your threat model.

Check out my video, where I walk through how to filter down the MITRE ATT&CK matrix via the open-source ATT&CK Navigator and explain a bit more. 

The bottom line is that the MITRE ATT&CK framework provides an excellent resource for identifying and categorizing potential attacks. By prioritizing the most relevant techniques to your threat model, you can ensure that you are focusing your detection engineering efforts on the most critical areas.