Finding Cyber Threats with ATT and CK(registered trademark)-Based Analytics
Abstract
Post-compromise intrusion detection of cyber adversaries is an important capability for network defenders as adversaries continue to evolve methods for compromising systems and evading common defenses. This paper presents a methodology for using the MITRE ATT and CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.
Document Details
- Document Type
- Technical Report
- Publication Date
- Jun 01, 2017
- Accession Number
- AD1107945
Entities
People
- Blake E. Strom
- Craig Wampler
- Douglas P. Miller
- Joseph A. Battaglia
- Michael S. Kemmerer
- Ross D. Wolf
- Sean M. Whitley
- William Kupersanin
Organizations
- MITRE Corporation