  • brencronin

Mitre ATT&CK based SOC Assessments

SOC assessments:

  • Set a reference for SOC capabilities.

  • Identify detection engineering data-source gaps

  • Identify detection engineering use-case alerting gaps

  • Identify SOC workflow chokepoints

  • Identify SOC communications issues

  • Inform where cyber tools and processes give the biggest ROI

Hands-on Assessment - actual test against the SOC

More precise, so limited in scope

More invasive

Hands-off Assessment - test SOC capabilities against a framework

Reasons not to do an assessment:

  • No SOC staffing

  • No visibility into key data sources

  • No interest in committing to improvement

Assessments/audits are always antagonistic

MITRE ATT&CK Catalogue

  • What are you supposed to have coverage against?

  • Can you detect it? yes or no

  • Can it also be mitigated? yes or no

Data sources

MITRE Engenuity can then map detections and mitigations in layers by security tool. This creates a type of solutions heat map.

Collecting from a data source versus using that data source

Analytics are broader. The fidelity of an analytic can be: basic; useful but simple; more advanced

ATT&CK mapping detection projects:

Tool Coverage

Detection tool questions:

  • Where does the tool run?

  • How does the tool detect things (static, dynamic)?

  • What data source is the tool monitoring?

Ask the SOC how they use the tool

SOC Interviews

Example questions:

  • Describe a recent event

    • How was it handled end-to-end?

    • What was the SOC's role?

    • What first triggered the response?

    • What were follow-on activities?

  • Describe how new analytics are rolled out

  • What would you like to see automated?

  • Ask about detections for ATT&CK techniques

Heat Maps

3 key ingredients:

  • Scope

  • Measurement abstraction

  • Color scheme

Watch out for complexity and too many colors (red is not the best color)

Management wants high level, tech staff want details

Coverage Charts

Tool coverage + analytic coverage, adjusted up or down (+/-) by interview findings = final results

Technique Prioritization

Focus on techniques that are:

  • Relevant

  • Defensible

  • Gaps based on assessment

Overlay threat actor techniques against detectable techniques

Select the techniques with low confidence of detection as the priority
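The coverage-chart formula above (tool coverage + analytic coverage, adjusted by interviews), the overlay of threat-actor techniques and the low-confidence prioritisation, and the three-colour heat map, carried through in code. This is an added example, not code from the original post or from MITRE; the weights, the interview adjustment range, the 0.5 confidence threshold, the palette and the coverage data are all my own assumptions (the technique IDs are real ATT&CK IDs, the findings attached to them are constructed). The output is a minimal ATT&CK Navigator layer.

```python
# Added example (not from the original post). Turns assessment findings into a
# coverage chart, a prioritised gap list and an ATT&CK Navigator layer (heat map).
# All weights, thresholds and sample data are assumptions/constructed.
import json
from dataclasses import dataclass

# Analytic fidelity tiers from the notes (none / basic / useful but simple / more advanced).
# The numeric weights are an assumption.
FIDELITY_WEIGHT = {"none": 0.0, "basic": 0.3, "useful": 0.6, "advanced": 1.0}


@dataclass
class TechniqueCoverage:
    technique_id: str
    name: str
    tools: int = 0                 # tools monitoring a data source relevant to the technique
    fidelity: str = "none"         # best analytic actually deployed (collecting != using)
    interview_adjust: float = 0.0  # assumption: -0.3..+0.3 correction from SOC interviews
    mitigated: bool = False        # catalogue question: can it also be mitigated?


def confidence(c: TechniqueCoverage) -> float:
    """Final results = tool coverage + analytic coverage +/- interview adjustment, clamped to [0, 1]."""
    tool_score = min(c.tools, 2) / 2 * 0.4             # assumption: two tools saturate tool coverage
    analytic_score = FIDELITY_WEIGHT[c.fidelity] * 0.6  # using the data weighs more than collecting it
    return max(0.0, min(1.0, tool_score + analytic_score + c.interview_adjust))


def prioritize(coverage, actor_techniques, threshold=0.5):
    """Overlay the actor's techniques on the coverage map; return (id, confidence, mitigated)
    for every gap below the threshold, lowest confidence first."""
    by_id = {c.technique_id: c for c in coverage}
    gaps = []
    for tid in actor_techniques:
        # A technique the actor uses that the assessment never looked at is a zero-confidence gap.
        c = by_id.get(tid, TechniqueCoverage(tid, "not assessed"))
        score = round(confidence(c), 2)
        if score < threshold:
            gaps.append((tid, score, c.mitigated))
    return sorted(gaps, key=lambda g: g[1])


def colour(score: float) -> str:
    """Three-step palette, deliberately without red: grey = gap, amber = partial, green = covered."""
    if score < 0.34:
        return "#7f7f7f"
    if score < 0.67:
        return "#f5c242"
    return "#4caf50"


def navigator_layer(coverage, actor_techniques, name="SOC assessment"):
    """Minimal ATT&CK Navigator layer as a dict ready for json.dump. Field names follow the
    Navigator layer format; the version block is omitted (assumption: add it if your Navigator needs it)."""
    by_id = {c.technique_id: c for c in coverage}
    for tid in actor_techniques:
        by_id.setdefault(tid, TechniqueCoverage(tid, "not assessed"))
    techniques = []
    for tid, c in sorted(by_id.items()):
        score = round(confidence(c), 2)
        comment = f"{c.name}; tools={c.tools}; analytic={c.fidelity}"
        if tid in actor_techniques:
            comment += "; used by tracked actor"
        if c.mitigated:
            comment += "; mitigation in place"
        techniques.append({"techniqueID": tid, "score": int(score * 100),
                           "color": colour(score), "comment": comment})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Detection confidence per technique (tool + analytic +/- interview)",
        "techniques": techniques,
        "legendItems": [{"label": "gap", "color": "#7f7f7f"},
                        {"label": "partial", "color": "#f5c242"},
                        {"label": "covered", "color": "#4caf50"}],
    }


# Constructed sample assessment data (not real findings).
COVERAGE = [
    TechniqueCoverage("T1059", "Command and Scripting Interpreter", tools=2, fidelity="advanced"),
    TechniqueCoverage("T1003", "OS Credential Dumping", tools=1, fidelity="basic",
                      interview_adjust=-0.1, mitigated=True),  # analysts said the alerts are noisy
    TechniqueCoverage("T1566", "Phishing", tools=1, fidelity="useful", interview_adjust=0.1),
    TechniqueCoverage("T1021", "Remote Services", tools=1, fidelity="none"),  # collected, never used
    TechniqueCoverage("T1053", "Scheduled Task/Job"),
]
# Constructed threat-actor technique list (what threat tracking says the actor uses).
ACTOR_TECHNIQUES = ["T1566", "T1059", "T1003", "T1021", "T1047"]

if __name__ == "__main__":
    for tid, score, mitigated in prioritize(COVERAGE, ACTOR_TECHNIQUES):
        print(f"{tid}: confidence {score:.2f}{' (mitigated)' if mitigated else ''}")
    print(json.dumps(navigator_layer(COVERAGE, ACTOR_TECHNIQUES), indent=2))
```

With the sample data the priority list comes out as T1047 (never assessed), T1021 (data collected but no analytic) and T1003 (basic analytic, marked down by the interviews), which is the "low confidence of detection" set the notes say to work first; T1003 is flagged as mitigated, so it may rank lower on the remediation list even though its detection confidence is poor. The layer's three colours keep the heat map readable for management while the per-technique comment carries the detail the technical staff want.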

Ways to improve coverage:

  • Add analytics

  • Add new tools

  • Ingest more data sources

  • Implement mitigations

Other process improvements:

  • Communication?

  • Onboarding analytics?

  • Documentation?

  • Onboarding new staff?

  • Leadership support?

  • Acquiring tools?

  • Tracking threats?

  • Tracking assets?

  • Deployment consistency?

  • Cyber hygiene?

