brencronin

Mitre ATT&CK based SOC Assessments


SOC assessments:


  • Set a reference for SOC capabilities.

  • Identify detection engineering data-source gaps

  • Identify detection engineering use case alerting gaps

  • Identify SOC workflow chokepoints

  • Identify SOC communications issues

  • Inform biggest ROI on cyber tools and processes


Hands-on Assessment - actual test against the SOC

  • More precise, so limited in scope

  • More invasive

Hands-off Assessment - test SOC capabilities against a framework


Reasons not to do an assessment:


  • No SOC staffing

  • No visibility into key data sources

  • Not interested in committing to improvement


Assessments/audits are always antagonistic


Mitre ATT&CK Catalogue


  • What are you supposed to have coverage against?

  • Can you detect it? yes or no

  • Can it also be mitigated? yes or no

Data sources


MITRE Engenuity can then map detections and mitigations in layers by security tool. This creates a type of solutions heat map.



Collecting from a data source versus actually using that data source



Analytics are broader. Fidelity of an analytic can be: basic; useful but simple; more advanced.




ATT&CK mapping detection projects:


https://github.com/olafhartong/ATTACKdatamap


https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack


https://github.com/MalwareArchaeology/ATTACK


Tool Coverage

Detection tool questions:


  • Where does the tool run?

  • How does the tool detect things (static, dynamic)?

  • What data source is the tool monitoring?

Ask the SOC how they use the tool



SOC Interviews


Example questions:

  • Describe a recent event.

    • How was it handled end-to-end?

    • What was the SOC's role?

    • What first triggered the response?

    • What were the follow-on activities?

  • Describe how new analytics are rolled out.

  • What would you like to see automated?

  • Ask about detections for ATT&CK techniques


Heat Maps


3 key ingredients:

  • Scope

  • Measurement abstraction

  • Color scheme

Watch out for complexity and too many colors (red is not the best color)

Management wants the high-level view; technical staff want details


Coverage Charts


Tool coverage + analytic coverage (+/- interview findings) = final results


Technique Prioritization


Focus on techniques that are:

  • Relevant

  • Defensible

  • Gaps based on assessment


Overlay threat actor techniques against detectable techniques

Select the techniques with low confidence of detection as the priority
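The Catalogue, Coverage Charts and Technique Prioritization notes above describe one pipeline: take each tool's and analytic's claimed fidelity per technique, combine them, adjust up or down with what the SOC interviews revealed, overlay the threat actor's technique list, and pick the low-confidence techniques as the priorities. The script below is an added example (not the blog author's code, and not a MITRE tool) that runs that pipeline on a constructed inventory. The tool and analytic names, the coverage assignments, the interview adjustments and the actor technique list are all made up for illustration; the ATT&CK technique IDs are real, and the Navigator version strings in `navigator_layer` are assumed example values.

```python
import json

# Detection fidelity scale from the notes: none, basic, "useful but simple", advanced.
FIDELITY_SCORE = {"none": 0, "basic": 1, "simple": 2, "advanced": 3}
MAX_SCORE = 3

# Constructed inventory. Tool and analytic names are hypothetical; the ATT&CK
# technique IDs are real, but which tool covers which technique is made up here.
TOOL_COVERAGE = {
    "edr-agent": {"T1059.001": "advanced", "T1003.001": "simple", "T1053.005": "basic"},
    "mail-gateway": {"T1566.001": "simple"},
}
ANALYTIC_COVERAGE = {
    "siem-rule-wmi-spawn": {"T1047": "basic"},
    "siem-rule-rdp-lateral": {"T1021.001": "simple"},
    "siem-rule-ps-encoded": {"T1059.001": "basic"},
}
# Interview findings move paper coverage up or down, e.g. a tool nobody in the
# SOC actually reviews (-1) or a manual hunt the inventory does not list (+1).
INTERVIEW_ADJUSTMENTS = {"T1053.005": -1, "T1566.001": +1}
# Hypothetical threat-actor technique list to overlay on the coverage.
ACTOR_TECHNIQUES = {"T1059.001", "T1003.001", "T1021.001", "T1047", "T1566.001", "T1078"}


def best_fidelity(*coverages):
    """Per technique, keep the highest fidelity any tool or analytic claims."""
    scores = {}
    for cov in coverages:
        for techs in cov.values():
            for tech, fidelity in techs.items():
                scores[tech] = max(scores.get(tech, 0), FIDELITY_SCORE[fidelity])
    return scores


def combine_coverage(tool_cov, analytic_cov, interview_adj):
    """Tool coverage + analytic coverage, then +/- interview findings, clamped to the scale."""
    scores = best_fidelity(tool_cov, analytic_cov)
    for tech, delta in interview_adj.items():
        scores[tech] = min(MAX_SCORE, max(0, scores.get(tech, 0) + delta))
    return scores


def prioritize(scores, actor_techniques, threshold=2):
    """Actor techniques detected with confidence below threshold, weakest first."""
    weak = [(scores.get(t, 0), t) for t in actor_techniques if scores.get(t, 0) < threshold]
    return [t for _, t in sorted(weak)]


def management_summary(scores, in_scope):
    """High-level view: count of in-scope techniques at each fidelity level."""
    level_name = {v: k for k, v in FIDELITY_SCORE.items()}
    counts = {level: 0 for level in FIDELITY_SCORE}
    for tech in in_scope:
        counts[level_name[scores.get(tech, 0)]] += 1
    return counts


def navigator_layer(scores, name, versions=None):
    """Build an ATT&CK Navigator layer dict (the detail view for technical staff).

    The version strings are assumed example values; set them to match the
    Navigator and ATT&CK release you actually load the layer into.
    """
    versions = versions or {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}
    return {
        "name": name,
        "versions": versions,
        "domain": "enterprise-attack",
        "description": "Tool + analytic coverage, adjusted by SOC interview findings",
        "techniques": [
            {"techniqueID": tech, "score": score, "comment": f"fidelity {score}/{MAX_SCORE}"}
            for tech, score in sorted(scores.items())
        ],
        # Sequential light-to-dark blue gradient, avoiding the red-heavy scheme the notes warn about.
        "gradient": {"colors": ["#f7fbff", "#6baed6", "#08306b"], "minValue": 0, "maxValue": MAX_SCORE},
    }


if __name__ == "__main__":
    final = combine_coverage(TOOL_COVERAGE, ANALYTIC_COVERAGE, INTERVIEW_ADJUSTMENTS)
    print("priority gaps:", prioritize(final, ACTOR_TECHNIQUES))
    print("summary:", management_summary(final, ACTOR_TECHNIQUES))
    print(json.dumps(navigator_layer(final, "SOC assessment coverage"), indent=2))
```

With the constructed data, T1078 (never covered) and T1047 (only a basic analytic) come out as the priorities, the summary gives management the one-line count per fidelity level, and the layer JSON can be loaded into Navigator for the per-technique heat map. Interview adjustments are applied after the max across tools so that a finding like "nobody looks at that console" actually lowers the score rather than being masked by the paper inventory.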


Ways to improve coverage:

  • Add analytics

  • Add new tools

  • Ingest more data sources

  • Implement mitigations

Other process improvements:

  • Communication?

  • Onboarding analytics?

  • Documentation?

  • Onboarding new staff?

  • Leadership support?

  • Acquiring tools?

  • Tracking threats?

  • Tracking assets?

  • Deployment consistency?

  • Cyber hygiene?







