Thursday, 18 April 2019 14:15

The MITRE ATT&CK Framework Is Not A Bingo Card

I occasionally find people mapping their SOC capabilities to the ATT&CK framework by checking off specific techniques that they have shown they are able to detect with the intent of measuring coverage within their SOC. In this blog post, I hope to clarify why this strategy may be misleading.

There Are No Bad Actions, Only Bad Behavior

It’s almost impossible to have a high-confidence indictment of a process based on a single behavior. Hypothetically, if there were such a thing as a purely malicious operation, the system would not have been designed with this capability, or it would have been patched out. While there are certainly exceptions (things you would absolutely want to know about if they happen in your infrastructure), it’s important to understand ATT&CK techniques as the building blocks of a cyberattack, not as malicious in and of themselves.
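The argument above, as an added example that is not from the post or from Forrester: two detectors are run over constructed per-process traces, one that indicts on any single checked-off technique (the bingo card) and one that only fires when a process chains building blocks across several tactics. The traces, the ATT&CK-style technique labels and the tactic threshold are all assumptions made for the illustration.

```python
# Added example, not from the Forrester post: a "bingo card" of individually
# detected techniques versus a detector that looks for a chain of behavior.
# Traces, technique labels and the tactic threshold are all constructed.

# Constructed per-process traces of (tactic, technique) pairs, oldest first.
PROCESSES = {
    # A sysadmin patch script: each step is routine on its own.
    "patch_script": [("execution", "scripting_interpreter"),
                     ("discovery", "system_info_discovery"),
                     ("lateral_movement", "remote_services")],
    # A backup agent that registers its own scheduled job.
    "backup_agent": [("persistence", "scheduled_task")],
    # A constructed intrusion-like chain assembled from the same blocks.
    "suspect": [("execution", "scripting_interpreter"),
                ("credential_access", "credential_dumping"),
                ("lateral_movement", "remote_services"),
                ("exfiltration", "exfil_over_c2")],
}
MALICIOUS = {"suspect"}  # ground truth for the constructed traces

# Techniques the SOC has shown it can detect: its checked-off bingo squares.
CHECKED_OFF = {"scripting_interpreter", "remote_services",
               "scheduled_task", "credential_dumping"}

def bingo_coverage(checked=CHECKED_OFF, processes=PROCESSES):
    """Checkbox metric: share of observed techniques that have a detection.
    It says nothing about how those detections behave on real activity."""
    universe = {t for events in processes.values() for _, t in events}
    return len(checked & universe) / len(universe)

def bingo_alerts(processes=PROCESSES, checked=CHECKED_OFF):
    """Single-technique indictment: any checked-off technique raises an alert."""
    return {name for name, events in processes.items()
            if any(t in checked for _, t in events)}

def chain_alerts(processes=PROCESSES, min_tactics=4):
    """Behavioral indictment: alert only when one process chains building
    blocks across at least min_tactics distinct tactics (threshold assumed)."""
    return {name for name, events in processes.items()
            if len({tactic for tactic, _ in events}) >= min_tactics}

def precision_recall(alerts, malicious=MALICIOUS):
    """Score an alert set against ground truth; returns (precision, recall)."""
    hits = len(alerts & malicious)
    return (hits / len(alerts) if alerts else 0.0), hits / len(malicious)

if __name__ == "__main__":
    print(f"bingo-card coverage: {bingo_coverage():.0%}")  # reports 67%
    for label, alerts in (("bingo", bingo_alerts()), ("chain", chain_alerts())):
        print(label, sorted(alerts), precision_recall(alerts))
```

The bingo card reports two thirds of observed techniques covered, yet the single-technique detector indicts every process in the traces (precision one third), while the chain detector indicts only the constructed intrusion.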

...

https://go.forrester.com/blogs/the-mitre-attck-framework-is-not-a-bingo-card/