
Achieving threat-hunting consistency with the MITRE ATT&CK Matrix

By:
Ethan Durand
December 13, 2019

What does it mean to use a common language when threat hunting?

Threat hunting sometimes feels like an ineffective, endless activity where the common practice is to search for threats based on hunches and previous knowledge – leaving an open opportunity for elusive attackers.

A recent white paper by Matt Bromiley, a SANS digital forensics and incident response instructor, presents a new way of thinking about threat hunting, one that uses the MITRE ATT&CK Matrix as a vocabulary, not as a marketing tool.

Identifying threat actor objectives, techniques, and tactics enables you to hunt for threats in the context of how attackers achieve their objective rather than as a single activity. When you “speak ATT&CK,” your team will find a common vocabulary to describe the desired result of a hunt and approach your environment in a new way.

One common mistake seen in organizations during threat hunts is keeping teams and data separated at the artifact level. Threat actors don’t confine themselves to one part of an environment, so good threat hunting should include every part of the organization that could be affected by the activity.

Threat hunters should move beyond thinking about how something is being abused. Instead, think about the what, where and how by utilizing a common vocabulary to help define and shed light on a particular hunting activity.

Use threat hunting to accumulate visibility and insight into your environment. Think of threat hunting in terms of the new vocabulary to launch hunts that look for attack behaviors like lateral movement and exfiltration. A common threat-hunting vocabulary will help you identify visibility gaps and drive security-posture decisions.

The MITRE ATT&CK Matrix can be used to address categories and techniques, and how attackers are actually using them, which allows your team to speak more succinctly about threat hunting.

Categories such as Credential Access and Defense Evasion can serve as high-level “starter” words for how you want to begin thinking about threats, letting you approach threat hunting from a high level and work down through the individual steps.

A useful takeaway from the MITRE ATT&CK Matrix is the ability to combine various techniques to represent the activities of a specific group. This can help determine where you could and couldn’t detect a threat actor.

The same combination of techniques can also be used in your hunts to detect the presence of a threat group. You can then bridge techniques that are shared across multiple threat groups, achieving coverage and insight across the entire spectrum at once.
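The idea in the two paragraphs above, combining techniques into a group profile and then checking which of them you can and cannot detect, can be worked through as a small coverage-gap calculation. The script below is an added example, not code from Vectra or from the SANS white paper. The technique IDs and tactic names are real MITRE ATT&CK identifiers; the three threat-group profiles and the detection inventory are constructed sample data, and the hunt names are hypothetical.

```python
"""ATT&CK coverage-gap analysis for threat hunting (added example).

Technique IDs are real ATT&CK identifiers. The group profiles and the
detection inventory below are constructed sample data for illustration.
"""
from collections import Counter

# Real ATT&CK technique IDs with the tactic we file them under here.
TECHNIQUES = {
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1078": ("Defense Evasion", "Valid Accounts"),
    "T1027": ("Defense Evasion", "Obfuscated Files or Information"),
    "T1070": ("Defense Evasion", "Indicator Removal"),
    "T1021": ("Lateral Movement", "Remote Services"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
    "T1567": ("Exfiltration", "Exfiltration Over Web Service"),
}

# Constructed: techniques each hypothetical group is assumed to use.
GROUP_TECHNIQUES = {
    "group_a": {"T1003", "T1078", "T1021", "T1041"},
    "group_b": {"T1027", "T1070", "T1021", "T1567"},
    "group_c": {"T1003", "T1027", "T1021", "T1041"},
}

# Constructed: hunts/detections the team already runs, keyed by technique.
# Hunt names are hypothetical placeholders.
DETECTIONS = {
    "T1003": ["lsass-access-hunt"],
    "T1021": ["remote-service-logon-hunt"],
    "T1041": ["c2-egress-volume-hunt"],
}


def coverage_for_group(group, detections=DETECTIONS):
    """Return (covered, gaps): the group's techniques split by whether
    at least one detection exists for them."""
    techniques = GROUP_TECHNIQUES[group]
    covered = {t for t in techniques if detections.get(t)}
    return covered, techniques - covered


def coverage_ratio(group, detections=DETECTIONS):
    """Fraction of the group's known techniques that have a detection."""
    covered, gaps = coverage_for_group(group, detections)
    return len(covered) / (len(covered) + len(gaps))


def bridging_gaps(detections=DETECTIONS):
    """Uncovered techniques ranked by how many groups use them.

    A gap shared by several groups is the best candidate for the next
    hunt, because closing it 'bridges' coverage across all of them."""
    counts = Counter()
    for group in GROUP_TECHNIQUES:
        _, gaps = coverage_for_group(group, detections)
        counts.update(gaps)
    return counts.most_common()


def gaps_by_tactic(detections=DETECTIONS):
    """Group every uncovered technique under its tactic so the team can
    talk about the gap in ATT&CK terms ('we are blind in Defense Evasion')."""
    by_tactic = {}
    for technique, _ in bridging_gaps(detections):
        tactic, name = TECHNIQUES[technique]
        by_tactic.setdefault(tactic, []).append(f"{technique} {name}")
    return by_tactic


if __name__ == "__main__":
    for group in GROUP_TECHNIQUES:
        covered, gaps = coverage_for_group(group)
        print(f"{group}: {coverage_ratio(group):.0%} covered, gaps={sorted(gaps)}")
    print("next hunts by bridging value:", bridging_gaps())
    print("gaps by tactic:", gaps_by_tactic())
```

Running the script shows that group_b is only 25% covered, and that T1027 (Obfuscated Files or Information, a Defense Evasion technique) is the one gap shared by two of the three profiles, so a single new hunt there improves coverage against both. Swapping the constructed dictionaries for your own group profiles and detection inventory turns this into a repeatable way to state, in ATT&CK vocabulary, what a hunt is meant to prove.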

Start thinking about threat hunting by using terms from the MITRE ATT&CK Matrix to frame the context and guide what you can and cannot see within your environment.

To learn more about the MITRE ATT&CK Matrix, check out the white paper as well as the webcast featuring Matt Bromiley and Chris Morales, head of security analytics at Vectra.

About the author

Ethan Durand

Ethan Durand is a content marketing intern at Vectra. He is currently pursuing a Business Marketing degree from San Jose State University and has been with Vectra since 2018.
