Start thinking about threat hunting by using terms from MITRE’s ATT&CK Matrix to frame the context. By first using high-level terms like privilege escalation, lateral movement, and exfiltration in your vocabulary, you identify threat actor intent before drilling into specifics.
December 13, 2019
In this paper, we’re going to introduce a different—and perhaps new—technique for threat hunting, one that uses MITRE’s ATT&CK Matrix as an ongoing vocabulary. By associating your threat hunts with known threat actor objectives, tactics and techniques, you’ll begin to think of threat hunting not as a singular activity but rather in the context of how an attacker may achieve that objective within your environment. Furthermore, we believe that if you “speak ATT&CK” when hunting, your team will find a common vocabulary to describe the desired result of a hunt.