Skip to content

Professional Use of MITRE ATT&CK (SOC & Detection Engineering Guide)

Using the MITRE ATT&CK framework should not be just about memorizing IDs or browsing techniques; rather, it is actually a thinking model for analyzing attacks, building defenses, and correlating telemetry with the attacker’s real behavior.

1. MITRE Anatomy

To understand any technique within MITRE, you must first understand the following hierarchy:

Tactics β€” "Why?"

These represent the attacker's ultimate objectives during an attack, such as:

  • Initial Access
  • Persistence
  • Exfiltration

A tactic = the attacker's goal

Techniques β€” "What do they do?"

These are the general methods used to achieve the objective:

  • Phishing
  • PowerShell execution
  • Credential dumping

A technique = the action used to achieve the goal

Sub-techniques β€” "How exactly?"

These provide a more detailed description of how the technique is carried out:

  • Spearphishing Attachment
  • PowerShell Encoded Command

Always choose the most specific sub-technique whenever possible.

Procedure

This is the real-world implementation of a technique by a specific APT group or threat actor.

This is where the attacker's actual fingerprint appears (the Threat Intelligence Layer).

---

2. The Enterprise Matrix Is the Foundation

When getting started, focus on the: Enterprise ATT&CK Matrix

Because it covers:

  • Windows
  • Linux
  • Cloud
  • Network

> Do not start with ICS or Mobile unless you have a specialized need for them.

3. The Golden Rule: Correlate with Data Sources

The greatest value of MITRE ATT&CK is not the IDs themselves, but how they help you detect attacks.

When studying a technique such as: T1059.001 (PowerShell)

Do not stop at the technique name.

Instead, review:

  • Data Sources
  • Detection

You will find the telemetry and activities that should be monitored, such as:

  • Process monitoring
  • Command execution
  • Script block logging

The real objective:

Transform MITRE ATT&CK into SIEM Detection Requirements.

---

4. Core Use Cases of MITRE ATT&CK

1. Incident Investigation

  • Map logs or observed behaviors to a Technique ID.
  • Understand exactly what the attacker did.

2. Detection Engineering

  • Identify gaps in security coverage.
  • Example:
  • You have coverage for T1053 (Scheduled Task).
  • However, there is no detection rule in Splunk. β†’ This indicates a detection gap that needs to be addressed.

3. Threat Emulation / Red Teaming

  • Simulate real-world attacks.
  • Evaluate the effectiveness of security controls.
  • Execute techniques in a controlled and measurable manner.

---

5. Navigator Mindset

Instead of using MITRE ATT&CK as an encyclopedia:

Use MITRE ATT&CK Navigator.

Think of it as a strategic map:

  • 🟒 Green = Detection coverage exists.
  • πŸ”΄ Red = A security gap exists.
  • 🟑 Yellow = Partial coverage exists.

The objective: Assess and visualize the maturity of your security defenses (Security Posture).

---

6. Important Information

Groups (APT Groups)

  • Known threat actor groups.
  • Help you understand:
  • Who is targeting your industry?
  • What are their preferred tactics and techniques?

Software / Tools

Examples:

  • Mimikatz
  • Cobalt Strike

These link specific tools to the techniques they commonly use in real-world attacks.

Data Components (Very Important)

Instead of simply monitoring "process logs," MITRE specifies more granular data elements such as:

  • process-name
  • command-line
  • parent-process

This is critical for writing precise SIEM queries in platforms such as Splunk and Sentinel.

---

7. Detection Engineering Concepts

When analyzing any technique, focus on:

Data Sources

What log sources are required?

Detection Logic

How can the behavior be detected?

Mitigation

How can the technique be prevented in the first place?

Examples:

  • MFA
  • Patching
  • Hardening

---

8. The Importance of Platforms

Every technique is associated with one or more platforms:

  • Windows
  • Linux
  • Cloud
  • SaaS

The same attack technique can differ significantly depending on the environment.

---

9. Keeping Information Up to Date

MITRE ATT&CK is not static:

  • It is continuously updated.
  • New techniques are added.
  • Existing definitions are refined and improved.

Review the Version History of each technique to understand how it has evolved over time.