MITRE ATT&CK Framework
The MITRE ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. TruSTAR users can automatically extract MITRE ATT&CK techniques and tactics from Premium Intelligence sources.
Features
As part of the TruSTAR platform, you can use the MITRE ATT&CK Framework to:
- Accelerate Prioritization & Resolution: Automatically correlate alerts, cases and Indicators that share ATT&CK TTPs. This helps you quickly uncover linkages in adversarial behavior, actors, malware, and Indicators, and then prioritize response actions.
- Move Up the Pyramid of Pain: By linking Indicators with ATT&CK TTPs, you can take holistic action rather than just blocking and tackling individual data points. You can also map ATT&CK TTPs with resolved cases and create a library of cases organized by ATT&CK.
- Assess Operational Controls: By using TTP trends computed from Premium Intelligence sources and submissions to TruSTAR, you can make more data-driven decisions when assessing gaps in operational controls and increase coverage of your organization's attack surface.
Using the MITRE ATT&CK Framework
To enrich and categorize your reports and indicators with MITRE ATT&CK, you can:
- Create MITRE ATT&CK tags in Intel Reports or Indicators
- Filter Intel Reports or Indicators by MITRE ATT&CK
Creating MITRE ATT&CK Tags
You can tag Intel Reports or Indicators with MITRE ATT&CK tactics or techniques.
- Click the plus sign to the right of MITRE ATT&CK in the Tags section on the Filter and Refine panel while viewing an individual Intel Report or Indicator. The graphic below shows MITRE ATT&CK for an Intel Report.
- Select the tactics or techniques to associate with the item. You can select multiple tactics or techniques to associate with each item. If you select a technique, the associated tactic will be added as a separate tag.
- Click Save Changes to save the tags to the item.
MITRE ATT&CK tags show in the tags section after you save changes. All MITRE tags are preceded by "mitre/" to differentiate them from other report tags.

Filtering MITRE Tags
In the Reports List View or IOC List View, you can filter by MITRE ATT&CK tags to view only Intel Reports or Indicators associated with a specific MITRE ATT&CK tag.
