Keith

@kwm

Here goes an attempt to answer a few questions related to @MITREattack:

1. Where does ATT&CK fit in the context of your program?

2. Where and how is ATT&CK useful for metrics / measurement?

3. What first step should you take with respect to ATT&CK?

4/14/2020, 6:56:42 PM

Favs: 44

Retweets: 15

Keith

@kwm

Q: Where does ATT&CK fit in the context of your program?

Using the NIST Five Functions, ATT&CK is most applicable to Detect.

It can be useful across functions. But for most organizations, thinking of it in the context of Detect will minimize hand-wringing and emotional trauma.

4/14/2020, 6:58:11 PM

Favs: 0

Retweets: 1

Keith

@kwm

Q: Where and how is ATT&CK useful for metrics / measurement?

ATT&CK is commonly used to measure detection capabilities, particularly coverage.

It is arguably even more useful as a means of measuring visibility.

4/14/2020, 6:59:00 PM

Favs: 0

Retweets: 0

Keith

@kwm

Q: Where and how is ATT&CK useful for metrics / measurement?

One approach: Start with the subset of techniques visible to you, given the data sources at your disposal.

Using visibility as your basis, determine how many visible techniques you can detect through tools/analytics.

4/14/2020, 7:00:32 PM

Favs: 0

Retweets: 0

Keith

@kwm

Q: Which ATT&CK data sources should I consider first?

The simplest approach is often best: Start with the data sources that provide visibility into the greatest number of techniques. These usually abstract to:

- Process
- File
- Network

(Not always in the above order)

4/14/2020, 7:01:51 PM

Favs: 6

Retweets: 0
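The visibility-first measurement described in the tweets above (start from the techniques your data sources make visible, count how many of those your analytics detect, and pick data sources by how many techniques they expose), as an added Python example that is not from the thread. The technique IDs are real ATT&CK IDs, but the data-source and analytic mappings are constructed placeholders, not the official ATT&CK mappings.

```python
# Added example, not from the thread: visibility-first ATT&CK metrics.
# Technique -> data source mapping below is CONSTRUCTED for illustration
# (abstracted to the Process / File / Network buckets from the thread);
# real mappings come from the ATT&CK knowledge base.
from collections import Counter

TECHNIQUES = {
    "T1059": {"Process"},            # Command and Scripting Interpreter
    "T1053": {"Process", "File"},    # Scheduled Task/Job
    "T1105": {"Network", "File"},    # Ingress Tool Transfer
    "T1071": {"Network"},            # Application Layer Protocol
    "T1003": {"Process"},            # OS Credential Dumping
    "T1547": {"File"},               # Boot or Logon Autostart Execution
    "T1090": {"Network"},            # Proxy
    "T1055": {"Process"},            # Process Injection
}

# Constructed: analytics currently deployed -> techniques each one detects.
ANALYTICS = {
    "encoded-powershell": {"T1059"},
    "lsass-access":       {"T1003"},
    "new-scheduled-task": {"T1053"},
}

def rank_data_sources(techniques):
    """Rank data sources by the number of techniques each gives visibility into."""
    counts = Counter(src for srcs in techniques.values() for src in srcs)
    return counts.most_common()

def visible_techniques(techniques, available_sources):
    """Techniques for which at least one required data source is collected."""
    return {t for t, srcs in techniques.items() if srcs & available_sources}

def attack_metrics(techniques, available_sources, analytics):
    """Visibility plus two coverage numbers: detection over ALL techniques
    (the common metric) and over VISIBLE techniques only (the thread's basis)."""
    visible = visible_techniques(techniques, available_sources)
    detected = set().union(*analytics.values()) & set(techniques)
    return {
        "visible": len(visible),
        "coverage_all": len(detected) / len(techniques),
        "coverage_visible": len(detected & visible) / len(visible) if visible else 0.0,
        # Visible but undetected: the gap that analytics work could close today.
        "visible_undetected": sorted(visible - detected),
    }

if __name__ == "__main__":
    print(rank_data_sources(TECHNIQUES))
    print(attack_metrics(TECHNIQUES, {"Process", "Network"}, ANALYTICS))
```

The visible-but-undetected list is the actionable output: those are techniques where only an analytic is missing, not telemetry.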