MITRE ATT&CK Adviser

The MITRE ATT&CK(™) Adviser application is a tool that enables security teams to understand alerts and log sources in their Devo domain, all in the context of the MITRE ATT&CK(™) framework. For alert coverage, the application reads all of the Security Operations' out-of-the-box alerts, custom alerts, and installed alerts, mapping them to the ATT&CK matrix. It also color codes how well-covered each tactic and technique is. The application detects log sources currently being ingested and maps them to the ATT&CK matrix to evaluate data ingestion coverage.  

The application is available via the Devo Exchange for all Devo customers.  

Using the application

1. Select Application → MITRE ATTACK Adviser in the navigation pane. The application main screen is then shown.

2. From there you can view the MITRE ATT&CK matrix either by Alert coverage or Log source coverage.  

Open

Export to PDF

You can export a PDF of your coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.

Open

Coverage scale percentage

Also located in the top-right corner is the coverage scale percentage. This allows you to understand your alert and log source coverage at a glance with a percentage calculation. This percentage varies according to the different filters that are applied.

Alert coverage

For alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color-coded according to the number of techniques that have some alerts installed for them in the Devo domain. The technique tiles are color-coded according to the number of alerts that are installed for that given technique in the Devo domain out of all the alerts that are available for installation. The coverage scale works as follows:

• N/A

• Low

• Medium-low

• Medium-high

• High

You can see the entire MITRE ATT&CK matrix for all techniques that are possible. Not all are valid for signature-based alerts or SIEM technology. The entire matrix helps you to understand the full breadth of attack techniques that threat actors can use for further investigation. 

You can also filter by threat coverage and threat group, the latter lets you select multiple threat groups that the MITRE organization is tracking. By selecting one or more threat groups the matrix is filtered to only the tactic and techniques the selected threat group uses. From there you can assess their MITRE ATT&CK coverage for the specific set of threat groups.

View additional information about tactics or techniques by hovering over the information icons in the matrix.

Sub-techniques

Understand more about the sub-techniques behind techniques and identify areas where your organization might need additional protection. MITRE ATT&CK Techniques outline a particular way to achieve the goal of a tactic and a MITRE ATT&CK Technique might also include sub-techniques. These are particular ways to carry out the activities outlined in the technique. For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four sub-techniques:

• Password guessing

• Password cracking

• Password spraying

• Credential stuffing

All of these sub-techniques are ways to carry out the main technique but take advantage of different mechanisms to do so.

Click on a tactic or technique and understand the detections that are available for their Devo domain. Click on the tactic and technique card and the table at the bottom of the screen updates to show the alerts that are relevant. You can also filter to specific tactics and techniques within the table, as well as use a text search to find specific tactics, techniques, or alert names. 

Install alert

Take action directly from the application to improve coverage of your organization against MITRE ATT&CK by adding an alert installation action to the table. The installation action is allowed for all domains and uses the same mechanism as the SecOps content manager to improve coverage. The alert can be uninstalled at any point.

The application conducts checks for the action, the first being to ensure that the data source is being ingested into the domains. The second verify that the alert that adds to the coverage is a custom alert. If this is the case, the actions are disabled as there is no management API for the alerts. These alerts need to be managed by the end users. Note that when alerts are installed, they should be tuned and refined to the specific organization.

The application now supports alerts being mapped to multiple tactics and techniques. The application pulls and maps them to the matrix, correctly displaying the coverage. Use the MitreAlertsExtendedDefinition lookup to add the additional entries. It is available to download below:

Open

Furthermore, the table at the bottom of the Alert coverage screen shows multiple tactics and techniques by expanding the field within that column for an alert. Viewing the information in the table improves coverage across the matrix.

Log source coverage

Under the Log source coverage page you can assess your coverage against the MITRE ATT&CK matrix based on the log sources you are currently ingesting. The log sources are mapped based on alert definitions in the system, so that if an alert has a “Persistence”  tactic and an “Account Manipulation” technique, the corresponding log sources / Devo table used by the alert is mapped to that tactic and technique in the Log source coverage section of the application.    

Coverage in the Log source coverage page is done by measuring the total number of log sources currently ingesting data compared with the total number of log sources for the current tactic or technique. The coverage scale works as follows:

• N/A

• Low

• Medium-low

• Medium-high

• High

The bottom of the Log Source Coverage screen displays all the available log sources and whether they are ingesting or not. You can view current or new tactics and techniques that would be covered if they were to add specific log sources.