
MITRE ATT&CK Adviser

The MITRE ATT&CK(™) Adviser application is a tool that enables security teams to understand alerts and log sources in their Devo domain, all in the context of the MITRE ATT&CK(™) framework. For alert coverage, the application reads all of the Security Operations' out-of-the-box alerts, custom alerts, and installed alerts, mapping them to the ATT&CK matrix. It also color codes how well-covered each tactic and technique is. The application detects log sources currently being ingested and maps them to the ATT&CK matrix to evaluate data ingestion coverage.  

The application is available via the Devo Exchange for all Devo customers.  

Using the application

  1. Select Application → MITRE ATTACK Adviser in the navigation pane. The application's main screen opens.

  2. From there you can view the MITRE ATT&CK matrix either by alert coverage or log source coverage.  

Alert coverage

For alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color coded according to the number of techniques that have at least one alert installed for them in the Devo domain. The technique tiles are color coded according to the number of alerts installed for that technique in the Devo domain out of all the alerts that are available for installation. The coverage scale has four labels:

  • N/A - for techniques that do not have any alerts in the system today.

  • Low - for tactics and techniques that have none of the available alerts installed.

  • Medium - for tactics and techniques that have some of the available alerts installed.

  • High - for tactics and techniques that have all of the available alerts installed.

You can see the entire MITRE ATT&CK matrix, including every technique. Not all techniques are valid targets for signature-based alerts or for a SIEM technology. Showing the entire matrix helps you understand the full breadth of attack techniques that threat actors can use, so you can investigate them further.

You can also toggle on Threat Group Filters, which lets you select multiple threat groups that the MITRE organization is tracking.  By selecting one or more threat groups the matrix is filtered to only the tactic and techniques the selected threat group uses. From there you can assess their MITRE ATT&CK coverage for the specific set of threat groups.

You can view additional information about tactics or techniques by hovering over the information icons in the matrix.  

You can click on a tactic or technique to see the detections that are available for your Devo domain. When you click a tactic or technique card, the table at the bottom of the screen updates to show the relevant alerts. You can also filter the table to specific tactics and techniques, or use a text search to find specific tactic, technique, or alert names.

The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data Search or Alert Configuration and then add the necessary fields to the lookup for that alert.

Log source

Under the Log Source Summary page you can assess your coverage against the MITRE ATT&CK matrix based on the log sources you are currently ingesting. The log sources are mapped based on the alert definitions in the system: if an alert is tagged with the “Persistence” tactic and the “Account Manipulation” technique, the log sources (Devo tables) used by that alert are mapped to that tactic and technique in the Log Source Coverage section of the application.

Coverage in the Log Source Coverage page is done by measuring the total number of log sources currently ingesting data compared with the total number of log sources for the current tactic or technique. The coverage scale works as follows:

  • N/A - no log sources map to the tactic or technique.

  • Low - None of the log sources are currently ingesting data for that tactic or technique.

  • Medium - Some of the log sources are currently ingesting data for that tactic or technique.

  • High - All of the log sources are currently ingesting data for that tactic or technique.

The bottom of the Log Source Coverage screen displays all the available log sources and whether or not each is ingesting. You can also view which current or new tactics and techniques would be covered if you were to add specific log sources.
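The two coverage scales described above (installed alerts out of available alerts per technique, techniques with at least one installed alert per tactic, and ingesting tables out of all tables read by the mapped alerts) can be reproduced from an alert inventory. The following is an added example, not Devo's or the Adviser's own code: the alert names, tables, and the tuple layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real Devo alert definitions):
# (alert name, tactic, technique, Devo table the alert reads, installed?)
ALERTS = [
    ("Persist-NewLocalUser",  "Persistence",  "Account Manipulation",          "box.win.security",     True),
    ("Persist-IamPolicyEdit", "Persistence",  "Account Manipulation",          "cloud.aws.cloudtrail", False),
    ("Persist-CronInstall",   "Persistence",  "Scheduled Task/Job",            "box.unix.syslog",      False),
    ("Exfil-WebUpload",       "Exfiltration", "Exfiltration Over Web Service", "proxy.zscaler",        True),
]
# Constructed: tables that are currently ingesting data in the domain.
INGESTING = {"box.win.security", "box.unix.syslog"}


def label(covered: int, total: int) -> str:
    """Four-level scale shared by the alert and log-source pages."""
    if total == 0:
        return "N/A"      # nothing available to cover
    if covered == 0:
        return "Low"      # available, but none in place
    return "High" if covered == total else "Medium"


def technique_alert_coverage(alerts):
    """Installed alerts out of all alerts available for each technique."""
    counts = defaultdict(lambda: [0, 0])  # technique -> [installed, available]
    for _, _, technique, _, installed in alerts:
        counts[technique][1] += 1
        counts[technique][0] += int(installed)
    return {t: label(i, n) for t, (i, n) in counts.items()}


def tactic_alert_coverage(alerts):
    """Techniques with at least one installed alert, out of the techniques
    under each tactic that have any alert available."""
    installed_by_tech = defaultdict(dict)  # tactic -> {technique: any installed}
    for _, tactic, technique, _, installed in alerts:
        techs = installed_by_tech[tactic]
        techs[technique] = techs.get(technique, False) or installed
    return {t: label(sum(v.values()), len(v)) for t, v in installed_by_tech.items()}


def log_source_coverage(alerts, ingesting, level="technique"):
    """Ingesting tables out of all tables read by alerts mapped to each
    tactic (level="tactic") or technique (level="technique")."""
    idx = 1 if level == "tactic" else 2
    tables = defaultdict(set)
    for alert in alerts:
        tables[alert[idx]].add(alert[3])
    return {k: label(len(s & ingesting), len(s)) for k, s in tables.items()}
```

With the sample data, "Account Manipulation" rates Medium for alerts (one of two installed) and Medium for log sources (one of two tables ingesting), while "Scheduled Task/Job" rates Low for alerts but High for log sources, which is exactly the kind of gap the two pages are meant to expose.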