Improve your detections with the ATT&CK Framework: Ransomware Edition

Read the first part of my ATT&CK series Read the second part of my ATT&CK series Read the third part of my ATT&CK series Ransomware Today, instead of working based on a supposed activity sector of my company, as I did in my last entry, I’m going to work on the most famous and common threat. Ransomware continues to be the main threat for most companies of all sizes and across all sectors, as multiple reports from CTI companies demonstrate for the last few years. [Read More]
ATT&CK  CTID  soc 

Improve your detections with the ATT&CK Framework Part 3

See part 1 of this series here See part 2 of this series here Prioritizing new detections Today we continue our journey to improve our network detections. The next step is incorporating real-world threat data. Last time, we got an ATT&CK navigator layer where we identified which TTPs we have visibility but no detections. You can see the results with this JSON layer. This is just an example, not based in reality, although I’ve seen similar scenarios in real life :). [Read More]
ATT&CK  CTID  soc 

Using the Top Techniques calculator from CTID

Top ATT&CK Techniques Today I wanted to show a little bit how to use the new tool released by the Center for Threat-Informed Defense the Top ATT&CK Techniques calculator, which can be accessed here. The main purpose of the new project and the calculator is to help determining where to invest our efforts to defend our network. I you followed my series in how to improve detections with the ATT&CK Framework, you are in a perfect position to take advantage of this tool. [Read More]
ATT&CK 

Improve your detections with the ATT&CK Framework Part 2

See part 1 of this series here Visibility Last time we left with our data sources mapped to ATT&CK framework and already can see where we might be missing attacks to our network. Now let’s go a step further and get visibility scored based in our data sources plus our knowledge of the network. For that, we start the docker container for DeTTECT: docker start -i dettect Then we use the data sources file we generated in the first part - you can use my example file from here - to generate the techniques administration file with this command: [Read More]
att&ck  soc 

Improve your detections with the ATT&CK framework

I also want to use the ATT&CK Framework If you want to improve the detections and the effectiveness of your SOC against attacks targeting your organization, the hottest thing right now is the ATT&CK framework and Threat informed defense. However, if you don’t have the resources to hire external consultants to setup this for you, it can be overwhelming for small organizations to get onboard the ATT&CK ship. I’m going to try and ease the process for you, the only prerequisite is that you know your organization, your own network and what you are logging right now. [Read More]
att&ck  soc