MITRE ATT&CK techniques and tactics
KUMA can:
- Enrich correlation events with information about MITRE ATT&CK techniques and tactics.
The Tactic and Technique fields of the event data model are used for this purpose. When a correlation event is generated, these fields can be populated with the relevant technique and tactic data for later use. For example, when a new alert arrives with MITRE ATT&CK markup, you can open the MITRE ATT&CK website and read about the listed techniques and tactics to learn when, how, and why attackers use them, how to detect them, and how to mitigate the risk — all of this helps you develop a response plan. You can also build reports and dashboards based on the alerts and on the techniques detected in the infrastructure. If you are using correlation rules from SOC_package and want to customize the enrichment of correlation events with MITRE ATT&CK technique and tactic information, add the MITRE enrichment rules from SOC_package to the correlator.
- Assess the coverage of the MITRE ATT&CK matrix by your correlation rules.
In this case, the general correlation rule parameters are used, which let you associate MITRE techniques with each rule. This parameter only describes the rule itself; the data is not written to the correlation event or alert in any way. Associating techniques and tactics with correlation rules lets you analyze MITRE ATT&CK matrix coverage, focusing on the techniques most relevant to your specific infrastructure.
If you want to assess the coverage of the MITRE ATT&CK matrix by your correlation rules:
As a result, you can visually assess the coverage of the MITRE ATT&CK matrix.
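The coverage assessment described above, as an added example that is not KUMA's own code: each rule carries the technique IDs associated with it, and the script reports how many techniques of each tactic at least one rule covers and which techniques relevant to the infrastructure remain unannotated. The matrix subset, the rule list and its field names are constructed for the example and do not reflect KUMA's actual rule export format.

```python
from collections import defaultdict

# Constructed subset of the MITRE ATT&CK matrix: technique -> tactics it belongs to.
# The IDs are real, but only a handful of entries are included; a full export of the
# matrix would replace this table in practice.
MATRIX = {
    "T1566": {"TA0001"},                                # Phishing -> Initial Access
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"},  # Valid Accounts
    "T1059": {"TA0002"},                                # Command and Scripting Interpreter
    "T1053": {"TA0002", "TA0003", "TA0004"},            # Scheduled Task/Job
    "T1003": {"TA0006"},                                # OS Credential Dumping
    "T1021": {"TA0008"},                                # Remote Services -> Lateral Movement
    "T1486": {"TA0040"},                                # Data Encrypted for Impact
}

# Constructed correlation rules with the techniques associated with them via the
# general rule parameter described above (field names are assumed, not KUMA's).
RULES = [
    {"name": "Suspicious PowerShell launch", "techniques": ["T1059"]},
    {"name": "LSASS memory access", "techniques": ["T1003"]},
    {"name": "Logon with dormant account", "techniques": ["T1078"]},
    {"name": "Mass file rename", "techniques": []},  # unannotated: adds no coverage
]

def covered_techniques(rules):
    """Map each technique referenced by at least one rule to the names of those rules."""
    coverage = defaultdict(list)
    for rule in rules:
        for tech in rule["techniques"]:
            coverage[tech].append(rule["name"])
    return dict(coverage)

def coverage_by_tactic(rules, matrix):
    """For every tactic in the matrix, return (covered, total) technique counts."""
    covered = covered_techniques(rules)
    totals, hits = defaultdict(int), defaultdict(int)
    for tech, tactics in matrix.items():
        for tactic in tactics:
            totals[tactic] += 1
            if tech in covered:
                hits[tactic] += 1
    return {t: (hits[t], totals[t]) for t in sorted(totals)}

def uncovered_priorities(rules, matrix, relevant):
    """Techniques relevant to this infrastructure that no rule is annotated with."""
    covered = covered_techniques(rules)
    return sorted(t for t in relevant if t in matrix and t not in covered)

if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(RULES, MATRIX).items():
        print(f"{tactic}: {hit}/{total} techniques covered")
    print("Relevant but uncovered:", uncovered_priorities(RULES, MATRIX, {"T1566", "T1059", "T1486"}))
```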