When managing a Security Operation Center (SOC), you will likely be asked how many MITRE ATT&CK tactics and techniques you have covered. At first glance, this might seem straightforward, but the answer is more complex. The MITRE ATT&CK framework is an extensive knowledge base of adversary tactics, techniques, and cyberattack procedures. It provides an incredibly valuable threat detection, response, and mitigation resource.

Linux Matrix (C) 2024 MITRE.ORG
Linux Matrix (C) 2024 mitre.org

However, when you go to the MITRE ATT&CK website, you are confronted with a comprehensive dashboard showcasing all tactics and techniques. More than a dozen tactics and hundreds of techniques are spread across various platforms, and their sheer number can be overwhelming. Not all tactics and techniques in the ATT&CK framework will apply to your specific environment. Several factors determine which subset of the framework is relevant to you, including:

  • Operating Systems: The platform you protect (Windows, Linux, macOS, etc.) can significantly narrow down the techniques. Some techniques are unique to specific operating systems, so filtering based on the operating systems present in your environment will help you focus on what’s truly relevant.
  • Network Infrastructure: The architecture of your organization’s network also plays a key role in defining the applicable tactics and techniques. For instance, certain tactics designed for cloud environments may not be relevant to an on-premise network.
  • Industry and Compliance Requirements: Depending on the industry your organization operates in (e.g., finance, healthcare), some techniques and compliance standards may take precedence over others. Regulatory frameworks often shape which techniques you must focus on.
  • Threat Landscape: The techniques most applicable to your SOC will also depend on the current threat landscape and the specific threats your organization is facing. For instance, if ransomware attacks are a frequent concern, you would likely prioritize detecting techniques related to data encryption and privilege escalation.
Enterprise Matrix (C) 2024 mitre.org
Enterprise Matrix (C) 2024 mitre.org

In an on-premises environment consisting exclusively of Linux systems and network devices, you may encounter challenges when leveraging existing MITRE ATT&CK Enterprise framework dashboards for security monitoring. The problem is that most pre-built dashboards are designed to cover a broad range of operating systems, platforms, and devices. These often include techniques irrelevant to your specific environment, leading to “noise” and unnecessary complexity. In this scenario, you have two common choices:

  1. Separate Dashboards for Linux and Network Devices: Alternatively, you might use two different dashboards, one focused on Linux and another for network devices. However, this means managing and switching between multiple interfaces, which can fragment visibility and increase operational overhead.
  2. Enterprise Dashboard: This option covers a wide array of systems, including Windows, macOS, cloud services, and other platforms that don’t exist in your environment. While comprehensive, it contains numerous tactics and techniques that do not apply to Linux or network devices, creating clutter and making it harder to focus on the most critical issues.

But is this a bad thing?

I utilize two distinct versions of security dashboards tailored for different types of conversations and stakeholders. Each version is optimized for its audience to ensure clarity, relevance, and efficiency during discussions about our security posture.

Limited Version for ISO Conversations:

For discussions with the Information Security Officer (ISO), I rely on a more limited, focused version of the security dashboard. This version is specifically designed to address the particular area or domain of security the ISO is responsible for—such as a specific system (like Linux), network devices, or even a specific business unit’s infrastructure. The objective is to minimize distractions by only showing relevant techniques and tactics that apply to the ISO’s scope. By focusing on this limited version:

  • Precision: The conversation becomes more precise, and we can dive deeper into specific tactics and techniques relevant to their area. We can also discuss fine-tuned detection, response capabilities, and mitigations without being overwhelmed by unnecessary information.
  • Actionable Insights: This version highlights only those techniques that the ISO is actively managing or concerned with, allowing us to have targeted discussions on vulnerabilities, risk mitigations, or operational improvements. It cuts out the noise of techniques that don’t apply to their specific role or the infrastructure they manage.
  • Efficient Conversations: This dashboard’s limited scope helps us focus on actionable insights. It facilitates quicker decision-making and more meaningful collaboration because the information is always immediately relevant to their concerns.

For example, if the ISO is focused on network security, I would only display techniques related to network device vulnerabilities, active scanning, lateral movement through network protocols, and other network-specific concerns. Similarly, if the ISO’s domain is Linux servers, we would focus solely on Linux-related tactics and techniques like privilege escalation or shell execution.

Customized Generic Version for CISO Conversations:

In contrast, I use a more generic dashboard version during discussions with the Chief Information Security Officer (CISO). However, this version isn’t just the out-of-the-box “enterprise” dashboard; it’s a customized version tailored to provide a high-level overview while still being actionable.

To make it manageable, I’ve greyed out techniques that do not apply to our specific environment. This allows the CISO to focus on the big picture—overall security posture, risk exposure, and threat landscape—without getting bogged down by irrelevant details. Here’s how the generic yet customized version enhances CISO conversations:

  • Strategic Focus: The CISO is typically more concerned with strategic oversight and the broader security landscape. By presenting a dashboard where non-applicable techniques are greyed out, we ensure that they only see what’s relevant to our systems and infrastructure, allowing them to assess the organization’s risk profile better.
  • Visual Simplicity: Greying out irrelevant techniques adds a layer of visual clarity. The CISO can immediately differentiate between critical areas for our environment and those that can be deprioritized, making managing enterprise-wide risk more effective.
  • Tailored to Our Environment: Even though this dashboard takes a broader perspective, the customization ensures that it still reflects the realities of our infrastructure. For instance, while a generic enterprise dashboard might include techniques related to Windows or cloud environments, those techniques are visually minimized in this version if they don’t apply to us, ensuring that the focus remains on relevant risks and mitigation strategies.
  • Balanced Depth and Breadth: While this version may cover a broader spectrum of security techniques and tactics, the customization helps balance high-level visibility and relevant operational details. This allows us to maintain a conversation that touches everything from risk trends to more specific operational concerns—without drowning in irrelevant details.

Why Customize Dashboards Based on Stakeholders?

The practice of using two different dashboard versions tailored for different roles (ISO and CISO) enhances communication in several ways:

  1. Audience Relevance: Each stakeholder (ISO or CISO) has a different responsibility and a unique focus area within the organization’s security framework. The dashboard should reflect their needs, allowing them to engage with the information pertinent to their role immediately.
  2. Improved Clarity: By greying out or removing irrelevant information, the dashboards become easier to interpret. When irrelevant details are minimized, both technical and strategic discussions flow more smoothly.
  3. Efficiency in Decision-Making: When the dashboards are tailored to their audience, conversations can move from information gathering to decision-making more quickly. ISOs can act on operational tasks, and the CISO can better allocate resources or adjust strategies based on a clear, concise picture of the organization’s security posture.
  4. Tailored Risk Discussions: The ISO focuses on operational risks in its domain, such as system misconfigurations or patching gaps. The CISO discusses broader organizational risks, such as compliance, overall threat vectors, and strategic risk management. Custom dashboards provide just the right data to drive these nuanced conversations.
  5. Actionable Reporting: At the end of these discussions, ISOs will likely walk away with clear operational tasks. At the same time, the CISO may need to align on high-level security investments or prioritize risk mitigation strategies across the enterprise. Having dashboards that align with these outcomes leads to more productive meetings.

Most SOCs adopt a homebrew version of the MITRE ATT&CK framework because it offers greater flexibility and is easier to integrate into various reporting and monitoring workflows. While the MITRE ATT&CK framework is comprehensive, a customized version tailored to an organization’s specific environment and threat landscape provides more relevant insights. This approach allows SOCs to align the framework with their specific detection capabilities, infrastructure, and security requirements.

Most SIEM platforms today offer powerful features that enable the seamless mapping of SIEM detection rules to MITRE ATT&CK tactics and techniques. These platforms typically allow users to:

  • Select all active SIEM detection rules and map them to corresponding MITRE tactics and techniques.
  • Extract the mapped data to Microsoft Excel, providing a clear overview of the security rules and their coverage in an easy format to manipulate and analyze.

Once the data is extracted into Excel, it can be integrated with the homebrew version of the MITRE ATT&CK framework. This process provides immediate visibility into the following:

  • Which MITRE tactics and techniques are covered by one or more SIEM detection rules.
  • Which tactics and techniques are actively used by adversaries in the environment based on real-time detections and alerts.

This integration enables SOCs to track their detection coverage, identify potential gaps, and ensure their SIEM solution effectively monitors for threats that align with their attack surface.


The Role of Cyber Threat Intelligence in Enhancing MITRE ATT&CK

A well-functioning SOC should also have a Cyber Threat Intelligence (CTI) team working parallel with detection and response efforts. CTI teams provide critical insights into the latest threats, trends, and adversary behaviors, which can be integrated into the homebrew MITRE ATT&CK framework dashboard. When the CTI team’s intelligence is connected to this framework, the SOC can achieve several key objectives:

  1. Track Adversary Tactics and Techniques: By integrating the CTI team’s output into the MITRE ATT&CK dashboard, you gain real-time insights into adversaries’ tactics and techniques against your environment. This allows you to match your defenses directly against current, relevant threats.
  2. Validate Detection Coverage: Ideally, there is a direct overlap between the MITRE tactics and techniques that your SIEM solution and security controls cover and the tactics and techniques that adversaries are actively using. However, threat actors are constantly evolving, and it is common to find that adversaries may employ tactics or techniques that your current security measures are not fully addressing. When this happens, the SOC must:
  • Implement additional security controls or modify existing ones.
  • Develop new SIEM use cases to detect techniques relevant to the evolving threat landscape that are not currently covered.

This alignment between CTI and MITRE ATT&CK enables a more agile and responsive security posture, where defensive strategies evolve alongside adversary behavior. Even if the SOC achieves 100% coverage of all MITRE techniques currently used by adversaries, this does not guarantee complete security. Attackers continually evolve their methods, often finding new ways to evade detection or exploit vulnerabilities faster than organizations can adapt their defenses. Therefore, it is critical to:

  1. Periodically review the effectiveness of the security controls and SIEM use cases mapped to specific MITRE techniques. The key is to ensure that these controls continue providing the expected detection and protection level.
  2. Validate the effectiveness of SIEM detection rules and other security controls through continuous testing. For example, red teaming, penetration testing, or automated breach and attack simulation can help simulate real-world adversary behavior to ensure your defenses can detect and respond to the latest tactics.
  3. Monitor evolving threats: Regularly update the homebrew MITRE ATT&CK framework with the latest intelligence from internal incident response data and external threat reports. Staying ahead of adversaries requires frequent updates to SIEM use cases, detection logic, and security controls as new techniques emerge.

Even with comprehensive coverage of MITRE tactics and techniques, being ahead of adversaries requires continuous improvement. Cybercriminals evolve rapidly, often leveraging new vulnerabilities or adapting their techniques to evade detection.