7 Steps of the MITRE ATT&CK®-based Analytics Development Method

November 11, 2020 by Howard Poston

What is the MITRE ATT&CK®-based analytics development method?

The MITRE ATT&CK-based analytics development method is a process of using red and blue team engagements to develop and improve the analytics used to detect attacks against the network.  This seven-step method walks through the complete process of developing, testing, and evaluating analytics.

Step 1: Identify Behaviors

The MITRE ATT&CK framework details a number of different techniques that an attacker can use to achieve several different goals.  When using the MITRE ATT&CK framework to detect a potential intrusion, it is necessary to narrow the scope to the techniques whose detection is most likely to reveal an attacker, since no organization can build and maintain analytics for every technique at once.

To do this, MITRE suggests asking the following questions:

  • What behaviors are most common?
  • What behaviors have the most adverse impact?
  • For what behaviors is data readily available?
  • Which behaviors are most likely to indicate malicious behavior?

By answering these questions, the analyst can identify the techniques that are most likely to help them detect a real attack and threat to the target.

Step 2: Acquire Data

Most organizations collect some level of security data as part of their regular operations.  This data is fed into security information and event management (SIEM) and other data analytics tools to help identify potential threats to the network.

However, collecting data doesn’t mean that the analyst has direct access to the data or that the right data has been collected to identify a particular technique.  At this point, steps should be taken to start collection of any required data that is not currently being collected (if possible).  This may include both network and endpoint data.

Step 3: Develop Analytics

After an analyst has collected the required data, they need a means of processing it to extract usable intelligence.  For this, they need to develop analytics that should be run against the data.

MITRE describes four types of analytics:

  • Behavioral: Behavioral analytics are designed to detect the use of a specific technique as detailed in the MITRE ATT&CK framework.
  • Situational Awareness: These analytics are designed to provide general information regarding the state of the network.  They include tracking login attempts, monitoring system health, etc.
  • Anomaly/Other: Anomaly analytics are intended to identify unusual – but not necessarily malicious – events on the network, such as the execution of a program that has never been seen before.
  • Forensic: Forensic analytics are designed to support forensic investigations.  For example, this may include identifying a list of compromised users if an investigator detects credential dumping malware on the network.

Step 4: Develop an Adversary Emulation Scenario

Organizations can undergo security assessments for a variety of different purposes.  In most cases, it is infeasible to test every potential attack vector, type of adversary, etc.

During this stage of the process, the rules of engagement are laid out.  This includes:

  • Sensor/analytic and defensive capabilities to be tested
  • Common adversary behavior to be used
  • Rough plan with sequences of actions suggested to verify defensive capabilities
  • System, network, or other resources needed for the cyber game/test

The goal of this scenario is to provide a framework in which the red and blue teams can operate.  It defines the overall goals and plan for the exercise but also leaves room for flexibility and adaptation if needed.

Step 5: Emulate Threat

At this point in the process, the exercise is ready to begin.  Based upon the scenarios and framework laid out in the previous step, the red team begins their assessment of the security of the system under test.

Step 6: Investigate Attack

The overall objective of a cybersecurity assessment is to determine the effectiveness of an organization’s defenses.  After the red team performs the attack, the blue team attempts to determine what the red team is doing.  MITRE suggests the use of asynchronous operations so that the red team’s attack is not inhibited by the defenders and to better emulate a real-world scenario (where defenders may not know an attack is occurring until after the fact).

This stage of the process uses the analytics developed earlier.  Ideally, the behavioral analytics should be capable of detecting the attacker activity and narrowing down the list of potentially compromised machines.  From there, the other analytics should enable the blue team to identify and scope the malicious activity.

Step 7: Evaluate Performance

After the exercise is complete, the red and blue teams should perform a debrief and retrospective.  Based upon both teams’ experience, they can identify what did and did not work and how the network defenses can be improved for the future.
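As an added example that is not part of the original article, the following Python script sketches what Step 3 (the four kinds of analytics) and Step 7 (evaluating them against the red team's own record of the exercise) look like in code. The endpoint events, host and user names, the "unseen_tool.exe" image, the baseline of known programs, and the red team ground truth are all constructed for this illustration; the mapping of the failed-then-successful-logon pattern to an ATT&CK technique is an assumption, since the article names no specific technique.

```python
"""Toy analytics pipeline (added example, not from the article): run the four
analytic types MITRE describes over a constructed endpoint event log, then
score the behavioral analytic against the red team's ground truth."""
from collections import Counter

# Constructed endpoint events in timestamp order (hypothetical hosts/users).
EVENTS = [
    {"ts": 1, "host": "ws01", "user": "alice", "type": "process", "image": "outlook.exe"},
    {"ts": 2, "host": "ws01", "user": "alice", "type": "logon", "ok": True},
    {"ts": 3, "host": "srv02", "user": "bob", "type": "logon", "ok": False},
    {"ts": 4, "host": "srv02", "user": "bob", "type": "logon", "ok": False},
    {"ts": 5, "host": "srv02", "user": "bob", "type": "logon", "ok": False},
    {"ts": 6, "host": "srv02", "user": "bob", "type": "logon", "ok": True},
    {"ts": 7, "host": "srv02", "user": "bob", "type": "process", "image": "unseen_tool.exe"},
    {"ts": 8, "host": "srv02", "user": "carol", "type": "logon", "ok": True},
    {"ts": 9, "host": "ws03", "user": "dave", "type": "logon", "ok": False},
    {"ts": 10, "host": "ws03", "user": "dave", "type": "logon", "ok": True},
]

# Constructed baseline: program images observed during a prior quiet period.
KNOWN_IMAGES = {"outlook.exe", "explorer.exe", "winword.exe"}


def behavioral_failed_then_success(events, threshold=3):
    """Behavioral analytic: flag a (host, user) pair when `threshold` or more
    failed logons are immediately followed by a successful one.  Assumed to
    map to an ATT&CK credential-guessing technique (assumption, not from the
    article)."""
    fails = Counter()
    hits = []
    for e in events:
        if e["type"] != "logon":
            continue
        key = (e["host"], e["user"])
        if not e["ok"]:
            fails[key] += 1
            continue
        if fails[key] >= threshold:
            hits.append({"host": e["host"], "user": e["user"], "ts": e["ts"]})
        fails[key] = 0  # a success resets the streak for that account
    return hits


def situational_logons_per_host(events):
    """Situational awareness analytic: logon attempt volume per host."""
    return Counter(e["host"] for e in events if e["type"] == "logon")


def anomaly_new_images(events, known):
    """Anomaly analytic: executions of program images absent from the baseline."""
    return [e for e in events if e["type"] == "process" and e["image"] not in known]


def forensic_users_on_host(events, host):
    """Forensic analytic: users who logged on successfully to a host that the
    investigator now believes is compromised (candidates for credential reset)."""
    return sorted({e["user"] for e in events
                   if e["type"] == "logon" and e["ok"] and e["host"] == host})


# Step 7 input, constructed: what the red team reports it actually did.  The
# second action used only one failed attempt, so it sits below the threshold.
RED_TEAM_ACTIONS = [
    {"host": "srv02", "user": "bob", "action": "guess_logon"},
    {"host": "ws03", "user": "dave", "action": "guess_logon"},
]


def evaluate(detections, truth):
    """Compare analytic hits with red team ground truth keyed by (host, user)."""
    detected = {(d["host"], d["user"]) for d in detections}
    actual = {(a["host"], a["user"]) for a in truth}
    tp = detected & actual
    return {
        "true_positives": len(tp),
        "false_positives": len(detected - actual),
        "missed": sorted(actual - detected),
        "coverage": len(tp) / len(actual) if actual else 1.0,
    }


if __name__ == "__main__":
    hits = behavioral_failed_then_success(EVENTS)
    print("behavioral hits:", hits)
    print("logons per host:", dict(situational_logons_per_host(EVENTS)))
    print("never-seen images:", [e["image"] for e in anomaly_new_images(EVENTS, KNOWN_IMAGES)])
    print("users on srv02:", forensic_users_on_host(EVENTS, "srv02"))
    print("debrief scorecard:", evaluate(hits, RED_TEAM_ACTIONS))
```

The scorecard is what the Step 7 retrospective reasons about: here the behavioral analytic catches one of the two emulated actions, so the debrief would discuss whether the threshold of three failures is too high for the network, or whether a different data source is needed, before the next iteration of the method.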

Developing Analytics with MITRE ATT&CK

The MITRE ATT&CK-based analytics development method is designed to support an organization’s efforts to use MITRE ATT&CK for their cyber defense.  By following this model, an organization can develop and test analytics based on MITRE ATT&CK techniques through repeated red and blue team engagements of the kind described above.


Howard Poston

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.