In the hope of preventing a breach, companies deploy various detectors: from border security (firewall, proxies, …) to endpoint protection (EDR, antivirus, …). And, potentially, centralize all these events in a SIEM to correlate and implement Use Cases.
So many solutions and vendors, but yet some questions remain: how well (or not) is your detection against the most common attack vectors for your business sector? Are you able to detect attackers’ activity once they breached your infrastructure? Do you have overlapping sensors?
This article presents a framework, Mitre Att&ck (Adversarial Tactics Techniques & Common Knowledge), which becomes more and more popular and attempts to address the above questions. We will first, remind the existing methods and detail how Mitre Att&ck contributes to improving the understanding of an attack. We will then describe the various objectives achievable with this, as well as the requirements to get the most of it. Lastly, we will consider the interface developed by Mitre to fulfil the objectives efficiently.