Cyber Security

How does the MITRE ATT&CK framework help in building a proactive threat hunting strategy?

PA Asked by Parker Campbell · 18-11-2024
0 upvotes 17,942 views 0 comments
The question

We want to stop being reactive and start "hunting" for APTs in our network. Everyone mentions the MITRE ATT&CK framework as the blueprint for this. How do we actually translate those theoretical techniques into a weekly hunting schedule? Should we focus on one specific tactic per week, like "Privilege Escalation," or is there a better way to prioritize which techniques to hunt for first?

3 answers

0
LO
Answered on 19-11-2024

You should also check out the "Atomic Red Team" project. It lets you run small tests for each MITRE technique to see if your logs actually catch them.

RE 21-11-2024

I agree with Logan. Testing your detections with Atomic Red Team is the best way to prove that your hunting queries actually work

0
RE
Answered on 20-11-2024

Don't try to boil the ocean. Start with a "Gap Analysis" by mapping your existing log sources to the ATT&CK matrix. If you don't have logs for a specific technique, you can't hunt for it. Once mapped, prioritize by "Likelihood vs Impact." For most, focusing on the "Initial Access" and "Persistence" tactics provides the best ROI. A great weekly cadence is to pick one sub-technique—like "Scheduled Tasks" or "Process Injection"—research how it looks in your environment, and then write a query to find all instances that don't match your known-good baseline. This iterative approach builds your detection library over time.

0
SA
Answered on 22-11-2024

Have you used the "ATT&CK Navigator" tool to visualize which groups are known to target your specific industry, such as finance or healthcare?

PA 24-11-2024

Samuel, I hadn't used the Navigator before you mentioned it—it's incredibly helpful for filtering out the noise! Rebecca, your "Gap Analysis" advice is what we were missing. We were trying to hunt for things we weren't even logging. We’ve decided to spend the next two weeks purely on "Persistence" techniques because we realized our logging of Registry changes was nearly zero. Once we fix the telemetry, we’ll start our weekly hunts. It feels much more scientific now than just "looking for weird stuff."

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session