Enables enterprises to operationalize MITRE ATT&CK and build a multi-layered, threat-informed defense to eliminate gaps based on organizational risk and priorities
CardinalOps, the detection posture management company, today announced a new approach for measuring detection posture and identifying gaps using the MITRE ATT&CK framework.
As the standard framework for understanding adversary playbooks and behavior, MITRE ATT&CK now describes more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and LAPSUS$.
According to ESG research, 89% of organizations currently use MITRE ATT&CK to reduce risk for security operations use cases such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary tactics, techniques, and procedures (TTPs).
Why a New Coverage Metric is Required
Traditional MITRE ATT&CK coverage metrics and heat maps are too simplistic because they only add up the total number of detections aligned to a given technique – without measuring how much of the attack surface in your infrastructure is actually covered by all your detections.
Developed by CardinalOps, MITRE ATT&CK Security Layers dramatically extends the concept of ATT&CK coverage by measuring the “depth” of detection coverage for the first time. It does this by mapping each detection to a specific security layer – such as endpoint, network, email, cloud, containers, and IAM – and then enumerating the number of distinct layers covered for a given technique.
This enables SecOps teams to ensure they have “detection-in-depth” at multiple layers for the techniques that matter most to them.
Additionally, Security Layers enable organizations to link their coverage to desired business outcomes by immediately identifying blind spots related to crown-jewel assets such as their most sensitive applications and data. It also reveals missing telemetry and data sources that can be incorporated into their detection strategy to increase depth of coverage.
Coverage tracking using Security Layers is built into the CardinalOps automation platform, which continuously audits the rule set of existing SIEM/XDRs and groups them into their respective layers for each ATT&CK technique. The platform integrates natively with major SIEMs including Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, and Sumo Logic.
“Security layers add context and detail to the MITRE ATT&CK framework and associated detection rules,” said Jon Oltsik, distinguished analyst and fellow at the Enterprise Strategy Group. “In this way, CardinalOps can help organizations further focus their attention on detecting the tactics, techniques, and procedures (TTPs) of adversaries most likely to target their organizations. This can help reinforce security defenses in critical areas – especially for understaffed organizations lacking advanced cybersecurity skills and resources.”
CardinalOps has contributed to the MITRE ATT&CK community in the past by providing new sub-techniques that were subsequently incorporated into the standard ATT&CK framework.
How Automation Helps Operationalize MITRE ATT&CK
Until recently, many organizations have struggled with operationalizing MITRE ATT&CK in their day-to-day operations because they had to rely on manual approaches like spreadsheets and open source tools to measure their coverage and identify blind spots.
Using automation and specialized analytics, the CardinalOps platform helps organizations continuously measure and visualize their detection posture using MITRE ATT&CK Security Layers. Coverage can be filtered based on organizational priorities such as Security Layers as well as by other key risk parameters such as APT groups or specific Tactics and Techniques.
The platform further helps eliminate coverage gaps by providing high-fidelity detections and recommendations to address missing, broken, and noisy detections.
“SecOps teams are looking for a more precise and holistic approach to measure their MITRE ATT&CK detection posture and identify gaps based on organizational priorities and desired business outcomes,” said Michael Mumcuoglu, CEO and co-founder of CardinalOps. “We’re proud to be helping the ATT&CK community find new and innovative ways to ensure organizations always have the right detections in place to defend against their most relevant adversaries.”