This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MITRE ATT&CK® Coverage Breakdown for RSA Netwitness Threat Content

RajasSave
Respected Contributor Respected Contributor
Respected Contributor
‎2021-07-19 09:49 AM

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™. This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified. For example, two new tactics and seventeen new techniques were added recently with bunch of sub-techniques to improve overall coverage. This matrix is helpful in validation of defenses already in place and designing new security measures.

For detailed information about MITRE ATT&CK® techniques covered in this blog refer Techniques - Enterprise | MITRE ATT&CK

From initial days of MITRE ATT&CK® framework, RSA Netwitness’ research and threat content development teams have been actively involved in mapping RSA’s Threat Content with appropriate MITRE ATT&CK® Tactics and Techniques. These are some observations and statistics around MITRE ATT&CK® and its coverage for RSA NetWitness’ Threat Content.

The attached spreadsheet, ‘MITRE ATT&CK® Techniques – RSA Netwitness Threat Content Mapping’, documents all MITRE ATT&CK® Tactics and Techniques covered by RSA Netwitness’ Threat Content. We have enriched this information with Application Rules, Event Stream Analysis (ESA), and Packet parsers, currently mapped to these Techniques and Sub-Techniques with some additional information.

All the Threat Content mentioned in this spreadsheet is available to deploy via RSA Live for all RSA Netwitness customers. These MITRE ATT&CK® meta keys can be populated using latest Investigation feed. For detailed configuration refer RSA Threat Content mapping with MITRE ATT&CK™

Moving forward we can map our other detection capabilities with ATT&CK™ matrix. This will help to give us a consolidated picture of our complete defense system and thus we can quantify and monitor the evolution of our detection capabilities.

For previous mappings with ATT&CK™ matrix, refer RSA Threat Content mapping with MITRE ATT&CK™

Other useful posts around MITRE ATT&CK® from RSA:

Thanks to @DarrenMccutchen and @Anonymous for ‌their valuable contributions.

 

References:

Preview file
40 KB
© 2022 RSA Security LLC or its affiliates. All rights reserved.