NetWitness Community

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™. This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified. For example, two new tactics and seventeen new techniques were added recently with bunch of sub-techniques to improve overall coverage. This matrix is helpful in validation of defenses already in place and designing new security measures.

For detailed information about MITRE ATT&CK® techniques covered in this blog refer Techniques - Enterprise | MITRE ATT&CK

From initial days of MITRE ATT&CK® framework, RSA Netwitness’ research and threat content development teams have been actively involved in mapping RSA’s Threat Content with appropriate MITRE ATT&CK® Tactics and Techniques. These are some observations and statistics around MITRE ATT&CK® and its coverage for RSA NetWitness’ Threat Content.

The attached spreadsheet, ‘MITRE ATT&CK® Techniques – RSA Netwitness Threat Content Mapping’, documents all MITRE ATT&CK® Tactics and Techniques covered by RSA Netwitness’ Threat Content. We have enriched this information with Application Rules, Event Stream Analysis (ESA), and Packet parsers, currently mapped to these Techniques and Sub-Techniques with some additional information.

All the Threat Content mentioned in this spreadsheet is available to deploy via RSA Live for all RSA Netwitness customers. These MITRE ATT&CK® meta keys can be populated using latest Investigation feed. For detailed configuration refer RSA Threat Content mapping with MITRE ATT&CK™

Moving forward we can map our other detection capabilities with ATT&CK™ matrix. This will help to give us a consolidated picture of our complete defense system and thus we can quantify and monitor the evolution of our detection capabilities.

For previous mappings with ATT&CK™ matrix, refer RSA Threat Content mapping with MITRE ATT&CK™

Other useful posts around MITRE ATT&CK® from RSA:

• FireEye Breach
• APT Emulation Using CALDERA
• The Hunt for Web Attacks
• UEBA Essentials Hunting Guide
• Endpoint Content

Thanks to @DarrenMccutchen and @AmitRotem for ‌their valuable contributions.

References:

• MITRE ATT&CK