MITRE ATT&CK® Coverage Breakdown for RSA Netwitness Threat Content

RajasSave
Respected Contributor
2021-07-19 09:49 AM

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for Enterprise is a framework that describes adversarial actions, or tactics, from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and macOS™. This community-enriched model adds the techniques used to realize each tactic. These techniques are not exhaustive; the community adds them as they are observed and verified. For example, two new tactics and seventeen new techniques, together with a number of sub-techniques, were added recently to improve overall coverage. The matrix is helpful for validating defenses already in place and for designing new security measures.

For detailed information about the MITRE ATT&CK® techniques covered in this blog, refer to Techniques - Enterprise | MITRE ATT&CK.

From the initial days of the MITRE ATT&CK® framework, RSA NetWitness’ research and threat content development teams have been actively involved in mapping RSA’s Threat Content to the appropriate MITRE ATT&CK® Tactics and Techniques. Below are some observations and statistics around MITRE ATT&CK® and its coverage by RSA NetWitness’ Threat Content.

The attached spreadsheet, ‘MITRE ATT&CK® Techniques – RSA Netwitness Threat Content Mapping’, documents all MITRE ATT&CK® Tactics and Techniques covered by RSA NetWitness’ Threat Content. We have enriched this information with the Application Rules, Event Stream Analysis (ESA) rules, and Packet parsers currently mapped to these Techniques and Sub-Techniques, along with some additional information.

All the Threat Content mentioned in this spreadsheet is available to deploy via RSA Live for all RSA NetWitness customers. The MITRE ATT&CK® meta keys can be populated using the latest Investigation feed. For detailed configuration, refer to RSA Threat Content mapping with MITRE ATT&CK™.

Moving forward, we can map our other detection capabilities to the ATT&CK™ matrix as well. This will give us a consolidated picture of our complete defense system, so that we can quantify our detection coverage and monitor how it evolves over time.
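As an added illustration (not the attached spreadsheet or any NetWitness code), the following Python computes the per-tactic coverage breakdown described above from a constructed mapping in the spreadsheet's shape. The technique IDs are real ATT&CK IDs; the content names and the reduced matrix used as the denominator are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows in the shape of the mapping spreadsheet:
# content name, content type, ATT&CK technique ID, tactic. Illustrative only.
MAPPING_CSV = """content,type,technique,tactic
Phishing Attachment Detected,Application Rule,T1566,Initial Access
PowerShell Encoded Command,Application Rule,T1059,Execution
Registry Run Key Persistence,ESA Rule,T1547,Persistence
LSASS Memory Access,ESA Rule,T1003,Credential Access
HTTP Beaconing,Packet Parser,T1071,Command and Control
Valid Account Logon Anomaly,ESA Rule,T1078,Defense Evasion
"""

# Constructed subset of the Enterprise matrix used as the coverage denominator.
# A real run would load the full technique list from MITRE's STIX export.
# Note T1078 (Valid Accounts) appears under several tactics, as in ATT&CK.
MATRIX = {
    "Initial Access": {"T1566", "T1190", "T1078"},
    "Execution": {"T1059", "T1204"},
    "Persistence": {"T1547", "T1053", "T1078"},
    "Defense Evasion": {"T1078", "T1036"},
    "Credential Access": {"T1003", "T1110"},
    "Command and Control": {"T1071", "T1105"},
}

def load_mapping(text):
    return list(csv.DictReader(StringIO(text)))

def covered_techniques(rows):
    """Technique IDs that at least one piece of content maps to."""
    return {r["technique"] for r in rows}

def coverage_by_tactic(rows, matrix=MATRIX):
    """Per tactic: (covered count, total count, sorted uncovered IDs).
    A technique covered under one tactic counts wherever the matrix lists it."""
    covered = covered_techniques(rows)
    return {t: (len(techs & covered), len(techs), sorted(techs - covered))
            for t, techs in matrix.items()}

def content_per_type(rows):
    """How many mapped items come from App Rules, ESA rules and parsers."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["type"]] += 1
    return dict(counts)

if __name__ == "__main__":
    rows = load_mapping(MAPPING_CSV)
    for tactic, (hit, total, gaps) in coverage_by_tactic(rows).items():
        print(f"{tactic:20s} {hit}/{total} covered; gaps: {', '.join(gaps) or 'none'}")
    print(content_per_type(rows))
```

The gap lists are the actionable output: they are the techniques per tactic for which no rule or parser is mapped yet.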

For previous mappings to the ATT&CK™ matrix, refer to RSA Threat Content mapping with MITRE ATT&CK™.

Other useful posts around MITRE ATT&CK® from RSA:

  • FireEye Breach
  • APT Emulation Using CALDERA
  • The Hunt for Web Attacks
  • UEBA Essentials Hunting Guide
  • Endpoint Content

Thanks to @DarrenMccutchen and @AmitRotem for their valuable contributions.


References:

  • MITRE ATT&CK
© 2022 RSA Security LLC or its affiliates. All rights reserved.