Conducting ATT&CK Assessments Based on APTs and Client Business Sectors.

h4rd1n
Feb 10, 2025


I’ve been working with MITRE ATT&CK since the beginning of my cybersecurity career, and over the past four years, I’ve faced challenges in defining and prioritizing which threats to detect first across a diverse range of customers and business sectors.
In the meantime, I've earned some certifications related to ATT&CK.

I brought this knowledge to my company and started mapping our SIEM use cases to ATT&CK in order to answer two questions: What do we detect? What do we need to improve?

This article is based on real SOC experience and describes how we delivered intelligence-based detections over the years.

By the end of this article, you’ll be able to make threat-informed decisions on which TTPs to prioritize, helping you determine where to allocate your Detection Engineering team, resources and time.

Creating industry-specific ATT&CK Navigator layers.

First of all, you need to map your customers to specific industries and business sectors. In this example we'll use a fictitious company that provides smart devices (hardware and software) for the electric car industry.

To get started, go to ATT&CK Navigator and create a new layer and select the matrix you want (Enterprise in this case).

We use the option “search and multiselect” from the control bar to search for industry specific actors.

For this illustration that mapping step is not needed, since the company is fictitious. In a real engagement, however, I recommend meeting with your clients at this stage and aligning every service they provide with a business sector. The analyst's view of a client's business matters, but the stakeholder's own insight is indispensable.

Treating the example company as belonging only to the manufacturing sector, we search for threat groups related to the manufacturing industry, which returned 16 matching groups.

At times, a particular malware is especially significant for a specific industry, even if it is likely associated with one or more already identified groups. However, I prefer to start with a broader set of matches and refine them later.

For this step, I recommend having a dedicated Threat Intelligence team ready to analyze these groups, ensuring a more precise approach. I will focus on APT18 to have a cleaner and faster result.

Select APT18, paint it with the color you want and assign a score to the selected techniques.

The APT18 selection gave me the following result:

Now repeat the process for another Threat Actor within the same business sector. As I mentioned before, we have 16 options for your CTI to analyze, but we’ll stick to APT18, LAPSUS$ and Fox Kitten.

  1. Create a new layer based on the same matrix.
  2. Search for a different threat actor, select its TTPs and paint them with the color you want.
  3. Assign each layer a different score (1 to 3 in my case).

Creating a new layer from existing layers.

In the "Create Layer from other layers" dialog, Navigator automatically assigns a variable (a, b, c, ...) to each open layer. The score expression is evaluated with Math.js, so you can combine the layers with expressions such as a + b + c; the operator reference is at https://mathjs.org/docs/expressions/syntax.html#operators.

Heatmap Result:

Some techniques are highlighted in green, indicating a higher score because they are used by all three threat actors we selected for the manufacturing sector.

  1. A higher score for a TTP means it is used by multiple threat actors.
  2. A lower score means it is used by fewer of them.
  3. TTPs without a score have no documented use by the selected actors in ATT&CK. That is not the same as never being used: ATT&CK only records what has been reported and attributed, and its group-to-technique mappings are not scoped to the victim sector.
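The two steps above (one layer per actor, then a merged layer whose score is the sum of the per-layer scores) can be reproduced outside Navigator from the ATT&CK STIX data. The script below is an added example, not tooling from the article or from MITRE. Its STIX bundle is constructed, with hypothetical groups (Group A to Group D) and only the fields the script reads; the layer version strings and the hex colours are assumptions. It mirrors the Navigator "search & multiselect" step by searching intrusion-set descriptions for the sector keyword, follows the "uses" relationships to technique IDs, builds one layer per group and merges them exactly as the expression a + b + c would, emitting a layer you can open in Navigator:

```python
"""Build per-actor ATT&CK Navigator layers from a STIX bundle and merge them
into a sector heatmap.  Added example, not the article's own tooling.

The bundle below is CONSTRUCTED (hypothetical groups Group A..D); load a real
enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data
into BUNDLE to run it for real.
"""
import json
import re


def _ap(uid, tid):
    """Minimal attack-pattern object carrying only the ATT&CK technique ID."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{uid}",
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


def _uses(group, uid):
    """Minimal 'uses' relationship from a group to an attack pattern."""
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": f"intrusion-set--{group}", "target_ref": f"attack-pattern--{uid}"}


# Constructed mini STIX bundle: only the fields this script reads are present.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a", "name": "Group A",
     "description": "Espionage against manufacturing and automotive suppliers."},
    {"type": "intrusion-set", "id": "intrusion-set--b", "name": "Group B",
     "description": "Extortion crew that has hit several manufacturing firms."},
    {"type": "intrusion-set", "id": "intrusion-set--c", "name": "Group C",
     "description": "Targets manufacturing and energy organisations."},
    {"type": "intrusion-set", "id": "intrusion-set--d", "name": "Group D",
     "description": "Financially motivated, focused on retail."},
    _ap("1", "T1566"), _ap("2", "T1059"), _ap("3", "T1078"),
    _ap("4", "T1105"), _ap("5", "T1021"),
    _uses("a", "1"), _uses("a", "2"),
    _uses("b", "1"), _uses("b", "3"),
    _uses("c", "1"), _uses("c", "2"), _uses("c", "4"),
    _uses("d", "5"),
]}


def find_groups(bundle, keyword):
    """Intrusion sets whose description mentions `keyword`: the programmatic
    equivalent of Navigator's 'search & multiselect' text search."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return [o for o in bundle["objects"]
            if o["type"] == "intrusion-set" and pat.search(o.get("description", ""))]


def techniques_used_by(bundle, group_id):
    """Follow 'uses' relationships from a group to its sorted ATT&CK technique IDs."""
    tid_of = {o["id"]: next(r["external_id"] for r in o["external_references"]
                            if r["source_name"] == "mitre-attack")
              for o in bundle["objects"] if o["type"] == "attack-pattern"}
    return sorted({tid_of[r["target_ref"]] for r in bundle["objects"]
                   if r["type"] == "relationship" and r["relationship_type"] == "uses"
                   and r["source_ref"] == group_id and r["target_ref"] in tid_of})


def make_layer(name, technique_ids, score, color=""):
    """One Navigator layer giving every listed technique the same score.
    The version strings are assumptions; set them to your Navigator/ATT&CK release."""
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
            "techniques": [{"techniqueID": t, "score": score, "color": color,
                            "enabled": True} for t in technique_ids]}


def merge_layers(layers, name):
    """Equivalent of 'Create Layer from other layers' with the expression
    a + b + c: a technique absent from a layer contributes 0, and techniques
    absent from every layer do not appear at all."""
    totals = {}
    for layer in layers:
        for t in layer["techniques"]:
            totals[t["techniqueID"]] = totals.get(t["techniqueID"], 0) + t["score"]
    merged = make_layer(name, [], 0)
    merged["techniques"] = [{"techniqueID": tid, "score": s, "enabled": True}
                            for tid, s in sorted(totals.items())]
    # Light yellow -> orange -> green, the palette recommended in the article
    # (the hex values are assumed); maxValue is the best possible total.
    merged["gradient"] = {"colors": ["#ffffb3", "#fd8d3c", "#1a9641"], "minValue": 1,
                          "maxValue": sum(max((t["score"] for t in l["techniques"]),
                                              default=0) for l in layers)}
    return merged


def actors_from_score(score, layer_names):
    """Decode a merged score back into the actors behind it; valid only for the
    binary weights (1, 2, 4, ...) that build_heatmap assigns."""
    return [n for i, n in enumerate(layer_names) if score & (1 << i)]


def build_heatmap(bundle, sector):
    """Search groups by sector, build one layer per group, merge into a heatmap."""
    groups = find_groups(bundle, sector)
    # Binary weights instead of 1..3 so that every combination of actors gives a
    # unique total (with 1, 2, 3 a score of 3 could mean c alone or a + b).
    layers = [make_layer(g["name"], techniques_used_by(bundle, g["id"]), 1 << i)
              for i, g in enumerate(groups)]
    return merge_layers(layers, f"{sector} heatmap")


if __name__ == "__main__":
    # Paste the output into Navigator via "Open Existing Layer" to see the heatmap.
    print(json.dumps(build_heatmap(BUNDLE, "manufacturing"), indent=2))
```

With the constructed bundle, T1566 (used by all three manufacturing groups) scores 7, T1059 scores 5, T1105 scores 4 and T1078 scores 2, while T1021 (used only by the retail-focused Group D) is absent from the merged layer. The same result is obtained in Navigator by scoring the three layers 1, 2 and 4 and using the expression a + b + c; the binary weights let actors_from_score() tell you which actors a given cell represents, which the 1-to-3 scheme cannot do unambiguously. Keep in mind that the "uses" relationships in ATT&CK are not tied to a victim sector, so the heatmap shows everything documented for those groups, not only what they did against manufacturing targets.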

This is the default gradient configuration, and it may not suit your needs. You can customize the gradient by clicking the “color palette” icon in the “layer controls” section of the navigation bar. Choose from a preset or create a new color gradient to match your preferences.

I never recommend using red for any technique. When the heatmap is turned into a report it is usually presented to management, who generally dislike seeing red in reports. By default, red is assigned to low scores, and since low-scoring TTPs are the most numerous, the result would be a report dominated by red tones.

My personal preference for color grading is:

  • Light Yellow for lower scores (higher number of TTPs and thus low priority)
  • Orange tones for medium scores (medium priorities)
  • Green for higher scores (your top detection priorities)

I hope this article has helped you understand how the ATT&CK Navigator can assist in defining a SOC monitoring strategy based on Threat Intelligence.

It’s important to highlight some key points about this approach:

  • This is a brief overview of a project that involved months of study. If applied to your organization, it will require dedication, time, and process organization.
  • This is an assessment exercise that should be conducted periodically within your organization. In my case, similar approaches have been carried out for years with our clients, which makes it even more valuable, yet intensive.
  • Don’t rely solely on MITRE ATT&CK, as the framework only shows what has already occurred and is documented. Search for TTPs in the wild.
  • Try to incorporate specific TTPs and align the strategy with your clients’ business needs for greater customization and value delivery.
