Security Operations Gap Analysis with MITRE ATT&CK

The MITRE ATT&CK framework is rapidly growing in popularity among security leaders for many reasons. Among the numerous applications of ATT&CK, many companies are using ATT&CK to identify gaps in their security and what they have covered with their existing tools.

For those who are unfamiliar with the ATT&CK framework, it is a matrix of hundreds of cyber attack techniques, divided into 12 “tactics”, which represent the steps an adversary is likely to take in the course of an attack. The techniques and tactics are based on thousands of real-world incidents that MITRE has studied.

Attention SOC operators: You can download a copy of the ATT&CK framework in Excel, for your own threat and endpoint investigations.

So you can see how as a comprehensive matrix of cybersecurity threats, ATT&CK can provide a valuable checklist of sorts for gap analysis in the SOC. It also provides a common terminology for threats across the organization and the numerous tools in the security infrastructure.

Unless you have an unlimited security budget, it probably isn’t possible to try and cover every technique. Therefore, you need to prioritize carefully to minimize risk. That’s where D3 comes in.

We embedded the entire ATT&CK matrix directly into our SOAR platform for live and contextual kill chain surveillance. D3 pulls out every IOC from a security event, determines the ATT&CK techniques being used, and uses that information to search across past incidents, security tools logs, and other recorded IOCs to find other traces of the attack. Because D3 uses the ATT&CK framework to understand the likely structure of attacks, it can vastly narrow down the ground that security analysts have to cover, so they’re no longer looking for needles in haystacks for evidence of attacks.


How to Use MITRE ATT&CK for Gap Analysis

Obviously, D3 can make a huge difference to your security operations in a number of ways. You’re probably already thinking about a couple of challenges in your organization that it could help you solve. But let’s look specifically at how D3’s ATT&CK capabilities can help you identify security gaps and effectively prioritize the most pressing threats.

Because D3 aggregates events from across your entire security infrastructure, you can use it to generate comprehensive reports that show exactly what techniques are being used against you, which ones have been successful, and which ones have not been seen in any events. This report can be created ad hoc or scheduled on a predetermined basis. For example, if you run a weekly attack techniques report and there are 20 hits for the technique Privilege Escalation, you know that there is a serious problem in that area.

Especially when viewed as a trend report covering a significant period of time, a technique report will give you a clear picture of what your existing tools are protecting against and where further configuration is needed. You can then use D3’s security orchestration features to automate changes—such as updating SIEM rules or adding signatures to detection tools—or assign tasks to the appropriate personnel.

In addition to operationalizing the MITRE ATT&CK framework, D3 is uniquely suited to the task of evidence-based gap analysis for a few reasons. First is that D3 can generate reports on virtually any data in the system, making it easy to customize reports to reflect exactly what you need to see. Second is that D3 acts as the connective tissue of the SOC, integrating with 200+ security tools. This means that D3 can track every technique that has been detected by any tool, without blind spots or requiring manual data gathering.



The ability to create a snapshot of cybersecurity threats in your environment is just one of the many reasons that our clients are so excited about D3’s MITRE ATT&CK features. You can learn more about how D3 is leading the transition from ‘event-based’ to ‘intent-based’ SOAR in our recent whitepaper. Or if you want to see it for yourself, schedule a demo today.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.