
How to Focus on Your Most Pertinent Cyber Security Threats using MITRE ATT&CK

🗣️ Speaking the Same Language in Cyber Security

The MITRE ATT&CK framework is a globally recognised, open-source knowledge base of adversary tactics and techniques derived from real-world observations. It categorises and maps out how threat actors behave throughout the course of a cyber attack: how they gain access, how they move across a network, how they escalate privileges and, ultimately, how they achieve their goals. Think of it as a map of the bad guy’s playbook.

Each attack technique has its own name and number, for example: Phishing is T1566.

In some cases, techniques also have ‘sub-techniques’ which provide even more specific detail (e.g. phishing with a link, T1566.002, and phishing with an attachment, T1566.001, are different sub-techniques of Phishing).

In the chaotic world of cyber security, the MITRE ATT&CK framework acts as a Rosetta Stone for cyber security professionals: everyone, from threat intelligence teams to SOC analysts, speaks the same language.

Key Takeaway

There are many ways cyber attackers infiltrate systems – the MITRE ATT&CK framework gives cyber security professionals a common language to coordinate their defences.

It gives us a common framework to dissect, compare and communicate the behaviour of our adversaries in a highly specific way. But while the matrix is vast, most threat groups only use a small fraction of it within their own campaigns. As you might expect, they hone and reuse the specific techniques and tactics that work well for them. This is an important consideration when it comes to targeting our security operations activities.

📦 One Size Doesn’t Fit All

Organisations of different sizes, operating in different industry sectors or in different geographic regions, may be targeted by vastly different threat actors, as the two profiles below show:

UK university with a leading supercomputing research faculty:
  • Nation-state espionage groups such as APT40 and Charming Kitten
  • Ransomware actors such as BianLian and Qilin
  • Data breach and extortion actors such as Lapsus$ and RansomHouse

Emerging global bank with high volumes of sensitive client data:
  • Malware operators targeting customers, such as Indrik Spider and TA505
  • Ransomware actors such as BlackCat/ALPHV and LockBit
  • DDoS actors such as NoName057(16) and Killnet

As you can see, these differences aren’t always subtle and they can fundamentally shape the way attackers target a given entity. So, why should your operational security strategy treat all threat actors as equal? 😬

The key to success lies in focus. Specifically, focussing your Managed Detection and Response efforts on the techniques most relevant to your organisation and its threat landscape.

Essentially, we want to identify those techniques actually used by attackers who genuinely have your kind of business in their crosshairs. This means we get the greatest level of return on investment for our time, funding and resources allocated to defending against cyber attacks.

We can use the MITRE ATT&CK framework to identify those techniques which attackers are more likely to use against us, then shape our defensive posture to prioritise those high-risk areas with appropriate and proportionate detective strategies and mitigating controls.


🧮 How to Tailor MITRE ATT&CK to Your SOC Operations

1. Identify Relevant Threat Groups

To begin focusing your detection rules, you first need to understand your organisation and the threat landscape in which it operates. You need to identify relevant threat actors, who might be those targeting:

  • Your industry sector
  • Your region of operation
  • Organisations of a similar size
  • Your competitors

You can use a range of different free and paid-for services to identify potentially relevant threat actors, and you should ideally focus on those threat groups that have been active in the last 12-24 months, in order to avoid becoming overwhelmed with information.


Some sources to check might include:

  • NCSC Advisories: Great for UK-specific alerts and information about APTs.
  • CISA Alerts: Offers US-centric alerts that often apply to UK organisations. The StopRansomware campaign provides in-depth information about ransomware threat groups.
  • CiSP: This is the UK government’s threat sharing platform. UK businesses can sign up to share information about cyber threats.
  • Industry-specific ISACs: Sector-focused, global, intelligence sharing communities (e.g. FS-ISAC for financial services).
  • Open-source Vendor Reporting: Online white papers and reporting from known and trusted vendors like Mandiant, CrowdStrike, Google, Microsoft and Recorded Future.
  • Artificial Intelligence (AI): You can ask AI tools such as ChatGPT and Gemini to help you shortlist actors, but don’t rely on it blindly. You should always cross-check the information it provides with other sources to confirm reliability.
Top Tip

Use filters such as “targets UK”, “targets SMBs”, “targets <your industry sector>” and “active 2023-2025” to narrow your search.

2. Map Techniques to Actors

Once you’ve identified the threat actors that are most relevant to your organisation, you need to determine the Tactics, Techniques and Procedures (TTPs) that they commonly use in their attack campaigns. This helps you to shift your security operations from broad threat modelling, to highly focussed, intelligence-led prioritisation.

The MITRE ATT&CK framework is available online and provides group profiles for a range of different threat actors, which highlights (based on real-world observation) which techniques the group is associated with.

🛠 Don’t stop at MITRE ATT&CK: the group profiles only record what has been publicly reported and mapped, so supplement them with the other sources listed in step 1 (government advisories, ISACs and vendor reporting), which often describe attacker TTPs in more detail and more recently.

3. Visualise with MITRE ATT&CK Navigator

MITRE ATT&CK Navigator is a web application, available through the MITRE ATT&CK website. It can be used to visually represent the techniques used by a threat actor and to then combine information about multiple threat actors.

How to use it:

  • Select the threat groups that you have defined as relevant for your organisation (start with 5-8 in your first attempts).
  • Create a new layer within the Navigator tool for each of your threat groups.
  • Identify each of the techniques that the attacker is associated with. This can be done by searching for the threat group within the tool, or by manually assigning techniques.
  • Assign each relevant technique a score from within the Technique Controls menu. In its simplest form, this is simply assigning a score of 1 to all relevant techniques. Although it doesn’t seem significant, this is crucial for the next stage.
  • Once each layer is complete, create another new layer using the “Create Layer from Other Layers” function. This allows you to combine the technique scores from across a defined set of layers.

In the “Score Expression” field, ask the MITRE ATT&CK Navigator to add your layers together, this is expressed as a simple formula, using the letter designation Navigator has assigned to each layer: e.g. a+b+c+d+e.
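The same aggregation can be scripted directly against the ATT&CK STIX data that powers Navigator, which is useful when you want to regenerate the combined layer automatically as your group list changes. The script below is an added example, not CyPro’s tooling or anything from the MITRE project: it walks “uses” relationships from in-scope groups to techniques, skips revoked techniques, scores each technique by the number of relevant groups using it (the a+b+c of the layers) and emits a Navigator layer with a green-to-red gradient. The bundle is a constructed sample in the shape of the real enterprise-attack.json, and the version numbers in the layer are assumptions to adjust for your Navigator release.

```python
"""Combine per-group technique lists into one scored ATT&CK Navigator layer."""
import json
from collections import Counter

# Constructed sample shaped like ATT&CK STIX 2.1 objects (only the fields used here).
# The real bundle is enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--a", "name": "Group A"},
        {"type": "intrusion-set", "id": "intrusion-set--b", "name": "Group B"},
        {"type": "intrusion-set", "id": "intrusion-set--c", "name": "Group C"},
        {"type": "intrusion-set", "id": "intrusion-set--d", "name": "Group D (not in scope)"},
        {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "id": "attack-pattern--4", "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}]},
        {"type": "attack-pattern", "id": "attack-pattern--5", "name": "Revoked technique",
         "revoked": True,  # constructed: revoked entries must not count
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        # "uses" relationships: source_ref is the group, target_ref the technique
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--2"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--3"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--b", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--b", "target_ref": "attack-pattern--4"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--c", "target_ref": "attack-pattern--1"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--c", "target_ref": "attack-pattern--3"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--c", "target_ref": "attack-pattern--5"},  # revoked, ignored
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--d", "target_ref": "attack-pattern--4"},  # out of scope
    ],
}


def attack_id(obj):
    """Return the Txxxx ID of an attack-pattern, or None if it is revoked/deprecated."""
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        return None
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def techniques_per_group(bundle, group_names):
    """Map each in-scope group name to the set of technique IDs it is observed using."""
    objs = bundle["objects"]
    groups = {o["id"]: o["name"] for o in objs
              if o["type"] == "intrusion-set" and o["name"] in group_names}
    techs = {o["id"]: attack_id(o) for o in objs if o["type"] == "attack-pattern"}
    result = {name: set() for name in group_names}
    for o in objs:
        if o["type"] != "relationship" or o["relationship_type"] != "uses":
            continue
        if o["source_ref"] in groups and techs.get(o["target_ref"]):
            result[groups[o["source_ref"]]].add(techs[o["target_ref"]])
    return result


def score_techniques(per_group):
    """Score = number of in-scope groups using the technique (the a+b+c+... of the layers)."""
    counts = Counter()
    for techs in per_group.values():
        counts.update(techs)
    return counts


def build_layer(scores, name="Relevant threat actors (combined)"):
    """Emit an ATT&CK Navigator layer dict with a green->red gradient over the scores."""
    hi = max(scores.values()) if scores else 1
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},  # assumed; adjust
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s, "comment": f"used by {s} group(s)"}
                       for t, s in sorted(scores.items())],
        "gradient": {"colors": ["#8ec843", "#ffe766", "#ff6666"], "minValue": 0, "maxValue": hi},
    }


if __name__ == "__main__":
    per_group = techniques_per_group(SAMPLE_BUNDLE, {"Group A", "Group B", "Group C"})
    print(json.dumps(build_layer(score_techniques(per_group)), indent=2))
```

Save the printed JSON to a file and open it in Navigator via “Open Existing Layer” to get the same heatmap the manual layer-combination produces; on the real bundle, point `techniques_per_group` at the group names exactly as they appear in the ATT&CK group pages.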

[Image: the Score Expression field in MITRE ATT&CK Navigator]

🎯 Outcome: A prioritised shortlist of MITRE ATT&CK techniques. These aren’t hypothetical: the techniques with the highest scores are those shared by the most threat groups that target organisations like yours, and so the most likely to be used against you.

Top Tip

Use colour gradients within Navigator to colour techniques with the highest scores red and the lowest scores green. This gives you a heatmap of high-risk techniques that can be exported and used in presentations to executives and your team.

[Image: Navigator heatmap with the highest-scoring techniques in red and the lowest in green]

In the diagram, the techniques coloured red pose the greatest threat to the organisation as they are used by multiple relevant threat actors, while those in green may only be used by one or two actors.

4. Build Detection Rules Accordingly

The prioritised shortlist gives you a solid, logical base from which to plan your mitigating and detective controls.

Recommended steps:

  • Map your current security controls against your threat map, to identify where you have multiple layers of defence and where you have gaps in your security posture.
  • Prioritise those areas where gaps in control align with high-risk threat techniques.
  • Build rules mapped to your top techniques in your security information and event management (SIEM) platform or Managed Detection and Response (MDR) tooling, and tag each rule with the technique ID it is meant to detect so that coverage can be reported in the same vocabulary as the threat map.
  • Establish baselines for normal behaviour first to reduce false positives.

Test the rules (e.g. by running the matching Atomic Red Team tests) to verify that detective controls fire as expected, and repeat the test whenever the rule or the underlying log source changes.
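To make the last two steps concrete, here is an added example (not CyPro’s detection content or any vendor’s rules) of technique-tagged detection logic run over a handful of constructed process-creation events, followed by a coverage check of those rules against a prioritised technique list of the kind the Navigator exercise produces. The events, the rule set and the priority scores are all constructed for illustration; the technique IDs are real ATT&CK identifiers.

```python
"""Technique-tagged detection rules over constructed endpoint events, plus a gap check
against a prioritised technique list (technique ID -> number of relevant groups)."""
import re

# Constructed sample process-creation events (Sysmon event ID 1 style, fields simplified).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws02", "parent": "OUTLOOK.EXE", "image": "cmd.exe",
     "cmdline": "cmd /c whoami"},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date"},          # benign admin use: no Office parent, no -enc
    {"host": "srv01", "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws04", "parent": "EXCEL.EXE", "image": "mshta.exe",
     "cmdline": "mshta C:\\Users\\Public\\invoice.hta"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -EncodedCommand as a standalone switch (not "Get-Date" etc.)
ENCODED_FLAG = re.compile(r"(?i)(?<=\s)-(e|ec|enc|encodedcommand)(?=\s)")

# Each rule carries the ATT&CK technique it is intended to detect.
RULES = [
    {"id": "office-spawns-script-host", "technique": "T1204.002",   # User Execution: Malicious File
     "match": lambda e: (e["parent"].lower() in OFFICE_APPS
                         and e["image"].lower() in SCRIPT_HOSTS)},
    {"id": "powershell-encoded-command", "technique": "T1059.001",  # Scripting Interpreter: PowerShell
     "match": lambda e: (e["image"].lower() in {"powershell.exe", "pwsh.exe"}
                         and ENCODED_FLAG.search(e["cmdline"]) is not None)},
    {"id": "shadow-copy-deletion", "technique": "T1490",            # Inhibit System Recovery
     "match": lambda e: (e["image"].lower() == "vssadmin.exe"
                         and "delete shadows" in e["cmdline"].lower())},
]


def run_rules(events, rules=RULES):
    """Evaluate every rule against every event; return one alert per (event, rule) hit."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule["match"](event):
                alerts.append({"host": event["host"], "rule": rule["id"],
                               "technique": rule["technique"], "cmdline": event["cmdline"]})
    return alerts


def coverage(prioritised, rules=RULES):
    """Split prioritised techniques into those with at least one rule and those with none.
    Gaps come back highest score first, i.e. the order in which to build or buy detections."""
    detected = {r["technique"] for r in rules}
    covered = {t: s for t, s in prioritised.items() if t in detected}
    gaps = sorted(((t, s) for t, s in prioritised.items() if t not in detected),
                  key=lambda ts: (-ts[1], ts[0]))
    return covered, gaps


# Constructed combined-layer result: technique -> number of relevant groups using it.
PRIORITISED = {"T1486": 6, "T1566.001": 5, "T1204.002": 5, "T1059.001": 4,
               "T1078": 4, "T1490": 3}

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['rule']} on {a['host']}: {a['cmdline']}")
    covered, gaps = coverage(PRIORITISED)
    print("covered:", sorted(covered))
    print("gaps (highest priority first):", gaps)
```

Two things worth noting in the design: the benign `powershell Get-Date` event on ws03 does not fire either PowerShell rule, which is the baseline-first point above, and the coverage output says plainly that the highest-scoring technique in the threat map (T1486, Data Encrypted for Impact) has no detection at all, which is exactly the gap a board-level heatmap should surface.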

Top Tip

Don’t stop at detective controls; also consider preventative steps that you could take. For example, block unusual outbound protocols at the firewall if data exfiltration is a risk, or disable Office macro execution if malicious attachments (T1566.001 Phishing: Spearphishing Attachment, leading to T1204.002 User Execution: Malicious File) are high on your list. Note that macros are not T1203 (Exploitation for Client Execution), which covers attacks that exploit a vulnerability in the client application and is addressed by patching and exploit mitigations rather than macro policy.

✅ MITRE ATT&CK and Compliance Alignment

In addition to improving your defensive strategy and focusing your detection efforts, implementing MITRE ATT&CK provides your organisation with a strong foundation for demonstrating compliance with cyber security standards and regulations.

Top Tip

Export ATT&CK Navigator layers as documentation to support audit trails, risk registers, and board-level briefings.

If you’re reporting to auditors or regulators, aligning detection and response controls to MITRE ATT&CK offers a clear and evidence-based methodology for complying with threat intelligence controls.

Frameworks and Standards Supported by MITRE ATT&CK
  • ISO/IEC 27001:2022: Intelligence-led security operations support your ability to demonstrate implementation of Annex A controls such as A.5.7 (Threat intelligence), A.8.15 (Logging) and A.8.16 (Monitoring activities).
  • NIS2 Directive: This EU directive applies to essential and important entities in the sectors it covers. Using the MITRE ATT&CK framework to prioritise security defences lets you demonstrate a robust and repeatable detection methodology as part of your risk-management measures.
  • GDPR: Under Article 32, organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. ATT&CK-aligned prioritisation of security controls supports that objective and allows you to demonstrate a clear, risk-focused methodology.

🎯 Tracking Success

Once you’ve operationalised MITRE ATT&CK within your security operations, then the next challenge may be proving its value, especially to non-technical stakeholders.

This means that you need to be able to clearly and simply demonstrate the effectiveness of this approach over time in an easy-to-understand way.

Detection Performance

  • 🧠 Technique coverage: By using visualisations from the Navigator tool, you can illustrate the coverage of your security operations and demonstrate that you are closing security gaps over time.
  • 🎯 Focused detections: Prioritised, targeted detection controls should yield a reduction in false positive detections, which can be tracked over time.
  • 📊 Budgetary efficiency: Prioritising security controls aligned with threats means that budget goes to measures that cover several high-priority techniques at once, allowing you to optimise budget use.

Case Study: UK-Based Educational Organisation

Let’s ground this in reality. One of our clients, a large organisation in the education sector, approached us to evaluate the current cyber security maturity in line with their threat landscape and support them in improving this.

We kicked off by identifying threat groups known to target the UK education sector, and mapped their techniques using the MITRE ATT&CK Navigator, to identify relevant high-risk techniques.

From that, we were able to define a proactive, prioritised roadmap which addressed their highest risk areas first. We were able to support them in using an intelligence-based approach to articulate to their senior leadership team why those security controls were relevant and appropriate, allowing them to get buy-in and investment for a further program of work.

This wasn’t just improved security – it was tangible, measurable business value.

👎 Common Mistakes to Avoid

Even with a powerful framework like MITRE ATT&CK, mistakes can derail your detection strategy. Here are some pitfalls to avoid:

❌ Trying to boil the ocean: Mapping your SOC against every one of the hundreds of techniques and sub-techniques in the matrix is tempting, but ineffective. You will waste time and resources covering a myriad of techniques that don’t pose an immediate threat. Focus on the high risks first.

❌ One-and-done mentality: Threat actor behaviours evolve over time. For this strategy to be effective, you need to implement a process to update your mapping regularly. This means that as threat actors change direction, so do you.


📈 Selling MITRE ATT&CK to Your Boss

Implementing MITRE ATT&CK-aligned security isn’t just an IT issue or a technical upgrade – it can be a really effective business enablement strategy. But to get leadership buy-in, you need to be able to explain it in a way that matters to them.

Framing the Conversation


These are some key benefits likely to pique the interest of your executive board.

  • Cost-Efficiency: Prioritised detection by your security team reduces analyst fatigue, stops time being wasted investigating irrelevant alerts and focuses security spend on effective, beneficial strategies.
  • Risk Alignment: This strategy allows you to effectively identify specific threats to your organisation, rather than making generic statements about ‘cyber threat’.
  • Security Readiness: This enables teams to demonstrate a structured, intelligence-led defensive posture, not just to auditors, but also to potential investors, clients and partners.

Board Reporting: MITRE ATT&CK visualisations offer easy-to-understand risk heatmaps, which means that the board can clearly understand the risk, even if they don’t have a technical background.

Top Tip

Use a side-by-side before/after ATT&CK heat map to show exactly what you’re improving.

🫵 Next Steps: Let’s Talk About You

If this all sounds good but you’re thinking “we don’t have the time,” you’re not alone. CyPro are here to manage an intelligence-led strategy for you, so that you can focus on doing what you do best.

Whether it’s a threat-led assessment, security architecture review, or Managed Detection and Response designed with real-world threat intelligence, we can help.

👉 Contact us today to schedule a discovery call.


Don’t wait for your next ‘near miss’. A little proactivity now can save you a lot of firefighting later. Your attackers know you. Isn’t it time you got to know them better, too?
