How to Map MITRE ATT&CK Techniques: Bridging the Gap between Theory and Implementation

June 26, 2020

MITRE ATT&CK and ThreatQ

The MITRE ATT&CK framework contains a tremendous amount of data that can prove valuable in a range of use cases, including spearphishing, threat hunting, incident response, vulnerability management and alert triage. To make the information contained within the MITRE ATT&CK framework actionable for these use cases, ThreatQuotient integrates components of the framework into the ThreatQ platform to provide the following capabilities:

  • Enable investigations that originate with components from the MITRE ATT&CK framework, such as techniques.
  • Automatically build relationships between MITRE ATT&CK data and other useful pieces of threat data.
  • Automatically map threat data from internal sources (e.g., SIEM, ticketing, email gateway) and external sources (e.g., feeds) to MITRE ATT&CK techniques.
  • Store historical threat hunting investigations, data and learnings and automatically associate these with related components of the MITRE ATT&CK framework.

The integration enables security operations teams to take full advantage of the framework, while working within the ThreatQ platform, to proactively and collaboratively accelerate detection and response.


The MITRE ATT&CK framework is a huge step forward in creating a knowledge base of adversaries and their associated tactics, techniques and procedures (TTPs). Many vendors are starting to build ATT&CK data into their detection tools, which is driving global adoption of the ATT&CK framework for threat hunting and incident response processes. This is great progress, but unfortunately many organizations still have a gap when trying to apply these processes to technologies that do not integrate with ATT&CK data. ThreatQuotient has created an integration between the ThreatQ platform and MITRE ATT&CK that helps to bridge this gap.

The ThreatQ platform offers a threat-centric approach to security operations. Purpose-built to accelerate detection, investigation and response, the platform is integrated with a large number of key security systems and is aware of contextually relevant detections or alerts that are threat related. This information is ingested directly into the ThreatQ Threat Library. The ThreatQ MITRE Mapper integration offers a tool to automatically establish relationships between MITRE ATT&CK techniques and threat data that has been ingested from internal and external tools. The functionality is powered by Threat Library searches, which enable users to seamlessly leverage data from technologies that do not support ATT&CK directly out of the box.

The remainder of this document uses a threat hunting use case triggered by a spearphishing incident to demonstrate how the ThreatQ MITRE Mapper integration may be used.
