Page 197 - Cyber Defense eMagazine September 2023

These missed attacks often stem either from hidden gaps in detection coverage or from alerts that were buried in a sea of noisy alerts and never pursued by the Security Operations Center (SOC) team at all.

            According to IDC, 20-30% of all alerts are simply ignored or not investigated in a timely manner, frequently
            due to classic “alert fatigue” caused by too many noisy alerts.

Another disadvantage of mean time to detect (MTTD) and mean time to respond (MTTR) metrics is that they do not give management an accurate representation of risk to the business. Instead, we should be looking at metrics that describe the organization's readiness to detect the Tactics, Techniques, and Procedures (TTPs) that target business-critical systems such as cloud applications, or crown jewel assets such as databases holding PII and other sensitive data. Such a metric should be measured against the techniques that actually target those assets rather than against every technique in existence, and a rule should only count as coverage if it is enabled and the telemetry it depends on is actually collected from the asset in question. In other words, we need to be able to report on the organization's detection posture.



            Why prevention is insufficient

A key tenet of security is that you cannot effectively prevent all attacks. The current thinking is that our mindset needs to shift from prevention alone to rapid detection and response. In fact, according to Dr. Eric Cole, a well-known SANS Fellow and security consultant, prevention is ideal, but detection is a must.

Our constantly expanding attack surface is part of the challenge. One report found that the number of enterprise cyber assets increased by 133 percent year-on-year, from an average of 165,000 in 2022 to 393,419 in 2023. With that many assets to defend, including short-lived cloud assets such as containers that cannot run an EDR agent at all, trying to prevent every attack sets you up for failure. But where do you begin?



            Following the roadmap

Enter the MITRE ATT&CK framework. It extends the traditional intrusion kill chain model beyond indicators of compromise (IOCs) such as IP addresses and file hashes, which attackers can change at will, in order to catalog known adversary playbooks and behaviors, their TTPs. Behaviors are far more expensive for an adversary to change than indicators, so detections built on them age much better than indicator matching.

            As the standard framework for understanding adversary behavior, MITRE ATT&CK now describes more
            than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group,
            FIN7, and LAPSUS$.

According to ESG research, 89% of organizations currently use MITRE ATT&CK to reduce risk for security operations use cases such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs.

Another advantage of MITRE ATT&CK is that it provides a common language for talking about attack behaviors, both across internal security teams (threat hunters, red teams, detection engineering, etc.) and across organizations, for example through ISACs.
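The detection posture metric described earlier, and the "priorities for detection engineering" use case above, can both be reduced to a small coverage calculation once detection rules and assets are tagged with ATT&CK technique IDs. The following is an added example and not code from the article or from MITRE: a technique only counts as covered for an asset when an enabled rule alerts on it and the telemetry that rule reads is actually collected from that asset, so a rule that was switched off during an alert-noise cleanup, or one that depends on an auth log the database never forwards, shows up as a gap instead of being silently counted. The rule names, asset names and technique-to-asset mappings are constructed sample data; the technique IDs (T1078 Valid Accounts, T1003 OS Credential Dumping, T1059 Command and Scripting Interpreter, T1190 Exploit Public-Facing Application, T1530 Data from Cloud Storage, T1021 Remote Services, T1486 Data Encrypted for Impact, T1566 Phishing) are real ATT&CK Enterprise IDs.

```python
"""Detection posture per asset, measured against ATT&CK techniques.

Added example, not the article's code. A technique is "covered" for an asset
only when an ENABLED rule alerts on it AND the asset ships the telemetry that
rule needs. Everything in RULES and ASSETS is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionRule:
    name: str
    techniques: frozenset   # ATT&CK technique IDs this rule alerts on
    telemetry: str          # data source the rule's logic reads
    enabled: bool = True    # deployed but disabled counts as no coverage


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str                     # "crown_jewel" or "standard"
    telemetry: frozenset          # data sources actually collected from it
    threat_techniques: frozenset  # techniques that target this asset class


def covered_techniques(asset: Asset, rules: list[DetectionRule]) -> set[str]:
    """Techniques on the asset's threat list that some usable rule detects."""
    return {
        tech
        for rule in rules
        if rule.enabled and rule.telemetry in asset.telemetry
        for tech in rule.techniques
        if tech in asset.threat_techniques
    }


def posture(asset: Asset, rules: list[DetectionRule]) -> dict:
    """Score = covered relevant techniques / relevant techniques (0.0 to 1.0)."""
    covered = covered_techniques(asset, rules)
    gaps = asset.threat_techniques - covered
    total = len(asset.threat_techniques)
    score = len(covered) / total if total else 1.0
    return {"asset": asset.name, "tier": asset.tier, "score": round(score, 2),
            "covered": sorted(covered), "gaps": sorted(gaps)}


def prioritized_gaps(assets, rules) -> list[tuple[str, int]]:
    """Uncovered techniques ranked by how many crown-jewel assets they expose:
    the detection-engineering backlog, most valuable new rule first."""
    counts: dict[str, int] = {}
    for asset in assets:
        if asset.tier != "crown_jewel":
            continue
        for tech in posture(asset, rules)["gaps"]:
            counts[tech] = counts.get(tech, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# --- constructed sample inventory (not a real environment) -------------------
RULES = [
    DetectionRule("Valid Accounts: success after failures", frozenset({"T1078"}), "auth_log"),
    DetectionRule("OS Credential Dumping: LSASS access", frozenset({"T1003"}), "edr"),
    DetectionRule("Suspicious PowerShell", frozenset({"T1059"}), "edr"),
    # Exists in the SIEM but was switched off during a noisy-alert cleanup.
    DetectionRule("Cloud storage bulk download", frozenset({"T1530"}), "cloud_audit_log",
                  enabled=False),
    DetectionRule("Web shell after exploit", frozenset({"T1190"}), "web_proxy"),
]

ASSETS = [
    # PII database: EDR present, but its auth log is never forwarded to the SIEM.
    Asset("pii-db-prod", "crown_jewel", frozenset({"edr"}),
          frozenset({"T1078", "T1003", "T1021", "T1486"})),
    # Containerised customer portal: no EDR agent, only cloud audit and proxy logs.
    Asset("customer-portal", "crown_jewel", frozenset({"cloud_audit_log", "web_proxy"}),
          frozenset({"T1190", "T1059", "T1530", "T1078"})),
    Asset("hr-laptop-fleet", "standard", frozenset({"edr", "auth_log"}),
          frozenset({"T1566", "T1059", "T1003"})),
]


def report(assets=ASSETS, rules=RULES) -> str:
    """Plain-text posture table plus the prioritized backlog, for the SOC report."""
    lines = [f"{p['asset']:<18}{p['tier']:<13}{p['score']:>5}  gaps: {', '.join(p['gaps']) or '-'}"
             for p in (posture(a, rules) for a in assets)]
    lines.append("backlog: " + ", ".join(f"{t} ({n} crown-jewel assets)"
                                         for t, n in prioritized_gaps(assets, rules)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the sample data both crown-jewel assets score 0.25 even though five rules are deployed, because the two hidden gaps (the disabled cloud-storage rule and the missing database auth log) are counted as what they are: no coverage. The backlog puts T1078 first since it is uncovered on both crown-jewel assets, which is exactly the prioritization signal MTTD and MTTR cannot provide.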


Cyber Defense eMagazine – September 2023 Edition
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.