You're reading from Aligning Security Operations with the MITRE ATT&CK Framework Level up your security operations center for better security

Product type Paperback

Published in May 2023

Publisher Packt

ISBN-13 9781804614266

Length 192 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Rebecca Blair

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance

2. Chapter 1: SOC Basics – Structure, Personnel, Coverage, and Tools FREE CHAPTER

3. Chapter 2: Analyzing Your Environment for Potential Pitfalls

4. Chapter 3: Reviewing Different Threat Models

5. Chapter 4: What Is the ATT&CK Framework?

6. Part 2 – Detection Improvements and Alignment with ATT&CK

7. Chapter 5: A Deep Dive into the ATT&CK Framework

8. Chapter 6: Strategies to Map to ATT&CK

9. Chapter 7: Common Mistakes with Implementation

10. Chapter 8: Return on Investment Detections

11. Part 3 – Continuous Improvement and Innovation

12. Chapter 9: What Happens After an Alert is Triggered?

13. Chapter 10: Validating Any Mappings and Detections

14. Chapter 11: Implementing ATT&CK in All Parts of Your SOC

15. Chapter 12: What’s Next? Areas for Innovation in Your SOC

16. Index

Why subscribe?

17. Other Books You May Enjoy

A deep dive into the techniques in the Windows framework

Windows machines make up over 200 million enterprise users with many high-target organizations being primarily Windows users, such as the US government. Due to the number of Windows users, roughly 80% of all malware attacks target Windows users specifically. That means that you have to be extra vigilant if you work on a security team in a Windows environment and need to ensure that proper logging, detections, risk categorizations, and detections are put in place. The Windows matrix encompasses all controls and is not broken down based on the Operating System (OS) version or if it is a server or endpoint, so there is definitely a level of tweaking that is necessary when reviewing the matrix. The matrix in its entirety looks like the following:

Initial Access

Drive-by Compromise, Exploit Public Facing Application, External Remote Services, Hardware Additions, Phishing, Replication Through Removable Media, Supply...