Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics
So far, you have learned about the principles you can use to identify threats using data analytics and detection engineering. Sometimes, you will need to create analytics at the time of the incident response, but the idea is to do it proactively by creating a repository in advance to use when necessary.
Now, let's learn how to configure a laboratory to create and test analytics, as well as validate their efficiency.
Here, we will select a specific MITRE ATT&CK technique, associate it with a MITRE Cyber Analytics Repository (CAR) analytic, and create the implementation from the analytic's pseudocode.
Subsequently, we will emulate this technique using the Invoke-AtomicRedTeam tool to generate the indicators of attack (IoAs).
Once that activity has been recorded, we will use the analytics we created previously to detect this behavior through attack indicators, as shown in the preceding screenshot.
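To make the workflow concrete, here is an added lab harness (not code from this book or from the Invoke-AtomicRedTeam project) that runs one atomic test, implements a CAR-style analytic over Sysmon process-creation events, and checks for hits in the emulation window. It assumes Invoke-AtomicRedTeam is installed under C:\AtomicRedTeam and that Sysmon is logging Event ID 1; the technique T1059.003 and the "cmd.exe spawned by a parent other than explorer.exe" analytic are illustrative choices, not the ones the chapter selects.

```powershell
# Added example: lab harness for emulate-then-detect. Assumptions are marked.
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

$Technique  = 'T1059.003'   # assumed illustrative technique (Windows Command Shell)
$TestNumber = 1             # confirm with: Invoke-AtomicTest $Technique -ShowDetailsBrief

# Step 1: implement the analytic from CAR-style pseudocode, roughly
#   processes = search Process:Create
#   cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
# Sysmon Event ID 1 is the Process:Create data source on a Windows host.
function Invoke-CmdSpawnAnalytic {
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon fields arrive as <Data Name="...">value</Data> elements in the event XML
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields.Image -like '*\cmd.exe' -and $fields.ParentImage -notlike '*\explorer.exe') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                ParentImage = $fields.ParentImage
                CommandLine = $fields.CommandLine
            }
        }
    }
}

# Step 2: mark the start of the emulation window so only this run's events are examined.
$Start = Get-Date

# Step 3: emulate the technique to generate the IoAs (prerequisite check first).
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -CheckPrereqs
Invoke-AtomicTest $Technique -TestNumbers $TestNumber

# Step 4: validate the analytic. Zero hits means either the emulation did not run
# or the analytic (or the Sysmon configuration) needs tuning.
$hits = @(Invoke-CmdSpawnAnalytic -Since $Start)
"Analytic hits in emulation window: $($hits.Count)"
$hits | Format-Table -AutoSize

# Step 5: remove the emulation artefacts.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup
```

Run it in an elevated PowerShell session on the isolated lab host, since reading the Sysmon log and executing atomic tests both require administrative rights.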