You're reading from Aligning Security Operations with the MITRE ATT&CK Framework Level up your security operations center for better security

Product type Paperback

Published in May 2023

Publisher Packt

ISBN-13 9781804614266

Length 192 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Rebecca Blair

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance

2. Chapter 1: SOC Basics – Structure, Personnel, Coverage, and Tools FREE CHAPTER

3. Chapter 2: Analyzing Your Environment for Potential Pitfalls

4. Chapter 3: Reviewing Different Threat Models

5. Chapter 4: What Is the ATT&CK Framework?

6. Part 2 – Detection Improvements and Alignment with ATT&CK

7. Chapter 5: A Deep Dive into the ATT&CK Framework

8. Chapter 6: Strategies to Map to ATT&CK

9. Chapter 7: Common Mistakes with Implementation

10. Chapter 8: Return on Investment Detections

11. Part 3 – Continuous Improvement and Innovation

12. Chapter 9: What Happens After an Alert is Triggered?

13. Chapter 10: Validating Any Mappings and Detections

14. Chapter 11: Implementing ATT&CK in All Parts of Your SOC

15. Chapter 12: What’s Next? Areas for Innovation in Your SOC

16. Index

Why subscribe?

17. Other Books You May Enjoy

Examples of mappings in real environments

Security vulnerabilities and coverage gaps are a fact of life for anyone who works in infosec. Here are a few different outlined security coverage issues that I’ve experienced and their applicable mapping and prioritization on a quad chart, as well as a discussion about what work streams I would implement. All of these issues are extremely common and hopefully can provide insight for you as you look at your environment.

The first issue that I’ve run into multiple times is a lack of logging, or a lack of logging the proper security logs. The reason that this is a problem is that logs are the first place a security responder will look when investigating an alert and attempting to find anything that is suspicious or malicious. If logging is not up to par, there are likely compromised activities occurring that you are not aware of because logs are also typically used to set up detection and alerts. To identify whether this is an...