Set MITRE ATT&CK Priorities
Last updated
Problem: Most security operations organizations use the MITRE ATT&CK Framework to understand what types of adversary behavior they need to detect, including the underlying data required to support those detections. This matters because failing to do so can leave major visibility gaps, weakening security posture. A key requirement for using the framework effectively is understanding which platforms, adversary groups, data sources, and adversary techniques are actually in scope for your particular industry and geographic footprint, and which techniques you can de-prioritize or ignore.
Anvilogic Solution: Anvilogic provides industry- and geography-specific templates for understanding the threat landscape, including how to prioritize adversary groups and attacker techniques. These are fully customizable and can evolve with your organization as your footprint and the threat landscape change. These priorities will form the basis of using Anvilogic to provide continuous assessment of your data and detection coverage maturity.
One of the main features Anvilogic provides is continuous assessment and an improvement framework around the state of your data feeds and detections as measured against a customized subset of the MITRE ATT&CK Framework. We help you understand and tailor priorities for your organization, industry, and geography. We have already done the initial priorities setup in the test drive account, but you can view, explore, and edit this.
From the main navigation on the left, hover over “Maturity Score” -> click Threat Priorities.
This will open the Threat Priorities view.
You can view or edit the Platform Priorities from the initial screen. You can then click on Threat Groups to bring up the list of prioritized MITRE ATT&CK Threat Groups.
Again, you can view the list (it spans multiple pages), edit priorities, search for specific groups, and check/uncheck the filter to hide unprioritized groups.
From here, you can click on Techniques in the Outputs section and see how the Platforms and Threat Groups selected in the previous steps are automatically reflected in a prioritized list of MITRE ATT&CK techniques. You can hover and click on the arrow on a given technique to view or change the sub-techniques and priority level of each technique and sub-technique.
Lastly, you can click on Data Categories to see a paginated view of the MITRE ATT&CK data categories required to cover the platforms and techniques defined in the previous steps. The selected categories and their priorities are automatically derived from the platforms and techniques, but you can view and edit their priorities in this screen as well.
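The derivation the steps above describe (platform and threat-group priorities feeding a prioritized technique list, which in turn feeds the required data categories, with analyst edits layered on top) can be illustrated in code. The following Python is an added example written for this page, not Anvilogic's own code or the product's actual scoring logic. The technique IDs are real ATT&CK IDs, but the group names, the group-to-technique mapping, and the technique-to-data-component mapping are constructed sample data, not an ATT&CK export and not Anvilogic's industry templates.

```python
"""Derive prioritized ATT&CK techniques and data components from platform and
threat-group priorities, then report which prioritized data feeds are missing.

Constructed example: technique IDs are real ATT&CK IDs, but the hypothetical
group names and both mappings below are simplified sample data.
"""

PRIORITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
RANK_NAME = {rank: name for name, rank in PRIORITY_RANK.items()}

# Constructed sample: technique -> platforms it applies to and the
# data components (ATT&CK data source: component) that can detect it.
TECHNIQUES = {
    "T1059": {"name": "Command and Scripting Interpreter",
              "platforms": {"Windows", "Linux", "macOS"},
              "data_components": {"Process: Process Creation", "Command: Command Execution"}},
    "T1566": {"name": "Phishing",
              "platforms": {"Windows", "Linux", "macOS", "Office 365"},
              "data_components": {"Application Log: Application Log Content",
                                  "Network Traffic: Network Traffic Content"}},
    "T1003": {"name": "OS Credential Dumping",
              "platforms": {"Windows", "Linux"},
              "data_components": {"Process: OS API Execution", "Process: Process Access"}},
    "T1078": {"name": "Valid Accounts",
              "platforms": {"Windows", "Linux", "macOS", "Azure AD", "SaaS"},
              "data_components": {"Logon Session: Logon Session Creation",
                                  "User Account: User Account Authentication"}},
    "T1110": {"name": "Brute Force",
              "platforms": {"Windows", "Linux", "Azure AD", "Office 365"},
              "data_components": {"User Account: User Account Authentication",
                                  "Application Log: Application Log Content"}},
}

# Constructed sample: which techniques each hypothetical threat group uses.
GROUP_TECHNIQUES = {
    "SAMPLE-GROUP-A": {"T1059", "T1566", "T1003"},
    "SAMPLE-GROUP-B": {"T1078", "T1110", "T1566"},
    "SAMPLE-GROUP-C": {"T1003", "T1078"},
}


def prioritize_techniques(platform_priorities, group_priorities, overrides=None):
    """Technique priority = the group's priority, capped by the best prioritized
    platform the technique applies to, taking the maximum over all prioritized
    groups that use it. `overrides` pins a technique to a level, like the
    per-technique edit in the UI."""
    overrides = overrides or {}
    derived = {}
    for group, techniques in GROUP_TECHNIQUES.items():
        g_rank = PRIORITY_RANK[group_priorities.get(group, "none")]
        if g_rank == 0:
            continue  # unprioritized group contributes nothing
        for tid in techniques:
            p_rank = max(
                (PRIORITY_RANK[platform_priorities.get(p, "none")]
                 for p in TECHNIQUES[tid]["platforms"]),
                default=0,
            )
            if p_rank == 0:
                continue  # technique only applies to platforms out of scope
            entry = derived.setdefault(tid, {"rank": 0, "groups": set()})
            entry["rank"] = max(entry["rank"], min(g_rank, p_rank))
            entry["groups"].add(group)
    for tid, level in overrides.items():
        derived.setdefault(tid, {"rank": 0, "groups": set()})["rank"] = PRIORITY_RANK[level]
    return {tid: {"priority": RANK_NAME[e["rank"]], "groups": sorted(e["groups"])}
            for tid, e in derived.items() if e["rank"] > 0}


def required_data_components(technique_priorities):
    """Each data component inherits the highest priority of any technique needing it."""
    needed = {}
    for tid, info in technique_priorities.items():
        for dc in TECHNIQUES[tid]["data_components"]:
            entry = needed.setdefault(dc, {"rank": 0, "techniques": set()})
            entry["rank"] = max(entry["rank"], PRIORITY_RANK[info["priority"]])
            entry["techniques"].add(tid)
    return {dc: {"priority": RANK_NAME[e["rank"]], "techniques": sorted(e["techniques"])}
            for dc, e in needed.items()}


def coverage_gaps(required, available):
    """Prioritized data components with no feed onboarded, highest priority first."""
    missing = [(dc, info) for dc, info in required.items() if dc not in available]
    return sorted(missing, key=lambda kv: (-PRIORITY_RANK[kv[1]["priority"]], kv[0]))


if __name__ == "__main__":
    platforms = {"Windows": "high", "Azure AD": "medium"}   # Linux/macOS out of scope
    groups = {"SAMPLE-GROUP-A": "high", "SAMPLE-GROUP-B": "medium"}
    techs = prioritize_techniques(platforms, groups, overrides={"T1003": "low"})
    data = required_data_components(techs)
    feeds = {"Process: Process Creation", "Command: Command Execution"}  # what we ingest today
    for tid, info in sorted(techs.items()):
        print(tid, TECHNIQUES[tid]["name"], info)
    for dc, info in coverage_gaps(data, feeds):
        print("MISSING", info["priority"], dc, info["techniques"])
```

The important design point is that a technique is only as prioritized as the platforms it can actually hit: a group rated high that uses a Linux-only technique contributes nothing if no Linux platform is in scope, which is exactly the kind of noise the platform step is meant to remove. The gap report at the end is the piece that drives the maturity score in the workflow above: it lists the prioritized data components that no current feed supplies, ordered so the highest-priority gaps are addressed first.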
At this point, you have reviewed and edited your priorities, setting the bar for required high-quality data sources and detection technique coverage. This will impact your maturity score and give you guidance and recommendations on how to improve detection coverage. If you made any changes, you can use the Save button in the upper right, or simply navigate away without saving them.