rabobank-cdc/DeTTECT

Populating the techniques administration file

sri-telstra opened this issue · 3 comments


Hi, not so much as an issue yet, but I am curious to understand how you went about mapping the detection capability on your EDR against the techniques-administration file such that it can be "automatically" populated and updated when sensors are periodically updated?

The challenge here is that not every EDR vendor will tell you what they are capable of detecting. Moreover, if they are, then you still don't know how good that particular detection is. So, it's tough to automate the scoring (from level 1 to 5) of your EDR detections.

Some ideas on how to approach this (which I think should be done on a regular basis):

  • If your EDR vendor is part of the MITRE ATT&CK evaluations, have a look at those results to score the detections.
  • Purple teaming can be of great help to identify what is detected by your EDR and how good the level of detection is.
  • Attack emulation tools will also give you some idea on your detections. Be aware though that emulation tools will only go so far in testing a specific technique. Purple teaming allows you to go much deeper into the aspects of the technique.
  • Based on alerts from the EDR over the past X months score the applicable detections.
  • Did you have any incidents from which you expect it is something that could be detected by your EDR, but was not? Give it a score of 0 and add a comment on why you gave it that score.
  • You could also state that the most important thing to know is: how capable are you of detecting techniques used by adversaries that may attack you? So, you first get threat intel on attack techniques applicable to your organisation and then figure out how good your detections are concerning the techniques used by certain adversaries.

I hope this will help!
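As an added example (not DeTTECT's own code), here is how evidence gathered along the lines above can be folded into a technique-administration file as dated score_logbook entries, so that periodic runs only record real changes and flag techniques nobody reviewed. It assumes the YAML has already been loaded into Python objects (e.g. with PyYAML) and that detection scores run 0..5 as described in the thread; the technique IDs, scores and reasons are constructed sample data.

```python
from datetime import date

# Constructed sample in the layout of a DeTTECT technique-administration file, as it
# looks once the YAML is loaded (real files: yaml.safe_load(open(path))).
ADMIN = {
    "file_type": "technique-administration",
    "techniques": [
        {"technique_id": "T1003", "detection": [{"applicable_to": ["all"], "location": ["EDR"],
         "score_logbook": [{"date": "2019-01-01", "score": 3, "comment": "initial"}]}]},
        {"technique_id": "T1059", "detection": [{"applicable_to": ["all"], "location": ["EDR"],
         "score_logbook": [{"date": "2019-01-01", "score": 2, "comment": "initial"}]}]},
        {"technique_id": "T1055", "detection": [{"applicable_to": ["all"], "location": ["EDR"],
         "score_logbook": [{"date": "2019-01-01", "score": 1, "comment": "initial"}]}]},
    ],
}

# Constructed evidence from the sources listed above (ATT&CK evaluation, purple team,
# recent alerts, missed incidents): technique -> (score, reason). 0 = a known miss.
EVIDENCE = {
    "T1003": (3, "ATT&CK evaluation: technique-level detection confirmed"),
    "T1059": (0, "purple-team run: encoded PowerShell command line raised no EDR alert"),
}

def update_scores(admin, evidence, today):
    """Append a dated score_logbook entry to each EDR detection whose score changed.
    Returns (changed, unreviewed): IDs given a new entry, and IDs with no new evidence."""
    changed, unreviewed = [], []
    for tech in admin["techniques"]:
        tid = tech["technique_id"]
        if tid not in evidence:
            unreviewed.append(tid)  # still in the file but nobody scored it this round
            continue
        score, reason = evidence[tid]
        if not 0 <= score <= 5:  # assumed range, per the thread (0 = none, 1..5 = quality)
            raise ValueError(f"{tid}: detection score must be 0..5, got {score}")
        if score == 0 and not reason.strip():
            raise ValueError(f"{tid}: a score of 0 must carry a comment explaining the miss")
        for det in tech["detection"]:
            if "EDR" not in det["location"]:
                continue  # leave non-EDR detections (SIEM rules etc.) untouched
            logbook = det["score_logbook"]
            if logbook and logbook[-1]["score"] == score:
                continue  # unchanged since last run: do not clutter the logbook
            logbook.append({"date": today, "score": score, "comment": reason})
            changed.append(tid)
    return changed, unreviewed

if __name__ == "__main__":
    print(update_scores(ADMIN, EVIDENCE, date.today().isoformat()))  # write back with yaml.safe_dump(ADMIN, fh)
```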

Thanks Marcus, yes we have our vendor who is being evaluated by MITRE; however, the challenge seems to be that setting up all those controls may be too stringent on the business. Wherein we develop these middle grounds, and that's where ambiguity in detection capability creeps in. Appreciate the thoughts.