Adopting latest MITRE ATT&CK framework for XDR and SIEM

First published in Cybersecurity Infowatch

Last fall, the framework’s 14th version was launched, providing the cybersecurity community with expanded tactics, techniques and procedures that can help organizations exponentially shore up their cybersecurity practices.

Patrick Hayes, Chief Strategy Officer

In just the next couple of years, global cybercrime damages will reach $10.5 trillion in 2025 — up from $3 trillion in 2015, according to Cybersecurity Venture. In 2024, the cost of cybercrime damage worldwide will total $302,000 — every second.

Cybercriminals are only getting more sophisticated, emboldened and successful as the amount of data stored in the cloud and online users rapidly expands.

Today’s organizations need every available tool in their toolkit to protect their company’s data, reputation and intellectual property from hackers. And one of those tools is the MITRE ATT&CK framework, a collaborative effort that helps the cybersecurity industry better understand and address the threat landscape.

Last fall, the framework’s 14th version was launched, providing the cybersecurity community with expanded tactics, techniques and procedures that can help organizations exponentially shore up their cybersecurity practices.

The possibilities are especially powerful for Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). These days, integrating the latest version of the MITRE ATT&CK framework with these security platforms should be a no-brainer for professionals looking to protect their organizations from the latest digital threats.

What’s new in v14

Hackers are always deploying new ways to threaten an organization’s data, and the depth and breadth of the ATT&CK knowledge base keeps tabs on their movements in real-time.

The knowledge base is free and open to use, and it features a thriving community of security professionals, researchers and organizations who share their expertise and collaborate to identify constantly evolving cyberthreats. Together, they’ve developed a common language about cybercrime and have developed corresponding techniques to proactively protect organizations against them.

Among many cybersecurity professionals, integration of the framework into cybersecurity practices is considered a best practice. Deploying it can help organizations stay in compliance with regulatory standards such as GDPR and HIPAA.

The framework has long been a go-to for cybersecurity professionals. But v14, released in October 2023, provides even more protections, bolstering ATT&CK’s detection notes and analytics and expanding on the types of threats it tracks, among other updates.

How can it help with SIEM and XDR?

Those improvements address the fast-changing techniques deployed by today’s cybercriminals and are especially useful for SIEM and XDR activities. Here’s how.

1) Threat Detection
Instead of a reactive stance against cyberattacks, the framework enables proactive threat hunting. Integrating v14 ensures organizations have aligned their security practices with the latest knowledge and information that we have about cyber attackers’ current activities.

For example, v14 incorporates what MITRE calls activities that are “adjacent” to traditional cyberattacks. This includes social engineering tactics that don’t necessarily have a direct technical component, according to MITRE, such as financial theft, impersonation and “spear phishing voice,” which involves using artificial intelligence technology to mimic the voice of a friend, relative or colleague.

With this expanded catalog of tactics, cybersecurity professionals who integrate the framework into their threat detection activities will be better prepared for these new and emerging vulnerabilities.

2) Incident Response
ATT&CK not only helps security professionals identify potential threats, but it also provides a playbook for how to respond to them. So, during an incident, with the framework’s help, organizations can ensure that they’re operating with the latest information about cybercrime and can quickly deploy an effective response, including mitigation steps.

Users who integrate ATT&CK into their SIEM also can configure better alerting and notifications. When ATT&CK-related incidents happen, that integration can ensure that alerts to security teams provide a host of actionable information including context, severity and other relevant details.

3) Overall Security
Finally, the robust information coming from the ATT&CK framework helps security professionals ensure their efforts are up-to-date and relevant to digital dangers in the offing and fill gaps in their cybersecurity systems as needed. When the integration is continuously tested and updated through regular simulations and exercises, security professionals can ensure that any alerts, dashboards and incidence responsive processes are current and protect them against what a bad actor might throw their way.

There’s nothing easy about this work, of course. And, for the uninitiated, using the MITRE ATT&CK framework might seem like a challenging endeavor. The first steps include identifying data sources within your environment, mapping that data to MITRE ATT&CK techniques and configuring SIEM to gather data from identified sources.

But, as cybercriminals continue to get creative, such as taking advantage of new and emerging technologies such as AI, they’ll only pose more danger to an organization’s data and future. The latest version of the ATT&CK knowledge base exponentially boosts an organization’s ability to secure themselves against what digital con artists will come up with next.

Our Blog

Stay updated with the latest in the industry

Want to learn more about Third Wave. Keep up with the latest news and trends.