As published by Ooda Loop, think of three big companies such as Amazon, Google or Tesla: the first two words that come to mind are innovation and disruption. They broke into their respective industries by predicting the future correctly. Similarly, defenders have long asked whether the type of security incident a company can expect to see could be predicted. If it could, a lot of time and resources could be saved in building a threat detection framework. But, as is well known, in real-world monitoring, spotting a real incident is like finding a needle in a haystack.
Attackers usually perform reconnaissance on a company to identify the strengths and weaknesses of its infrastructure. Based on the outcome, they design their payload to maximise its chance of success. If defenders can anticipate an attacker's technique and build a detection model for it in advance, the chances of detecting and responding to such an incident quickly are much greater.
To build this prediction framework, two data sets are needed to begin with. The first is the list of techniques attackers use to compromise a company; the MITRE ATT&CK framework already provides these. The second is a mapping of the Security Information and Event Management (SIEM) use cases to ATT&CK techniques. This shows defenders where their detections have blind spots against the methods attackers actually use. For example, take the technique Scheduled Task (ATT&CK T1053.005): as a defender, you would look for the relevant use case and check that the logs it needs are available in your SIEM. Here, the Windows Security event log must be shipped to the SIEM platform, and the detection use case should look for Windows event ID 4698 ("A scheduled task was created"). Note that 4698 is only generated when the "Audit Other Object Access Events" subcategory is enabled in the audit policy, so the use case is worthless on hosts where that setting is off; the mapping should record the required audit configuration, not just the event ID.
After this mapping, the techniques with no use-case coverage become visible. Plotting them on the ATT&CK matrix shows which adversaries (the groups whose known techniques fall in the uncovered cells) would have the highest success rate against a given company. With that picture, defenders can take a focused approach and build threat hunting models for those adversaries first, rather than spreading effort evenly across the whole matrix. The same exercise also improves an organisation's log coverage, because every uncovered technique points to a log source that is missing or not yet onboarded.
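The two steps above, the use-case-to-technique mapping with its coverage gaps and the event ID 4698 detection, as one added Python example. This is not code from the article: the technique list is a hand-picked subset of real ATT&CK IDs, the use-case and event field names are assumptions rather than any particular SIEM's schema, the log records are constructed, and the "suspicious task content" markers are an illustrative heuristic to tune per environment. A use case only counts as coverage when the log source it needs is actually onboarded.

```python
"""Constructed example: ATT&CK use-case coverage gaps plus a detection for event ID 4698."""

# Constructed sample: a handful of ATT&CK (sub-)techniques. The IDs and names are
# real ATT&CK entries, but a real run would load the whole matrix (e.g. from the
# STIX bundle MITRE publishes) rather than this short dictionary.
TECHNIQUES = {
    "T1053.005": "Scheduled Task",
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory",
}

# Constructed sample: SIEM use cases, each tagged with the technique it covers and
# the log source it needs. Field names are assumptions, not a specific SIEM's schema.
USE_CASES = [
    {"name": "Scheduled task created", "technique": "T1053.005",
     "log_source": "windows:security", "event_id": 4698},
    {"name": "PowerShell script block logged", "technique": "T1059.001",
     "log_source": "windows:powershell", "event_id": 4104},
]

# Constructed sample: log sources actually shipped to the SIEM. PowerShell logs are
# missing, so the 4104 use case exists on paper but can never fire.
ONBOARDED_LOG_SOURCES = {"windows:security"}


def coverage_gaps(techniques, use_cases, onboarded):
    """Return (techniques with no working use case, use cases whose log source is not onboarded)."""
    effective = {uc["technique"] for uc in use_cases if uc["log_source"] in onboarded}
    uncovered = sorted(t for t in techniques if t not in effective)
    dead_use_cases = sorted(uc["name"] for uc in use_cases if uc["log_source"] not in onboarded)
    return uncovered, dead_use_cases


# Constructed sample records, shaped like Windows Security events after SIEM
# normalisation. TaskContent holds the task XML that event 4698 carries.
SAMPLE_EVENTS = [
    {"event_id": 4624, "SubjectUserName": "alice", "LogonType": 2},
    {"event_id": 4698, "SubjectUserName": "alice",
     "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\System32\\wbadmin.exe"
                    "</Command></Exec></Actions></Task>"},
    {"event_id": 4698, "SubjectUserName": "svc_web",
     "TaskName": "\\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>"},
]

# Constructed heuristic: substrings in the task command or arguments that make a
# newly created scheduled task worth a closer look. Tune to the environment.
SUSPICIOUS_MARKERS = ("powershell", "-enc", "cmd.exe", "\\temp\\", "\\appdata\\", "mshta", "rundll32")


def detect_scheduled_task_creation(events):
    """Use case for T1053.005: every 4698 is an alert candidate; suspicious content raises severity."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4698:
            continue
        content = ev.get("TaskContent", "").lower()
        suspicious = any(marker in content for marker in SUSPICIOUS_MARKERS)
        hits.append({
            "technique": "T1053.005",
            "user": ev.get("SubjectUserName"),
            "task": ev.get("TaskName"),
            "severity": "high" if suspicious else "low",
        })
    return hits


if __name__ == "__main__":
    uncovered, dead = coverage_gaps(TECHNIQUES, USE_CASES, ONBOARDED_LOG_SOURCES)
    print("Techniques without effective coverage:", [f"{t} ({TECHNIQUES[t]})" for t in uncovered])
    print("Use cases whose log source is not onboarded:", dead)
    for hit in detect_scheduled_task_creation(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the gap report lists three techniques, including T1059.001 even though a PowerShell use case exists, because its log source is not onboarded; the detection flags both 4698 records and rates the encoded-PowerShell task high. In production the same two functions would be fed the full ATT&CK technique list and the SIEM's real rule inventory, and the 4698 rule would additionally need the audit subcategory check mentioned above, since a host that never emits 4698 looks identical to a host with no scheduled task activity.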