
MITRE ATT&CK – does it do what you need it to?

by Pete Shoard
January 24, 2022
Image from pixabay

Since it is a common topic in Gartner inquiry, I thought it would be worth addressing some of the issues we are seeing crop up with MITRE, especially in security operations tooling and services. For those of you who don’t know MITRE, let’s start with a quick explanation:

What is MITRE?

In essence, it is a much more detailed version of the kill chain concept that Lockheed Martin published in 2011, which sensibly organised the patterns of cyber-attacks into a logical flow. Emerging only a few years later, in 2013, the MITRE ATT&CK framework took longer to catch on but is now a mainstay of most security monitoring tool classification.

MITRE provides 14 stages and an ever-growing list of techniques and sub-techniques, which together give a granular way to categorise both the attacks that are live and those that may occur.

These categorisations also come with detailed descriptions of each technique, so security professionals have a lexicon of ideas to build upon. With a wealth of examples and a wiki of remedial advice, it would be forgivable to think that this mirrored the secret diary of an attacker and that it was the only way to measure the coverage and completeness of a security capability.

[Figure: Examples of MITRE. Source: Gartner 2022]

How are we using MITRE, and why is that wrong?

Many providers and technology vendors have begun scoring maturity, or displaying the completeness of their solutions, via MITRE. Often this leaves room for what is displayed to end-users to be interpreted in the wrong way. Traffic-light-driven systems that colour the framework green to indicate coverage are the worst offenders, telling end-users “this is complete, move on to the next thing”. This encourages an over-confidence that is likely to be responsible for missed incidents.

It is important to understand that MITRE only provides a layer of interpretation over what you already have. It can offer extra ideas for areas of capability you don’t have, but you must act on them.

What it doesn’t provide is a guide to completeness or coverage.

For example, if a user develops a mechanism on their EDR solution to detect process injection (MITRE T1543), that technique is marked as covered, even though the EDR agents may not be deployed in the datacentres or on mobile devices. As a result, a ‘green’ in this area says nothing about data coverage. MITRE compliance doesn’t measure completeness.

What should we be doing?

Effective use of a framework like MITRE is simple. Ask business questions first: “What processes do I care about?”, “Are there any actions in MITRE that might impact these processes?”. The driver for the use case is then to reduce risk or protect the business process, not to cover the technique.

Another key way to use MITRE is to measure your current capability: “In which MITRE stages do we have the most success in identifying issues?”, “How could we improve by looking at upstream techniques?”. This, of course, requires a consistent way of recording security issues, perhaps in an ITSM or case management system. It also requires regular assessment and adjustment of processes and detection content.
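One way to make the EDR example above, and the "which stages are we strongest in" measurement, concrete, as an added illustration that is not from the original post or from Gartner: weight each detection by the share of in-scope assets whose telemetry actually reaches it, so a rule that only exists on EDR is not shown green for assets without an agent. The asset groups, counts and sensor mapping are constructed sample data; the technique IDs are real ATT&CK IDs, but the rules are hypothetical.

```python
"""Effective ATT&CK coverage versus 'green tile' coverage (added example)."""
from dataclasses import dataclass, field

# Constructed asset inventory: asset group -> (asset count, sensors deployed)
ASSET_GROUPS = {
    "workstations": (1200, {"edr", "proxy"}),
    "datacenter":   (300,  {"netflow"}),   # no EDR agent here
    "mobile":       (500,  set()),         # no telemetry at all
}

@dataclass
class Detection:
    technique: str   # ATT&CK technique ID
    tactic: str      # ATT&CK tactic (stage) the rule maps to
    sensor: str      # telemetry source the rule needs
    # asset groups the rule is meant to protect; default is everything
    scope: set = field(default_factory=lambda: set(ASSET_GROUPS))

def effective_coverage(det: Detection) -> float:
    """Fraction of in-scope assets that actually feed the rule's sensor."""
    in_scope = [ASSET_GROUPS[g] for g in det.scope]
    total = sum(n for n, _ in in_scope)
    seen = sum(n for n, sensors in in_scope if det.sensor in sensors)
    return seen / total if total else 0.0

def dashboard(detections):
    """{technique: (naive 'green' flag, effective fraction)} for each rule.
    The naive flag is True merely because a rule exists; the fraction is
    what the tile should really show."""
    return {d.technique: (True, round(effective_coverage(d), 3)) for d in detections}

def tactic_rollup(detections):
    """Average effective coverage per tactic: a cheap 'where are we weakest' view."""
    by_tactic = {}
    for d in detections:
        by_tactic.setdefault(d.tactic, []).append(effective_coverage(d))
    return {t: round(sum(v) / len(v), 3) for t, v in by_tactic.items()}

# Constructed rules (hypothetical sensor mapping, real technique IDs)
RULES = [
    Detection("T1055", "Defense Evasion", "edr"),                        # process injection
    Detection("T1059", "Execution", "edr"),                              # scripting interpreter
    Detection("T1566", "Initial Access", "proxy", {"workstations"}),     # phishing, users only
    Detection("T1021", "Lateral Movement", "netflow", {"workstations", "datacenter"}),
]

if __name__ == "__main__":
    for tech, (green, eff) in dashboard(RULES).items():
        print(f"{tech}: tile={'green' if green else 'red'}  effective={eff:.0%}")
    print(tactic_rollup(RULES))
```

Every tile comes out "green", yet the EDR-backed rules only reach 60% of the estate and the lateral-movement rule reaches 20% of the assets it is meant to protect.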

MITRE is a really good method of categorising, measuring and enhancing security operations, but it’s not magic. Those that are most successful use MITRE to communicate with others in their businesses, and to measure processes and success. Don’t fall into the trap of believing that because something is green in a MITRE dashboard it is no longer worthy of attention.

We have some good research in this area: How to Use MITRE ATT&CK to Improve Threat Detection Capabilities (GTP subscription required) and there will be more to follow… please stay tuned

First published on Gartner Blog Network

Tags: cybersecurity, Gartner, kill chain, MITRE, MITRE ATT&CK Framework

Pete Shoard

Pete Shoard is part of the Security Operations team practice at Gartner, covering analysis of and selection criteria for threat detection and response Managed Security Services (MSS) such as Managed Detection and Response (MDR) and Vulnerability Management (VM) services, as well as security detection and response technologies such as Security Information and Event Management (SIEM), User Entity Behavioral Analytics (UEBA) and Deception. He also supports Gartner's ITL research in wider areas such as Security Operations Centre (SOC) best practice and security metrics and measurement.
