Attackers and defenders both have vast toolboxes. In observing thousands upon thousands of breaches, we have seen threat actors use their toolkits extensively to achieve their objectives. Defenders, by contrast, tend to become dependent on a single tool or source of telemetry, seldom using everything available to them. Today's threats cannot be detected from a single source of evidence. Furthermore, threat actors are increasingly defense-aware, employing evasive countermeasures when necessary.
The security industry has turned to the MITRE ATT&CK matrix to catalog threat actors and their tactics, techniques, and procedures (TTPs). Used by SOCs and toolsets worldwide, ATT&CK provides a common language for sharing threat data and testing defenses. However, mapping detections to ATT&CK techniques depends on visibility: each technique lists the data sources needed to observe it, and many require more than one. Becoming effective at detecting and stopping threats requires SOCs to expand their understanding of their own environment and the telemetry it can produce.
In this webcast, SANS instructor and IR expert Matt Bromiley and Elastic's Principal Product Marketing Manager James Spiteri look at bringing multiple data sets together to build better detections. Using MITRE ATT&CK as your library, learn how to document threat actor techniques and create a taxonomy for implementing effective detections.
Be among the first to receive the associated whitepaper (https://www.sans.org/reading-room/whitepapers/analyst/expanding-security-toolbox-40350) written by Matt Bromiley.