Arctiq Main Blog

Defense Planning with MITRE ATT&CK

Written by Neil Karan | Nov 26, 2025 2:28:47 PM

Following the recent updates to MITRE ATT&CK, some great new content was released to help defenders enable more inclusive thinking across attacker tactics, techniques and procedures (TTPs). With v18 now available, MITRE has introduced new objects that support more connected, system-based thinking, specifically Detection Strategies and Analytics.

The foundational practices these new objects enable are important: they enhance the ability to proactively plan defenses by connecting techniques not only with mitigations, but also with the supporting analytics and log sources that make those detections possible. Think of v18 as a major shift from a descriptive catalogue into an actionable blueprint for detection engineering.

Figure 1: MITRE ATT&CK v18  

Recent updates also introduced new threat groups, expanded existing ones, and added new STIX Domain Objects. The shift from atomic to more integrated detections is a particularly exciting development, especially with the inclusion of log data to support that evolution. 

It’s worth emphasizing that MITRE’s work is inherently dynamic. Are there perfect mappings between detections and analytics for every technique? No. But the framework continues to move in the right direction. With the latest version of MITRE ATT&CK now released, it’s a timely opportunity to revisit the framework, not just to refine existing detection strategies, but also to inform how we plan and design proactive exercises. ATT&CK v18 makes it easier than ever to adopt and operationalize this information across your security program (including Industrial Controls!).


Defender and Attacker Asymmetry  

Before jumping into MITRE, it’s important to acknowledge that an effective defensive strategy must account for the asymmetric nature of cyber threats, particularly the incremental and adaptive tactics employed by modern adversaries. Attackers don’t view targets as isolated systems but as interconnected surfaces, composed of users, infrastructure, and latent vulnerabilities.

Rather than pursuing singular assets, threat actors exploit systemic interdependencies, identifying pathways to databases, administrative interfaces, and credential stores that unlock broader access. This reflects a strategic inversion of value creation where attackers maximize return on investment by compromising environments in integrated, scalable ways. 

Whether driven by financial gain, ideological motives, or geopolitical objectives, sophisticated adversaries exhibit connected thinking, linking vulnerabilities across domains, exploiting both human and technical weaknesses, and rapidly iterating in response to defensive measures. These dynamics underscore the need for defenders to adopt holistic and adaptive detection practices which MITRE is helping to evolve.  


The Value of MITRE ATT&CK 

MITRE ATT&CK is more than just a framework; it has become a way to think critically about how adversaries operate and how defenders can respond with precision. When helping organizations shape their defensive strategies, we often start with a simple but essential question: What are you trying to protect? Broad, indiscriminate security controls may seem thorough, but over time they tend to become expensive, inefficient, and prone to failure, especially when they’re needed most.

Once an organization has a clear understanding of the assets most vital to revenue, operations, or strategic value, we can begin applying ATT&CK in a meaningful way. With that clarity, we typically recommend a few key steps: 

  • Build threat models around those critical systems to map out potential attack paths and adversary behaviors. 
  • Evaluate visibility and telemetry to ensure you’re capturing the right signals along those attack paths. 
  • Assess attacker interest by considering the type and sensitivity of data those systems hold. 
  • Review architectural design to identify whether certain configurations or dependencies increase exposure. 
  • Profile likely adversaries, thinking through who might target these systems and how. 

Pulling that together, let’s see how it starts to shape our thinking and where MITRE ATT&CK can start to add value:

Figure 2: MITRE ATT&CK Overlay 

Let’s make the following assumptions: 

  • The crown jewel system is the ERP system 
  • Threat Models reveal 5 critical attack paths 
  • Threat intelligence has internal teams focused on Scattered Spider and APT29 
  • Detection coverage for Scattered Spider and APT29 techniques in MDR: Unknown 

If we look at the mapped TTPs from ATT&CK, APT29 and Scattered Spider each demonstrate a series of tactics across the attack lifecycle, but for simplicity let’s narrow in on what’s common (i.e. overlapping attacker techniques) and use those to overlay existing threat models.

Figure 3: MITRE ATT&CK Navigator (Scattered Spider and APT29) 
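To make the overlap step concrete, here is an added Python example (not code from the original post or from MITRE) that reads the intrusion-set, attack-pattern and "uses" relationship objects from a constructed miniature of the ATT&CK STIX bundle, intersects the two groups' technique sets, and writes the result as a minimal ATT&CK Navigator layer. The group-to-technique assignments, the revoked placeholder technique and the subset of layer fields used are assumptions; the real bundle is far larger and also contains revoked and deprecated objects, which a mapping must skip or the overlay will carry stale techniques.

```python
import json

# Constructed mini STIX 2.1 bundle in the shape ATT&CK's STIX data uses:
# intrusion-set (group), attack-pattern (technique) and "uses" relationships.
# The group-to-technique assignments are illustrative, not MITRE's mappings.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Scattered Spider"},
        {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "APT29"},
        {"type": "attack-pattern", "id": "attack-pattern--t1078", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1566", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1621",
         "name": "Multi-Factor Authentication Request Generation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1621"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1021", "name": "Remote Services",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021"}]},
        # Revoked objects stay in the real bundle; "T0000" is a placeholder ID.
        {"type": "attack-pattern", "id": "attack-pattern--old", "name": "Retired Technique",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1078"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1566"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1621"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--old"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t1078"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t1566"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t1021"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--old"},
    ],
}


def _active(obj):
    """ATT&CK marks retired objects with 'revoked' or 'x_mitre_deprecated'."""
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))


def technique_ids(bundle):
    """STIX id -> ATT&CK id (T-number) for every active technique."""
    ids = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not _active(obj):
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ids[obj["id"]] = ref["external_id"]
    return ids


def techniques_by_group(bundle):
    """Group name -> set of ATT&CK ids the group is mapped as using."""
    groups = {o["id"]: o["name"] for o in bundle["objects"]
              if o.get("type") == "intrusion-set" and _active(o)}
    tids = technique_ids(bundle)
    used = {name: set() for name in groups.values()}
    for obj in bundle["objects"]:
        if (obj.get("type") != "relationship"
                or obj.get("relationship_type") != "uses" or not _active(obj)):
            continue
        group, tid = groups.get(obj["source_ref"]), tids.get(obj["target_ref"])
        if group and tid:
            used[group].add(tid)
    return used


def overlapping_techniques(bundle, group_names):
    """Techniques every named group is mapped as using."""
    sets = [techniques_by_group(bundle).get(g, set()) for g in group_names]
    return set.intersection(*sets) if sets else set()


def navigator_layer(bundle, group_names, name="Group overlap"):
    """Minimal Navigator layer: score = number of in-scope groups using it."""
    used = techniques_by_group(bundle)
    counts = {}
    for g in group_names:
        for t in used.get(g, set()):
            counts[t] = counts.get(t, 0) + 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "18", "layer": "4.5"},
        "techniques": [
            {"techniqueID": t, "score": c,
             "comment": ", ".join(g for g in group_names if t in used[g])}
            for t, c in sorted(counts.items())
        ],
    }


if __name__ == "__main__":
    groups = ["Scattered Spider", "APT29"]
    print("overlap:", sorted(overlapping_techniques(BUNDLE, groups)))
    print(json.dumps(navigator_layer(BUNDLE, groups), indent=2))
```

Loading the layer in Navigator with a gradient on score makes the shared techniques (score 2) stand out from the group-specific ones (score 1), which is the view Figure 3 describes.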

If we explore the overlapping capabilities, specifically T1078: Valid Accounts, let’s see how that can be documented:

Attributes                        | Comments
----------------------------------+-------------------------------------------------------
Crown Jewel                       | Financial ERP
Documented Attack Path            | Threat Model 1B; Documented Attack Paths: 1B-1, 1B-5
In-Scope Attack Groups            | Scattered Spider, APT29
Attack Path Detection Coverage    | No
In-scope MITRE ATT&CK Techniques  | T1078

With what now appears to be a gap in current detection capabilities based on our initial review of attacker TTPs, MITRE’s new Detection Strategy and Analytics information allows defenders to extend their thinking from detection through to logging, and the existing record can now be appended with the following:

Attributes                | Comments
--------------------------+------------------------------------------------
MITRE Detection Strategy  | DET0560
Analytics                 | AN1543
Logging Considerations    | Logon Session Creation, Windows Event ID: 4624

What’s great about this is the traceability: it empowers security leaders to have more informed conversations with internal teams or external partners. It helps clarify which detections are in place, which log sources are being leveraged, and how those align with specific threat actors and their known behaviors. In doing so, it shifts the conversation from generic coverage to targeted, intelligence-driven defense.
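As an added illustration, not code from the post, the following Python models that traceability chain (crown jewel to threat model to technique to detection strategy to analytic to log source) and adds the check a detection engineer wants before calling an attack path "covered": the analytic must be both deployed and fed by a log source that is actually collected. DET0560, AN1543 and Event ID 4624 come from the tables above; the "windows:4624"-style source names, the telemetry inventory, the deployment flags and the placeholder strategies for T1566 and T1621 are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Analytic:
    analytic_id: str
    required_events: frozenset   # log sources this analytic consumes
    deployed: bool               # live in the SIEM / MDR platform?


@dataclass(frozen=True)
class DetectionStrategy:
    strategy_id: str
    analytics: tuple


@dataclass(frozen=True)
class TechniqueRecord:
    technique: str
    crown_jewel: str
    threat_model: str
    attack_paths: tuple
    groups: tuple
    strategy: DetectionStrategy


# Constructed records. T1078 mirrors the tables above (DET0560 / AN1543 / 4624);
# the other two strategies and analytics are placeholder IDs, not MITRE's.
GROUPS = ("Scattered Spider", "APT29")
T1078 = TechniqueRecord("T1078", "Financial ERP", "1B", ("1B-1", "1B-5"), GROUPS,
                        DetectionStrategy("DET0560", (
                            Analytic("AN1543", frozenset({"windows:4624"}), deployed=False),)))
T1566 = TechniqueRecord("T1566", "Financial ERP", "1B", ("1B-2",), GROUPS,
                        DetectionStrategy("DET-PLACEHOLDER-1", (
                            Analytic("AN-PLACEHOLDER-1", frozenset({"m365:mail"}), deployed=True),)))
T1621 = TechniqueRecord("T1621", "Financial ERP", "1B", ("1B-3",), GROUPS,
                        DetectionStrategy("DET-PLACEHOLDER-2", (
                            Analytic("AN-PLACEHOLDER-2", frozenset({"idp:mfa"}), deployed=True),)))

# Constructed telemetry inventory: sources the SIEM actually receives today.
COLLECTED = frozenset({"windows:4624", "windows:4688", "idp:mfa"})


def telemetry_gaps(record, collected):
    """Per analytic, the required log sources that are not being collected."""
    return {an.analytic_id: sorted(an.required_events - collected)
            for an in record.strategy.analytics
            if an.required_events - collected}


def is_detected(record, collected):
    """Covered only if some analytic is deployed AND all of its log sources
    are collected; a deployed analytic starved of telemetry is not coverage."""
    return any(an.deployed and an.required_events <= collected
               for an in record.strategy.analytics)


def traceability_row(record, collected):
    """One row of the documentation table, with the coverage verdict derived
    from deployment state and telemetry rather than asserted by hand."""
    analytics = record.strategy.analytics
    return {
        "Crown Jewel": record.crown_jewel,
        "Threat Model": record.threat_model,
        "Attack Paths": ", ".join(record.attack_paths),
        "Groups": ", ".join(record.groups),
        "Technique": record.technique,
        "Detection Strategy": record.strategy.strategy_id,
        "Analytics": ", ".join(a.analytic_id for a in analytics),
        "Logging": ", ".join(sorted(set().union(*(a.required_events for a in analytics)))),
        "Detection Coverage": "Yes" if is_detected(record, collected) else "No",
        "Telemetry Gaps": telemetry_gaps(record, collected),
    }


def detection_maturity(records, collected):
    """Share of in-scope techniques with working coverage, as a percentage."""
    if not records:
        return 0.0
    return round(100 * sum(is_detected(r, collected) for r in records) / len(records), 1)


if __name__ == "__main__":
    for rec in (T1078, T1566, T1621):
        for key, value in traceability_row(rec, COLLECTED).items():
            print(f"{key:>20}: {value}")
        print()
    print("detection maturity:", detection_maturity([T1078, T1566, T1621], COLLECTED), "%")
```

The three records show the three states that matter in the conversation with an MDR partner: telemetry present but analytic not deployed (T1078), analytic deployed but its log source not collected (T1566), and genuinely covered (T1621). Only the last counts toward detection maturity.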

If we extend that out even further across select mitigations or control investment areas, the same principles will apply but would allow for mitigation mapping as follows: 

Figure 4: MITRE ATT&CK Navigator (Mitigations: Vulnerability Scanning and Password Policies) 

With all that considered, this can even be extended into executive reporting, where detection and logging coverage can be articulated within the context of revenue-generating systems with directive statements such as:

  • The organization’s most critical revenue-generating system (i.e. $5 billion+) currently has 5 documented attack paths with 65% of mitigations in place, and a detection maturity of 45% against known threat actors Scattered Spider and APT29.
  • Mitigation Exposure: 35% 
  • Detection Exposure: 55% 


Using MITRE ATT&CK to Inform Planning
 

Building on the methodology used for detection strategy development, the MITRE ATT&CK framework can also guide the planning and design of threat actor emulation engagements, threat hunting, and intelligence capabilities. These exercises are critical for validating specific security capabilities and understanding how well your organization can detect, respond to, and recover from targeted attacks. 

Figure 5: Emulation Planning with MITRE ATT&CK
 

Enable Your Defenses 

The continued evolution of MITRE ATT&CK and broader detection strategies is transforming defensive approaches, enabling more integrated and proactive responses to attacker tactics. With the recent updates in v18 of MITRE ATT&CK, it’s an opportune time for organizations already using it to update their existing models and detections, and for those that aren’t, an opportunity to consider it for your security operations program.

See how Arctiq can help you with our Security Operations Assessment (SOA) and Tabletop Exercises to enable MITRE ATT&CK within your environment. Contact us to get started.