Vectra's coverage of MITRE ATT&CK and D3FEND

See how Vectra maps detections to MITRE ATT&CK v18 and supports MITRE D3FEND countermeasures, with navigator layers and export files.

Vectra’s Coverage of MITRE ATT&CK v18

Vectra provides coverage for over 90% of relevant MITRE ATT&CK techniques.

MITRE ATT&CK v18

MITRE ATT&CK is a curated knowledge base of what attackers do during an attack. ATT&CK provides a clear and consistent vocabulary for describing attacker behavior and a framework for discussing what coverage is necessary to keep a business secure.

All Vectra detections across public cloud, SaaS, federated identity, and data center networks are mapped to MITRE ATT&CK so that security teams can describe an attack, present the outcomes of investigations, and understand how Vectra supports them in securing their business.

Details of Vectra’s coverage can be explored using the native MITRE ATT&CK navigator.

Go to https://mitre-attack.github.io/attack-navigator/ and upload the attached layer file vectra_platform_coverage_for_att&ck_v18.json to interact with the data.

How Vectra Leverages MITRE ATT&CK

Vectra uses ATT&CK as one of several guides for deciding which threat detections to build. Vectra's security researchers factor in updates to ATT&CK techniques and their use by active APT groups, alongside independent research into active threat behaviors and observations from investigating real-world attacks across our deployments. This threat research is leveraged heavily in our security-led AI approach, in which the identification of a threat behavior is the starting point for a new Vectra threat detection developed through the collaboration of security researchers and data scientists.

Beyond ATT&CK’s use in guiding threat detection coverage, Vectra priority scores are directly related to the set of ATT&CK techniques that an observed account or host leverages. Vectra’s AI prioritization engine translates each Vectra detection into a set of ATT&CK techniques and considers the likelihood of a compromise given the total observed set of behaviors. As more techniques are observed that align with an attacker's progress, a higher priority score is reported, with those scored in the high and critical quadrants warranting immediate attention.

Vectra’s Supported MITRE D3FEND Countermeasures

Native Vectra functionality and supported integrations enable support for over 30 MITRE D3FEND countermeasures with 11 Vectra patents referenced as the foundations for the specified countermeasures. Vectra has the most patents referenced in the D3FEND framework of any security vendor.

MITRE D3FEND provides a language for expressing detection capabilities that directly map to a level of coverage for MITRE ATT&CK. While the D3FEND framework is new and still developing, it provides insights into the countermeasures used to address the mapped ATT&CK techniques. The D3FEND framework does not currently represent all the countermeasures deployed in the Vectra platform.

The Vectra-enabled MITRE D3FEND countermeasures are noted in a modified version of the MITRE D3FEND technique tree in the attached file Vectra_platform_D3FEND_0.10.0-BETA-2.csv.

----------

The attached vectra_platform_coverage_for_att&ck_v18-detection_to_technique.json can be used to programmatically map detection names to the related MITRE techniques within a SIEM or a script.
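One way to use such a detection-to-technique mapping from a script: fold SIEM detection events into a per-host set of ATT&CK techniques and emit an ATT&CK Navigator layer from it. This is an added illustration, not Vectra's code or the contents of the attached file; the mapping schema, the detection names, the sample events and the Navigator layer fields are all assumptions.

```python
import json
from collections import defaultdict

# Constructed stand-in for the attached detection-to-technique JSON; its real
# schema is not shown on this page, so {detection name: [technique IDs]} is assumed.
DETECTION_TO_TECHNIQUE = {
    "Suspicious Remote Execution": ["T1021.006", "T1059.001"],
    "Kerberoasting: Targeted Weak Cipher": ["T1558.003"],
    "Privilege Anomaly: Unusual Host": ["T1078"],
    "Hidden DNS Tunnel": ["T1071.004", "T1572"],
}

# Constructed sample SIEM events (one detection per line, keyed by host).
SAMPLE_EVENTS = [
    {"host": "ws-0417", "detection": "Privilege Anomaly: Unusual Host"},
    {"host": "ws-0417", "detection": "Kerberoasting: Targeted Weak Cipher"},
    {"host": "ws-0417", "detection": "Suspicious Remote Execution"},
    {"host": "srv-db01", "detection": "Hidden DNS Tunnel"},
    {"host": "srv-db01", "detection": "Unknown Detection Name"},
]

def techniques_per_host(events, mapping):
    """Return {host: sorted distinct technique IDs} plus the set of detection
    names with no mapping entry, so coverage gaps stay visible."""
    per_host = defaultdict(set)
    unmapped = set()
    for ev in events:
        techs = mapping.get(ev["detection"])
        if techs is None:
            unmapped.add(ev["detection"])
            continue
        per_host[ev["host"]].update(techs)
    return {h: sorted(t) for h, t in per_host.items()}, unmapped

def navigator_layer(per_host, name="observed techniques"):
    """Build an ATT&CK Navigator layer scoring each technique by the number of
    hosts it was seen on (layer fields as assumed from Navigator 4.x)."""
    counts = defaultdict(int)
    for techs in per_host.values():
        for t in techs:
            counts[t] += 1
    return {
        "name": name,
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": n, "comment": f"seen on {n} host(s)"}
                       for t, n in sorted(counts.items())],
    }

hosts, missing = techniques_per_host(SAMPLE_EVENTS, DETECTION_TO_TECHNIQUE)
print(json.dumps(navigator_layer(hosts), indent=2), "unmapped:", sorted(missing))
```

The resulting layer can be uploaded to the Navigator alongside the coverage layer to compare observed techniques against covered ones; the `unmapped` set flags detection names that need an entry in the mapping file.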

To learn more about Vectra's use of MITRE, recent threat research reports, and platform details, check out our website: https://www.vectra.ai/
