What do you do when faced with a cereal aisle of threat detection tools? You turn to frameworks like MITRE ATT&CK in order to evaluate possible solutions against a real-world array of adversary tactics, techniques, and procedures (TTPs).
The MITRE ATT&CK knowledge base includes TTPs in use by attackers across a wide range of sophistication, from the high school troll to advanced persistent threat groups operating on a global scale. By checking a potential detection tool against which TTPs it's able to spot, you'll be better able to understand how that tool will perform in the wild.
The MITRE ATT&CK Matrix for Enterprise divides TTPs into eleven categories, from Initial Access all the way up to Command & Control. What you'll quickly note is that many of the scarier attacks out there are subtle and multi-stage, appearing almost solely as unusual traffic patterns within an enterprise network.
Detecting these attacks is like tracing a crocodile in the water—sometimes you might catch a series of ripples, and if you're lucky you can connect those ripples to a glimpse of eyes above the surface, but the most telling signs of the attack about to come are the underwater currents you can't see. That's where network detection and response (NDR) solutions come in.
NDR tools analyze east-west (internal) network traffic in real time, with advanced behavioral analytics that help SOC analysts put together a more complete picture of what's going on within their networks. Enterprise NDR tools like ExtraHop Reveal(x) bring an even richer set of capabilities to the table, such as:
- Instant access to application transaction contents at Layer 7, enabling rapid detection and investigation of threats hidden in legitimate traffic
- Machine learning-driven behavioral analysis that catches unknowns that rules-based detection tools miss
- Real-time decryption capabilities, including for Perfect Forward Secrecy (PFS)
- Out-of-band, passive processing of network traffic at up to 100 Gbs, while most vendors top out at 40 Gbps
Read the white paper, no strings attached, to understand how Reveal(x) detects and investigates MITRE ATT&CK TTPs at enterprise scale: download the PDF.