MITRE Att&ck Data Sources

Overview of MITRE ATT&CK Data Sources

The MITRE ATT&CK framework not only categorizes adversary tactics and techniques but also provides valuable insights into the data sources that can be used to detect these activities. These data sources are essential for security professionals to monitor and analyze in order to identify and respond to threats effectively. Below is an overview of the key data sources referenced in the MITRE ATT&CK framework:

Data Source List

Application Logs:
- Logs generated by applications which can provide insights into application-specific activities and potential misuse or exploitation.
Authentication Logs:
- Logs that record authentication events, such as successful and failed login attempts, helping to detect unauthorized access attempts.
Command Execution:
- Data capturing the execution of commands on systems, which can reveal malicious script execution or command-line activity.
File Monitoring:
- Data related to the creation, modification, and deletion of files, aiding in the detection of suspicious file activities.
Network Traffic:
- Monitoring network communications to identify abnormal traffic patterns, potential data exfiltration, and command and control communications.
Process Monitoring:
- Data capturing the creation and termination of processes, useful for identifying unauthorized or unusual processes running on a system.
Registry:
- Monitoring registry modifications and access, particularly in Windows environments, to detect persistence mechanisms and configuration changes.
Sensor Health and Status:
- Information about the status and health of security sensors, ensuring they are functioning correctly and have not been tampered with.
User Account:
- Data on user account creation, deletion, and modification, which can indicate potential account misuse or compromise.
BIOS:
- Information from the Basic Input/Output System (BIOS), useful for detecting low-level tampering and persistence mechanisms.
Email Gateway:
- Data from email gateways can help in identifying phishing attempts and malicious email attachments or links.
Firewall:
- Logs and alerts from firewalls provide visibility into blocked and allowed traffic, aiding in the detection of unauthorized access attempts.
Host Network Interface:
- Data from network interfaces on hosts, which can provide insights into local network traffic and potential lateral movement.
Packet Capture:
- Detailed data from packet captures, enabling deep analysis of network traffic for signs of malicious activity.
Cloud Service:
- Monitoring and logging data from cloud services, essential for detecting and responding to threats in cloud environments.
DNS:
- DNS logs can reveal attempts to resolve malicious domains, indicating potential command and control activities.
Web Proxy:
- Data from web proxies helps in monitoring and controlling web traffic, useful for identifying access to malicious websites.

Summary

These data sources form the backbone of a comprehensive monitoring and detection strategy. By leveraging these sources, security professionals can gain a holistic view of their environment, enabling the detection and mitigation of adversarial tactics and techniques as outlined in the MITRE ATT&CK framework.

Data Source Documentation:

PreviousMITRE Att&ck Concepts NextMITRE ATT&CK Mitigations

Last updated 9 months ago

Overview of MITRE ATT&CK Data Sources

Data Source List

Application Logs:

Logs generated by applications which can provide insights into application-specific activities and potential misuse or exploitation.

Authentication Logs:

Logs that record authentication events, such as successful and failed login attempts, helping to detect unauthorized access attempts.

Command Execution:

Data capturing the execution of commands on systems, which can reveal malicious script execution or command-line activity.

File Monitoring:

Data related to the creation, modification, and deletion of files, aiding in the detection of suspicious file activities.

Network Traffic:

Monitoring network communications to identify abnormal traffic patterns, potential data exfiltration, and command and control communications.

Process Monitoring:

Data capturing the creation and termination of processes, useful for identifying unauthorized or unusual processes running on a system.

Registry:

Monitoring registry modifications and access, particularly in Windows environments, to detect persistence mechanisms and configuration changes.

Sensor Health and Status:

Information about the status and health of security sensors, ensuring they are functioning correctly and have not been tampered with.

User Account:

Data on user account creation, deletion, and modification, which can indicate potential account misuse or compromise.

BIOS:

Information from the Basic Input/Output System (BIOS), useful for detecting low-level tampering and persistence mechanisms.

Email Gateway:

Data from email gateways can help in identifying phishing attempts and malicious email attachments or links.

Firewall:

Logs and alerts from firewalls provide visibility into blocked and allowed traffic, aiding in the detection of unauthorized access attempts.

Host Network Interface:

Data from network interfaces on hosts, which can provide insights into local network traffic and potential lateral movement.

Packet Capture:

Detailed data from packet captures, enabling deep analysis of network traffic for signs of malicious activity.

Cloud Service:

Monitoring and logging data from cloud services, essential for detecting and responding to threats in cloud environments.

DNS:

DNS logs can reveal attempts to resolve malicious domains, indicating potential command and control activities.

Web Proxy:

Data from web proxies helps in monitoring and controlling web traffic, useful for identifying access to malicious websites.

Summary