Skip to content

Upcoming Changes to MITRE ATT&CK Framework's Detection Strategies

Original URL

Introduction

This article summarizes an announcement regarding upcoming breaking changes to the MITRE ATT&CK framework's defensive updates, specifically concerning how detection strategies are handled. These changes, effective October 28th, impact the relationship between data components and techniques, potentially affecting existing security infrastructure and workflows. Security teams need to understand and prepare for these changes to maintain effective threat detection capabilities.

Main Points

Key Changes in the ATT&CK Framework

  • New Log Sources Field: A new field (x_mitre_log_sources) is being introduced on Data Components. This will likely provide more granular and specific information about the data sources relevant to each component.

  • Technique to Detection Strategy Mapping: The relationship between Data Components and Techniques is evolving. Techniques will now map directly to Detection Strategies, streamlining the detection process.

  • Deprecation of Old Fields: Existing integrations that rely on older fields like x_mitre_detection and x_mitre_data_sources will be deprecated. This means systems using these fields will need to be updated to align with the new framework.

To adapt to these changes, security teams should take the following actions:

  • Review Existing Security Infrastructure: Examine dashboards, pipelines, and SIEM/analytics rules that currently reference ATT&CK detection objects. Identify areas that need modification to comply with the updated framework.

  • Download Updated Resources: Obtain the updated schema, STIX objects, and examples directly from MITRE. These resources will provide the necessary technical details to implement the changes effectively.

  • Consult Available Documentation: Review the provided slides and video presentation to gain a comprehensive understanding of how to adapt to the changes.

Conclusion

The upcoming updates to the MITRE ATT&CK framework represent a significant shift in how detection strategies are defined and implemented. By taking proactive steps to review and update their security infrastructure, security teams can ensure they are well-prepared for these changes and maintain their ability to effectively detect and respond to cyber threats. The key is to understand the new mappings, deprecations, and available resources for a smooth transition.