Improve ATT&CK Coverage

Open ikiril01 opened this issue 4 years ago • 0 comments

Right now our ATT&CK Coverage is purely based on how well an analytic covers an entire Tactic/Technique pair. This is useful to get a general sense of how applicable an analytic is, but has its limitations:

  1. For analytics that may have multiple implementations, it doesn't say anything about the level of coverage of each implementation.
  2. Analytics may be brittle, in the sense that it's easy for an adversary to evade them. We should try to take this into account, either as a sub-component of coverage or as a separate section.
  3. With ATT&CK sub-techniques on the horizon, we'll want to think about re-architecting coverage around sub-techniques for better accuracy.

ikiril01, Sep 18 '19 14:09