Which attacks can you actually catch? MITRE ATT&CK is the shared map of adversary techniques — use it to measure detection coverage and find your blind spots.
Why: MITRE ATT&CK is a curated knowledge base of real adversary tactics (the "why") and techniques (the "how") — so it gives defenders a common vocabulary to describe, measure, and communicate about attacks. When: tag every detection with the technique it catches. Where: tactics are the goals (initial access, persistence, exfiltration); techniques are the specific methods within each.
TACTICS (the adversary's goals, left to right):
Initial Access -> Execution -> Persistence -> Priv. Esc -> Defense
Evasion -> Credential Access -> Discovery -> Lateral Movement ->
Collection -> Command & Control -> Exfiltration -> Impact
TECHNIQUES (how): e.g. T1110 Brute Force, T1059 Command/Scripting,
T1078 Valid Accounts, T1071 Application-Layer C2
One shared map for red, blue, and threat intel to talk about attacks.Why: tagging detections with ATT&CK techniques lets you build a coverage map — which techniques you can detect and which you are blind to — turning "are we secure?" into a concrete gap analysis. When: map current detections onto the ATT&CK matrix and target the gaps that matter for your threats. Where: the ATT&CK Navigator visualizes this heatmap of covered vs. uncovered techniques.
Coverage map (technique -> do we detect it?):
T1110 Brute Force [x] covered (auth-failure rule)
T1059 Command/Scripting [x] covered (process + cmdline logging)
T1078 Valid Accounts [~] partial (need impossible-travel logic)
T1071 App-Layer C2 [ ] GAP -> no network/DNS beaconing detection
Prioritize gaps by the techniques YOUR likely adversaries actually use.Why: you cannot detect everything, so you prioritize coverage by the techniques your actual adversaries use — informed by threat intelligence about who targets your sector. When: use threat intel to weight which ATT&CK techniques to cover first. Where: this connects detection engineering to threat intelligence and to the hunting in the next lesson.
Don't try to cover all 200+ techniques at once. Prioritize:
1. techniques used by adversaries known to target your industry
(threat intelligence / ATT&CK "Groups")
2. techniques with high impact + high likelihood in your environment
3. quick wins where you already have the data, just no rule yet
Coverage is a roadmap, not a checkbox. Drive it with real threat intel.