Using MITRE ATT&CK to Map Detections and Coverage Gaps
Learn how to use ATT&CK as a defender mapping framework to connect observed behavior, detections, and coverage gaps. This module teaches practical technique mapping without turning ATT&CK into checkbox theater.
MITRE ATT&CK exists to document adversary tactics and techniques in a shared knowledge base so defenders can reason about behavior, detections, and gaps using a common language.
Use ATT&CK to improve detection engineering, triage quality, threat hunting hypotheses, and post-incident learning. It is especially useful for showing leadership where coverage exists and where blind spots remain.
After an intrusion, a team maps activity to ATT&CK techniques: phishing for initial access, command execution, credential dumping indicators, remote service use, and exfiltration over web protocols. The map exposes that they had strong email filtering but weak lateral movement detections, which drives the next quarter’s roadmap.
ATT&CK as a Mapping Tool, Not a Checklist
ATT&CK is most useful when it helps answer operational questions: What behavior did we observe? What telemetry supports it? What detections fired or failed? What can we improve next?
It is less useful when teams try to “cover all ATT&CK” without considering their environment, threat model, and available telemetry. Coverage claims should be scoped to your platforms, log quality, and validation evidence.
Expert use of ATT&CK focuses on behavior families and detection logic quality, not just tagging alerts with technique IDs.
How to Map Detections to ATT&CK Properly
Start from actual detections and telemetry. For each alert, identify what behavior it detects, what evidence fields it relies on, and what assumptions it makes. Then map to ATT&CK techniques based on the behavior, not on the product marketing label.
Track confidence and scope: a DNS tunneling heuristic may map to exfiltration-related behavior but only for monitored DNS egress paths. A PowerShell detection may apply only where script block logging or Sysmon is enabled.
Include failure modes in your mapping. A detection that breaks when a field changes or a log source is down is not reliable coverage.
Gap Analysis and Validation (Where ATT&CK Creates Real Value)
Gap analysis should produce decisions: which techniques matter most for your environment, which are currently invisible, and what telemetry or controls would improve coverage fastest. ATT&CK becomes valuable when it drives roadmap and validation planning.
Pair ATT&CK with purple-team or lab testing. Simulate authorized behavior and confirm whether your expected telemetry appears, detections fire, and analysts can triage the result correctly.
Use ATT&CK during post-incident reviews to identify both observed techniques and missed opportunities for detection or containment.
- Select a recent alert, hunt, or incident and collect the underlying evidence.
- Describe the observed behavior plainly before assigning ATT&CK tags.
- Map behavior to ATT&CK tactics/techniques with notes on telemetry dependencies.
- Record whether coverage is preventive, detective, partial, noisy, or absent.
- Prioritize gaps by attack-path relevance and validation feasibility.
- Test or simulate key behaviors in an authorized lab and update mappings based on results.
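The mapping rules above (confidence, telemetry dependencies, failure modes) and the gap-analysis workflow are easier to see on a small mapping sheet. The following is an added example, not code from the module: it extends the page's CSV columns with a hypothetical "depends_on" list of telemetry sources, downgrades any detection whose log source is currently down to "absent", ranks the remaining gaps by attack-path relevance times validation feasibility (both constructed scores), and updates a row's status from an authorized lab test result.

```python
import csv
import io

# Constructed sample mapping sheet (not from the page). It keeps the page's columns
# and adds "depends_on" (telemetry sources, ';'-separated) and "confidence".
MAPPING_CSV = """\
detection,technique,telemetry,depends_on,confidence,status,notes
Suspicious RDP from admin subnet,T1021.001,Firewall+Windows logs,winevt;fw,medium,partial,No east-west Zeek coverage
Encoded PowerShell command line,T1059.001,Sysmon,sysmon,high,detective,Needs script block logging
LSASS handle access,T1003.001,EDR,edr,high,detective,
Mass file read on share,T1005,EDR,edr,low,noisy,Fires on backup jobs
DNS tunneling heuristic,T1048.003,DNS logs,dns,medium,partial,Monitored egress resolvers only
"""
# Constructed log-pipeline health: False means that source is not arriving right now.
TELEMETRY_HEALTH = {"winevt": True, "fw": True, "sysmon": False, "edr": True, "dns": True}
# Constructed scoring inputs per technique, 1 (low) to 5 (high).
PATH_RELEVANCE = {"T1021.001": 5, "T1059.001": 4, "T1003.001": 5, "T1005": 2, "T1048.003": 3}
VALIDATION_FEASIBILITY = {"T1021.001": 5, "T1059.001": 5, "T1003.001": 3, "T1005": 4, "T1048.003": 2}

def load_mapping(text):
    """Parse the mapping sheet into one dict per detection row."""
    return list(csv.DictReader(io.StringIO(text)))

def effective_status(row, health):
    """Coverage only counts while every telemetry source the detection depends on
    is healthy; a detection whose log source is down is 'absent' right now."""
    broken = [d for d in row["depends_on"].split(";") if d and not health.get(d, False)]
    return ("absent", broken) if broken else (row["status"], [])

def gap_backlog(rows, health, relevance, feasibility):
    """Anything that is not healthy preventive/detective coverage is a gap,
    ranked by attack-path relevance times validation feasibility."""
    backlog = []
    for row in rows:
        status, broken = effective_status(row, health)
        if status in ("preventive", "detective"):
            continue  # healthy coverage stays off the backlog
        tech = row["technique"]
        backlog.append({"technique": tech, "detection": row["detection"],
                        "effective_status": status, "broken_telemetry": broken,
                        "priority": relevance.get(tech, 1) * feasibility.get(tech, 1)})
    return sorted(backlog, key=lambda g: (-g["priority"], g["technique"]))

def record_validation(row, telemetry_seen, alert_fired, triaged_correctly):
    """Update a row's status from an authorized lab test: no telemetry -> absent,
    telemetry but no alert -> partial, alert but bad triage -> noisy, else detective."""
    checks = [(telemetry_seen, "absent"), (alert_fired, "partial"), (triaged_correctly, "noisy")]
    row["status"] = next((s for ok, s in checks if not ok), "detective")
    return row["status"]
```

With Sysmon down in the constructed health table, the PowerShell detection drops to "absent" and lands second on the backlog even though the sheet still says "detective"; that is the failure mode the mapping rules above ask you to record.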
These examples are for authorized learning labs and defensive operations. The goal is to teach interpretation and workflow discipline, not blind command copying.
Build a simple ATT&CK mapping table for detections
printf "detection,technique,telemetry,status,notes\nSuspicious RDP from admin subnet,T1021.001,Firewall+Windows logs,partial,No east-west Zeek coverage\n" > attack-mapping.csv
example output
$ column -s, -t < attack-mapping.csv
detection technique telemetry status notes
Suspicious RDP from admin subnet T1021.001 Firewall+Windows logs partial No east-west Zeek coverage
Why it matters: This keeps ATT&CK grounded in actual detections, evidence, and coverage status. That is how you turn ATT&CK into engineering work instead of slideware.
Find partial or missing coverage entries
awk -F, 'NR>1 && ($4=="partial" || $4=="missing" || $4=="absent") {print $0}' attack-mapping.csv
example output
Suspicious RDP from admin subnet,T1021.001,Firewall+Windows logs,partial,No east-west Zeek coverage
Why it matters: Gap hunting is the practical value. Teams improve faster when they maintain an explicit list of partial and missing coverage tied to real workflows.
Common Mistakes
- Tagging alerts with ATT&CK IDs without checking what behavior is actually detected.
- Claiming broad coverage without documenting telemetry dependencies and blind spots.
- Using ATT&CK as a reporting exercise rather than a validation and improvement tool.
- Ignoring analyst triage quality while focusing only on signature count.
Deliverables
- A detection-to-ATT&CK mapping sheet with confidence and dependencies
- A prioritized coverage gap backlog tied to real attack paths
- A validation plan for technique-focused detection testing