Mapping MITRE ATT&CK to Detection Engineering Sprints

Hypothesis-Driven Alignment

A more effective approach is to use the ATT&CK framework as a living detection hypothesis engine. For each prioritized technique, the team should spawn a detection hypothesis. This hypothesis should include a clear set of success criteria, such as the required signal source, the expected false positive rate, and the target latency for the detection. This hypothesis-driven approach ensures that the detection engineering process is focused, measurable, and aligned with the organization's risk priorities.

Selection Criteria

With hundreds of techniques in the ATT&CK framework, prioritization is key. The selection of which techniques to focus on should be based on a combination of factors. The frequency of the technique in the organization's local threat model is a primary consideration. The impact of the technique on privilege escalation acceleration is another important factor. Finally, the team should consider the existing visibility gap for the technique. By focusing on techniques that are relevant, impactful, and for which there is a clear gap in coverage, the team can ensure that its efforts are having the greatest possible impact on risk reduction. This is a core activity of our Purple Team exercises.

Detection Sprint Structure

To maintain momentum and ensure a steady stream of new detections, the team should adopt a structured sprint process. A two-week iteration is a good starting point. Day one should be focused on hypothesis refinement. Days two through six should be dedicated to telemetry enrichment and the drafting of the analytic. Days seven through nine should be used for validation and false positive tuning. The sprint should conclude on day ten with a retrospective and the promotion of the new detection to production. This structured approach ensures that the team is continuously delivering value and that the detection engineering process is both efficient and effective.

Scoring & Retirement

Not all detections are created equal. To manage the detection portfolio effectively, each detection should be scored based on its fidelity, its maintainability cost, and its contribution to adversary friction. This scoring system provides a basis for prioritizing which detections to improve and which to retire. Low-impact, high-noise analytics should be retired quickly to reduce the burden on the SOC and improve the overall signal-to-noise ratio of the detection system.

Automation & Regression

To guard against the silent drift of detection coverage, it is essential to automate regression testing. This involves replaying atomic or custom simulated events for each technique as part of every CI/CD cycle. This ensures that any changes to the environment or the detection logic itself do not inadvertently break existing detections. This automated approach to regression testing is far more effective than manual testing and is essential for maintaining a high level of detection fidelity over time.

Metrics

To measure the effectiveness of the ATT&CK mapping program, the team should track a set of key metrics. These should include the delta in technique coverage per quarter, the median cycle time for a detection hypothesis, the ratio of new detections to retired detections, and the compression in lateral movement dwell time. These metrics provide a clear, data-driven view of the program's performance and its impact on the organization's ability to detect and respond to threats.

Sources & Further Reading

MITRE ATT&CK (enterprise matrix).

MITRE CTI blog (technique evolution updates).

CISA Known Exploited Vulnerabilities Catalog (technique prioritization input).

Konteks Praktis untuk Organisasi di Indonesia

Topik mitre paling efektif jika diposisikan sebagai program lintas fungsi, bukan hanya proyek tim IT. Tim leadership perlu menetapkan objective yang jelas, misalnya penurunan risk exposure, peningkatan detection quality, dan percepatan decision cycle saat terjadi incident.

Dalam praktik di Indonesia, hambatan umum biasanya ada di konsistensi data, tata kelola akses, dan adopsi proses oleh tim operasional. Karena itu, pendekatan terbaik adalah delivery bertahap dengan milestone yang terukur, sambil menjaga kesinambungan operasi harian.

• Selaraskan scope dengan target bisnis dan compliance sejak awal
• Gunakan baseline metric yang bisa dipantau bulanan (MTTD, MTTR, coverage, quality)
• Pertahankan workflow sederhana agar tim non-teknis tetap bisa mengeksekusi

Roadmap Implementasi 30-60-90 Hari

Model 30-60-90 hari membantu tim menjaga fokus pada outcome, bukan sekadar checklist. Gunakan fase awal untuk baseline dan prioritas risiko, fase tengah untuk implementasi control utama, lalu fase akhir untuk validasi, tuning, dan handover operasional.

• 30 hari: baseline assessment, mapping dependency, dan prioritas quick wins
• 60 hari: implementasi control utama + playbook incident response
• 90 hari: simulation, tuning detection rule, dan KPI review untuk iterasi berikutnya

Kesalahan Umum yang Perlu Dihindari

Banyak program gagal menghasilkan dampak karena terlalu cepat menambah tools tanpa memperkuat governance dan operating model. Fokus utama sebaiknya pada konsistensi eksekusi, kualitas evidence, dan pengambilan keputusan berbasis metric.

• Mengukur sukses dari jumlah tools, bukan penurunan risk yang nyata
• Mengabaikan change management untuk user non-teknis
• Tidak menyiapkan ownership yang jelas untuk sustainment setelah go-live