@timb_machine One day when we read links like https://br0k3nlab.com/resources/axioms-of-security-and-rule-based-capabilities/ people will have read the #OpenTide white paper and realized how it changes the conversation about #detectioncoverage but this day was not today.
Axioms of Security and Rule-Based Capabilities

1. Security efficacy has diminishing value, at some point, as rule quantity grows.
2. Rule count is not an absolute measure of successful coverage.
3. Coverage is not an absolute measure of security.
4. Alert count has an inverse relationship with their manageability.
5. Threats are not static.
6. Security posture is temporal and so only instantaneously representative.

Despite the promising title of this blog post by John Vester, 'Why the MITRE ATT&CK Framework Actually Works', it's a load of crock.

You can't and shouldn't use MITRE #ATT&CK to prove any sort of detection coverage or 'strong points'. At best, you can prove total absence in certain subtechniques.

If you want to do any sort of data driven #detectioncoverage you need #OpenTide -> there's no way around it.

https://levelup.gitconnected.com/why-the-mitre-att-ck-framework-actually-works-29ac26d2d20c

ATT&CK is still ♥️ 😍 tho.

#SOC #blueteam #detectionEngineering
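To make the point in the post concrete, here is an added example (not code from the post, from OpenTide, or from any real rule set) that maps a constructed set of Sigma-style detection rules onto a reviewed list of ATT&CK sub-technique IDs. The rule names, tags and the reviewed list are assumptions; the sub-technique IDs are real ATT&CK identifiers used only as labels. The only thing the report asserts with confidence is absence (a reviewed sub-technique with zero rules); rule counts per sub-technique are reported separately and deliberately not labelled "covered".

```python
import re
from collections import Counter

# Constructed sample rules (assumption, not a real rule set): each has a name and
# Sigma-style tags. Only tags of the form attack.tNNNN or attack.tNNNN.NNN are
# treated as technique mappings; tactic tags such as attack.execution are ignored.
RULES = [
    {"name": "ps_encoded_command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"name": "ps_download_cradle", "tags": ["attack.t1059.001"]},
    {"name": "ps_suspicious_module", "tags": ["attack.t1059.001"]},
    {"name": "lsass_handle_access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"name": "schtask_create_system", "tags": ["attack.t1053.005"]},
]

# Sub-techniques the team chose to review (constructed list of real ATT&CK IDs).
REVIEWED = {"T1059.001", "T1003.001", "T1053.005", "T1566.001"}

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(rule):
    """Return the normalised ATT&CK technique/sub-technique IDs tagged on a rule."""
    ids = []
    for tag in rule.get("tags", []):
        m = TECH_TAG.match(tag)
        if m:
            ids.append(m.group(1).upper())
    return ids


def coverage_report(rules, reviewed):
    """Map rules to sub-techniques and separate what can be proven from what cannot.

    'absent'      : reviewed sub-techniques with no mapped rule at all. This is the
                    one statement the mapping supports: there is provably nothing.
    'rule_counts' : number of rules per mapped sub-technique. A count of three
                    PowerShell rules says nothing about how much PowerShell abuse
                    they would actually catch, so this is NOT a coverage score.
    'mapped'      : reviewed sub-techniques with at least one rule, listed as
                    'has rules', not 'covered'.
    """
    counts = Counter()
    for rule in rules:
        for tid in technique_ids(rule):
            counts[tid] += 1
    absent = {t for t in reviewed if counts[t] == 0}
    mapped = {t for t in reviewed if counts[t] > 0}
    return {
        "absent": absent,
        "mapped": mapped,
        "rule_counts": dict(counts),
    }


if __name__ == "__main__":
    report = coverage_report(RULES, REVIEWED)
    print("Provably no detection for:", sorted(report["absent"]))
    print("Sub-techniques with at least one rule (not 'covered'):", sorted(report["mapped"]))
    for tid, n in sorted(report["rule_counts"].items()):
        print(f"  {tid}: {n} rule(s) mapped")
```

Run stand-alone, the report flags T1566.001 as the only reviewed sub-technique with provably no rule, while the three rules stacked on T1059.001 show up only as a count. Treating that count as "strong coverage" is exactly the mistake the post objects to.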
