Security Operations Centers: Use Case Best Practices, Coverage, and Gap Analysis Based on MITRE Adversarial Tactics, Techniques, and Common Knowledge

by Samir Achraf Chamkar, Yassine Maleh * and Noreddine Gherabi
LaSTI Laboratory, ENSA Khouribga, Sultan Moulay Slimane University, Beni Mellal 23000, Morocco
* Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2024, 4(4), 777-793; https://doi.org/10.3390/jcp4040036
Submission received: 2 September 2024 / Revised: 13 September 2024 / Accepted: 23 September 2024 / Published: 25 September 2024
(This article belongs to the Special Issue Cybersecurity Risk Prediction, Assessment and Management)

Abstract
The rising frequency and complexity of cybersecurity threats necessitate robust monitoring and rapid response capabilities to safeguard digital assets effectively. As a result, many organizations are increasingly establishing Security Operations Centers (SOCs) to actively detect and respond to cybersecurity incidents. This paper addresses the intricate process of setting up a SOC, emphasizing the need for careful planning, substantial resources, and a strategic approach. This study outlines the essential steps involved in defining the SOC’s objectives and scope, selecting appropriate technologies, recruiting skilled cybersecurity professionals, and developing processes throughout the SOC lifecycle. This paper aims to provide a comprehensive understanding of the SOC’s threat detection capabilities and use cases. It also highlights the importance of choosing technologies that integrate seamlessly with existing IT infrastructure to ensure broad coverage of SOC activities. Furthermore, this study offers actionable insights for organizations looking to enhance their SOC capabilities, including a technical overview of SOC use case coverage and a gap assessment of detection rules. This assessment is based on an alignment with the MITRE ATT&CK framework and an analysis of events generated by the company’s existing IT devices and products. The findings from this research elucidate the indispensable role that SOCs play in bolstering organizational cybersecurity and resilience.

1. Introduction

Security Operations Centers (SOCs) continue to capture the attention of researchers, with widespread adoption by companies for real-time detection and response to cyber-attacks. A SOC can be defined as the integration of human resources, processes, and technologies aimed at helping businesses maintain cyber situational awareness, address compliance issues, and manage threats effectively [1,2].
SOCs vary in scale and scope, from small, internally managed setups to large operations staffed by numerous analysts working around the clock. Most SOCs operate as managed services, because establishing and maintaining an in-house SOC can be prohibitively expensive. Organizations that cannot afford their own SOC often rely on third-party service providers or managed security service providers (MSSPs) to deliver SOC services. Businesses adopt the SOC model that fits their specific needs and resources, and various SOC categories have been defined to address the distinct security requirements of customers and information systems [3].
Previous studies on SOCs indicate that people, processes, and technology are central to a SOC, and its success depends on these socio-technical systems [4].
A properly implemented SOC provides the resources to detect threats actively and proactively and to conduct investigations. The aim is a coordinated SOC team equipped with the right toolset to support analysts and incident responders, together with clear processes and documentation covering the whole SOC scope [5].
Great toolsets are of little use if the people operating them lack the skills to use them effectively [6]; equally, hiring smart people without giving them the tools their skills require produces a SOC that is just as ineffective.
Our previous studies examined SOC challenges and capabilities through a survey-based approach, focusing on the human factor as the backbone of the SOC [7,8]. We also conducted a performance metrics assessment and proposed an improvement model that accounts for all the factors affecting those metrics [9]. However, assuming that the SOC can be decomposed and then focusing solely on the SOC analyst as the weakest link is unrealistic, given the complex and evolving nature of SOC systems.
When the technology factor inside the SOC is targeted, much of the available documentation is inherently commercial: it aims to inform potential customers about SIEM products and persuade them to purchase, and some research papers or reports may be sponsored by commercial entities, which can bias the content toward particular technologies or services [10].
In this work, we shed light on the technical aspects of the SOC and focus on SIEM deployment and its integration with the existing device products, in order to guarantee an acceptable security coverage threshold based on the achievable use case coverage.
The integration of data sources into the Security Information and Event Management (SIEM) system and the implementation of use cases are crucial for enhancing cybersecurity operations and response mechanisms. By integrating a wide range of log sources into the SIEM and implementing well-designed use cases, SOCs can significantly enhance their ability to detect and respond to cybersecurity threats in a timely and effective manner.
In the context of Security Operations Centers (SOCs), the MITRE ATT&CK framework serves as a critical tool for enhancing threat intelligence, security monitoring, incident response, and defensive strategies. It enables SOC teams to better understand threat actor behaviors, map out attack patterns, and prioritize their defensive measures based on tactics and techniques [11].
This paper seeks to thoroughly explore how organizations can gain a comprehensive understanding of the threat detection capabilities of their SOC and its use cases, as well as identify and address potential knowledge gaps. The objective is to provide actionable insights that organizations can leverage to enhance their security use cases.
A good mapping of the existing IT infrastructure to MITRE ATT&CK will provide better quantitative value to examine how many different detection rules and attack vectors can be detected, and it can also be used to conduct a gap analysis for assessment and improvement. Hence, we ask the following questions in that respect:
  • What are the components of a SOC, and how is the SIEM deployed in practice?
  • What is a SOC use case, and what are the best practices and steps for its implementation?
  • What challenges arise during the use case engineering phase?
  • How does MITRE ATT&CK contribute to the SOC and to use case incident detection and response?
  • How can MITRE ATT&CK be adapted to the existing company infrastructure for better coverage and for a coverage gap analysis from a technical perspective?
The first part of this paper introduces the reader to the topic and the research problem related to the SOC and SOC use case coverage, and the second part provides more context about the research methods and goals. The third section introduces the theoretical background and explains why the artifacts are created, and the fourth section illustrates how the artifacts are designed and implemented and how the gap analysis is conducted by mapping the MITRE ATT&CK matrix to the existing device products. Finally, the conclusions and directions for future research are given.

2. Background

2.1. Security Operations Center

Security Operations Centers (SOCs) play a crucial role in protecting information systems. Their main mission is to continuously monitor security activities, detect potential threats, analyze incidents, and classify them in terms of severity and impact. The SOC team is responsible for taking appropriate measures to respond to confirmed security incidents and minimize their duration and impact on the organization’s daily operations. In addition to monitoring and detecting threats, the SOC also assumes significant operational responsibilities. This can include managing security devices, such as hardening operating systems to enhance their security, managing access rights to resources, as well as managing patches and security updates. In close collaboration with IT services, the SOC aims to reduce the duration and impact of security incidents that exploit, disrupt, prevent, degrade, or destroy systems dedicated to usual and standard operations. This objective is achieved through effective monitoring and end-to-end incident tracking [1]. It is common for individuals to mistakenly equate SOCs with Security Information and Event Management (SIEM), which is primarily concerned with the management and correlation of logs collected from various sources, offering real-time oversight of an organization’s information security systems [12].
The main mission of SOCs is to ensure the security and integrity of data by identifying any suspicious activities, abnormal behaviors, or attempted breaches within the organization’s IT infrastructure. To accomplish this, SOC teams utilize a combination of advanced technologies, well-defined processes, and deep security expertise to analyze events and alerts, assess potential threats, and take appropriate corrective actions. Figure 1 shows an example of the SOC components.
The Security Operations Center (SOC) is underpinned by three fundamental components:
  • People:
Cybersecurity experts form a critical element of the SOC structure. Their responsibilities encompass the monitoring, detection, and rigorous analysis of security events, ensuring that potential threats are identified and mitigated promptly [2].
  • Processes:
The processes are clearly defined and documented steps that guide the operations of the SOC. They include managing security incidents, detecting and analyzing threats, responding to incidents, remediation, and recovery after an incident. These processes ensure a methodical and consistent approach to managing security events. They are designed to optimize the SOC’s effectiveness and responsiveness to threats. Examples of critical processes within a SOC include the cyber incident management playbook; procedures for incident response; operational guidelines or knowledge articles; processes for managing personnel changes, such as new hires, transfers, and departures; policies for SOC access control; and standard security operational procedures [13].
  • Technology:
To effectively monitor and analyze security events, the SOC employs an array of advanced tools and technologies. Central to these is the Security Information and Event Management (SIEM) system, which integrates capabilities to collect, aggregate, and correlate security data from diverse sources, providing a comprehensive and coherent security landscape, as shown in Figure 2. This technological infrastructure is crucial in enabling real-time insights and fostering a proactive security posture within the organization [14].
The SOC can be an internal entity or an outsourced service; outsourcing lets the organization focus on its core activity and avoid the heavy lifting of recruiting and retaining the skilled resources needed to manage and monitor security, and a supplier organization is typically far better placed to run and maintain a SOC service. The client organization remains responsible for security incident management, escalation, and decision-making as the overarching risk owner. Most client organizations work from 9 a.m. to 5 p.m. and therefore prefer to leverage the 24 × 7 SOC service operated by supplier organizations, which many client organizations believe offers cost savings and efficient use of human resources [15]. SOCs can adopt various architectures and organizational structures, which vary according to the organization’s specific needs, size, complexity, and cybersecurity objectives. Understanding these different approaches is crucial to designing an effective SOC tailored to the needs of the organization. Table 1 shows different SOC architectures and organizational structures.

2.2. MITRE ATT&CK Matrix for Enterprise

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is an open framework, developed by the MITRE Corporation, for establishing cybersecurity detection and response programs; it has facilitated the codification and standardization of knowledge for defenders. The creation of Atomic Red Team, an open-source test library, has put the concepts of the MITRE ATT&CK® framework into practice, allowing organizations to test their defenses quickly, portably, and reproducibly [16,17].
MITRE ATT&CK matrices are widely used by IT and security professionals, including red teamers, risk managers, and SOC analysts, for threat hunting and modeling and improving detection capabilities [18].
Our primary concern is the Enterprise Matrix and its 14 tactics, each representing an adversary’s tactical objective, as shown in Table 2.

3. Related Work

Although the relevance of SOC use case coverage and visibility for security planning and protection is widely recognized, research indicates that many organizations experience significant gaps in detection coverage [6]. According to a recent study by a pioneering firm in the threat coverage arena, these gaps often arise from issues such as log source configuration errors, malfunctioning log collectors, a lack of comprehensive rules, erroneous rules, and excessively noisy rules, which collectively degrade the security posture of the typical organization. Another study underscores the necessity for SOC teams to continually refine their methodologies to keep pace with rapidly evolving adversarial tactics, as highlighted by the continuous updates to the ATT&CK framework [19]. This framework assists SOC teams in prioritizing critical areas of focus and identifying vulnerabilities within security infrastructures. The ATT&CK model, with its detailed breakdown of techniques, tactics, and procedures, serves as a crucial tool for prioritizing threat mitigation and identifying security deficiencies.
The Cybersecurity and Infrastructure Security Agency (CISA) offers guidance that aids analysts in precisely and consistently mapping adversary behaviors to applicable ATT&CK techniques within cyber threat intelligence (CTI) operations [20]. Successful implementation of ATT&CK is expected to yield precise and consistent mappings that contribute to the development of adversary profiles, the analysis of activity trends, and the enhancement of detection, response, and mitigation strategies [21].
Furthermore, other scholarly contributions utilize the MITRE ATT&CK framework for threat modeling and simulating adversary behaviors [22], generating a suite of visualizations based on the Common Attack Pattern Enumeration and Classification (CAPEC) [23] and the Common Vulnerabilities and Exposures (CVE) standards [24]. These visualizations directly link to enterprise mitigation strategies endorsed by the MITRE ATT&CK framework, emphasizing a strategic synthesis of vulnerability management, threat modeling, and the application of compensating controls. This integrative approach, as proposed by MITRE, establishes a critical linkage between identifying vulnerabilities, modeling potential threats, and implementing effective security controls.
The detection coverage gap at many organizations is large for many reasons, as suggested by [25], which explains that much more is involved in obtaining, and especially keeping, a detection coverage map current, and which raises questions on how to systematically approach detection coverage in the SOC with regard to data collection, processing, and rule configuration alongside threat assessment.
Other works mapped Windows event IDs to MITRE ATT&CK techniques to provide visibility on coverage based on the events gathered from Windows log sources, such as [26], but they do not cover the full coverage map across other technologies. In his report [27], Jarkko Kinnunen conducted a detection gap analysis based on MITRE ATT&CK and the security products on the existing IT infrastructure, using reports and documentation of the solutions’ capabilities from their official websites. That study considered only the security solutions in its model and did not cover every log source on the existing IT infrastructure, nor did it use low-level mapping based on patterns and the event IDs generated by the log sources.
Recent studies have explored the integration of SIEM tools with the MITRE ATT&CK framework to enhance SOC operations. Xiong et al. [28] highlighted how aligning SIEM detection rules with MITRE ATT&CK tactics and techniques significantly improves threat detection. By mapping event logs to specific ATT&CK techniques such as Credential Dumping (T1003), SIEM systems like Elastic SIEM and IBM QRadar enhance SOCs’ ability to identify and respond to advanced threats in real time. This integration also aids in automating detection workflows, reducing response times, and increasing overall SOC efficiency.
Similarly, Muniz et al. [29] examined the evolution of SOC models, particularly focusing on cloud-based SOCs that leverage ATT&CK to monitor multi-cloud environments. They emphasize the role of cloud-native SIEMs, such as AWS Security Hub, which integrates with the ATT&CK framework to offer scalable threat detection solutions. The shift toward virtual SOCs (vSOC) has been particularly beneficial for smaller organizations, allowing them to benefit from advanced ATT&CK-based detection capabilities without the cost of an in-house SOC.

4. Research Methodology

In our research, we employ the MITRE ATT&CK framework, which is renowned for its comprehensive demonstration and documentation of threat detection capabilities [30]. This framework is instrumental in assessing the efficacy of security tools, identifying defensive shortcomings, and organizing detection and threat-hunting efforts.
Additionally, we utilize the Design Science Research Methodology for Information Systems Research. This approach focuses on the creation of artifacts designed to address practical problems of broad relevance. It emphasizes generating artifacts that are not only theoretically sound but also practically applicable, thereby contributing to both new and existing knowledge.
The evaluation of these artifacts is a crucial component of our research, aimed at determining their effectiveness in addressing the identified research issues and fulfilling the predefined requirements. Furthermore, the evaluation process is designed to uncover additional research opportunities, potentially leading to enhancements in both methodology and application [31]. The structure of this work follows Figure 3 below.
To answer the research questions, two new artifacts are developed:
  • Detection capability artifacts, designed and created from the existing IT infrastructure, the events generated by the device products, and their scope;
  • A mapping of the device products and their generated events to MITRE ATT&CK, providing a gap analysis map that reveals the weaknesses of the detection capabilities.
The current work supports the effort to identify missing SOC use case detection capabilities, measure current use case coverage against adversary capabilities, and determine which parts of the monitored environment lack defenses or threat detection visibility. Matching the events and raw data generated by the log sources on the existing IT infrastructure with the MITRE ATT&CK matrix provides an accurate mapping that can be reimplemented and reused by other SOCs to build the same detection scenarios.
To ensure the accuracy of the artifacts and results, we use the following sources of information:
  • Documentation of events from the device vendors and products on the existing IT infrastructure;
  • Adversary emulation, red teaming, and penetration testing;
  • MITRE ATT&CK matrix and the Atomic Red Team platform.
Our SOC use case gap analysis model provides more visibility on SOC coverage from a technical perspective and enables SOC analysts and managers, as well as the academic community, to gain a better understanding of SOC use cases and their implementation based on the data generated by the log sources. Moreover, it supports the effort to measure use case coverage and contributes to the improvement of detection capabilities.

5. Results and Use Case

5.1. IT Infrastructure Onboarding to the SIEM

The main task of SIEM is to collect, normalize, aggregate, and analyze event logs and data from all the data and log sources within the organization in combination with the threat intelligence sources [32]. The SIEM gathers the logs from all the IT infrastructure, including security systems, operating systems, databases, and network infrastructure, to provide full visibility on the logs and security events in near-real time and combine it with contextual information about users, assets, threats, and vulnerabilities to enable security analysts to detect, investigate, and respond to cybersecurity threats in real time, as well as to comply with regulatory requirements by storing and analyzing log data.
Implementing a SIEM solution involves more than a straightforward installation; it must be carefully tailored to the specific context and needs of each organization. The optimal SIEM deployment strategy for one organization may be entirely unsuitable for another, as factors such as industry, company size, geographical location, and other unique characteristics significantly influence deployment decisions. Each organization possesses its own distinct information system and architecture. For instance, some companies are geographically dispersed, necessitating highly available services, and they may generate vast amounts of logs in diverse formats. A one-size-fits-all approach is therefore not feasible, and the SIEM solution must be customized to the particular requirements and operational environment of the organization. That is why a preparation phase is mandatory to identify the organizational requirements, the specific needs the SOC is intended to address, the objectives, and the available resources before selecting the target model. In general, once the scope is understood and the specific security requirements and compliance standards the SIEM must address are determined, together with the architecture design and asset prioritization, log source integration takes place to feed the SIEM engine with event logs. It follows this order:
  • Data Collection: The SIEM collects logs from every device in the organization’s IT environment that can generate them, using agent-based and agentless methods; technologies the SIEM does not support natively are handled by adapting their raw log data. Since companies do not share the same architecture, technologies, and device products, the target model is expected to provide the maximum coverage that fills the technology gap;
  • Normalization: The collected data come in various formats, and not all of them are supported by the SIEM by default, as each SIEM solution has a scope of supported technologies; log sources outside that scope need additional normalization to extract the relevant information and make it easier to analyze and correlate events across different sources;
  • Aggregation and Storage: After normalization, the SIEM aggregates the data and stores it in a centralized database to facilitate streamlined log analysis, correlation, and historical investigation;
  • Alerting and Reporting: When the SIEM identifies a potential security threat, it generates alerts to notify security analysts. These alerts are prioritized based on the severity of the detected event. SIEM solutions also provide reporting capabilities to support compliance and auditing requirements, as well as to offer insights into the security posture of the organization;
  • Forensics and Incident Response: In the event of a security incident, SIEM systems provide detailed forensic data that helps analysts understand the attack’s scope and impact. This information is crucial for effective incident response and remediation efforts;
  • Integration with Other Security Tools: Many SIEM systems can integrate with other security tools, such as threat intelligence platforms and automated response solutions, to enhance threat detection capabilities and streamline the incident response process.
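As an added illustration of the collection, normalization, and aggregation steps listed above (example code written for this edit, not the paper’s or any vendor’s code), the following Python script normalizes three constructed log lines into one common schema: a Windows Security event exported as JSON, an iptables-style firewall line received over syslog, and a line from a product the SIEM has no parser for. The parsers, field names, and sample lines are assumptions for the example. A line that matches no parser is kept as raw instead of being dropped, which is how the normalization gap described under “Normalization” becomes measurable rather than silent.

```python
import json
import re
from collections import Counter

# Constructed sample lines for this example (not taken from the paper).
SAMPLE_LINES = [
    '{"EventID": 4625, "TimeCreated": "2024-06-01T08:15:02Z", "TargetUserName": "jdoe", '
    '"IpAddress": "10.0.0.5", "Computer": "DC01", "LogonType": 3}',
    "Jun  1 08:15:03 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=445",
    "2024-06-01 08:15:04 vendorX appliance event=unknown code=9912",
]

# Common schema every parser must fill; fields a source cannot supply stay None.
SCHEMA = ("ts", "product", "event_type", "src_ip", "dst_ip", "user", "host", "action")

WIN_LOGON_ACTION = {4624: "success", 4625: "failure"}
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_windows_json(line):
    """Windows Security event in JSON form -> common schema, or None if not this format."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "EventID" not in rec:
        return None
    return {
        "ts": rec.get("TimeCreated"),
        "product": "windows_security",
        "event_type": f"win:{rec['EventID']}",
        "src_ip": rec.get("IpAddress"),
        "dst_ip": None,
        "user": rec.get("TargetUserName"),
        "host": rec.get("Computer"),
        "action": WIN_LOGON_ACTION.get(rec["EventID"]),
    }


FW_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"kernel: (?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dport>\d+)"
)


def parse_fw_syslog(line):
    """iptables-style firewall line over BSD syslog -> common schema, or None if not this format."""
    m = FW_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the year is assumed to be 2024 for the constructed sample.
    ts = f"2024-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}T{m['time']}Z"
    return {
        "ts": ts,
        "product": "firewall",
        "event_type": f"fw:{m['action'].lower()}:{m['dport']}",
        "src_ip": m["src"],
        "dst_ip": m["dst"],
        "user": None,
        "host": m["host"],
        "action": m["action"].lower(),
    }


PARSERS = (parse_windows_json, parse_fw_syslog)


def normalize(line):
    """Try each supported parser; unknown formats are kept raw so they are not silently lost."""
    for parser in PARSERS:
        rec = parser(line)
        if rec is not None:
            missing = set(SCHEMA) - set(rec)
            if missing:
                raise ValueError(f"{parser.__name__} omitted schema fields {missing}")
            return rec
    return {**dict.fromkeys(SCHEMA), "product": "unparsed", "event_type": "raw", "raw": line}


def aggregate(lines):
    """Count normalized events per (product, event_type): the SIEM's aggregation step."""
    return Counter((r["product"], r["event_type"]) for r in map(normalize, lines))


def unparsed(lines):
    """Lines that reached the SIEM but matched no parser: a normalization gap to close."""
    return [r["raw"] for r in map(normalize, lines) if r["product"] == "unparsed"]


if __name__ == "__main__":
    for rec in map(normalize, SAMPLE_LINES):
        print(rec)
    print(aggregate(SAMPLE_LINES))
    print("unparsed:", unparsed(SAMPLE_LINES))
```

The `unparsed` list is the operational check a SOC engineer wants after onboarding a new source: a non-empty list means events are arriving but no rule can ever match them, which is one of the “lack of visibility” root causes discussed later in this paper.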

5.2. SOC Use Case Lifecycle—Implementation and Challenges

Defining and setting up SIEM use cases is one of the main success indicators of the SOC, as use cases are the backbone that supports analysts and threat modeling goals, converting business threats into technical detection rules that match possible threats and raise an alert to the SOC. As shown in Figure 4, the three major components of a use case are as follows:
  • Rules, which detect and trigger alerts based on targeted events;
  • Logic, which defines how events or rules will be considered;
  • Action, which determines what action is required when the logic or conditions are met.
These rules can be static, based on specific conditions, or dynamic, adapting to changing behaviors and patterns over time. However, implementing and managing a SOC use case comes with several challenges, as explained in the literature and revealed in our survey-based study alongside the SOC experts’ notes. These challenges can be categorized into various aspects, including technology, processes, human factors, and metrics for evaluation.
The use case lifecycle is managed inside the SOC by the use case factory, ensuring the engineering and the follow-up of the use cases from the threat and risk identification to the technical implementation and maintenance. Figure 5 shows a SOC use case implementation.
The use case lifecycle has several stages, which can be summarized as follows:
  • Focus on business threats and risks with financial, reputational, and data impact on the company, and prove that the use case adds value and solves a problem related to the identified threats and attack scenarios;
  • Once the goal is known, design and engineer the use case, which consists of identifying the data sources and the use case logic;
  • Test the defined logic and baseline; based on the test results, tune and continuously optimize the use case to reduce noise and ensure it matches the right patterns and attacks;
  • Monitor performance and continue optimizing once the use case is in production.
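The following Python example, added for this edit and not taken from the paper, implements one use case end to end with the three components of Figure 4 kept separate: rules that select the targeted events, logic that combines them, and an action that produces the alert. The scenario, a burst of failed logons from one source followed by a successful logon for the same account, is mapped to ATT&CK technique T1110 (Brute Force). The events, field names, threshold, and window are constructed assumptions; the `threshold` and `window_seconds` parameters are the tuning knobs referred to in the testing step above, and the last lines show how changing them changes what fires.

```python
from datetime import datetime

# Constructed, already-normalized logon events for this example (not the paper's data).
# 10.0.0.5 fails six times for jdoe and then succeeds; 10.0.0.9 fails twice for asmith
# and then succeeds, which is ordinary user behaviour rather than an attack.
def _ev(ts, event_id, user, src_ip, host="DC01"):
    return {"ts": ts, "event_type": f"win:{event_id}", "user": user, "src_ip": src_ip, "host": host}


EVENTS = [
    *[_ev(f"2024-06-01T08:15:{s:02d}Z", 4625, "jdoe", "10.0.0.5") for s in (0, 10, 20, 30, 40, 50)],
    _ev("2024-06-01T08:16:00Z", 4624, "jdoe", "10.0.0.5"),
    _ev("2024-06-01T08:20:00Z", 4625, "asmith", "10.0.0.9"),
    _ev("2024-06-01T08:20:05Z", 4625, "asmith", "10.0.0.9"),
    _ev("2024-06-01T08:20:10Z", 4624, "asmith", "10.0.0.9"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))


# 1. Rules: the targeted events this use case reacts to (Windows 4625 = failed, 4624 = successful logon).
def rule_failed_logon(ev):
    return ev["event_type"] == "win:4625"


def rule_successful_logon(ev):
    return ev["event_type"] == "win:4624"


# 2. Logic: how matched events are combined. threshold and window_seconds are the tuning knobs.
def logic_bruteforce_then_success(events, threshold=5, window_seconds=300):
    failures = {}  # src_ip -> timestamps of failed logons seen so far
    hits = []
    for ev in sorted(events, key=_ts):
        src = ev["src_ip"]
        if rule_failed_logon(ev):
            failures.setdefault(src, []).append(_ts(ev))
        elif rule_successful_logon(ev):
            now = _ts(ev)
            recent = [t for t in failures.get(src, []) if (now - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                hits.append({"src_ip": src, "user": ev["user"], "host": ev["host"],
                             "failures": len(recent), "success_ts": ev["ts"]})
                failures[src] = []  # one alert per burst, not one per every later success
    return hits


# 3. Action: what the SOC receives when the logic fires.
def action_raise_alert(hit):
    return {
        "use_case": "Brute force followed by successful logon",
        "severity": "high",
        "attack_techniques": ["T1110"],  # ATT&CK Enterprise: Brute Force
        "recommended": "isolate source, reset the account, review logons on the host",
        **hit,
    }


def run_use_case(events, threshold=5, window_seconds=300):
    return [action_raise_alert(h) for h in logic_bruteforce_then_success(events, threshold, window_seconds)]


if __name__ == "__main__":
    for alert in run_use_case(EVENTS):
        print(alert)
    # Tuning checks: a shorter window suppresses the alert, a lower threshold adds a false positive.
    print(len(run_use_case(EVENTS, window_seconds=30)), "alerts with a 30 s window")
    print(len(run_use_case(EVENTS, threshold=2)), "alerts with threshold=2 (asmith now fires)")
```

Keeping the rule, logic, and action functions separate is what makes the tuning step measurable: the same constructed event set can be replayed against each candidate threshold and window, and the count of alerts on known-benign traffic (the asmith logons) is the noise figure to drive down before the use case goes into production.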

5.2.1. Use Cases Implementation Challenges

Technology Challenges

  • Integration Complexity: The onboarding and integration of log sources, along with the harmonization of diverse technologies with the SIEM, represent significant challenges in the lifecycle of use cases. While some technologies may integrate seamlessly within the SOC environment, others demand thorough preparation. This phase requires a clear definition of specific needs and objectives, as well as the careful allocation of resources to ensure successful integration [33];
  • Lack of Visibility: Insufficient visibility and blind spots within the network pose significant challenges for SOC operations and the implementation of SOC use cases. This lack of visibility often stems from one or more of the following root causes:
    Gaps in the deployment of device products and security solutions in certain areas of the network;
    Existing device products are not onboarded;
    The logging standards are poorly defined and inconsistently enforced across log sources, requiring a thorough evaluation and improvement;
    Events generated by the device product are not being correctly processed by one of the SIEM components.
  • Data Overload: SOCs often deal with a massive volume of data, which may generate a lot of alerts if the use case logic is poorly defined or not finely tuned. This data overload can hinder analysts’ ability to prioritize and investigate alerts effectively, increasing the risk of missing critical threats (true positives). The goal is to acquire the minimal amount of correct data needed to achieve the objectives rather than as much random data as possible [34].

Process Challenges

  • Lack of Standardization: The absence of standardized processes and playbooks for incident response can lead to inconsistent handling of incidents, reducing the overall effectiveness of the Security Operations Center (SOC). Implementing a standardized use case process ensures that security measures are aligned with a well-defined understanding of potential threats. This approach not only promotes consistency but also allows for continuous refinement to address the evolving nature of cyber risks effectively;
  • Adaptation to Evolving Threats: Cyber threats are continually evolving, requiring SOCs to constantly update their processes and tactics to keep pace. The use cases need to be regularly reviewed and updated based on new threats, vulnerabilities, and lessons learned from past incidents. This ensures that the SOC remains adaptive and responsive to the evolving threat landscape;
  • Collaboration and Communication: Achieving effective communication and collaboration within the SOC team, as well as with other organizational units, poses a significant challenge. This challenge can impact the implementation and tracking of the efficiency of use cases. Ensuring seamless interaction across teams is crucial for the successful deployment of security measures and the continuous monitoring and improvement of their effectiveness.

Human Factor Challenges

  • Skills Shortage: There is a well-documented shortage of skilled cybersecurity professionals, making it difficult to staff SOCs with experienced analysts. This gap in expertise can hinder the SOC’s ability to effectively detect, respond to, and mitigate security threats;
  • Training and Knowledge Sharing: Ensuring that SOC analysts remain up to date with the latest cybersecurity threats, tactics, and technologies necessitates ongoing training and active knowledge sharing. While essential for maintaining a high level of expertise, this process can be resource-intensive, requiring considerable commitment in terms of time, effort, and resources to keep the team fully prepared for emerging security challenges.

5.3. SOC Coverage Gap Model Based on MITRE

The MITRE ATT&CK framework contributes significantly to the detection capabilities of a Security Operations Center (SOC) in several ways, as it makes adversary tactics, techniques, and procedures clear to security analysts based on real-world examples and observations. Moreover, it enhances threat intelligence, incident response, and hunting capabilities by providing information about attack behavior and the indicators of compromise (IoCs) associated with the attack vectors.
MITRE ATT&CK contributes to every side of the SOC by providing educational material for SOC analysts and other cybersecurity professionals, a common language, an understanding of adversary behaviors, and a basis for sharing threat information and detection and response strategies. This collaboration can lead to the development of more effective detection methodologies and a stronger collective defense against cyber threats.
Overall, the MITRE ATT&CK framework is a valuable resource for SOCs to create or refine detection rules and analytics by simulating the behavior in their existing environment to improve the accuracy of the detection and reduce false positives.
As we are measuring the SOC use case gap coverage based on MITRE ATT&CK framework and the existing organization’s IT infrastructure, we need to provide a mapping of the tactics and techniques from MITRE to the existing device products on the company’s side and answer the following questions:
  • What are the threats and risks based on the risk analysis?
  • Can we detect the tactics and techniques behavior based on the events coming from the onboarded log sources?
  • How can we map these events to MITRE ATT&CK techniques and identify gaps in our detection capabilities?
First, we need clear insight into the tactics and techniques in scope, based on an understanding of the risks and potential threats against the critical assets.
Our approach produces the mapping of the defensive artifacts using a hands-on methodology: the events generated by each device product on the existing IT infrastructure are collected during adversary emulation tests. Other studies have discussed the detection coverage of security solutions based on MITRE ATT&CK, but they gathered their information from documentation without executing anything, which makes their results approximate; they contribute to detection in general rather than to SOC use case assessment and improvement. Table 3 shows the adapted methodology for developing defensive artifacts.
The hands-on methodology is more appropriate when we are talking about use cases because it provides the exact pattern and artifact needed to answer the question of whether a specific behavior can be detected. Moreover, it gives the building blocks and the right patterns to implement the use case.
This analysis provides clear visibility on what part is not well monitored and can represent blind spots in organizations’ defensive controls. The identified gaps can be valuable information for the organization to prioritize investments in security solutions.
Next comes the rule logic, which involves setting specific criteria, built from the patterns found in the logs, that trigger an alert for potential security threats. These rules are designed to identify unusual or malicious activity across an organization’s digital environment by analyzing a vast amount of data from various sources, such as network devices, servers, applications, and security systems. A simple example is the scenario of multiple failed login attempts followed by a successful login, which could indicate a brute-force attack.
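The rule logic just described, as an added example that is not part of the paper: a sliding-window check run over constructed Windows Security events, using event IDs 4625 and 4624 (the logon failure and logon success events that Table 5 lists under Valid Accounts). The threshold, time window and record format are assumptions made for this illustration.

```python
"""Detection logic for 'many failed logons followed by a success', run over
constructed Windows Security events. Added example, not code from the paper.
Event IDs 4625 (logon failure) and 4624 (logon success) are the ones the
paper's Table 5 lists under Valid Accounts (T1078); the threshold, window and
log format are assumptions made for this illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE_ID = 4625  # Windows: an account failed to log on
SUCCESS_ID = 4624  # Windows: an account was successfully logged on


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    account: str
    source_ip: str


def parse_event(line: str) -> Event:
    """Parse one constructed 'timestamp|event_id|account|source_ip' record."""
    ts, event_id, account, source_ip = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), int(event_id), account, source_ip)


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert (account, source_ip, failure_count, success_ts) each time a
    4624 for an (account, source_ip) pair follows at least `threshold` 4625s for the
    same pair within `window`. Failures older than the window are discarded, so a
    success long after the burst does not fire."""
    failures = defaultdict(deque)  # (account, ip) -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account, ev.source_ip)
        recent = failures[key]
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.event_id == FAILURE_ID:
            recent.append(ev.ts)
        elif ev.event_id == SUCCESS_ID:
            if len(recent) >= threshold:
                alerts.append((ev.account, ev.source_ip, len(recent), ev.ts))
            recent.clear()  # one success closes the burst; avoids duplicate alerts
    return alerts


# Constructed sample log. 'jdoe' from 10.0.0.5: six failures then a success (alert).
# 'bchan' from 10.0.0.7: five failures but the success comes 15 min later (no alert).
# 'asmith' from 10.0.0.9: a single typo then a success (no alert).
SAMPLE_LOG = [
    "2024-09-01T07:30:00|4625|bchan|10.0.0.7",
    "2024-09-01T07:30:10|4625|bchan|10.0.0.7",
    "2024-09-01T07:30:20|4625|bchan|10.0.0.7",
    "2024-09-01T07:30:30|4625|bchan|10.0.0.7",
    "2024-09-01T07:30:40|4625|bchan|10.0.0.7",
    "2024-09-01T07:45:00|4624|bchan|10.0.0.7",
    "2024-09-01T08:00:00|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:05|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:10|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:15|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:20|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:25|4625|jdoe|10.0.0.5",
    "2024-09-01T08:00:30|4624|jdoe|10.0.0.5",
    "2024-09-01T08:01:00|4625|asmith|10.0.0.9",
    "2024-09-01T08:01:30|4624|asmith|10.0.0.9",
]


def run_sample():
    """Run the rule over SAMPLE_LOG; returns the alert list (one alert, for jdoe)."""
    return detect_bruteforce_then_success(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for account, ip, count, ts in run_sample():
        print(f"ALERT {ts}: {count} failed logons then success for {account} from {ip}")
```

The window pruning is what keeps the rule from firing on the stale bchan burst; tuning threshold and window against the organization's own baseline is the noisy-rule problem mentioned later under use case definition.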

MITRE ATT&CK and Event ID Mapping Model for Coverage Analysis

In our work, we aim to provide a comprehensive model that uses MITRE ATT&CK and the organization’s existing IT infrastructure to give visibility on the use case coverage and on the coverage level that could be reached by the right combination of the existing device vendors and products with MITRE ATT&CK.
During our interviews with security experts from the SOC industry, we found that after identifying the risks and the objectives of the SOC, a request is made for visibility on the organization’s entire existing IT infrastructure, including the network topology, the critical assets, and all device products and technologies. This information is used in the SOC engineering phase to define the SOC architecture and the collection model.
Moreover, the requested documentation is used to identify the log sources to be onboarded, by priority, and the logging standard to be applied to each log source, given the Events Per Second (EPS) or device limitations imposed by the SIEM solution of choice.
These files include the list of devices with at least the following details:
  • Device vendor;
  • Device product;
  • Version of the hardware and software;
  • Location;
  • IP address and network information;
  • The support group that is supposed to provide information and support.
That information is delivered to the use case factory so that the SOC can effectively implement the use case, confirm that the required log sources (e.g., OS logs, network traffic, antivirus logs) are available to detect the tactics and techniques described in the use case, and ensure the data are of high quality, with sufficient detail and reliability for effective analysis.
Mapping the existing device products to MITRE ATT&CK can provide insight into use case coverage and gaps. As per the literature review, this event mapping has been carried out for Windows; in our work, we make it clearer and attempt to do the same for all the other device products.
Our model can help SIEM engineers and SOC experts target the following gaps by automatically mapping the organization’s existing IT technologies to MITRE ATT&CK:
  • Onboarding coverage gap: The log source is not onboarded and does not participate in any of the use cases;
  • Logging standard configuration issues: Log source configuration errors, or a logging standard that is not correctly configured on the log source, such as the severity and priority for syslog;
  • Use case definition: Insufficient breadth of rules, rule logic errors, noisy rules.
This process can be broken down into several key steps, each of which plays a crucial role in ensuring effective mapping and identification of potential security gaps.
  • Phase 1: Analysis of the existing organization’s IT infrastructure.
The initial step involves a thorough analysis of the existing IT infrastructure. This is achieved by utilizing inventory files, which provide detailed listings of all the devices connected to the network, including servers, routers, switches, and endpoints, alongside the details on the network topology diagrams, which provide a visual representation of the network’s structure, showing how devices are interconnected.
That information is the input to the proposed model, as it provides the device technologies, products, and versions; from it, we identify the list of events that each log source could generate.
  • Phase 2: Mapping device products and their events to MITRE ATT&CK.
Once an understanding of the existing IT infrastructure is achieved, the next step involves mapping the device products and their specific event IDs to the MITRE ATT&CK techniques.
This step records the events that the devices log when a specific MITRE ATT&CK technique and tactic is performed against them.
After gathering the full range of event IDs generated by every device product in response to every tactic and technique, a complete mapping to MITRE ATT&CK is performed.
Table 4 shows an example of the mapping of some Windows events to some MITRE ATT&CK techniques.
The mapping is performed for every technique; Table 5 below describes the mapping of Windows events to the Initial Access techniques of the MITRE ATT&CK matrix.
  • Phase 3: Establishing coverage and identifying gaps.
By mapping all the relevant event IDs and logs from all the technologies to the MITRE ATT&CK matrix, we can reveal the real coverage achievable with what we have and compare it with the currently implemented use cases in the same context, as shown in Figure 6.
Figure 7 below shows another mapping, based on Cisco Firepower logs and the network discovery technique.
To have full visibility on the coverage, we need to do the same work for all the existing technologies and device products on the organization’s infrastructure against every MITRE ATT&CK technique, check whether we can cover it or not, and build a coverage dashboard that rates every technique as follows:
  • Already covered: there is a rule in place to detect the attack technique using at least one of the device products on the existing IT infrastructure;
  • Gap: the attack technique is not covered; this has two subcategories:
    We have the requirements and the event IDs to build the rule to detect the attack technique;
    We do not have a log source that can detect the target behavior.
Following this categorization logic, we can build a use case coverage dashboard that provides clear visibility on the gaps and on whether the existing technologies can be used to improve detection capabilities. Identifying these gaps is essential for understanding the limitations of the current security posture and for making informed decisions on how to enhance detection capabilities, whether through configuration changes, additional security solutions, other management solutions, or enhanced log monitoring to cover the missing techniques.
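The three-way rating above, implemented as an added example that is not the paper’s own code: it takes a constructed device inventory (Phase 1), a device-product-to-event mapping that reuses Table 5’s Windows event IDs (Phase 2), and the set of rules already in the SIEM, and produces the Phase 3 rating per technique plus the dashboard totals. The Cisco Firepower event names, the T1046 row and the rule list are assumptions.

```python
"""Phase 3 rating of every technique from the Phase 1 inventory and the Phase 2
event mapping. Added example, not the paper's own code. The Windows event IDs
reuse Table 5; the device inventory, the rule list, the Cisco Firepower event
names and the T1046 row are constructed assumptions for this illustration."""
from dataclasses import dataclass
from enum import Enum


class Coverage(str, Enum):
    COVERED = "already covered"
    GAP_BUILDABLE = "gap: event IDs available, rule not implemented"
    GAP_NO_SOURCE = "gap: no onboarded log source emits the required events"


@dataclass(frozen=True)
class LogSource:
    vendor: str
    product: str
    onboarded: bool  # Phase 1: is this device actually feeding the SIEM?


# Phase 2 input: events each device product can emit. Windows IDs are taken from
# Table 5; the Firepower names are placeholders, not real product event types.
PRODUCT_EVENTS = {
    ("Microsoft", "Windows"): {4624, 4625, 4648, 4672, 4673, 4688, 4698, 4720,
                               4722, 4732, 4768, 4769, 4776, 5140, 5156, 7045},
    ("Cisco", "Firepower"): {"connection_event", "intrusion_event"},
}

# Phase 2 output: for each technique, alternative bundles of events a rule needs.
# One onboarded product emitting a whole bundle is enough to build the rule.
TECHNIQUE_EVENTS = {
    "T1078.001 Valid Accounts: Default Accounts": [{4624, 4672, 4720, 4722}],
    "T1078.002 Valid Accounts: Domain Accounts": [{4624, 4768, 4769, 4776, 4672}],
    "T1133 External Remote Services": [{4624, 4625, 4648, 4776, 4769, 4768, 4673, 5140}],
    "T1046 Network Service Discovery": [{"connection_event"}],  # assumed network-side row
}


def rate_techniques(inventory, rules_in_place):
    """Rate each technique in TECHNIQUE_EVENTS. `rules_in_place` holds the technique
    keys for which the SIEM already has a detection rule."""
    onboarded = {(s.vendor, s.product) for s in inventory if s.onboarded}
    ratings = {}
    for technique, bundles in TECHNIQUE_EVENTS.items():
        emitters = [p for p in onboarded
                    if any(bundle <= PRODUCT_EVENTS.get(p, set()) for bundle in bundles)]
        if not emitters:
            # Assumption: a rule whose log source is not onboarded cannot fire, so the
            # technique is still a gap (the paper's onboarding coverage gap).
            ratings[technique] = Coverage.GAP_NO_SOURCE
        elif technique in rules_in_place:
            ratings[technique] = Coverage.COVERED
        else:
            ratings[technique] = Coverage.GAP_BUILDABLE
    return ratings


def dashboard(ratings):
    """Count techniques per rating; these totals feed the coverage dashboard."""
    counts = {c: 0 for c in Coverage}
    for rating in ratings.values():
        counts[rating] += 1
    return counts


# Constructed inventory: Windows is onboarded, Firepower is in the inventory but
# not yet sending logs. A T1046 rule exists but its source is missing.
INVENTORY = [LogSource("Microsoft", "Windows", onboarded=True),
             LogSource("Cisco", "Firepower", onboarded=False)]
RULES_IN_PLACE = {"T1078.002 Valid Accounts: Domain Accounts",
                  "T1046 Network Service Discovery"}


def run_sample():
    return rate_techniques(INVENTORY, RULES_IN_PLACE)


if __name__ == "__main__":
    for technique, rating in run_sample().items():
        print(f"{technique}: {rating.value}")
    print(dashboard(run_sample()))
```

Onboarding the Firepower source flips T1046 from "no source" to "covered" without touching the rule, which is the kind of cheap win the dashboard is meant to surface.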

6. Conclusions and Future Works

This paper consolidates and synthesizes existing knowledge on SOC use cases and on the challenges faced during their implementation and lifecycle, and proposes a new approach that combines the information collected during the analysis of the organization’s IT infrastructure with the MITRE ATT&CK matrix to perform a coverage analysis of the detection capabilities against the framework’s known attack techniques.
Continuous gap analysis and optimization are needed to stay aligned with the attack techniques in MITRE ATT&CK. Our model proposes continuous gap analysis and log source mapping to MITRE ATT&CK to provide a real-time gap analysis based on the comparison between the existing rules and the rules that could be implemented with what we have.
Our work provides a better understanding and a valuable event database for SOC analysts, SIEM engineers, threat hunters, and SOC managers, as well as for the academic community, on how coverage analysis can be measured and improved. An accurate mapping of the events generated by the organization’s existing IT infrastructure to MITRE ATT&CK gives the organization clear visibility of which threats and risks it can detect and respond to. Our approach assists the efforts of SOC professionals and use case factories by providing more information for better coverage and gap analysis.
In our future work, we aim to continue the full mapping of the events generated by widely used log sources from different vendors to the MITRE ATT&CK matrix, to provide a knowledge base for use case assessment and improvement.

Author Contributions

Conceptualization, S.A.C., Y.M. and N.G.; methodology, S.A.C.; software, S.A.C.; validation, S.A.C., Y.M. and N.G.; formal analysis, S.A.C.; investigation, S.A.C.; resources, S.A.C.; data curation, S.A.C.; writing—original draft preparation, S.A.C.; writing—review and editing, S.A.C., Y.M. and N.G.; visualization, S.A.C.; supervision, Y.M.; project administration, Y.M.; funding acquisition, Y.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The dataset is available upon request from the authors.

Acknowledgments

We express our gratitude to LaSTI Laboratory of Sultan Moulay Slimane University, Beni Mellal, Morocco, for supporting this work.

Conflicts of Interest

The authors declare no conflicts of interest.

Figure 1. Security Operations Center component.
Figure 2. Event log collection with the SIEM.
Figure 3. Design Science Research Methodology.
Figure 4. SOC use case general structure.
Figure 5. SOC use case implementation.
Figure 6. Mapping of Windows event ID to MITRE ATT&CK initial access technique.
Figure 7. Mapping of CISCO Firepower logs to network discovery technique on MITRE ATT&CK.
Table 1. Different SOC architectures and organizational structures.
Type of SOC | Description | Benefits | Limits
Centralized SOC | All security operations are managed from a single central location. | Ease of management, direct communication, and uniformity in operations. | Risk of single points of failure, especially in case of attack or compromise.
Decentralized SOC | Security responsibilities are distributed among multiple sites or divisions within the organization. | Adaptability to local needs and less dependence on a single center. | Complex coordination, risk of lack of consistency in security policies.
Virtual or Cloud SOC | Security functions are outsourced to cloud services or managed security service providers (MSSP). | Avoids physical infrastructure management, scalability, and access to external expertise. | Dependence on third parties and concerns about data confidentiality.
Hybrid SOC | Combination of centralized and decentralized elements to balance the benefits of both approaches. | Flexibility and ability to tailor the structure to specific organizational needs. | Requires careful management to ensure effective coordination.
Collaborative SOC | The SOC works in close collaboration with other teams within the organization, such as IT and compliance teams. | Real-time information sharing and deep understanding of business aspects. | Requires constant communication and coordination to prevent information silos.
Distributed SOC | Security operations are managed by multiple entities, each responsible for its security. | Local adaptability reduces risks of single points of failure. | Possibility of lacking a global overview and necessary coordination to ensure a coherent response.
Mobile SOC | A mobile security team that can intervene at different sites based on needs. | Rapid response to local incidents, itinerant expertise. | Requires effective coordination to ensure adequate coverage, which can be costly in terms of travel.
Table 2. Description of MITRE ATT&CK tactics.
Identifier | Name | Description
TA0043 | Reconnaissance | The attacker tries to gather information that can be used to plan future operations.
TA0042 | Resource Development | The attacker attempts to establish resources that can be used to support operations.
TA0001 | Initial Access | The attacker tries to penetrate your network.
TA0002 | Execution | The attacker attempts to execute malicious code.
TA0003 | Persistence | The attacker tries to maintain their foothold.
TA0004 | Privilege Escalation | The attacker attempts to gain higher-level permissions.
TA0005 | Defense Evasion | The attacker tries to avoid detection.
TA0006 | Credential Access | The attacker attempts to steal account names and passwords.
TA0007 | Discovery | The attacker tries to understand your environment.
TA0008 | Lateral Movement | The attacker tries to move within your environment.
TA0009 | Collection | The attacker tries to gather data relevant to their objectives.
TA0011 | Command and Control | The attacker attempts to communicate with compromised systems to control them.
TA0010 | Exfiltration | The attacker attempts to steal data.
TA0040 | Impact | The attacker tries to manipulate, interrupt, or destroy your systems and data.
Table 3. Adapted methodology for developing defensive artifacts.
Name | Methodology | Description
Hands-on | Adversary emulation and gathering of the logs. | Accurate
Hands-off | Document review and no execution. | Approximate
Table 4. Example mapping of Windows events to MITRE ATT&CK techniques.
ATT&CK Tactic | ATT&CK Technique | Description | Device Vendor | Device Product | Event ID | Used in Use-Case Logic
TA0001 - Initial Access | T1078.002 - Valid Accounts: Domain Accounts | Login failure from a single source with a disabled account | Microsoft | Windows | 33205 | Yes
TA0002 - Execution | T1053.005 - Scheduled Task | Creation of persistent scheduled tasks with SYSTEM privileges | Microsoft | Windows | 4688 | Yes
TA0006 - Credential Access | T1558.001 - Golden Ticket | Kerberos TGS ticket request related to a potential Golden Ticket | Microsoft | Windows | 4769 | No
Table 5. Microsoft Windows event ID mapping to initial access on MITRE ATT&CK.
Initial Access Technique | Windows Event IDs
Exploit Public-Facing Application (T1190) | 4624, 4625, 4628, 4698, 5156, 4637, 7031, 7036
Drive-by Compromise (T1189) | 4688, 4104, 4657, 5156, 1123, 7030, 7045, 1102
Content Injection (T1059) | 4688, 4104, 4657, 4636, 5156, 7036, 7045
External Remote Services (T1133) | 4624, 4625, 4648, 4776, 4769, 4768, 4673, 5140
Replication Through Removable Media (T1091) | 4634, 4656, 4660, 4688, 7036, 7030, 7045, 1102
Supply Chain Compromise (T1195) | 4688, 7045, 7030, 4657, 4719, 1102, 4776, 4769, 4673, 4767, 4624, 5140
Valid Accounts (T1078) |
    Default Accounts | 4624, 4672, 4720, 4722
    Domain Accounts | 4624, 4768, 4769, 4776, 4672
    Local Accounts | 4624, 4625, 4720, 4732, 4672
Trusted Relationship (T1199) | 4624, 4625, 4648, 4769, 4768, 4673, 5140