
Zero to Hero: Operationalizing MITRE ATT&CK for High-Fidelity SecOps

  • March 3, 2026

matthewnichols
Community Manager

Missed the live Webinar? Check out the recording below!


Everyone knows the Matrix, but few know how to make it truly operational. For years, Detection Engineers have viewed the framework as a descriptive library, often struggling to translate vague notes into functioning code. With the release of v18, that era is over.

Watch this "Zero to Hero" deep dive into the modern mechanics of MITRE ATT&CK, in which Ivan Ninichuck, Security Advisor, moves beyond simple color-coded charts to a practical engineering workflow, bridging the gap between abstract theory and concrete telemetry.

We walk through a complete lifecycle, demonstrating how to transform the "text" of the framework into high-fidelity use cases. In this live session, you will learn how to:

  • Decode the Data: Identify the exact data sources and logs required before you write a single line of logic.
  • Architect the Rule: Leverage the new v18 "Analytics" and "Detection Strategies" to build rules that catch adversary behavior, not just static strings.
  • Close the Loop: Design investigation methods that tell a story, turning isolated alerts into actionable intelligence.

Check out Ivan Ninichuck’s blog, From Text to Telemetry: How MITRE ATT&CK v18 Changes the Game for Detection Engineers, as a reference to this webinar! See the attached slide deck and FAQ from the live webinar.


Stop treating the framework as a dictionary. Start using it as a blueprint!


Key Topics & Discussion Points


Introduction to MITRE ATT&CK Framework

  • 06:22 – 08:02: Overview of what MITRE ATT&CK is and why it matters.
  • The Rosetta Stone: It acts as a common language for threat intelligence, allowing different teams to understand adversary behaviors (TTPs).
  • Tactics vs. Techniques: Tactics represent the "what" (adversary goals, e.g., Initial Access), while Techniques represent the "how."

Deep Dive: MITRE ATT&CK Version 18 Updates

  • 16:55 – 18:53: Discussion on the "Overhaul" of detection strategies.
  • From Text to Action: Version 18 moved away from generic text descriptions toward specific Analytics and Data Components.
  • Detection Strategy Components: Includes the blueprint, specific process analytics (Linux/Windows/Mac), and telemetry requirements.
  • Mutable Elements: Highlights parts of a detection that are situational (e.g., excluding known RDP hosts in your specific environment).

AI-Powered Rule Generation in Google SecOps

  • 24:02 – 33:12: Live demonstration of using the SecOps Rule Translator.
  • Natural Language to YARA-L: Ivan demonstrates copy-pasting an analytic from the MITRE website into the SecOps "Labs" feature to generate a detection rule instantly.
  • Scaling Engineering: The goal is to spend less time typing syntax and more time on "Engineering" (tuning and testing).
  • Caution: Users are warned to verify AI-generated UDM (Unified Data Model) fields to avoid "hallucinations."
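The "verify the UDM fields" caution above is easy to automate. The following is an added example (not code from the webinar, the blog, or Google SecOps) that pulls every `$var.field.path` reference out of a generated YARA-L rule and flags any path that is not in a known UDM field list. The `KNOWN_UDM_FIELDS` set is a hand-curated subset constructed for this example; a real check would load the full UDM schema from the SecOps reference. The sample rule and its misspelled `target.process.commandline` field are constructed to show a typical hallucinated field name.

```python
"""Flag field paths in a generated YARA-L rule that do not exist in a known UDM field list."""
from __future__ import annotations

import re

# Constructed subset of UDM field paths used as the allowlist for this example.
# Assumption: a real deployment loads the complete schema from the UDM reference.
KNOWN_UDM_FIELDS: set[str] = {
    "metadata.event_type",
    "metadata.product_event_type",
    "principal.hostname",
    "principal.ip",
    "principal.user.userid",
    "target.hostname",
    "target.ip",
    "target.process.command_line",
    "target.process.file.full_path",
    "target.user.userid",
    "network.direction",
    "security_result.action",
}

# Matches "$var.some.field.path" event-variable references in a YARA-L rule body.
# A bare placeholder such as "$host" (no dot after the variable) is not a field reference.
FIELD_REF = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\.((?:[a-z_]+\.)*[a-z_]+)")


def referenced_fields(rule_text: str) -> set[str]:
    """Return every UDM field path referenced through an event variable."""
    return {m.group(1) for m in FIELD_REF.finditer(rule_text)}


def unknown_fields(rule_text: str, known: set[str] = KNOWN_UDM_FIELDS) -> list[str]:
    """Return the referenced field paths that are not in the known UDM field list, sorted."""
    return sorted(f for f in referenced_fields(rule_text) if f not in known)


# Constructed example of a machine-generated rule. "target.process.commandline"
# is a plausible-looking but non-existent path (the real field is command_line).
GENERATED_RULE = '''
rule powershell_launch_example {
  meta:
    author = "constructed example"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.commandline = /powershell/ nocase
    $e.principal.hostname = $host
  condition:
    $e
}
'''

if __name__ == "__main__":
    for bad in unknown_fields(GENERATED_RULE):
        print(f"unknown UDM field in generated rule: {bad}")
```

Run this on every rule the translator produces before it is saved; an empty result does not prove the rule is correct, but a non-empty one is a guaranteed compile or silent-miss problem.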

Advanced Strategy: Composite Detections

  • 40:33 – 45:00: Moving beyond "Atomic" detections.
  • TTP Chains: Using Composite Detections to alert only when a specific chain of events occurs (e.g., RDP Hijacking followed by a PowerShell script).
  • Reducing Noise: These rules significantly lower false positive rates by requiring multiple behavioral matches.
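To make the "atomic versus composite" difference concrete, here is an added example (not code from the webinar or from Google SecOps; it models the logic in plain Python rather than YARA-L) that runs both styles over a constructed event stream. The atomic detections fire on every RDP session and every PowerShell launch; the composite detection fires only when a PowerShell launch follows an RDP session on the same host within a time window, and it carries the "mutable element" from the v18 discussion as a `known_rdp_hosts` exclusion list. Event kinds, host names, and command lines are all constructed.

```python
"""Atomic vs. composite detection over a constructed host event stream."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # constructed event kinds: "RDP_SESSION" or "PROCESS_LAUNCH"
    detail: str  # session note or process command line


def is_rdp_session(e: Event) -> bool:
    return e.kind == "RDP_SESSION"


def is_powershell(e: Event) -> bool:
    return e.kind == "PROCESS_LAUNCH" and "powershell" in e.detail.lower()


def atomic_alerts(events: list[Event]) -> list[Event]:
    """Atomic style: every event matching either predicate is its own alert."""
    return [e for e in events if is_rdp_session(e) or is_powershell(e)]


def composite_alerts(
    events: list[Event],
    window: timedelta = timedelta(minutes=10),
    known_rdp_hosts: frozenset[str] = frozenset(),
) -> list[tuple[str, datetime, datetime, str]]:
    """Composite style: alert per host only when PowerShell launches within `window`
    after an RDP session on that host. `known_rdp_hosts` is the mutable, site-specific
    part of the rule (hosts where RDP is expected) and is excluded outright."""
    alerts = []
    last_rdp: dict[str, datetime] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.host in known_rdp_hosts:
            continue
        if is_rdp_session(e):
            last_rdp[e.host] = e.ts
        elif is_powershell(e) and e.host in last_rdp and e.ts - last_rdp[e.host] <= window:
            alerts.append((e.host, last_rdp[e.host], e.ts, e.detail))
            del last_rdp[e.host]  # one alert per observed chain
    return alerts


# Constructed telemetry: one true chain (ws-01), a lone PowerShell (ws-02), a lone
# RDP session (ws-03), a chain on an expected jump host (jump-01), and a chain on
# ws-04 that falls outside the window.
T0 = datetime(2026, 3, 3, 9, 0)
SAMPLE_EVENTS: list[Event] = [
    Event(T0, "ws-01", "RDP_SESSION", "interactive session connected"),
    Event(T0 + timedelta(minutes=3), "ws-01", "PROCESS_LAUNCH", "powershell.exe -NoProfile -File C:\\Temp\\update.ps1"),
    Event(T0 + timedelta(minutes=5), "ws-02", "PROCESS_LAUNCH", "powershell.exe Get-Process"),
    Event(T0 + timedelta(minutes=10), "ws-03", "RDP_SESSION", "interactive session connected"),
    Event(T0 + timedelta(minutes=12), "jump-01", "RDP_SESSION", "interactive session connected"),
    Event(T0 + timedelta(minutes=14), "jump-01", "PROCESS_LAUNCH", "powershell.exe -File C:\\Ops\\inventory.ps1"),
    Event(T0 + timedelta(minutes=20), "ws-04", "RDP_SESSION", "interactive session connected"),
    Event(T0 + timedelta(minutes=45), "ws-04", "PROCESS_LAUNCH", "powershell.exe Get-Date"),
]

if __name__ == "__main__":
    print(f"atomic alerts: {len(atomic_alerts(SAMPLE_EVENTS))}")
    chains = composite_alerts(SAMPLE_EVENTS, known_rdp_hosts=frozenset({"jump-01"}))
    print(f"composite alerts: {len(chains)}")
    for host, rdp_ts, ps_ts, cmd in chains:
        print(f"  {host}: RDP at {rdp_ts:%H:%M}, PowerShell at {ps_ts:%H:%M} -> {cmd}")
```

On this stream the atomic rules raise eight alerts while the composite rule raises one, and dropping the jump-host exclusion raises it to two, which is exactly the kind of situational tuning the v18 "mutable elements" call out.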

The Techniques Inference Engine (TIE)

  • 41:52 – 49:30: Introduction to a Center for Threat Informed Defense (CTID) tool.
  • Predictive Modeling: Similar to a "Netflix recommendation" for hackers; it predicts which techniques are likely to occur next based on current observed behavior.
  • Customization: Users can use Jupyter notebooks to tune this engine based on their own organization's past case data.