Threat Detection Analysis Using MITRE ATT&CK Framework

Peltola, Samuli (2025)

 
Open file
Peltola_Samuli.pdf (4.941 MB)


All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2025052013643
Abstract
The modern threat landscape requires more and more defensive controls from organizations that want to secure their environments. Tools such as endpoint detection and response (EDR) products have made monitoring of endpoints and servers easier. The MITRE ATT&CK Enterprise framework is a widely used knowledge base of adversary behavior that defenders have applied in many ways to help secure their systems.

Threat detection analysis is a way to determine the detection capabilities of the security products in use. The MITRE ATT&CK Enterprise framework can be used in threat detection analysis to provide higher-level insight into which techniques the tested tools can detect and identify.

When comparing the detection capabilities of security products, the test environment and the tests run must be configured in exactly the same way so that the results are comparable. Testing should be done in an environment that resembles the expected production environment closely enough to give accurate results.

According to the testing, the threat detection capability of Microsoft Defender for Endpoint without any customizations is adequate, and that of Cortex XDR is mediocre. Defender for Endpoint alerted on 61% of the tested techniques and Cortex XDR alerted on 41% of the tested techniques. The research results should be considered separately for each environment, as they all have their own characteristics.

The test results show that any organization using Microsoft Defender for Endpoint or Cortex XDR should investigate developing custom detection capabilities for its own needs in order to build a robust cyber defense.
Collections
  • Theses (Open collection)
Theses and publications of universities of applied sciences