Executive Summary
Although common, attempts to detect malicious activity through signatures of easily changed attributes, such as Internet Protocol (IP) addresses, domain names, or hashes of files, are brittle and quickly become outdated. This approach is often referred to as signature-based or Indicator of Compromise (IOC) detection. Red Team results and incident analysis provide ample evidence that this approach provides some value but is ineffective against adaptable threats, because adversaries can change those attributes cheaply and frequently to avoid detection.
Anomaly-based detection, on the other hand, employs statistical analysis, machine learning, and other forms of big data analysis to detect atypical events. This approach has traditionally suffered from high false positive rates, can require significant investment in large-scale data collection and processing, and does not always provide enough contextual information about why an event was flagged as suspicious, which makes analytic refinement challenging.
A growing body of evidence from industry, MITRE, and government experimentation confirms that collecting and filtering data based on knowledge of adversary tactics, techniques, and procedures (TTPs) is an effective method for detecting malicious activity. This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise.
There are a relatively small number of these techniques, and they occur on systems owned by the victim organization. Regardless of their capabilities or strategic mission objectives, all adversaries must either employ these known techniques or expend vast resources to develop novel ones. This paper expands on existing best practices to detect malicious behaviors expressed as techniques, using a method that is agnostic to the underlying operating system technology, and describes the step-by-step procedures to implement it.
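The contrast drawn above, between matching on attributes an adversary can change cheaply and matching on the behavior itself, is illustrated below with a small Python example. It is an added example, not code or data from the paper: the process-creation events, the file hashes (deterministic placeholders, not hashes of real samples), the hypothetical intrusions, the "Office application spawns a child process" rule, and the assumed benign helper `splwow64.exe` are all constructed for illustration. The IOC list is built only from the first intrusion, as an analyst would have it after the first incident, and the second intrusion reuses the same technique with a rebuilt and renamed tool.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed; shaped loosely like an EDR/Sysmon event)."""
    host: str
    parent_image: str
    image: str
    sha256: str  # hash of the image file on disk


def placeholder_hash(label: str) -> str:
    """Deterministic stand-in for a file hash. Constructed for the example; not a real sample hash."""
    return sha256(label.encode()).hexdigest()


# Assumed technique-level context for the behavioral rule (illustrative, tune per environment).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
KNOWN_OFFICE_CHILDREN = {"splwow64.exe"}  # assumed benign print helper; an allowlist keeps FP rate down

# Constructed telemetry: the same technique observed in two intrusions plus benign filler.
EVENTS = [
    # intrusion 1: a document-handling application launches the adversary's dropped binary
    ProcessEvent("ws01", "winword.exe", "update.exe", placeholder_hash("tool-build-1")),
    # intrusion 2, weeks later: same technique, tool recompiled and renamed
    ProcessEvent("ws07", "excel.exe", "svchost.exe", placeholder_hash("tool-build-2")),
    # benign activity
    ProcessEvent("ws01", "explorer.exe", "winword.exe", placeholder_hash("winword-binary")),
    ProcessEvent("ws07", "services.exe", "svchost.exe", placeholder_hash("svchost-binary")),
    ProcessEvent("ws02", "winword.exe", "splwow64.exe", placeholder_hash("splwow64-binary")),
]

# IOC list derived from intrusion 1 only: the hash and file name the first incident produced.
IOC_HASHES = {placeholder_hash("tool-build-1")}
IOC_NAMES = {"update.exe"}


def ioc_match(ev: ProcessEvent) -> bool:
    """Signature/IOC detection: match on attributes the adversary controls cheaply."""
    return ev.sha256 in IOC_HASHES or ev.image.lower() in IOC_NAMES


def behaviour_match(ev: ProcessEvent) -> bool:
    """Technique-level detection: match on the parent/child relationship, which changing
    the tool's hash or name does not alter. Known benign children are excluded."""
    return (
        ev.parent_image.lower() in OFFICE_APPS
        and ev.image.lower() not in KNOWN_OFFICE_CHILDREN
    )


def run_detector(events, detector):
    """Return the indices of events the detector flags."""
    return [i for i, ev in enumerate(events) if detector(ev)]


if __name__ == "__main__":
    print("IOC hits:      ", run_detector(EVENTS, ioc_match))        # only intrusion 1
    print("Behaviour hits:", run_detector(EVENTS, behaviour_match))  # both intrusions
```

Run as written, the IOC detector flags only the first intrusion, since the rebuilt tool matches neither the hash nor the file name, while the behavioral rule flags both intrusions and none of the benign rows. The allowlist is the part a practitioner has to maintain: without it the benign print helper would also fire, which is the false-positive cost the paper attributes to broader behavioral and anomaly-based approaches.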