The MITRE ATT&CK™ framework is being adopted more and more widely as a way to validate detection coverage. If you aren’t yet familiar with it, ATT&CK is an openly available knowledge base of the tactics and techniques used by attackers. ATT&CK groups tactics across the kill chain, from initial access through exfiltration or impact, then lists the techniques that serve each tactic. This gives defenders a straightforward “check the box” methodology: they can evaluate their existing or prospective detection capabilities by testing whether those capabilities detect attacks across multiple phases (tactics) and specific actions (techniques).
Many of our customers evaluate us using the MITRE ATT&CK framework, so we decided to share our coverage publicly to provide transparency into our detection. Of course, we eagerly welcome anyone to test us out for themselves and verify our claims!
Capsule8 and ATT&CK
Capsule8 is focused on protecting enterprise Linux infrastructure at scale, detecting attacks and other unwanted activity as it happens. With specific expertise in Linux as well as exploit development, we’ve lovingly crafted our detection from day one to monitor the specific points within the Linux subsystem that attackers must hit in each stage of their operations. We aren’t just throwing machine learning at the wall to see what sticks—we know how attackers exploit Linux (because we’ve done it ourselves) and what system data is important to collect (hoovering up everything isn’t a performant strategy).
So, while ATT&CK is primarily focused on techniques attackers use to compromise Windows, Capsule8 still provides detectors that map to ATT&CK techniques—and plenty of detectors beyond ATT&CK’s current scope that are still critical for Linux protection. With that said, the following table shows Capsule8’s current coverage across the ATT&CK matrix.
Capsule8 Coverage of MITRE ATT&CK Framework
[Coverage table; legend: + current coverage, +^ current coverage unique to Capsule8, * planned coverage]
As noted above, there are gaps in ATT&CK’s technique coverage for Linux environments—and we’re excited to be actively working with MITRE to help close them, given how important Linux is to modern enterprise operations. For now, we’re including techniques such as “Disabling SMEP/SMAP” under the Defense Evasion tactic, since disabling these security mechanisms native to the Linux kernel is a common step when attackers seek to escalate privileges or otherwise exploit the kernel. In the meantime, we’re continuing to build out our coverage of existing ATT&CK techniques, and will update this post accordingly.
If you want to learn more about how our detection actually works, check out “The Capsule8 Way” section within our post about different approaches to monitoring Linux servers.
Get a Personalized Demo to Learn More
To arrange a demo of Capsule8 Protect and its coverage of the MITRE ATT&CK framework, visit https://info.capsule8.com/request-a-demo.
Refreshed quarterly. Last update on 12/17/2019.