MITRE ATT&CK has become the de facto standard for describing attacker behavior. But in practice, many organizations treat it as a decorative poster in the SOC - they know the tactics and techniques, but don't actively map them to their own environments. A practical MITRE ATT&CK guide should start from operational use, not theory. Here is how I use it daily in Presidio.
Mapping detection rules to ATT&CK
Every detection rule in Wazuh is mapped to one or more ATT&CK techniques through the rule's <mitre><id> tag. This is not an academic exercise - it has immediate practical consequences. When I lay all my detection rules out on the ATT&CK matrix, I can immediately see the uncovered areas: techniques for which I have no detection at all. Those uncovered areas become the priorities for developing new rules. Two caveats keep the map honest: a rule mapped only to a parent technique does not necessarily catch every sub-technique under it, and a mapped rule proves that detection logic exists, not that it fires - that is what the purple-team runs described below verify. Currently, Presidio covers approximately 120 of the 200+ ATT&CK techniques - and every week I work to close the remaining gaps.
Incident analysis with ATT&CK
When I analyze an incident, the first step after containment is mapping the entire kill chain to ATT&CK. Did the attacker use phishing (T1566)? Did they perform discovery with net user /domain (T1087.002)? Did they use Kerberoasting (T1558.003)? Did they exfiltrate via DNS tunneling (T1048.003, or T1071.004 if the tunnel was also the C2 channel)? This mapping has two benefits. First, it lets me verify whether I detected every step the attacker took - and if I missed one, exactly where the visibility gap is. Second, it feeds continuous improvement: every observed technique becomes a detection rule to verify or to create.
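Here is how the coverage map from the previous section and the kill-chain check just described fit together in code. This is an added example, not Presidio's tooling: the Wazuh rule file, its rule ids and the incident timeline are constructed for illustration, while the <mitre><id> element is Wazuh's real syntax for tagging a rule with ATT&CK ids, and the technique ids, names and tactics are a small real subset of the ATT&CK Enterprise matrix. It parses the rules, reports coverage per tactic, lists the techniques with no rule at all (the backlog), and then replays a reconstructed kill chain to show which steps would have alerted and where the visibility gaps are. It also distinguishes a rule mapped only to a parent technique from one mapped to the exact sub-technique, since the former is not proof of the latter.

```python
# ATT&CK coverage map and kill-chain gap check from Wazuh rule mappings. Added
# example, not Presidio's code: rule XML, rule ids and timeline are constructed.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

WAZUH_RULES_XML = r"""
<group name="windows,attack,">
  <rule id="100100" level="10">
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\bnet\s+(user|group)\b.*\s/domain</field>
    <description>Domain account discovery via net user /domain</description>
    <mitre><id>T1087.002</id></mitre>
  </rule>
  <rule id="100101" level="12">
    <field name="win.system.eventID">^4769$</field>
    <field name="win.eventdata.ticketEncryptionType">^0x17$</field>
    <description>TGS request with RC4 ticket encryption (Kerberoasting indicator)</description>
    <mitre><id>T1558.003</id></mitre>
  </rule>
  <rule id="100102" level="8">
    <description>Mail gateway flagged a credential-phishing link</description>
    <mitre><id>T1566</id><id>T1566.002</id></mitre>
  </rule>
  <rule id="100103" level="12">
    <description>Generic credential dumping tool on host</description>
    <mitre><id>T1003</id></mitre>
  </rule>
  <rule id="100104" level="6">
    <description>Legacy rule that was never mapped</description>
  </rule>
</group>
"""

# Constructed subset of ATT&CK Enterprise (real ids, names and tactics).
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1566.002": ("Spearphishing Link", "initial-access"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1558": ("Steal or Forge Kerberos Tickets", "credential-access"),
    "T1558.003": ("Kerberoasting", "credential-access"),
    "T1087": ("Account Discovery", "discovery"),
    "T1087.002": ("Domain Account", "discovery"),
    "T1048": ("Exfiltration Over Alternative Protocol", "exfiltration"),
    "T1048.003": ("Exfiltration Over Unencrypted Non-C2 Protocol", "exfiltration"),
}
TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # technique or sub-technique id only


def parse_wazuh_mappings(xml_text):
    """Return ({technique_id: {rule_id, ...}}, [rule ids with no <mitre> tag])."""
    # Wazuh rule files may hold several top-level <group> elements, so wrap them.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    mapped, unmapped = defaultdict(set), []
    for rule in root.iter("rule"):
        ids = [e.text.strip() for e in rule.findall("./mitre/id") if e.text]
        if not ids:
            unmapped.append(rule.get("id"))
        for tid in ids:
            if not TECH_ID.match(tid):  # e.g. a tactic id (TA0001) or a typo
                raise ValueError(f"rule {rule.get('id')}: malformed ATT&CK id {tid!r}")
            mapped[tid].add(rule.get("id"))
    return dict(mapped), unmapped


def classify(tid, mapped):
    """covered / parent-only (a generic parent rule may not fire on this
    sub-technique: treat as a gap until tested) / sub-only / uncovered."""
    parent = tid.split(".")[0]
    if tid in mapped:
        return "covered"
    if tid != parent and parent in mapped:
        return "parent-only"
    if tid == parent and any(t.split(".")[0] == tid for t in mapped):
        return "sub-only"
    return "uncovered"


def coverage_report(mapped, catalog=TECHNIQUES):
    """Per-tactic covered/total counts plus the ids with no rule at all."""
    by_tactic = defaultdict(lambda: {"covered": 0, "total": 0})
    uncovered = []
    for tid, (_, tactic) in catalog.items():
        status = classify(tid, mapped)
        by_tactic[tactic]["total"] += 1
        if status == "covered":
            by_tactic[tactic]["covered"] += 1
        elif status == "uncovered":
            uncovered.append(tid)
    return dict(by_tactic), sorted(uncovered)


def incident_gaps(observed, mapped):
    """Map a reconstructed kill chain onto the rule set, step by step."""
    return [(tid, classify(tid, mapped)) for tid in observed]


if __name__ == "__main__":
    mapped, unmapped = parse_wazuh_mappings(WAZUH_RULES_XML)
    tactics, uncovered = coverage_report(mapped)
    for tactic, c in sorted(tactics.items()):
        print(f"{tactic:20s} {c['covered']}/{c['total']}")
    print("no rule at all:", uncovered, "| rules missing <mitre>:", unmapped)
    for tid, status in incident_gaps(["T1566", "T1087.002", "T1558.003", "T1003.001", "T1048.003"], mapped):
        print(f"{tid:10s} {TECHNIQUES[tid][0]:48s} {status}")
```

Run as a script it prints the per-tactic counts, the backlog and the kill-chain verdicts; in the constructed data the LSASS dump step comes out as parent-only because only a generic T1003 rule exists, which is exactly the kind of false comfort a flat "mapped or not" view hides. The malformed-id check matters because a tactic id or a typo in a <mitre> tag otherwise disappears from the map without a trace.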
An advanced use: ATT&CK-guided purple teaming. I take the techniques most commonly used by the threat actors relevant to the client's sector (for a bank, Carbanak; for manufacturing, APT41), execute them in a controlled environment, and verify whether the detections actually catch them. This is enormously more efficient than random testing, because you focus on the real threats for your specific context, and it turns the coverage map from a list of mapped rules into evidence that they fire. MITRE ATT&CK is not theory - it is the most practical tool a defender can have.
If you want to dive deeper into this topic or need specialized consulting, let us talk.