Security Operations Centers (SOC) are responsible for detecting and responding to potential cyber threats in real-time. With the increasing complexity of cyberattacks, it’s important for SOC teams to have comprehensive coverage of MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) tactics, techniques, and procedures (TTPs). Today we’re discussing the importance of having comprehensive coverage of MITRE ATT&CK TTPs in security operations, and how Cisco technology can help to achieve this goal.

Why are MITRE ATT&CK TTPs relevant to security operations?

MITRE ATT&CK is a globally recognized framework that catalogs tactics, techniques, and procedures based on behaviors observed from threat actors during cyberattacks. The framework is divided into two main categories: tactics and techniques. Tactics represent the overall goal of an adversary, while techniques represent the specific methods used to achieve that goal. Procedures are the specific steps taken to execute a technique.

Why is comprehensive coverage important?

The cyberthreat landscape is constantly evolving, and new TTPs are being developed every day.

One type of attack that has been gaining popularity is living-off-the-land binary (LOLBin) exploitation. Threat groups such as Volt Typhoon and BlackTech, as well as the Jaguar Tooth malware, have leveraged this type of attack, which uses legitimate tools and software already present on a victim’s system to carry out malicious activities. These attacks are difficult to detect because they do not rely on dropping malware or other malicious software that would be flagged by traditional endpoint security solutions. Instead, attackers use tools such as PowerShell, WMI, and other built-in Windows utilities to achieve their objectives.

One recommended way to protect against living-off-the-land attacks is to monitor system processes and network activity for suspicious behavior. This can be done by combining endpoint and network security controls with an extended detection and response (XDR) solution on top that detects and correlates anomalies in system activity and network traffic patterns, so that security teams are alerted to potential attacks in a timely manner.
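As an added illustration of the monitoring-and-correlation approach described above (example code written for this page, not a Cisco product or its detection logic), the following toy detector flags process-creation events that match two well-known LOLBin patterns (PowerShell run with an encoded command, ATT&CK T1059.001, and WMI used to start a process on a remote host, T1047) and then raises the alert severity when the same host also produced network activity within a short window. All telemetry, host names, addresses and rule patterns are constructed for the example.

```python
"""Toy LOLBin detection that correlates endpoint process-creation events with
network flows from the same host. All telemetry below is constructed sample data."""
import re
from datetime import datetime

# Detection rules: (ATT&CK technique, description, image pattern, command-line pattern)
LOLBIN_RULES = [
    ("T1059.001", "PowerShell launched with an encoded command",
     r"powershell\.exe$", r"-e(nc|ncodedcommand)?\s"),
    ("T1047", "WMI used to create a process on a remote host",
     r"wmic\.exe$", r"/node:\S+\s+process\s+call\s+create"),
]

# Constructed endpoint (EDR-style) process-creation events
PROCESS_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "image": "C:\\Windows\\System32\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"},  # QQBCAEMA decodes to "ABC"
    {"ts": "2024-01-10T09:00:05", "host": "ws01", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "cmdline": 'wmic /node:srv02 process call create "cmd.exe /c hostname"'},
    {"ts": "2024-01-10T09:30:00", "host": "ws03", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},  # benign: must not be flagged
]
# Constructed network flow records (as a network sensor might report them) for the same hosts
NETWORK_EVENTS = [
    {"ts": "2024-01-10T09:00:03", "host": "ws01", "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-01-10T09:00:06", "host": "ws01", "dst": "10.0.0.22", "dport": 135},
]

def detect_lolbin(event):
    """Return the rules whose image and command-line patterns both match the event."""
    return [(tid, desc) for tid, desc, img_re, cmd_re in LOLBIN_RULES
            if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I)]

def correlate(process_events, network_events, window_s=60):
    """Build alerts for flagged processes; severity is 'high' when the same host had
    network activity within window_s seconds of the process start, else 'medium'."""
    alerts = []
    for ev in process_events:
        for tid, desc in detect_lolbin(ev):
            t0 = datetime.fromisoformat(ev["ts"])
            flows = [n for n in network_events if n["host"] == ev["host"]
                     and abs((datetime.fromisoformat(n["ts"]) - t0).total_seconds()) <= window_s]
            alerts.append({"host": ev["host"], "technique": tid, "description": desc,
                           "related_flows": sorted(f"{n['dst']}:{n['dport']}" for n in flows),
                           "severity": "high" if flows else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

In practice the rule list and the time window would be tuned to the environment; the point of the example is that a process event alone yields a medium-confidence alert, while the endpoint plus network view raises confidence.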

By having a comprehensive understanding of the various tactics, techniques, and procedures used by attackers, SOC teams can quickly identify and mitigate any potential threats before they cause significant damage.

Cisco Breach Protection

Cisco is announcing the launch of Breach Protection to protect against the constantly evolving techniques used by threat actors. Cisco Breach Protection provides a comprehensive understanding of attacks by mapping observed adversary behaviors to MITRE ATT&CK tactics, techniques, and procedures (TTPs) in real time.

Cisco Breach Protection is available in three tiers – Essentials, Advantage and Premier. Each tier is designed to cater to specific organization needs and delivers a range of outcomes to ensure complete coverage:

Breach Protection Essentials covers most attacks that an organization will encounter by combining email, endpoint (EDR), and XDR into a turnkey offer. Most attacks today still leverage a phishing email to deliver malware that exploits an endpoint vulnerability, or abuse an application already on the endpoint (a living-off-the-land attack) to escalate privileges, establish persistence, or move laterally. Cisco Breach Protection provides detection and response to these types of attacks and to adversaries like Wizard Spider and Sandworm.

Breach Protection Advantage covers all the attacks an organization is likely to encounter, especially attacks on very complex environments like IT/OT/IIoT or from very sophisticated nation-state threat actors like BlackTech, Volt Typhoon, or Jaguar Tooth. By combining network telemetry and network-based detections from cloud and traditional on-premises infrastructure, only Cisco can cover the full range of attacks seen in the wild today.

Breach Protection Premier delivers all the above capabilities to an organization that doesn’t have enough staff to manage its security operations, or that is looking to fully outsource its SOC, by wrapping the offer with managed services that deliver an incident response retainer, penetration testing services, red/blue/purple teaming activities, and managed detection and response.

All the above is also available to customers who already have third-party security products. The technical outcomes are the same regardless of whether customers choose à la carte Cisco products, an EA, or the Breach Protection suite. Customers who choose the suite, however, can achieve the outcomes listed above at very attractive financial terms and a superior total cost of ownership, without the challenges of stitching together multiple third-party vendors, handling multiple third-party purchase orders, or managing multiple different consoles.

In today’s evolving cyberthreat landscape, having comprehensive coverage of MITRE ATT&CK TTPs is crucial for SOC teams. It ensures that they are equipped to detect and respond to any potential threat quickly. By analyzing the TTPs used in previous attacks like ransomware, SOC teams can develop a better understanding of the tactics used by threat actors and develop more effective strategies to prevent future attacks. So, if you’re looking to enhance your SOC’s capabilities, make sure you have complete coverage of MITRE ATT&CK TTPs leveraging Cisco Breach Protection!

Learn more about Cisco Breach Protection.

AJ Shipley

Vice President

Product Management - Threat, Detection & Response