MITRE ATT&CK Informed Security Analytics

Automated Machine Learning Based Threat Detection and Response for MITRE ATT&CK Framework


The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques used in typical attack campaigns, contributed by cyber security analysts, threat hunters, and the latest vendor research. It is organized and arranged by the multiple stages that are employed by threat actors for executing an attack campaign. The framework is built as a referenceable matrix to provide guidance that can be applied by security teams to better defend against advanced attacks.

Gurucul delivers comprehensive coverage across the three MITRE ATT&CK Frameworks: Enterprise, Mobile & ICS, and the Insider Threat Framework. Gurucul Research Labs has not only contributed to the framework, but also built specific behavior-based machine learning models for the Gurucul Security Analytics and Operations Platform that can automatically detect the adversarial tactics and techniques defined by the MITRE ATT&CK™ Framework, while also building workflows and response actions to stop them early in the kill chain. Gurucul’s ability to span users and entities across both hybrid and borderless environments provides the highest coverage for the MITRE ATT&CK framework. Get unprecedented visibility to understand and improve your security posture with Gurucul.


The Gurucul MITRE ATT&CK implementation provides the following benefits for detecting and hunting threats at every step of the cyber kill chain:

Achieve 83% Coverage

Achieve greater coverage against known threat tactics and techniques across on-premises, hybrid and borderless environments. Implementing MITRE tactics and techniques in conjunction with behavior-based security and risk analytics delivers the full spectrum of cyber security protection.

Gain Unmatched Visibility

Gain unmatched visibility into your environment’s security posture and maturity against specific MITRE ATT&CK Framework tactics and techniques. Utilize out-of-the-box machine learning models on big data to detect known and unknown external risks and insider threats in real-time.

Automate MITRE Updates

Support MITRE updates automatically via API-based STIX integration, keeping Gurucul machine learning models and risk mitigation playbooks current on a continuous basis. You’ll never be out of sync with the tactics and techniques hackers and malicious insiders actively use to exfiltrate your data and intellectual property.

Detect Unknown Risks

Leverage behavior analytics to detect unknown threat patterns beyond MITRE tactics and techniques. Apply machine learning models to address risks and threats across the entire threat landscape resulting in actionable risk intelligence.

Guarantee Continuous Improvement

Ensure continuous enhancements with Gurucul’s dedicated Data Science team who train machine learning models on open source and production data. Our proactive work efforts ensure that you’re always at the forefront of attacks planned by cyber criminals and villainous insiders.

Contributions to Framework

Gurucul’s Threat Research Team has contributed two attack techniques to the MITRE ATT&CK framework, T1213 (Data from Information Repositories) and T1098.002 (Account Manipulation: Additional Email Delegate Permissions). Our contributions greatly help security teams get ahead of newer and more advanced threat actor tactics. We continue to draw on our Research Team, and on data and telemetry from our customers, to improve our models and to contribute back to our customers and the wider security community.

Coverage for the MITRE ATT&CK Framework for ICS

MITRE ATT&CK® ICS is a specialized framework for detecting, assessing, and mitigating cyberattacks that specifically target industrial networks and critical infrastructure. Security teams can leverage the behavior-based trained machine learning models in the Gurucul Security Analytics and Operations Platform, which are focused on identifying the threat actor techniques described in the framework, as well as building the precise workflows to prevent a successful attack:

Coverage for the Insider Threat MITRE ATT&CK Framework

MITRE has created an Insider Threat Framework to help Insider Threat/Risk Programs more accurately target and operationalize their risk assessment and the prevention, detection, and mitigation of insider threats. While the framework is still evolving, MITRE has published research, and Gurucul has built specific machine learning models for identifying, classifying, and validating insider risks and threats, along with cross-functional responses that can all be customized to work with mature programs. You can learn more here: