Gap Analysis
Analyze gaps between attack capabilities and detection coverage

Summary metrics (figures shown in the order they appear on the dashboard):

- Attack Coverage: 8% | 78% | 112/144 MITRE techniques
- Detection Coverage: 12% | 64% | 92/144 MITRE techniques
- Gap Score: 4% | 14% | 20 techniques with gaps
- Critical Gaps: 2 | 7 | Require immediate action
MITRE ATT&CK Coverage Heatmap (legend states: Full Coverage (Attack + Detection), Weak Detection, No Detection, Detection Untested, No Capability)
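The five heatmap states and the headline metrics above, as an added Python example that is not part of the dashboard or the product behind it. It assumes one plausible mapping: detection coverage counts techniques with weak or full detection, and a gap is any attack-capable technique outside that set; with the dashboard's own counts (112 attack, 92 detection, 20 gaps of 144) this yields 78%, 64% and 14%.

```python
from dataclasses import dataclass
from enum import Enum

TOTAL_TECHNIQUES = 144  # technique set size used by the dashboard above

class Detection(Enum):
    NONE = "none"          # no detection rule exists
    UNTESTED = "untested"  # rule exists but was never validated against the attack
    WEAK = "weak"          # rule fired inconsistently during validation
    FULL = "full"          # rule fired reliably during validation

@dataclass
class Technique:
    tid: str             # ATT&CK technique id, e.g. "T1003"
    attack_tested: bool  # the team can execute this technique in a purple team run
    detection: Detection

HEATMAP_STATE = {  # assumed mapping onto the heatmap legend states
    Detection.FULL: "Full Coverage (Attack + Detection)",
    Detection.WEAK: "Weak Detection",
    Detection.NONE: "No Detection",
    Detection.UNTESTED: "Detection Untested",
}
DETECTED = (Detection.WEAK, Detection.FULL)  # assumed: these count toward detection coverage

def coverage_state(t: Technique) -> str:
    """Classify one technique into a heatmap legend state."""
    return HEATMAP_STATE[t.detection] if t.attack_tested else "No Capability"

def summarize(techniques, total=TOTAL_TECHNIQUES):
    """Headline metrics; a gap is an attack-tested technique with no counted detection."""
    attack = sum(t.attack_tested for t in techniques)
    detected = sum(t.detection in DETECTED for t in techniques)
    gaps = [t for t in techniques if t.attack_tested and t.detection not in DETECTED]
    gaps.sort(key=lambda t: (t.detection is not Detection.NONE, t.tid))  # No Detection first
    return {
        "attack_coverage_pct": round(100 * attack / total),
        "detection_coverage_pct": round(100 * detected / total),
        "gap_score_pct": round(100 * len(gaps) / total),
        "gap_techniques": [t.tid for t in gaps],
    }

# Constructed sample: the eight techniques from the priority table plus two made-up rows
SAMPLE = [
    Technique("T1003", True, Detection.NONE), Technique("T1548", True, Detection.NONE),
    Technique("T1055", True, Detection.WEAK), Technique("T1027", True, Detection.WEAK),
    Technique("T1087", True, Detection.UNTESTED), Technique("T1082", True, Detection.UNTESTED),
    Technique("T1021", True, Detection.WEAK), Technique("T1518", True, Detection.UNTESTED),
    Technique("T1059", True, Detection.FULL), Technique("T1195", False, Detection.NONE),  # constructed
]
```

Calling `summarize(SAMPLE, total=len(SAMPLE))` scores the constructed set and lists its gaps with No Detection entries ahead of Untested ones.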
Priority Gaps
| Technique | Gap Type | Risk Level | Recommendation |
|---|---|---|---|
| T1003 Credential Dumping | No Detection | Critical | Deploy LSASS access monitoring |
| T1548 Abuse Elevation Control | No Detection | Critical | Add UAC bypass detection rules |
| T1055 Process Injection | Weak Detection | High | Enhance Sysmon config for injection |
| T1027 Obfuscated Files/Info | Weak Detection | High | Implement entropy analysis |
| T1087 Account Discovery | Untested | Medium | Test AD enumeration detection |
| T1082 System Info Discovery | Untested | Medium | Validate systeminfo monitoring |
| T1021 Remote Services | Weak Detection | Medium | Improve RDP/WinRM logging |
| T1518 Software Discovery | Untested | Low | Schedule purple team test |
Recommendations

Detection Rules to Create
- LSASS Memory Access Detection: Monitor suspicious access to LSASS process memory for credential dumping
- UAC Bypass Detection: Create rules for common UAC bypass techniques (fodhelper, eventvwr, etc.)
- Process Injection Enhancements: Enhance Sysmon configuration to detect CreateRemoteThread and other injection methods

Attack Scenarios to Test
- AD Enumeration Detection Validation: Test detection of AD recon tools (BloodHound, PowerView, ADRecon)
- System Discovery Tools Test: Validate detection of systeminfo, whoami, and other discovery commands

Improvement Timeline
- Week 1: Deploy critical detection rules (LSASS, UAC bypass)
- Week 2: Enhance existing detections (Process Injection, Remote Services)
- Week 3: Purple team validation of new and existing detections
- Week 4: Gap analysis review and next iteration planning