Technical SOP: ATT&CK-Centric Enterprise Cybersecurity Operations



1. SOP Overview / Purpose

This Standard Operating Procedure (SOP) defines how SOC, Cybersecurity, and Incident Response teams operate under an ATT&CK-centric model. The SOP ensures a structured, auditable, and repeatable approach to threat detection, incident response, threat hunting, and governance oversight, while providing executive visibility for CISO, CIO, and Management teams.

Purpose:

  • Standardize security operations aligned with MITRE ATT&CK® techniques.

  • Enable measurable coverage across enterprise IT, cloud, and identity systems.

  • Reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

  • Ensure clear governance, auditability, and reporting for management.




2. Scope & Audience

In Scope:

  • Enterprise endpoints (Windows, Linux, macOS)

  • Cloud and SaaS environments

  • Identity and access management (IAM) systems

  • SOC monitoring, detection, incident response, threat hunting operations

Primary Audience:

  • SOC Analysts, Threat Hunters, Incident Response Team

  • Security Engineers & Architects

  • CISO, CIO, and Management Teams for reporting and oversight

Out of Scope (Phase 1):

  • OT / ICS environments, IoT devices, legacy niche systems




3. Roles & Responsibilities

Role: Responsibilities

  • Executive Sponsor (CISO / CIO): Approve SOP, define KPIs, ensure resources, oversee governance

  • SOC Manager / Lead: Manage day-to-day SOC operations, implement SOP, track metrics

  • SOC Analysts: Monitor alerts, investigate incidents, escalate per SOP

  • Threat Hunting Team: Conduct proactive hunts aligned to ATT&CK techniques

  • Incident Response Team: Execute playbooks, contain & remediate incidents, report outcomes

  • Security Engineering: Map controls to ATT&CK, tune detection rules, manage telemetry

  • Red / Purple-Team: Simulate adversary TTPs, validate detection and response controls

  • Training & Knowledge Coordinator: Conduct training, maintain knowledge base, maintain ATT&CK awareness

  • Governance / Compliance Team: Ensure SOP aligns with regulatory, audit, and internal policy requirements




4. Processes & Workflows

4.1 Detection & Monitoring

  1. Log & Telemetry Ingestion

    • Collect telemetry from endpoints, network, cloud, IAM systems

    • Normalize event formats and timestamps (e.g., all timestamps to UTC) so events from different sources can be correlated

  2. Mapping to ATT&CK Techniques

    • Every detection rule carries the ATT&CK technique (or sub-technique) ID it detects (e.g., T1059, Command and Scripting Interpreter); rules without a mapping are not deployed

    • Update coverage matrix quarterly

  3. Alert Handling & Prioritization

    • Assign severity based on tactic (e.g., Credential Access, Lateral Movement)

    • Document false positives and tune thresholds

  4. SOAR / ITSM Integration

    • Automated alerts trigger predefined playbooks

    • Track incident tickets from detection to resolution


4.2 Incident Response (IR)

  1. IR Playbook Execution

    • Contain, investigate, eradicate, and remediate incidents

    • Collect forensic evidence maintaining chain-of-custody

  2. Escalation Protocols

    • Tiered response: SOC Analyst → SOC Lead → IR Team → CISO

    • Executive notification for high-impact incidents

  3. Post-Incident Review

    • Document lessons learned

    • Feed findings into detection tuning and knowledge base


4.3 Threat Hunting

  • Scheduled hunts based on prioritized ATT&CK techniques

  • Behavioral and anomaly-based detection (UEBA)

  • Document hypotheses, findings, remediation actions

  • Update coverage matrix and playbooks


4.4 Red / Purple-Team Exercises

  • Conduct adversary emulation campaigns based on realistic TTPs

  • Evaluate gaps in detection, response, and coverage

  • Generate “lessons learned” reports and implement remediation

  • Run exercises on a semi-annual schedule and additionally after major system changes






5. Alert Management & Escalation Table

Severity: SOC action; escalation

  • Low: Monitor, document; SOC Lead review monthly

  • Medium: Investigate, apply mitigation; escalate to SOC Lead immediately

  • High: Immediate containment, notify IR; IR Team & CISO / CIO notified

  • Critical: Full containment & forensic capture; executive briefing within 1 hour
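The following is an added example, not part of the SOP itself, showing how the detection workflow in 4.1 (timestamp normalization, ATT&CK mapping and coverage matrix, tactic-based severity, documented false positives) and the escalation tiers in Section 5 can be implemented as a small triage pipeline. The rule registry, the tactic-to-severity policy, the suppression list, host names and sample alerts are all constructed for illustration; the technique IDs and tactic names are real ATT&CK values, and the escalation strings are copied from the table above.

```python
"""Added example (not part of the SOP): ATT&CK-centric alert triage covering
SOP steps 4.1.1-4.1.3 and the Section 5 escalation tiers.
Rules, severity policy, suppressions, hosts and alerts below are constructed;
technique IDs and tactic names are real ATT&CK Enterprise values.
"""
from __future__ import annotations

from datetime import datetime, timezone

# The 14 ATT&CK Enterprise tactics, used to report tactics with no detection at all.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# 4.1.2: every rule carries its ATT&CK technique ID and tactic (rule names are invented).
RULES = {
    "r001": {"name": "PowerShell encoded command", "technique": "T1059.001", "tactic": "Execution"},
    "r002": {"name": "LSASS memory read", "technique": "T1003.001", "tactic": "Credential Access"},
    "r003": {"name": "Service created over SMB", "technique": "T1021.002", "tactic": "Lateral Movement"},
    "r004": {"name": "Scheduled task created", "technique": "T1053.005", "tactic": "Persistence"},
}

# 4.1.3: severity derived from the tactic (assumed policy; tune to your risk model).
TACTIC_SEVERITY = {
    "Credential Access": "High", "Lateral Movement": "High",
    "Exfiltration": "Critical", "Impact": "Critical",
}
DEFAULT_SEVERITY = "Medium"
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Section 5 escalation tiers, copied from the SOP table.
ESCALATION = {
    "Low": "SOC Lead review monthly",
    "Medium": "Escalate to SOC Lead immediately",
    "High": "IR Team & CISO / CIO notified",
    "Critical": "Executive briefing within 1 hour",
}

# 4.1.3: documented false positives keyed by (rule, host). A suppressed alert is
# downgraded to Low and kept with its reason, so the tuning decision stays auditable.
SUPPRESSIONS = {("r004", "build-agent-07"): "CI runner creates nightly tasks; approved in tuning review"}


def normalize_ts(value) -> str:
    """4.1.1: convert epoch seconds or ISO 8601 (any offset) to UTC 'YYYY-MM-DDTHH:MM:SSZ'."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:  # assumption: naive timestamps from the source are already UTC
            dt = dt.replace(tzinfo=timezone.utc)
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def coverage_matrix(rules=RULES) -> dict:
    """4.1.2: techniques covered per tactic, plus tactics with no rule (gaps for hunting/engineering)."""
    covered = {t: set() for t in ENTERPRISE_TACTICS}
    for rule in rules.values():
        covered[rule["tactic"]].add(rule["technique"])
    return {
        "by_tactic": {t: sorted(v) for t, v in covered.items() if v},
        "uncovered_tactics": [t for t in ENTERPRISE_TACTICS if not covered[t]],
    }


def triage(raw_alerts, rules=RULES, suppressions=SUPPRESSIONS) -> list[dict]:
    """Enrich raw alerts with ATT&CK context, severity and escalation; most severe first."""
    queue = []
    for raw in raw_alerts:
        rule = rules.get(raw["rule_id"])
        if rule is None:  # 4.1.2 requires a mapping: reject rather than guess a tactic
            raise ValueError(f"rule {raw['rule_id']} has no ATT&CK mapping")
        reason = suppressions.get((raw["rule_id"], raw["host"]))
        severity = "Low" if reason else TACTIC_SEVERITY.get(rule["tactic"], DEFAULT_SEVERITY)
        queue.append({
            "ts": normalize_ts(raw["ts"]), "host": raw["host"], "rule": raw["rule_id"],
            "technique": rule["technique"], "tactic": rule["tactic"],
            "severity": severity, "escalation": ESCALATION[severity],
            "suppressed_reason": reason,
        })
    return sorted(queue, key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))


# Constructed sample alerts: mixed timestamp formats, one documented false positive.
SAMPLE_ALERTS = [
    {"rule_id": "r001", "host": "ws-finance-12", "ts": 1741000000},
    {"rule_id": "r002", "host": "ws-finance-12", "ts": "2025-03-03T11:47:10+05:30"},
    {"rule_id": "r003", "host": "fs-01", "ts": "2025-03-03T06:20:05Z"},
    {"rule_id": "r004", "host": "build-agent-07", "ts": "2025-03-03 06:25:00"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(coverage_matrix(), indent=2))
    for alert in triage(SAMPLE_ALERTS):
        print(alert["severity"], alert["ts"], alert["host"], alert["technique"], alert["escalation"])
```

Running the block prints the coverage matrix (four covered tactics, ten with no rule, which is the input to 4.1.2's quarterly matrix update and to 4.3 hunt prioritization) and the triage queue with the two credential-access and lateral-movement alerts on top. Note that an alert from a rule without an ATT&CK mapping is rejected outright, and a suppressed alert is not dropped but recorded with its reason, which is what the Section 6 audit evidence requirement needs.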


6. Reporting & Governance

  • Quarterly Governance Review: Coverage, MTTD/MTTR, threat-hunting metrics, red/purple-team outcomes

  • Dashboards: Executive summary for CISO/CIO; operational metrics for SOC

  • Change Management: Update SOP whenever new systems, cloud services, or SaaS applications are onboarded

  • Audit & Compliance: Maintain evidence of detection, alerts, IR actions, and governance reviews


7. Training & Knowledge Management

  • Mandatory ATT&CK awareness training for SOC/IR staff

  • Hands-on exercises and table-top simulations quarterly

  • Maintain internal Knowledge Base: playbooks, detection tuning notes, hunting cases

  • Cross-team knowledge sharing: SOC ↔ IR ↔ Security Engineering ↔ Management


8. External References (Recommended)

External references (for example, the MITRE ATT&CK® knowledge base this SOP is built on) may optionally be cited in the SOP to substantiate its procedures and improve executive confidence.


9. Change Management & SOP Review

  • SOP reviewed quarterly or after major changes in infrastructure, cloud adoption, or regulatory requirements

  • Versioning maintained for auditability

  • New updates communicated to SOC, IR, and executive teams


Author & Document Reference Placeholder

✍️ Author: Raju Ambhore
Senior IT Project Manager | Cloud & Security Transformation Leader

Document Link: 

Technical SOP: Google Doc Link

