I learned about the PRE platform while pivoting through MITRE ATT&CK® data looking for patterns. It’s the result of a change made in ATT&CK v8 where the PRE-ATT&CK framework was merged into the Enterprise matrix. PRE-ATT&CK was focused on pre-compromise attack preparations, and MITRE admitted in a blog post explaining the change that “most adversary Reconnaissance and Resource Development isn’t observable to the majority of defenders.”
The PRE platform makes it obvious that some techniques should only be detected opportunistically. These activities occur entirely in attacker-controlled space or on third-party infrastructure. Defenders will never have total coverage of techniques like “Gather Victim Identity Information” (which includes scraping, say, LinkedIn), but it is still valuable to detect opportunistically in this space when the right telemetry happens to be available.
There are two notable exceptions to the recommendation above to yield these techniques, that is, to detect them only opportunistically. Defenders can and should actively monitor for brand-targeting domains and certificates acquired by attackers. This covers:
- Acquire Infrastructure: Domains (sub-technique T1583.001, Enterprise, MITRE ATT&CK®)
- Obtain Capabilities: Digital Certificates (sub-technique T1588.004, Enterprise, MITRE ATT&CK®)
The parent techniques and the remaining sub-techniques should be yielded and detected only opportunistically.
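One way to act on that exception, as an added example that is not from the original post: a small Python triage of hostnames as they would arrive from a Certificate Transparency or newly-registered-domain feed, flagging labels that embed or closely resemble the defended brand after collapsing common lookalike tricks. The brand "examplebank", the allow-list and the feed entries are constructed assumptions, not real data.

```python
import unicodedata

# Constructed sample: the brand, its known-good hosts and a feed of hostnames
# as a CT-log or new-domain watcher might deliver them (punycode for IDNs).
BRAND = "examplebank"
ALLOWLIST = {"examplebank.com", "www.examplebank.com"}
SAMPLE_FEED = [
    "examplebank.com",                                  # legitimate, allow-listed
    "login-examplebank.com",                            # brand embedded in a longer label
    "exarnplebank-secure.net",                          # 'rn' standing in for 'm'
    "examp1ebank.com",                                  # digit '1' for letter 'l'
    "exämplebank.com".encode("idna").decode("ascii"),   # IDN homoglyph, as xn-- label
    "weather-report.org",                               # unrelated
]

DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label):
    """Collapse accents, digit-for-letter swaps and 'rn'/'vv' tricks (heuristic)."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.translate(DIGIT_SWAPS)
    return label.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Plain edit distance; inputs are short, so no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, brand=BRAND, allowlist=ALLOWLIST):
    """Return a reason if the hostname looks brand-targeting, else None."""
    if hostname in allowlist:
        return None
    unicode_host = hostname.encode("idna").decode("idna")  # xn-- labels -> Unicode
    for label in unicode_host.split(".")[:-1]:             # skip the public suffix
        norm = normalize(label)
        if brand in norm:
            return "brand embedded in label %r" % label
        if levenshtein(norm, brand) <= 2:
            return "near-miss of brand in label %r" % label
    return None

def triage(feed):
    """Keep only the feed entries that classify() flags, with their reasons."""
    hits = []
    for host in feed:
        reason = classify(host)
        if reason:
            hits.append((host, reason))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit)
```

In practice the allow-list would hold every certificate and domain the organisation legitimately owns, and hits would be routed to a brand-abuse or takedown queue rather than printed.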