What do you use for Categories?

Martin Dewit · ‎11-15-2023

My team and I are looking to revamp our categories from the current OOB ones and looking for recommendations or what others are using. I know there are already several OOB Categories with subcategories. We have discussed the possibility of using the MITRE Tactics as the categories, but a security incident could have several Tactics. In the future we do plan on mapping flow or process playbook triggers to these categories as well.

Tim Boswell · ‎11-15-2023

Hello, I would recommend against using MITRE TTPs; as you said one incident can have multiple tactics, but also MITRE does update those, adds new ones, etc. I would consider looking at various standards and agencies like NIST, CISA/US-CERT, GCHQ, AUSCERT, FIRST.org, SANS, etc. Especially if you are required to report declared incidents to CISA or other agencies, you might want to consider matching their categories.

Tim Boswell · ‎11-15-2023

Also, take a look at MITRE's "11 Strategies of a World-Class Cybersecurity Operations Center", specifically page 129.

https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-opera...