In my previous Angles of ATT&CK article, Bingo Night, I discussed a common pitfall many security teams face—trying to “win” MITRE Bingo rather than building a truly effective defense.
In this entry, I’ll dive deeper into two key strategies for managing your ATT&CK approach: Covering the Attacker Lifecycle (breadth) and Doubling Down on High-Variance Techniques (depth), to show that it is much more akin to combat in the famous tabletop roleplaying game Dungeons & Dragons than to Bingo. Both depth and breadth play a crucial role in maximizing security posture with limited resources, but which should take priority? When does it make sense to prioritize breadth over depth (or vice versa)? Does the distinction even matter? These are seemingly simple questions with nuanced answers. By gamifying the concepts, I will help to clarify how to manage the tradeoffs between them in planning your detection and visibility coverage strategy.
The Battle Map
When thinking about breadth of visibility or breadth of detection coverage, it is important to put it in the context of the lifecycle of an attack. There are several common models for attack patterns, the most popular being Lockheed Martin’s Cyber Kill Chain and Google Mandiant’s Targeted Attack Lifecycle. It can also be as simple as looking at the MITRE ATT&CK Matrix from left to right. The key takeaway from these models is that a single detection or malicious behavior doesn’t exist in a vacuum. Unless you get lucky and detect the very first technique an attacker attempts to use, the attacker must have successfully executed some previous technique and may have executed a subsequent technique as part of the attack pattern. In some cases, an attack can be successful with a single successful technique, but that is a rare exception. Most sophisticated attacks will require a sequence of several successful techniques to complete the mission.
Figure 1: APT28 TTPs mapped to the ATT&CK Enterprise matrix
Figure 1 demonstrates this by showing how threat actor group APT 28, attributed to Russian intelligence, looks when their identified techniques are mapped to the ATT&CK Enterprise matrix. Generally speaking, they need to successfully execute an Initial Access technique before they can move on to Execution, and so on across the Tactics from left to right. In the middle part of the matrix, this left-to-right relationship does not hold up, as an attacker will pivot from tactic to tactic out of order as they quietly move throughout a network. But it stands to reason that if you detect a Credential Access technique, it is highly likely they successfully executed an Initial Access or Privilege Escalation technique first and now have the access required for Discovery and Lateral Movement. The goal is to detect and stop the attack as early as possible, but no later than Exfiltration or Impact.
So, the common wisdom “Defenders have to be right all the time and attackers only need to be right once” doesn’t hold up in the practical sense. While it’s true attackers only have to be right once to compromise a network, they have to be right several times in a row (and defenders have to be wrong several times in a row) to succeed in a complete attack. In effect, the attack/defend lifecycle plays out a lot like an extended battle where each side has many chances to succeed or fail along the way.
Roll For Initiative!
We can use this to our advantage as defenders. Detection (and conversely a successful attack technique) is a matter of probabilities. Every time an attacker attempts a technique, they will succeed with some probability PA, based on their ability to bypass active controls, and the defender will detect it with some probability PD, based on their visibility of the activity and use cases built to detect it. Both the attacker and defender are effectively rolling dice on each attempted attack technique, and both could succeed or fail. Instead of Bingo, it’s more like combat or a contested skill check in Dungeons & Dragons, only using computers instead of swords and magic. If the attacker succeeds and the defender fails, they progress toward their mission unseen (sneak attack!). If the defender succeeds, they have a chance to counterattack and kick the attacker out of the network.
As discussed above, in most cases a threat actor must execute multiple successful techniques, and the defender must fail on multiple detections (or active controls) for the attacker to succeed. Since success for both the attacker and defender are based on probabilities, they can increase their chance of success by either forcing more dice rolls to happen (breadth) or by increasing the probability of success for each dice roll (depth). Cybersecurity is a multi-player game, so to successfully defend you have to level up your capability faster than your opponents.
Breadth is a Skill Issue
When you level up a Dungeons & Dragons character, you have lots of options. My favorite is adding skills, special abilities, and magic spells to add variety to the game. When planning your detection strategy using ATT&CK, this is similar to adding coverage to tactics (columns) across the entire matrix. When you have detections in place for each tactic, you’re effectively giving yourself more chances to roll the dice and succeed. For example, if you only have coverage for Initial Access, Execution, Command & Control, and Exfiltration, you only get four dice rolls. Adding additional coverage to the middle of the matrix will give you more dice rolls. Your chances of success multiply with each dice roll and can potentially grow exponentially.
I’ll demonstrate with a (highly) simplified example. Let’s say you have coverage of three tactics with probabilities PD1 through PD3, each with a 50% chance of success. The theoretical chance of successful detection is now 87.5% (1 – 0.5³). This is calculated by first computing the chance of failing on all three dice rolls (0.5³) and then taking the complement of that probability by subtracting it from 1. This gives you the probability of succeeding in at least one dice roll. Now, if you add coverage of two more tactics, the chance of success goes up to 96.8% (1 – 0.5⁵), and if you increase your breadth of coverage to seven tactics the chance of success goes up to 99.2% (1 – 0.5⁷). In this case, success grows exponentially with respect to breadth!
Unfortunately, it would be exceptionally difficult to determine the actual probabilities for successful execution or detection of an ATT&CK technique, but understanding that those hidden probabilities increase exponentially as you increase breadth of coverage is an important strategic concept.
Depth is a Stat Issue
Having lots of skills and abilities in Dungeons & Dragons is only useful if they are likely to succeed. Increasing the chance for a skill to succeed is accomplished by leveling up your base stats: Strength, Dexterity, Constitution, Wisdom, Charisma, and Intelligence. These add bonuses to your skills to make them more likely to succeed. In the world of managing your detection strategy with ATT&CK, this means adding depth of coverage to the techniques and sub-techniques threat actors are likely to use against you.
Depth can mean multiple things in the context of MITRE ATT&CK. There is coverage of techniques at the Tactic level, coverage of sub-techniques at the technique level, and, as discussed in a previous post, hidden variance within individual techniques or sub-techniques. Recognizing where variance exists in ATT&CK and increasing coverage of the highest-prevalence tactics and techniques will increase your depth of coverage. Let’s talk about why this is important.
Going back to our previous (and highly simplified) example and starting with our original three Tactics with probabilities PD1 through PD3, what happens if we increase the probability of all three of them to 60% instead of adding breadth of coverage? The chance of success goes up from 87.5% to 93.6% (1 – 0.4³). If you increase the probabilities to 80%, the overall chance of success goes up to 99.2% (1 – 0.2³). Because of the exponential nature of how breadth scales, we can increase the speed of that exponential growth by leveling up our stats to make our dice rolls more likely to succeed.
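The dice-roll model from the "Roll For Initiative!" section and the two worked calculations above (breadth: more independent detection opportunities; depth: a higher hit chance on each one) are small enough to put in code. The following is an added example, not part of the original article or of any Cyderes tooling. It assumes the article's simplification that each detection opportunity is an independent roll with probability PD and that an attacker must both succeed (PA) and go unseen at every stage of the lifecycle; the closed-form functions reproduce the article's figures, and a Monte Carlo run is added as a cross-check of the lifecycle formula.

```python
"""Breadth vs. depth of detection coverage as independent dice rolls.

Added example (not from the original article). Probabilities are assumed
independent per technique, exactly as in the article's simplified model.
"""
import random
from functools import reduce
from operator import mul


def p_at_least_one_detection(pd_values):
    """Chance that at least one detection opportunity fires.

    pd_values: per-tactic detection probabilities (PD1, PD2, ...).
    Returns 1 - product(1 - PDi): the complement of missing every roll.
    """
    p_all_miss = reduce(mul, (1.0 - p for p in pd_values), 1.0)
    return 1.0 - p_all_miss


def add_breadth(pd_values, extra_tactics, p_new):
    """Breadth: cover more tactics, each giving one more roll at p_new."""
    return list(pd_values) + [p_new] * extra_tactics


def add_depth(pd_values, p_new):
    """Depth: keep the same number of rolls but raise each to p_new."""
    return [p_new] * len(pd_values)


def p_attack_completes_unseen(stages):
    """Chance the whole lifecycle succeeds without a single detection.

    stages: list of (PA, PD) tuples, one per technique the attacker must
    execute in order. At each stage the attacker must succeed (PA) AND the
    defender must miss (1 - PD), so the terms multiply.
    """
    return reduce(mul, (pa * (1.0 - pd) for pa, pd in stages), 1.0)


def simulate_unseen_rate(stages, trials=20000, seed=1):
    """Monte Carlo cross-check of p_attack_completes_unseen.

    Each trial walks the lifecycle rolling two dice per stage: one for the
    attacker's technique, one for the defender's detection. The trial counts
    as 'unseen' only if every stage is both successful and undetected.
    """
    rng = random.Random(seed)
    unseen = 0
    for _ in range(trials):
        for pa, pd in stages:
            if rng.random() >= pa:   # attacker's roll failed: attack stalls
                break
            if rng.random() < pd:    # defender's roll succeeded: detected
                break
        else:
            unseen += 1
    return unseen / trials


if __name__ == "__main__":
    base = [0.5, 0.5, 0.5]                      # PD1..PD3 at 50%, as in the article
    print("3 tactics @50%:", p_at_least_one_detection(base))
    print("5 tactics @50%:", p_at_least_one_detection(add_breadth(base, 2, 0.5)))
    print("7 tactics @50%:", p_at_least_one_detection(add_breadth(base, 4, 0.5)))
    print("3 tactics @60%:", p_at_least_one_detection(add_depth(base, 0.6)))
    print("3 tactics @80%:", p_at_least_one_detection(add_depth(base, 0.8)))

    # Constructed lifecycle: three stages, attacker 90% likely to succeed at
    # each technique, defender 50% likely to detect each one.
    lifecycle = [(0.9, 0.5)] * 3
    print("analytic unseen:", p_attack_completes_unseen(lifecycle))
    print("simulated unseen:", simulate_unseen_rate(lifecycle))
```

The breadth and depth helpers make the two strategies directly comparable on the same input: three tactics at 50% give 0.875, adding two more tactics at 50% gives 0.96875 (the article rounds this to 96.8%), while raising the original three to 80% gives 0.992, the same figure as seven tactics at 50%. The lifecycle function shows why the "attackers only need to be right once" line fails: with three stages at PA = 0.9 and PD = 0.5 the attacker completes the mission unseen only about 9% of the time, even though each individual technique is very likely to work.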
Skills vs. Stats
So, getting back to our original question: is breadth or depth more important? I must confess we don’t have enough information to say one way or the other, as we’re missing a key component: level of effort (LOE). Is it harder to increase breadth or depth? When, if ever, do the respective LOE curves reach diminishing returns or invert? These will likely be topics for a future article (spoiler alert: depth has a higher LOE). However, I will leave you with the high-level strategy we use at Cyderes when building our Au Detection Library and advising clients: using prevalence as your guide, favor breadth early in your strategy and depth later.
Adding breadth of coverage gives you more opportunities to detect and stop an attack at some point before Exfiltration or Impact. You miss 100% of the chances you don’t take. Giving yourself more opportunities to succeed early on keeps you in the game. And fortunately, many security products give you some baseline breadth of coverage out of the box. Then, once you are giving yourself enough chances to roll the dice, you can focus on beefing up your stats to improve your odds on each roll. Critical Success!
Much like in Dungeons & Dragons, cybersecurity is a game of strategy, resource management, and calculated risk. The key to success isn’t about winning a single battle—it’s about stacking the odds in your favor. Breadth gives you more chances to detect an attacker at different points in their lifecycle, while depth increases your ability to succeed in the overall encounter. The game never ends, and attackers are always adapting. But by understanding and applying the right mix of breadth and depth, you can level up your defenses and keep the adversary from winning the battle.