
Aligning OSI Layer Attacks with MITRE ATT&CK & SOC Use Cases 🔗

Turning theory into actionable detection and response: OSI layers → MITRE ATT&CK techniques → SOC use cases

Published • 4 min read
Understanding attacks is useful.

Detecting, investigating and responding is what SOCs are paid for.

By mapping OSI layers β†’ MITRE ATT&CK techniques β†’ SOC use cases, we bridge the gap between architecture knowledge and real-world SOC operations.

🧱 Physical Layer → MITRE ATT&CK (Initial Access / Impact) 🧱

MITRE Techniques

  • T1190 – Exploit Public-Facing Application (via physical access)

  • T1565 – Data Manipulation

  • T1499 – Endpoint Denial of Service

SOC Use Cases

  • Alerts from CCTV / access badge systems

  • Power failure correlation with device outages

  • Unexpected device reboots or link-down events

  • Tamper alerts from servers, routers or firewalls

πŸ” SOC Action

  • Validate physical access logs

  • Correlate power/network outages with access events

  • Escalate to facilities + security immediately


🔗 Data Link Layer → MITRE ATT&CK (Credential Access / Lateral Movement) 🔗

MITRE Techniques

  • T1557 – Adversary-in-the-Middle

  • T1040 – Network Sniffing

  • T1021 – Remote Services

SOC Use Cases

  • Multiple MAC addresses on a single switch port

  • Sudden ARP table changes

  • VLAN hopping indicators

  • Duplicate IP–MAC bindings

πŸ” SOC Action

  • Trigger ARP spoofing alerts

  • Validate switch port security violations

  • Isolate affected VLAN

  • Coordinate with network team


🌐 Network Layer → MITRE ATT&CK (Discovery / Impact) 🌐

MITRE Techniques

  • T1018 – Remote System Discovery

  • T1046 – Network Service Scanning

  • T1498 – Network Denial of Service

SOC Use Cases

  • ICMP flood or scan detection

  • IP spoofing indicators

  • Abnormal routing behavior

  • DoS traffic patterns

πŸ” SOC Action

  • Enable IDS/IPS correlation

  • Block malicious IPs at firewall

  • Validate traffic direction and volume

  • Inform customer during DoS events


🚚 Transport Layer → MITRE ATT&CK (Command & Control / Impact) 🚚

MITRE Techniques

  • T1071 – Application Layer Protocol

  • T1095 – Non-Application Layer Protocol

  • T1499 – Endpoint / Network DoS

SOC Use Cases

  • SYN flood alerts

  • TCP reset anomalies

  • Repeated half-open connections

  • UDP flood traffic spikes

πŸ” SOC Action

  • Validate firewall and load balancer logs

  • Enable SYN cookies / rate limiting

  • Identify source ASN/IP reputation

  • Escalate as availability incident (P1/P2)
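The SYN flood and repeated half-open connection use cases above amount to counting SYNs per source that never complete the handshake inside a window. This is an added example, not code from the original post; the record layout, the 60-second window, the threshold and the sample records are constructed assumptions.

```python
# Added example (not from the original post): flag half-open connection
# floods from constructed firewall connection-state records.
from collections import defaultdict, deque

# Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port, state)
CONN_RECORDS = [
    (1000, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),
    (1000, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),
    (1001, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),
    (1001, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),
    (1002, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),
    (1002, "192.0.2.44", "198.51.100.10", 443, "SYN_SENT"),
    (1002, "192.0.2.44", "198.51.100.10", 443, "ESTABLISHED"),  # completed handshake
    (1090, "203.0.113.9", "198.51.100.10", 443, "SYN_SENT"),    # outside the window
]


def detect_half_open_floods(records, window_s=60, threshold=4):
    """Track, per source, SYNs not yet matched by ESTABLISHED within the
    window; raise one T1499 alert per source when the count hits threshold."""
    half_open = defaultdict(deque)   # src -> timestamps of unanswered SYNs
    alerts, alerted = [], set()
    for ts, src, dst, dport, state in sorted(records):
        q = half_open[src]
        while q and ts - q[0] > window_s:   # expire SYNs older than the window
            q.popleft()
        if state == "SYN_SENT":
            q.append(ts)
        elif state == "ESTABLISHED" and q:
            q.popleft()                      # one fewer half-open connection
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "time": ts, "source": src, "target": f"{dst}:{dport}",
                "half_open": len(q), "technique": "T1499",
                "use_case": "Repeated half-open connections",
                "action": "enable SYN cookies / rate limiting; check source reputation",
            })
    return alerts
```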


🔄 Session Layer → MITRE ATT&CK (Credential Access) 🔄

MITRE Techniques

  • T1539 – Steal Web Session Cookie

  • T1550 – Use Alternate Authentication Material

  • T1078 – Valid Accounts

SOC Use Cases

  • Multiple logins using same session ID

  • Concurrent sessions from different geolocations

  • Token reuse or replay

  • Abnormal logout/login cycles

πŸ” SOC Action

  • Force session invalidation

  • Reset affected user credentials

  • Validate MFA enforcement

  • Notify IAM / Identity teams
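The session use cases above (one session ID used from a new origin, concurrent sessions for one user from different geolocations) can be checked directly against authentication logs. This is an added example, not code from the original post; the log layout, the one-hour concurrency window and the sample events are constructed assumptions.

```python
# Added example (not from the original post): detect Session layer use
# cases over constructed authentication / session events.
from collections import defaultdict

# Constructed events: (epoch_seconds, user, session_id, src_ip, country)
SESSION_EVENTS = [
    (0,   "alice", "sess-A1", "198.51.100.5", "DE"),
    (120, "alice", "sess-A1", "198.51.100.5", "DE"),
    (300, "alice", "sess-A1", "203.0.113.77", "BR"),  # same session, new origin
    (310, "bob",   "sess-B7", "192.0.2.10", "US"),
    (320, "bob",   "sess-B9", "192.0.2.10", "US"),    # re-login from same place: benign
    (330, "carol", "sess-C2", "192.0.2.33", "FR"),
    (400, "carol", "sess-C5", "203.0.113.5", "JP"),   # concurrent, different country
]


def detect_session_anomalies(events, concurrent_window_s=3600):
    """Return alerts for session-ID reuse from a new origin (T1539) and for
    concurrent sessions of one user from different countries (T1078)."""
    session_origins = defaultdict(set)   # session_id -> {(ip, country)}
    user_sessions = defaultdict(list)    # user -> [(ts, session_id, country)]
    alerts = []
    for ts, user, sid, ip, country in events:
        origins = session_origins[sid]
        if origins and (ip, country) not in origins:
            alerts.append({
                "time": ts, "user": user, "session": sid, "technique": "T1539",
                "use_case": "Session ID reused from a new origin",
                "action": "force session invalidation; reset credentials",
            })
        origins.add((ip, country))
        for prev_ts, prev_sid, prev_country in user_sessions[user]:
            if (prev_sid != sid and prev_country != country
                    and ts - prev_ts <= concurrent_window_s):
                alerts.append({
                    "time": ts, "user": user, "session": sid, "technique": "T1078",
                    "use_case": "Concurrent sessions from different geolocations",
                    "action": "validate MFA enforcement; notify IAM team",
                })
                break
        user_sessions[user].append((ts, sid, country))
    return alerts
```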


🎨 Presentation Layer → MITRE ATT&CK (Defense Evasion / Execution) 🎨

MITRE Techniques

  • T1059 – Command and Scripting Interpreter

  • T1140 – Deobfuscate/Decode Files

  • T1027 – Obfuscated Files or Information

SOC Use Cases

  • Serialized payload anomalies

  • Unexpected encoding/decoding operations

  • Data format abuse in API logs

  • Suspicious application parsing errors

πŸ” SOC Action

  • Inspect payloads via WAF / proxy logs

  • Validate encoding standards

  • Escalate to AppSec for code review

  • Block malformed requests


🧠 Application Layer → MITRE ATT&CK (Execution / Persistence) 🧠

MITRE Techniques

  • T1190 – Exploit Public-Facing Application

  • T1059 – Command Execution

  • T1505 – Server-Side Component Injection

  • T1046 – Network Service Discovery (via app)

SOC Use Cases

  • SQL injection attempts

  • XSS payload detection

  • RCE exploit indicators

  • Web shell activity

  • Unexpected outbound connections from servers

πŸ” SOC Action

  • Validate WAF alerts

  • Correlate with EDR telemetry

  • Isolate compromised host

  • Patch vulnerable application

  • Initiate IR playbook
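Two of the actions above, validating WAF alerts and correlating them with EDR telemetry, can be combined into one check: a web server process spawning a shell is worth a look on its own, and becomes high confidence when the same host had a WAF alert shortly before. This is an added example, not code from the original post; the process lists, the ten-minute window and the sample alerts are constructed assumptions.

```python
# Added example (not from the original post): correlate WAF alerts with EDR
# process lineage to confirm web shell activity (T1505) on a host.
from collections import defaultdict

WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}   # assumed baseline
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash"}

# Constructed WAF alerts: (epoch_seconds, host, source_ip, rule)
WAF_ALERTS = [
    (1000, "web01", "203.0.113.9", "SQLi signature"),
    (1005, "web02", "198.51.100.7", "XSS signature"),
]
# Constructed EDR process events: (epoch_seconds, host, parent, child)
EDR_PROCS = [
    (1030, "web01", "w3wp.exe", "cmd.exe"),   # shell spawned 30 s after WAF hit
    (1200, "web02", "httpd", "httpd"),        # ordinary worker fork, not a shell
    (5000, "web03", "nginx", "sh"),           # shell spawn with no WAF context
]


def correlate_web_shell(waf_alerts, edr_procs, window_s=600):
    """Return findings for web-server-spawned shells; severity is 'high' when
    a WAF alert on the same host precedes the spawn within window_s."""
    by_host = defaultdict(list)
    for ts, host, src, rule in waf_alerts:
        by_host[host].append((ts, src, rule))
    findings = []
    for ts, host, parent, child in edr_procs:
        if parent not in WEB_SERVER_PROCS or child not in SHELL_PROCS:
            continue
        related = [a for a in by_host[host] if 0 <= ts - a[0] <= window_s]
        findings.append({
            "host": host, "time": ts, "technique": "T1505",
            "use_case": "Web shell activity",
            "severity": "high" if related else "medium",
            "waf_context": related,
            "action": ("isolate host; initiate IR playbook" if related
                       else "validate with application owner; hunt for persistence"),
        })
    return findings
```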


πŸ” How SOC Teams Should Use This Mapping

✅ L1 Analysts

  • Alert validation using OSI context

  • Noise vs real threat identification

✅ L2 Analysts

  • MITRE technique mapping

  • Root cause analysis

  • Incident severity classification

✅ L3 / Team Leads

  • Threat hunting hypotheses

  • Detection engineering improvements

  • Playbook optimization


πŸ›‘οΈ Why This Matters in Modern SOCs (Especially AI-SIEM) πŸ›‘οΈ

  • Improves alert explainability

  • Enables MITRE-based reporting

  • Strengthens customer communication

  • Supports audit & compliance narratives

A mature SOC doesn't just detect alerts; it understands where, how and why an attack occurred.

The OSI model tells you where attacks happen. MITRE ATT&CK explains how attackers operate. SOC use cases define what actions to take.

When all three align, security becomes proactive, not reactive.