Hitting Miscreants with a New Stick: MITRE Inference Engine 2.0
- Patrick Duggan
- Nov 27, 2025
- 3 min read
Published: November 27, 2025 Tags: MITRE ATT&CK, Threat Intelligence, Behavioral Analysis, OTX
The Problem: Four Techniques for 765 Bad Actors
We had 765 blocked IPs in our threat intelligence pipeline. Our MITRE inference engine was classifying them... but only into 4 unique techniques. That's like having a library with 765 books and only 4 shelf labels.
The classification rate was 69.9% - meaning 230 IPs were just marked "Unknown." We were leaving intelligence on the table.
The Solution: 15 Priority Rules, 25+ Techniques
We expanded the inference engine from 12 rules to 15+ priority-ordered rules with sub-technique granularity:
Priority 1: Known Scanner ISPs → T1595.002 (Vulnerability Scanning)
Priority 2: VPN/Proxy Services → T1090.002 (External Proxy)
Priority 3: Residential + High Abuse → T1090 (Proxy)
Priority 4: VT Detections + Data Center → T1105 (Ingress Tool Transfer)
Priority 5: Bulletproof Hosting + VT → T1102 (Web Service C2)
Priority 6: Brute Force Keywords → T1110.004 (Credential Stuffing)
Priority 7: Scanning Keywords → T1595.001 (IP Block Scanning)
Priority 8: DoS Keywords → T1498 (Network Denial of Service)
...
Priority 15: DNS/Tunnel Keywords → T1071.004 (DNS C2)
The key insight: sub-techniques matter. T1110 (Brute Force) is too generic. But T1110.004 (Credential Stuffing) vs T1110.003 (Password Spraying) tells defenders exactly what they're dealing with.
The Results
| Metric | Before | After | Change |
|--------|--------|-------|--------|
| Unique Techniques | 4 | 8 | +100% |
| Classification Rate | 69.9% | 96.5% | +38% |
| Unclassified IPs | 230 | 27 | -88% |
| HIGH Coverage | 17 | 20 | +18% |
Technique Distribution (765 Miscreants)
T1071 - Application Layer Protocol (C2) 365 IPs
T1046 - Network Service Discovery 216 IPs
T1105 - Ingress Tool Transfer (C2) 150 IPs
T1595 - Active Scanning 2 IPs
T1583.003 - VPS Infrastructure 2 IPs
T1071.001 - Web Protocols (C2) 1 IP
T1090.002 - External Proxy 1 IP
T1082 - System Info Discovery 1 IP
Now we're classifying across 5 different tactics: Command & Control, Discovery, Reconnaissance, Resource Development, and Defense Evasion.
The Pipeline: STIX → OTX (Hourly)
The inference data doesn't just sit in a dashboard. It flows through our automated pipeline:
:15 threat-intel-hourly → Cloudflare + AbuseIPDB enrichment
:30 auto-block-malicious → Block high-score IPs
:45 security-kpi-calculator → FPR, TPR, Precision metrics
:50 otx-stix-sync → STIX feed → OTX Master Pulse
Every hour, our STIX feed syncs to the OTX Master Pulse. The MITRE technique gets embedded in each indicator's description:
"ISP: Contabo GmbH | MITRE: T1071 - Application Layer Protocol | Category: C2 Infrastructure | Score: 87.3"
7,887 community researchers subscribed to OTX pulses now get our MITRE-enriched IOCs automatically.
The Philosophy: Behavioral Honesty
The old inference engine had a dirty secret: when it didn't know, it defaulted to "Command & Control." That's how we ended up with 72% C2 classifications - statistically impossible for real-world traffic.
The new engine follows a simple rule: if we don't know, we say "Unknown."
```javascript
// DEFAULT: Unknown - WE DON'T LIE
// No rule fired, so no tactic was set: record why and zero the confidence
// instead of falling back to a default tactic.
if (!tactic) {
  indicators.push('Insufficient behavioral indicators for classification');
  confidence = 0;
}
```
27 IPs out of 765 are now "Unknown" instead of getting a bullshit default. That's intellectual honesty. Defenders can trust that when we say "T1105 - Ingress Tool Transfer," we actually observed behavioral indicators that support it.
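The priority-ordered rules and the "say Unknown" default, as an added example that is not the post's own engine: a subset of the rules above, first match wins, and an unmatched record gets no technique and confidence 0. Enrichment field names (isp, hostingType, abuseScore, vtDetections, comments), the scanner ISP list and the fixed confidence are assumptions.

```javascript
// Added example, not the post's engine: priority-ordered MITRE inference with the
// post's "Unknown" default. Field names, scanner ISP list and confidence are assumed.
const SCANNER_ISPS = ['example scanning llc'];   // constructed placeholder

// Whole-word keyword match over abuse-report text, so "dos" does not fire on "windows".
function hasKeyword(rec, words) {
  const seen = new Set((rec.comments || '').toLowerCase().split(/\W+/));
  return words.some(w => seen.has(w));
}

// Subset of the post's 15 rules; lower p wins when several rules match.
const RULES = [
  { p: 1, id: 'T1595.002', tactic: 'Reconnaissance',
    test: r => SCANNER_ISPS.includes((r.isp || '').toLowerCase()) },
  { p: 2, id: 'T1090.002', tactic: 'Command and Control',
    test: r => r.hostingType === 'vpn' || r.hostingType === 'proxy' },
  { p: 3, id: 'T1090', tactic: 'Command and Control',
    test: r => r.hostingType === 'residential' && r.abuseScore >= 80 },
  { p: 4, id: 'T1105', tactic: 'Command and Control',
    test: r => r.vtDetections > 0 && r.hostingType === 'datacenter' },
  { p: 6, id: 'T1110.004', tactic: 'Credential Access',
    test: r => hasKeyword(r, ['brute', 'bruteforce', 'credential', 'login']) },
  { p: 8, id: 'T1498', tactic: 'Impact',
    test: r => hasKeyword(r, ['dos', 'ddos', 'flood']) },
  { p: 15, id: 'T1071.004', tactic: 'Command and Control',
    test: r => hasKeyword(r, ['dns', 'tunnel', 'tunneling']) },
].sort((a, b) => a.p - b.p);

// Classify one record: first matching rule, otherwise Unknown with confidence 0.
function infer(rec) {
  const rule = RULES.find(r => r.test(rec));
  if (rule) {
    return { technique: rule.id, tactic: rule.tactic, confidence: 0.8,
             indicators: [`matched priority ${rule.p} rule`] };
  }
  return { technique: null, tactic: 'Unknown', confidence: 0,
           indicators: ['Insufficient behavioral indicators for classification'] };
}

// Batch view like the results table: per-technique counts and classification rate.
function summarize(records) {
  const counts = {};
  let classified = 0;
  for (const rec of records) {
    const key = infer(rec).technique || 'Unknown';
    counts[key] = (counts[key] || 0) + 1;
    if (key !== 'Unknown') classified += 1;
  }
  return { counts, classificationRate: classified / records.length };
}
```

Because matching stops at the first rule, a VPN exit node whose abuse reports mention DDoS is classified as T1090.002, not T1498; reorder the priorities if that is not the behaviour you want.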
What's Next
The inference engine is now producing 8 techniques. Our detection rules cover 51. Threat hunt queries cover 57. OTX community pulses provide 174.
Combined MITRE coverage: 193 unique techniques at 37.6% coverage score.
The miscreants got hit with a new stick. And every hour, that stick gets syndicated to 7,887 subscribers.
Master Pulse: OTX DugganUSA Threat Feed
STIX Feed: analytics.dugganusa.com/api/v1/stix-feed
Dashboard: analytics.dugganusa.com