
Risk

5/7/2020 10:00 AM
Jack Freund
Commentary

Threat-Modeling Basics Using MITRE ATT&CK

When risk managers consider the role ATT&CK plays in the classic risk equation, they have to understand the role of threat modeling in building a complete risk scenario.

The MITRE ATT&CK framework, launched in 2015, has become the de facto method for cataloging attacks and understanding an organization's defensive capabilities. This information is also useful to risk professionals, who are charged with aiding organizations in understanding which attacks are the most damaging and how often they might happen.

Integrating MITRE ATT&CK into your organization's risk management framework gives you the opportunity to scale risk reporting up and down the organization, from security operations to senior leadership. The most important point to remember about this mapping is that when we consider the role ATT&CK plays in the classic risk equation (frequency of loss multiplied by impact), we have to understand the role of threat modeling in building a complete risk scenario.

Loss-Scenario Basics
Risk occurs where there is potential for loss. Taken by themselves, the items in ATT&CK are not statements of loss. In the language of enterprise risk management (ERM), they are "risk triggers" – items that initiate the realization of a risk event. For example, take a technique under the exfiltration category, such as encrypted data or scheduled transfers, which are part of regular business operations. Now we have to imagine the ways these techniques could be used nefariously by attackers.

However, the techniques themselves don't give us the critical first part of that risk equation: frequency. The frequency with which we may experience an attack is important to consider in helping executives get their arms around organizational risk. ATT&CK feeds the understanding of frequency of loss but not the impact part of the equation.

Building a Threat Model for Risk Assessment
Much has been said about the difficulty of attributing certain hacks to various threat actors, but for risk assessment purposes, positive attribution is not necessary. Instead, allocating these attack types to various classes of threat actors is helpful in measuring your organization against their relative strength.

For instance, non-IT internal employees might try to brute-force their way to credential access or find credentials hard-coded in files or on paper, thereby enabling their nefarious doings. Cybercriminals attempting account takeover using man-in-the-middle website proxies, on the other hand, might employ two-factor authentication interception. Naturally, some overlap in these lists could occur.

Once your mapping between the MITRE ATT&CK framework and your organization's risk management framework is complete – and depending heavily on your company's business model and employee base – you could end up with a list that looks something like this:

Threat Community         | ATT&CK Category    | Tactics and Techniques
-------------------------|--------------------|----------------------------------------
Non-Privileged Insiders  | Credential Access  | Brute force
                         |                    | Credentials in files
Cybercriminals           | Credential Access  | Two-factor authentication interception
                         |                    | LLMNR/NBT-NS poisoning and relay
                         | Impact             | Data encrypted for impact

Using ATT&CK to Determine Frequency of Loss
Ultimately, the threat communities are the doers and their frequency of attacks is what is represented in a risk equation. However, many organizations don't have the data to answer the questions of, "How often are cybercriminals targeting us?" and, "How often do cybercriminals cause loss events in our organization?"

The data they do have is often in the form of attack types. For example, they may know how often they are targeted for ransomware (data encrypted for impact in ATT&CK). That can be traced back to the most likely threat community (cybercriminals) and can help establish a frequency value.

Automated offensive and defensive tools can easily drive frequency rates to 1,000 events of interest a day. It's important to understand that this rate cannot be substituted one-for-one with loss-event frequency. Instead, some layer of expert judgment is often overlaid on these values that gives you the chance to adjust that value so it can accurately represent the loss frequency for the organization. As an example, your automated endpoint detection and response tools may block 800 events a day, but in a given year you estimate loss events to occur between one and three times.
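As an added example (not code from the article or from RiskLens), the following turns the mapping table above and the 800-blocks-a-day versus one-to-three-loss-events-a-year estimate into a small risk-scenario model: a technique is traced back to its threat community, and the tooling's event rate is kept separate from the expert-adjusted loss-event frequency that actually enters the risk equation. The loss magnitude and the ransomware scenario values used are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed from the article's table (added example, not RiskLens or FAIR tooling):
# threat community -> ATT&CK tactic -> techniques.
THREAT_MODEL = {
    "Non-Privileged Insiders": {
        "Credential Access": ["Brute force", "Credentials in files"],
    },
    "Cybercriminals": {
        "Credential Access": ["Two-factor authentication interception",
                              "LLMNR/NBT-NS poisoning and relay"],
        "Impact": ["Data encrypted for impact"],
    },
}

def threat_communities_for(technique):
    """Trace a technique back to every community mapped to it (overlap is allowed)."""
    return sorted(community for community, tactics in THREAT_MODEL.items()
                  if any(technique in techs for techs in tactics.values()))

@dataclass(frozen=True)
class LossScenario:
    technique: str
    community: str
    events_per_day: float    # tooling rate (e.g. EDR blocks): a risk trigger, not a loss
    loss_events_min: float   # expert-adjusted loss-event frequency, per year
    loss_events_max: float
    loss_magnitude: float    # assumed loss per event, in currency units

    def events_per_year(self):
        return self.events_per_day * 365

    def events_per_loss_event(self):
        """Observed events behind each loss event at the high end of the estimate."""
        return self.events_per_year() / self.loss_events_max

    def annualized_loss(self):
        """Frequency of loss x impact, as a (min, max) range."""
        return (self.loss_events_min * self.loss_magnitude,
                self.loss_events_max * self.loss_magnitude)

def build_scenario(technique, events_per_day, loss_events_range, loss_magnitude):
    """Attach the most likely community; the tool rate is never used as the frequency."""
    communities = threat_communities_for(technique)
    if not communities:
        raise ValueError(f"{technique!r} is not mapped to any threat community")
    lo, hi = loss_events_range
    if not 0 < lo <= hi:
        raise ValueError("loss-event range must satisfy 0 < min <= max")
    return LossScenario(technique, communities[0], events_per_day, lo, hi, loss_magnitude)
```

For the ransomware case, 800 blocked events a day against at most three loss events a year means roughly 97,000 observed events per loss event, which is why the raw detection count cannot stand in for loss-event frequency.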

This kind of approach to threat modeling helps cyber-risk managers wed two very important factors. The first is a hyper focus on the minutiae of daily cyber hygiene, security operations, and threat management – all critical functions that very rarely need the attention of senior leadership. The second is a top-down risk approach made without suitable front-line information. Using a threat-modeling approach to risk management like the one outlined above allows organizations to sample from the data available on the front lines to better inform their high-level risk assessments.


Dr. Jack Freund is the Risk Science Director for RiskLens, a cyber-risk quantification platform built on FAIR. Over the course of his 20-year career in technology and risk, Freund has become a leading voice in cyber-risk measurement and management. He previously worked ...