Dark Reading | Risk | Commentary
5/7/2020 10:00 AM
Jack Freund

Threat-Modeling Basics Using MITRE ATT&CK

When risk managers consider the role ATT&CK plays in the classic risk equation, they have to understand the role of threat modeling in building a complete risk scenario.

The MITRE ATT&CK framework, launched in 2015, has become the de facto method for cataloging attacks and understanding an organization's defensive capabilities. This information is also useful to risk professionals, who are charged with aiding organizations in understanding which attacks are the most damaging and how often they might happen.

Integrating MITRE ATT&CK into your organization's risk management framework can give you the opportunity to scale risk reporting up and down the organization, from security operations to senior leadership. The most important point to remember about this mapping is when we consider the role ATT&CK plays in the classic risk equation (frequency of loss multiplied by impact), we have to understand the role of threat modeling in building a complete risk scenario.

Loss-Scenario Basics
Risk occurs where there is potential for loss. Taken by themselves, the items in ATT&CK are not statements of loss. In the language of enterprise risk management (ERM), they are "risk triggers" – items that initiate the realization of a risk event. For example, take a technique under the exfiltration category, such as encrypted data or scheduled transfers, which are part of regular business operations. Now we have to imagine the ways these techniques could be used nefariously by attackers.

However, the techniques themselves don't give us the critical first part of that risk equation: frequency. The frequency with which we may experience an attack is important to consider in helping executives get their arms around organizational risk. ATT&CK feeds the understanding of frequency of loss but not the impact part of the equation.

Building a Threat Model for Risk Assessment
Much has been said about the difficulty of attributing certain hacks to various threat actors, but for risk assessment purposes, positive attribution is not necessary. Instead, allocating these attack types to various classes of threat actors is helpful in measuring your organization against their relative strength.

For instance, non-IT internal employees might try to brute-force their way to credential access or find credentials hard-coded in files or on paper, thereby enabling their nefarious doings. By contrast, cybercriminals attempting account takeover using man-in-the-middle website proxies might employ two-factor authentication interception. Naturally, some overlap in these lists could occur.

Once your mapping between the MITRE ATT&CK framework and your organization's risk management framework is complete – and depending heavily on your company's business model and employee base – you could end up with a list that looks something like this:

Threat Community        | ATT&CK Category   | Tactics and Techniques
------------------------|-------------------|----------------------------------------
Non-Privileged Insiders | Credential Access | Brute force
                        |                   | Credentials in files
Cybercriminals          | Credential Access | Two-factor authentication interception
                        |                   | LLMNR/NBT-NS poisoning and relay
                        | Impact            | Data encrypted for impact

Using ATT&CK to Determine Frequency of Loss
Ultimately, the threat communities are the doers, and their frequency of attacks is what is represented in a risk equation. However, many organizations don't have the data to answer the questions "How often are cybercriminals targeting us?" and "How often do cybercriminals cause loss events in our organization?"

The data they do have is often in the form of attack types. For example, they may know how often they are targeted for ransomware (data encrypted for impact in ATT&CK). That can be traced back to the most likely threat community (cybercriminals) and can help establish a frequency value.

Automated offensive and defensive tools can easily drive frequency rates to 1,000 events of interest a day. It's important to understand that this rate cannot be substituted one-for-one for loss-event frequency. Instead, a layer of expert judgment is usually overlaid on these values, adjusting them so they accurately represent the organization's loss-event frequency. As an example, your automated endpoint detection and response tools may block 800 events a day, but in a given year you estimate loss events to occur between one and three times.
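The mapping table above and the blocked-events-to-loss-events adjustment, as an added Python example that is not part of the article: the threat-model rows are the article's, while the daily event counts, the expert-judgment loss-event range and the impact figures are constructed sample values.

```python
from dataclasses import dataclass

# Threat community -> ATT&CK category -> techniques (rows of the article's table).
THREAT_MODEL = {
    "Non-Privileged Insiders": {
        "Credential Access": ["Brute force", "Credentials in files"]},
    "Cybercriminals": {
        "Credential Access": ["Two-factor authentication interception",
                              "LLMNR/NBT-NS poisoning and relay"],
        "Impact": ["Data encrypted for impact"]},
}

# Constructed EDR telemetry: blocked events per day, keyed by technique name.
# Technique-level counts like these (800/day in total) are what most shops hold.
SAMPLE_BLOCKED_PER_DAY = {"Brute force": 490, "Credentials in files": 10,
                          "Data encrypted for impact": 300}

@dataclass(frozen=True)
class Range:
    """Calibrated estimate: minimum / most likely / maximum."""
    low: float
    likely: float
    high: float

def techniques_to_communities(model=THREAT_MODEL):
    """Invert the table so a detected technique points at its threat community."""
    lookup = {}
    for community, categories in model.items():
        for techniques in categories.values():
            for technique in techniques:
                lookup.setdefault(technique, []).append(community)  # overlap allowed
    return lookup

def attempts_per_year(blocked_per_day, model=THREAT_MODEL):
    """Raw 'events of interest' per community, annualized over 365 days.
    This says who is knocking and how often; it is NOT loss-event frequency."""
    lookup = techniques_to_communities(model)
    totals = {community: 0 for community in model}
    for technique, count in blocked_per_day.items():
        for community in lookup.get(technique, []):
            totals[community] += count * 365
    return totals

def annualized_loss_exposure(lef: Range, impact: Range) -> Range:
    """Classic risk equation, frequency of loss x impact. `lef` is the
    expert-judgment overlay (e.g. 1-3 loss events/year), not the raw rate."""
    return Range(lef.low * impact.low, lef.likely * impact.likely,
                 lef.high * impact.high)
```

Feeding the raw 109,500 cybercriminal attempts a year straight into the equation would overstate exposure by orders of magnitude; the calibrated 1-3 range is what belongs in `lef`.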

This kind of approach to threat modeling helps cyber-risk managers wed two very important factors. The first is a hyperfocus on the minutiae of daily cyber hygiene, security operations, and threat management – all critical functions that very rarely need the attention of senior leadership. The second is a top-down risk approach made without suitable front-line information. Using a threat-modeling approach to risk management like the one outlined above allows organizations to sample from the data available on the front lines to better inform their high-level risk assessments.

Dr. Jack Freund is the Risk Science Director for RiskLens, a cyber-risk quantification platform built on FAIR. Over the course of his 20-year career in technology and risk, Freund has become a leading voice in cyber-risk measurement and management. He previously worked ...