
Risk | Commentary
5/7/2020 10:00 AM
Jack Freund

Threat-Modeling Basics Using MITRE ATT&CK

When risk managers consider the role ATT&CK plays in the classic risk equation, they have to understand the role of threat modeling in building a complete risk scenario.

The MITRE ATT&CK framework, launched in 2015, has become the de facto method for cataloging attacks and understanding an organization's defensive capabilities. This information is also useful to risk professionals, who are charged with aiding organizations in understanding which attacks are the most damaging and how often they might happen.

Integrating MITRE ATT&CK into your organization's risk management framework gives you the opportunity to scale risk reporting up and down the organization, from security operations to senior leadership. The most important point to remember about this mapping is that when we consider the role ATT&CK plays in the classic risk equation (frequency of loss multiplied by impact), we have to understand the role of threat modeling in building a complete risk scenario.

Loss-Scenario Basics
Risk occurs where there is potential for loss. Taken by themselves, the items in ATT&CK are not statements of loss. In the language of enterprise risk management (ERM), they are "risk triggers" – items that initiate the realization of a risk event. For example, take a technique under the exfiltration category, such as encrypted data or scheduled transfers, which are part of regular business operations. Now we have to imagine the ways these techniques could be used nefariously by attackers.

However, the techniques themselves don't give us the critical first part of that risk equation: frequency. The frequency with which we may experience an attack is important to consider in helping executives get their arms around organizational risk. ATT&CK feeds the understanding of frequency of loss but not the impact part of the equation.

Building a Threat Model for Risk Assessment
Much has been said about the difficulty of attributing certain hacks to various threat actors, but for risk assessment purposes, positive attribution is not necessary. Instead, allocating these attack types to various classes of threat actors is helpful in measuring your organization against their relative strength.

For instance, non-IT internal employees might try to brute-force their way to credential access or find credentials hard-coded in files or on paper, thereby enabling their nefarious doings. Cybercriminals attempting account takeover using man-in-the-middle website proxies, by contrast, might employ two-factor authentication interception. Naturally, some overlap in these lists could occur.

Once your mapping between the MITRE ATT&CK framework and your organization's risk management framework is complete – and depending heavily on your company's business model and employee base – you could end up with a list that looks something like this:

| Threat Community        | ATT&CK Category   | Tactics and Techniques                                                    |
|-------------------------|-------------------|---------------------------------------------------------------------------|
| Non-Privileged Insiders | Credential Access | Brute force; Credentials in files                                         |
| Cybercriminals          | Credential Access | Two-factor authentication interception; LLMNR/NBT-NS poisoning and relay |
| Cybercriminals          | Impact            | Data encrypted for impact                                                 |

Using ATT&CK to Determine Frequency of Loss
Ultimately, the threat communities are the doers and their frequency of attacks is what is represented in a risk equation. However, many organizations don't have the data to answer the questions of, "How often are cybercriminals targeting us?" and, "How often do cybercriminals cause loss events in our organization?"

The data they do have is often in the form of attack types. For example, they may know how often they are targeted for ransomware (data encrypted for impact in ATT&CK). That can be traced back to the most likely threat community (cybercriminals) and can help establish a frequency value.

Automated offensive and defensive tools can easily drive frequency rates to 1,000 events of interest a day. It's important to understand that this rate cannot be substituted one-for-one for loss-event frequency. Instead, a layer of expert judgment is usually overlaid on these values, letting you adjust the observed rate so it accurately represents the loss frequency for the organization. As an example, your automated endpoint detection and response tools may block 800 events a day, but in a given year you estimate loss events to occur between one and three times.
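As an added worked example (not code from the article or from RiskLens), the following Python sketch carries the procedure above end to end: it attributes per-technique detections to threat communities using the table's mapping, applies the expert-judgment overlay that separates blocked events from loss events, and runs the frequency-times-impact equation as a small Monte Carlo. The daily detection counts, the 1-3 loss-event range and the impact range are constructed, illustrative values.

```python
"""Added worked example (not from the article): roll ATT&CK technique telemetry up
to threat communities, overlay expert judgment to turn blocked events into a
loss-event frequency, and simulate annual loss = frequency x impact.
All mappings, counts and ranges below are constructed for illustration."""
import random
import statistics

# Technique -> threat community, following the article's example table.
TECHNIQUE_TO_COMMUNITY = {
    "Brute Force": "Non-Privileged Insiders",
    "Credentials in Files": "Non-Privileged Insiders",
    "Two-Factor Authentication Interception": "Cybercriminals",
    "LLMNR/NBT-NS Poisoning and Relay": "Cybercriminals",
    "Data Encrypted for Impact": "Cybercriminals",
}

# Constructed EDR telemetry: events blocked per day, keyed by ATT&CK technique.
DAILY_BLOCKED = {
    "Brute Force": 150,
    "Credentials in Files": 20,
    "Two-Factor Authentication Interception": 5,
    "LLMNR/NBT-NS Poisoning and Relay": 600,
    "Data Encrypted for Impact": 25,
}

def events_per_community(blocked, mapping):
    """Attribute each technique's detections to the community that 'does' it."""
    totals = {}
    for technique, count in blocked.items():
        community = mapping[technique]
        totals[community] = totals.get(community, 0) + count
    return totals

def loss_ratio(blocked_per_day, loss_events_per_year):
    """Expert-judgment overlay: fraction of a year's blocked events that became loss
    events (the article's 800/day blocked vs. 1-3 loss events a year), never 1:1."""
    return loss_events_per_year / (blocked_per_day * 365)

def simulate_annual_loss(lef_min, lef_max, impact_min, impact_max, trials=20_000, seed=1):
    """Monte Carlo over frequency x impact: sample the yearly loss-event count from
    [lef_min, lef_max] and each event's impact from [impact_min, impact_max].
    Returns (mean annual loss, 90th-percentile annual loss); seeded, so repeatable."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        n_events = rng.randint(lef_min, lef_max)
        annual.append(sum(rng.uniform(impact_min, impact_max) for _ in range(n_events)))
    annual.sort()
    return statistics.mean(annual), annual[int(0.9 * trials)]
```

With the constructed counts the telemetry sums to the article's 800 blocked events a day, while the simulated loss-event count stays in the 1-3 range the estimate calls for, which is the gap the expert overlay exists to express.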

This kind of approach to threat modeling helps cyber-risk managers wed two very important factors. The first is a hyperfocus on the minutiae of daily cyber hygiene, security operations, and threat management – all critical functions that very rarely need the attention of senior leadership. The second is a top-down risk approach made without suitable front-line information. Using a threat-modeling approach to risk management like the one outlined above allows organizations to sample from the data available on the front lines to better inform their high-level risk assessments.


Dr. Jack Freund is the Risk Science Director for RiskLens, a cyber-risk quantification platform built on FAIR. Over the course of his 20-year career in technology and risk, Freund has become a leading voice in cyber-risk measurement and management. He previously worked ...