Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2020
10:00 AM
Jack Freund
Jack Freund
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Threat-Modeling Basics Using MITRE ATT&CK

When risk managers consider the role ATT&CK plays in the classic risk equation, they have to understand the role of threat modeling in building a complete risk scenario.

The MITRE ATT&CK framework, launched in 2015, has become the de facto method for cataloging attacks and understanding an organization's defensive capabilities. This information is also useful to risk professionals, who are charged with aiding organizations in understanding which attacks are the most damaging and how often they might happen.

Integrating MITRE ATT&CK into your organization's risk management framework can give you the opportunity to scale risk reporting up and down the organization, from security operations to senior leadership. The most important point to remember about this mapping is when we consider the role ATT&CK plays in the classic risk equation (frequency of loss multiplied by impact), we have to understand the role of threat modeling in building a complete risk scenario.

Loss-Scenario Basics
Risk occurs where there is potential for loss. Taken by themselves, the items in ATT&CK are not statements of loss. In the language of enterprise risk management (ERM), they are "risk triggers" – items that initiate the realization of a risk event. For example, take a technique under the exfiltration category, such as encrypted data or scheduled transfers, which are part of regular business operations. Now we have to imagine the ways these techniques could be used nefariously by attackers.

However, the techniques themselves don't give us the critical first part of that risk equation: frequency. The frequency with which we may experience an attack is important to consider in helping executives get their arms around organizational risk. ATT&CK feeds the understanding of frequency of loss but not the impact part of the equation.

Building a Threat Model for Risk Assessment
Much has been said about the difficulty of attributing certain hacks to various threat actors, but for risk assessment purposes, positive attribution is not necessary. Instead, allocating these attack types to various classes of threat actors is helpful in measuring your organization against their relative strength.

For instance, non-IT internal employees might try and brute-force their way to credential access or find credentials hard-coded in files or on paper, thereby enabling their nefarious doings. However, cybercriminals attempting account takeover using man-in-the middle website proxies might employ two-factor authentication interception. Naturally, some overlap in these lists could occur.

Once your mapping between the MITRE ATT&CK framework and your organization's risk management framework is complete – and depending heavily on your company's business model and employee base – you could end up with a list that looks something like this:

Threat Community

ATT&CK Category

Tactics and Techniques

Non-Privileged Insiders

Credential Access

Brute force

Credentials in files

Cybercriminals

Credential Access

Two-factor authentication interception

LLMNR/NBT-NS poisoning and relay

 

Impact

Data encrypted for impact

Using ATT&CK to Determine Frequency of Loss
Ultimately, the threat communities are the doers and their frequency of attacks is what is represented in a risk equation. However, many organizations don't have the data to answer the questions of, "How often are cybercriminals targeting us?" and, "How often do cybercriminals cause loss events in our organization?"

The data they do have is often in the form of attack types. For example, they may know how often they are targeted for ransomware (data encrypted for impact in ATT&CK). That can be traced back to the most likely threat community (cybercriminals) and can help establish a frequency value.

Automated offensive and defensive tools can easily drive frequency rates to 1,000 events of interest a day. It's important to understand that this rate cannot be substituted one-for-one with loss-event frequency. Instead, some layer of expert judgment is often overlaid on these values that gives you the chance to adjust that value so it can accurately represent the loss frequency for the organization. As an example, your automated endpoint detection and response tools may block 800 events a day, but in a given year you estimate loss events to occur between one and three times.

This kind of approach to threat modeling helps cyber-risk managers wed two very important factors. The first is a hyper focus on the minutiae of daily cyber hygiene, security operations, and threat management – all critical functions that very rarely need the attention of senior leadership. The second is a top-down risk approach made without suitable front-line information. Using a threat-modeling approach to risk management like the one outlined above allows organizations to sample from the data available on the front lines to better inform their high-level risk assessments.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Election Security in the Age of Social Distancing."

Dr. Jack Freund is the Risk Science Director for RiskLens, a cyber-risk quantification platform built on FAIR. Over the course of his 20-year career in technology and risk,  Freund has become a leading voice in cyber-risk measurement and management. He previously worked ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4306
PUBLISHED: 2020-05-29
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 17...
CVE-2020-4352
PUBLISHED: 2020-05-29
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
CVE-2020-4490
PUBLISHED: 2020-05-29
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 18...
CVE-2020-5572
PUBLISHED: 2020-05-29
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
CVE-2020-5573
PUBLISHED: 2020-05-29
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.