

Commentary by Jack Freund, 5/7/2020, 10:00 AM

Threat-Modeling Basics Using MITRE ATT&CK

When risk managers consider the role ATT&CK plays in the classic risk equation, they have to understand the role of threat modeling in building a complete risk scenario.

The MITRE ATT&CK framework, publicly released in 2015, has become the de facto catalog of adversary tactics and techniques and a common yardstick for an organization's defensive coverage. The same information is useful to risk professionals, who are charged with helping organizations understand which attacks would be the most damaging and how often they might happen.

Integrating MITRE ATT&CK into your organization's risk management framework gives you the opportunity to scale risk reporting up and down the organization, from security operations to senior leadership. The most important point about this mapping is this: when we place ATT&CK into the classic risk equation (frequency of loss multiplied by impact), we have to understand the role threat modeling plays in building a complete risk scenario.

Loss-Scenario Basics
Risk occurs where there is potential for loss. Taken by themselves, the items in ATT&CK are not statements of loss. In the language of enterprise risk management (ERM), they are "risk triggers": events that initiate the realization of a risk event. For example, take techniques under the Exfiltration tactic such as encrypting data before it is transferred or transferring it on a schedule; both are also part of regular business operations. To turn them into a loss scenario, we have to imagine how an attacker would use those same techniques to move data out of the organization.

The techniques by themselves also don't give us the critical first half of the risk equation: frequency. How often we may experience an attack is what helps executives get their arms around organizational risk, and it only emerges once techniques are tied to the threat communities that use them and to the attack data the organization already collects. Used that way, ATT&CK feeds the frequency-of-loss side of the equation; it says nothing about the impact side, which has to come from the business.

Building a Threat Model for Risk Assessment
Much has been said about the difficulty of attributing particular intrusions to specific threat actors, but for risk assessment purposes positive attribution is not necessary. Instead, allocating attack types to classes of threat actors (threat communities) lets you measure your organization against their relative capability.

For instance, non-IT internal employees might try to brute-force their way to credential access, or find credentials hard-coded in files or written on paper, and use them for their own ends. Cybercriminals attempting account takeover through a man-in-the-middle website proxy, on the other hand, might employ two-factor authentication interception. Naturally, some overlap between these lists will occur.

Once your mapping between the MITRE ATT&CK framework and your organization's risk management framework is complete – and depending heavily on your company's business model and employee base – you could end up with a list that looks something like this:

Threat Community         ATT&CK Tactic       Technique
-----------------------  ------------------  --------------------------------------
Non-Privileged Insiders  Credential Access   Brute force
                                             Credentials in files
Cybercriminals           Credential Access   Two-factor authentication interception
                                             LLMNR/NBT-NS poisoning and relay
                         Impact              Data encrypted for impact

Using ATT&CK to Determine Frequency of Loss
Ultimately, the threat communities are the doers, and the frequency of their attacks is what a risk equation represents. However, many organizations don't have the data to answer questions such as "How often are cybercriminals targeting us?" and "How often do cybercriminals cause loss events in our organization?"

The data they do have is often in the form of attack types. For example, they may know how often they are targeted for ransomware (data encrypted for impact in ATT&CK). That can be traced back to the most likely threat community (cybercriminals) and can help establish a frequency value.

Automated offensive and defensive tools can easily drive event counts to 1,000 events of interest a day. This rate cannot be substituted one-for-one for loss-event frequency: a blocked or detected attempt is a threat event, not a loss event. Instead, a layer of expert judgment is overlaid on these counts so that the value accurately represents the loss frequency the organization actually experiences. For example, your endpoint detection and response tools may block 800 events a day, yet in a given year you estimate that loss events occur between one and three times.
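To make that chain concrete, here is an added worked example (it is not code from the article or from RiskLens) that takes a small constructed EDR export tagged with ATT&CK technique IDs, maps each technique to the threat community from the table above, annualizes the counts into a threat event frequency, overlays an assumed expert estimate of one to three loss events a year, and shows the per-attempt success rate that estimate implies before combining it with an assumed loss-magnitude range. The technique IDs are the ATT&CK Enterprise IDs for the techniques the article names (the article gives names only); the log lines, the one-to-three-per-year estimate and the dollar ranges are illustrative assumptions.

```python
"""Added example, not code from the article or from RiskLens: walk ATT&CK-tagged
detection telemetry through to a FAIR-style loss-event-frequency estimate.

Steps (mirroring the article's threat-modeling approach):
  1. map each technique to its ATT&CK tactic and to the threat community most
     likely to use it (the article's table, plus technique IDs);
  2. count detections per community and annualize them (threat event frequency);
  3. overlay expert judgment on how often an attempt becomes a loss event
     (loss event frequency) and sanity-check the implied per-attempt success rate;
  4. multiply by a loss-magnitude range to get an annualized loss range.
"""
import random
import statistics
from collections import Counter

# Technique ID -> (name, ATT&CK tactic, threat community).
# IDs are ATT&CK Enterprise IDs, added here (the article names techniques only).
# The community column is the article's modeling judgment, not an ATT&CK field.
TECHNIQUE_MAP = {
    "T1110":     ("Brute Force", "Credential Access", "Non-Privileged Insiders"),
    "T1552.001": ("Credentials In Files", "Credential Access", "Non-Privileged Insiders"),
    "T1111":     ("Two-Factor Authentication Interception", "Credential Access", "Cybercriminals"),
    "T1557.001": ("LLMNR/NBT-NS Poisoning and SMB Relay", "Credential Access", "Cybercriminals"),
    "T1486":     ("Data Encrypted for Impact", "Impact", "Cybercriminals"),
}

# Constructed EDR export (one key=value record per line) covering a two-day window.
SAMPLE_LOG = """\
ts=2020-05-04T02:10:11Z host=ws-017 action=blocked technique=T1110 user=jdoe
ts=2020-05-04T02:10:12Z host=ws-017 action=blocked technique=T1110 user=jdoe
ts=2020-05-04T09:41:03Z host=fs-02 action=detected technique=T1552.001 user=msmith
ts=2020-05-04T13:05:44Z host=ws-031 action=blocked technique=T1557.001 user=-
ts=2020-05-04T18:30:02Z host=ws-009 action=blocked technique=T1557.001 user=-
ts=2020-05-05T00:17:29Z host=ws-031 action=blocked technique=T1557.001 user=-
ts=2020-05-05T07:58:10Z host=srv-db1 action=blocked technique=T1486 user=svc_backup
ts=2020-05-05T15:22:37Z host=ws-044 action=blocked technique=T1111 user=alee
ts=2020-05-05T21:03:55Z host=ws-017 action=blocked technique=T1110 user=jdoe
"""
OBSERVED_DAYS = 2


def parse_events(log_text):
    """Parse key=value lines into dicts; drop records whose technique is unmapped."""
    events = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("technique") in TECHNIQUE_MAP:
            events.append(fields)
    return events


def threat_event_frequency(events, observed_days):
    """Annualized attempts per threat community (FAIR: threat event frequency).

    Blocked or detected attempts are threat events, not loss events."""
    per_community = Counter(TECHNIQUE_MAP[e["technique"]][2] for e in events)
    return {c: n * 365 / observed_days for c, n in per_community.items()}


def implied_vulnerability(tef_per_year, lef_range):
    """Per-attempt probability of loss implied by an expert LEF (min, most likely, max).

    FAIR: LEF = TEF x Vulnerability, so Vulnerability = LEF / TEF.  Checking this
    number keeps the judgment honest: 1-3 loss events a year against 800 blocks a
    day means only about 3 to 10 attempts per million succeed."""
    lo, ml, hi = lef_range
    return (lo / tef_per_year, ml / tef_per_year, hi / tef_per_year)


def annualized_loss(lef_range, magnitude_range, samples=20_000, seed=1):
    """Combine LEF and loss-magnitude (min, most likely, max) ranges.

    Endpoints are exact products; the median comes from a seeded Monte Carlo over
    triangular distributions, the simplest FAIR-style approximation."""
    rng = random.Random(seed)
    (f_lo, f_ml, f_hi), (m_lo, m_ml, m_hi) = lef_range, magnitude_range
    draws = [
        rng.triangular(f_lo, f_hi, f_ml) * rng.triangular(m_lo, m_hi, m_ml)
        for _ in range(samples)
    ]
    return {"min": f_lo * m_lo, "median": statistics.median(draws), "max": f_hi * m_hi}


if __name__ == "__main__":
    tef = threat_event_frequency(parse_events(SAMPLE_LOG), OBSERVED_DAYS)
    print("Annualized threat events per community:", tef)
    cyber_lef = (1.0, 2.0, 3.0)  # assumed expert estimate: 1-3 loss events a year
    print("Implied per-attempt success rate:",
          implied_vulnerability(tef["Cybercriminals"], cyber_lef))
    # Assumed loss magnitude per ransomware event, in USD.
    print("Annualized loss range:", annualized_loss(cyber_lef, (50_000, 250_000, 2_000_000)))
```

Run as a script, it prints the annualized threat events per community (several hundred a year extrapolated from a two-day sample), an implied success rate of a few attempts per thousand for this small sample, and the loss range. The implied-vulnerability check is the part worth keeping: it forces whoever supplied the one-to-three estimate to defend a per-attempt success rate that small, or to revise the estimate.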

This approach to threat modeling helps cyber-risk managers bridge two perspectives that usually stay apart. The first is the hyper-focus on the minutiae of daily cyber hygiene, security operations, and threat management, all critical functions that rarely need the attention of senior leadership. The second is a top-down risk assessment made without suitable front-line information. A threat-modeling approach like the one outlined above lets organizations sample the data available on the front lines to better inform their high-level risk assessments.


Dr. Jack Freund is the Risk Science Director for RiskLens, a cyber-risk quantification platform built on FAIR. Over the course of his 20-year career in technology and risk, Freund has become a leading voice in cyber-risk measurement and management. He previously worked ...