In the blog post, ‘The Art of Attack vs The Science of Resilience’ Omri wrote “Cyber risk analysis and management is completely dependent on an understanding of how attackers attack in general, and specifically how attack techniques and methods can be used to threaten your organization. That understanding then needs to be translated into an operational resilience roadmap of the most cost-effective actions to lower your cyber risk.”
In the blog posts after, ‘Assessing Risk Using Threat Susceptibility’ we discussed that cyber threat susceptibility is the inability of the organization to avoid cyber threats and that the objective of the assessment is to identify and assess cyber threats and select countermeasures effective at mitigating those threats. We focused mainly on identifying and assessing cyber threats using MITRE ATT&CK, ATT&CK Sightings, and Attack Flows in our example.
In our last blog post on ‘Threat Susceptibility Assessments: Challenges & Opportunities’, we discussed challenges and opportunities related to identifying and assessing cyber threats. We discussed how technology such as intelligent cyber digital twins are ideally suited to this type of cyber risk analysis.
In this post, we’ll focus on selecting countermeasures for remediating the risk posed by the cyber threats identified during threat susceptibility assessments.
Here is where risk response priorities and resiliency requirements related to the organization’s assets come into play. You’ll have risk remediation options to reduce the likelihood of occurrence, the likelihood of impact/harm, and the actual impact/harm of adversary TTPs.
The best option is to avoid the threats you can avoid. Making a configuration change or patching a software vulnerability might make the difference between being susceptible to a specific TTP or not. This will reduce the number of TTPs an adversary can use during the attack and the organization will have to withstand (fight through) that can cause harm. TTPs that can’t be prevented are the priority of detection, response, and recovery efforts to limit the harm (impact) they can do to the organization.
As NIST calls out, cyber resiliency solutions are relevant only if they have some effect on risk, specifically by reducing the likelihood of the occurrence of threat events, the ability of threat events to cause harm, and the extent of that harm.
Armed with our Asset Management knowledge about asset criticality and resiliency requirements and the likelihood of specific adversary TTPs as used in attack path scenarios targeting those assets, we can start looking at countermeasure options.
Embrace and Extend Countermeasure Knowledge
By using a framework like MITRE’s ATT&CK during the assessment, we can embrace all the wonderful, community countermeasure and risk remediation options that the wider community has mapped to ATT&CK TTPs. Once an organization knows the specific TTPs they can’t avoid from the cyber threat susceptibility assessment, organizations can leverage community best practices and countermeasure knowledge mapped to those specific ATT&CK TTPs. This can quickly help organizations identify risk response options that can mitigate the risk from those TTPs.
MITRE ATT&CK contains several mitigations in their knowledge base. The mitigations here represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed. These focus on helping to reduce the likelihood of occurrence of the TTPs so organizations can avoid the threats.
If you can’t prevent or avoid the TTP then you need to detect and be prepared to respond to it. MITRE CAR has an analytic coverage comparison chart of detection rules and analytics across MITRE CAR, SIGMA, Elastic Detection, and Splunk Security Content mapped to ATT&CK. This can help organizations quickly see if detection knowledge is available so organizations don’t waste limited resources.
MITRE Center for Threat Informed Defense (CTID) has mapped ATT&CK to NIST 800-53 Security Controls, AWS Security Controls, and Azure Security Controls to MITRE ATT&CK. The value here is the organization can tailor its security control baseline updates based on its security posture and its unique threat susceptibility assessment results. You can see which security controls give you the most return on your investment based on your specific threat susceptibility assessment results.
NIST 800-53 Controls to ATT&CK Mapping
This project created a comprehensive set of mappings between MITRE ATT&CK® and NIST Special Publication 800-53 with supporting documentation and resources. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base and provide a foundation for integrating ATT&CK-based threat information into the risk management process.
Security Stack Mappings AWS & Azure
This project empowers organizations with independent data on which native AWS/Azure security controls are most useful in defending against the adversary TTPs that they care about. It achieves this by mapping security capabilities of AWS/Azure to the ATT&CK techniques that they can protect, detect, or respond to. This will allow organizations to make threat-informed decisions when selecting which native security capabilities to use to protect their workloads.
In the next and final post in this blog series, we’ll look at how to use the results of the cyber threat susceptibility assessment and follow-on risk remediation analysis in security operations, active cyber defense, integrated risk management, and assessing cyber resiliency.