Insight · 23 Jun 2025 · 3 min read

MITRE ATT&CK – Simplified, #Risk-#Quantified, #Measured & Continually Improved

The #MITRE #ATT&CK (#ATTACK) Framework looks very overwhelming at first sight – but in the famous words of former Pak PM Imran Khan, “Aapko Ghabrana Nahi Hai!” (“You don't need to panic!”) –

LET’S SIMPLIFY THIS -> QUANTIFY IT IN TERMS OF RISK -> MEASURE OUR MATURITY -> ACT (EXECUTE RISK-REDUCTION EXERCISES)

The comprehensive and latest framework is available here …

[Image: the MITRE ATT&CK matrix – cropped in the original; refer to the full framework linked above]
  • There are a total of 13 primary TACTICS – a.k.a. ATTACK vectors
  • #Tactics represent the “why”: the reason an adversary is performing an action
  • #Techniques represent the “how”: the way adversaries achieve tactical goals by performing an action
  • #Sub-techniques are a more specific, lower-level description of adversarial behaviour
  • #Procedures are the specific implementation, or in-the-wild use, of a technique or sub-technique by an adversary

STEP – I (KICK-OFF)

  • Understand the framework
  • Establish how it applies to you
  • Which tactics are you vulnerable to?
  • Which sub-techniques have missing controls?
  • CREATE A RISK ASSESSMENT AGAINST EACH TACTIC
  • LOOK FOR DEFICIENCIES IN CONTROLS / SUBSTITUTE COMPENSATING CONTROLS

STEP – II (ASSESSMENT, RISK EXPOSURE & CONTROL ANALYSIS)

  • Deep-dive into the tactics and sub-techniques
  • VERIFY THE EFFICACY OF THE CONTROL AGAINST THE ATTACK, AND RE-VERIFY IT
  • A RED TEAM IS THE BEST WAY TO MEASURE CONTROL EFFECTIVENESS
  • Map the scores against the 13 MITRE ATT&CK tactics (scoring explained below)

STEP – III (#MEASUREMENT – PUTTING #METRICS AGAINST THE ATTACK VECTORS)

  • Score 0 – Control completely missing
  • Score 1 – Control exists, but is NOT hardened or configured as per guidelines / best practices, or the team is insufficiently trained
  • Score 2 – Control in place, configured as per guidelines, and the team is trained to administer the control. The control can IDENTIFY tactics & sub-techniques
  • Score 4 – Control exists, the team is trained for incident response, and the control is monitored continuously (audit & logging is compliant). The control is able to PREVENT / DIVERT techniques & sub-techniques
  • Score 5 – There is a continuous improvement plan in place, and the control is complemented by a secondary control (in case the primary fails). The control has matured enough to PREDICT and RESPOND to techniques & sub-techniques, and to LEARN from the incident.

A FEW WORDS OF WISDOM & CAUTION

  • 100% MITRE ATT&CK coverage is NOT possible – DO NOT even aim for it
  • In the quest for 100% coverage, you will either drive your organisation broke or drive your analysts suicidal
  • DO NOT rush to tick a check box just because you have passed one test against a particular tactic or sub-technique. Cyber attacks have several variations, so the control should be re-verified (preferably by a RED TEAM exercise)
  • The THREAT LANDSCAPE is ever-evolving – maintain a continuous monitoring and improvement plan

NON-STANDARD SYSTEMS

ATT&CK is organised into a series of technology domains – the ecosystems an adversary operates within. Currently, there are three technology domains:

  • Enterprise, representing traditional enterprise networks and cloud technologies
  • Mobile for mobile communication devices
  • ICS for industrial control systems

Within each domain are platforms, which may be an operating system or an application (e.g. Microsoft Windows). Techniques and sub-techniques can apply to multiple platforms.

So ensure your COVERAGE MATRIX is all-encompassing — adversaries can easily traverse from network to network.
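The three steps above and the coverage-matrix point, worked through as an added example (this is not code from the original article): each control is scored on the article's 0/1/2/4/5 rubric, the scores are rolled up per tactic, passes that rest on a single test rather than a red-team re-verification are flagged, and the result is laid out as a tactic × platform matrix so that a tactic assessed on Windows but never on Linux or in the cloud shows up as a blind spot. The tactic names and technique IDs are public ATT&CK identifiers; the platform labels, scores and verification flags in `SAMPLE` are constructed for illustration.

```python
"""Risk-quantified MITRE ATT&CK coverage, following the article's steps:
score each control on the 0/1/2/4/5 rubric, roll scores up per tactic and
lay them out as a tactic x platform matrix so cross-domain gaps are visible.

Added example, not from the original article. Tactic names and technique
IDs are public ATT&CK identifiers; platforms, scores and verification
flags in SAMPLE are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step III rubric exactly as the article defines it; note the scale has no 3.
RUBRIC = {
    0: "control completely missing",
    1: "control exists but not hardened / team insufficiently trained",
    2: "configured per guidelines, team trained; control can IDENTIFY",
    4: "continuously monitored, IR-trained team; control can PREVENT / DIVERT",
    5: "continuous improvement plus secondary control; PREDICT, RESPOND, LEARN",
}
MAX_SCORE = max(RUBRIC)
GAP_THRESHOLD = 1  # scores 0 and 1 count as a control deficiency (Step I)


def is_valid_score(score: int) -> bool:
    """Reject scores the rubric does not define (for example 3)."""
    return score in RUBRIC


@dataclass(frozen=True)
class Assessment:
    tactic: str        # the "why" (ATT&CK tactic)
    technique: str     # the "how" (technique or sub-technique ID)
    platform: str      # platform inside the technology domain
    score: int         # rubric score for the control covering this pair
    red_team_verified: bool = False  # re-verified by an exercise, not a one-off test

    def __post_init__(self) -> None:
        if not is_valid_score(self.score):
            raise ValueError(f"score {self.score} is not on the rubric {sorted(RUBRIC)}")

    def residual_risk(self) -> float:
        """0.0 = fully mature control, 1.0 = control missing."""
        return (MAX_SCORE - self.score) / MAX_SCORE


def tactic_summary(assessments: List[Assessment]) -> Dict[str, dict]:
    """Step II/III: coverage percentage, deficiencies and unverified passes per tactic."""
    by_tactic: Dict[str, List[Assessment]] = defaultdict(list)
    for a in assessments:
        by_tactic[a.tactic].append(a)
    summary = {}
    for tactic, rows in by_tactic.items():
        summary[tactic] = {
            # integer arithmetic first so 2/10 -> 20.0 exactly
            "coverage_pct": 100 * sum(r.score for r in rows) / (len(rows) * MAX_SCORE),
            "gaps": sorted(r.technique for r in rows if r.score <= GAP_THRESHOLD),
            # a passing score that rests on one test, not a red-team re-verification
            "needs_reverification": sorted(
                r.technique for r in rows if r.score > GAP_THRESHOLD and not r.red_team_verified
            ),
        }
    return summary


def coverage_matrix(assessments: List[Assessment],
                    platforms: Optional[List[str]] = None) -> Dict[str, Dict[str, Optional[int]]]:
    """Tactic x platform matrix holding the weakest score per cell.
    None marks a tactic never assessed on that platform: the blind spot an
    adversary exploits when traversing from one network to another."""
    if platforms is None:
        platforms = sorted({a.platform for a in assessments})
    matrix: Dict[str, Dict[str, Optional[int]]] = {}
    for a in assessments:
        row = matrix.setdefault(a.tactic, {p: None for p in platforms})
        current = row[a.platform]
        row[a.platform] = a.score if current is None else min(current, a.score)
    return matrix


def prioritise(assessments: List[Assessment]) -> List[Assessment]:
    """Order risk-reduction work: highest residual risk first, stable within a score."""
    return sorted(assessments, key=lambda a: (-a.residual_risk(), a.tactic, a.technique))


def overall_coverage_pct(assessments: List[Assessment]) -> float:
    return 100 * sum(a.score for a in assessments) / (len(assessments) * MAX_SCORE)


# Constructed sample assessment (scores, platforms and flags are illustrative only).
SAMPLE = [
    Assessment("Initial Access", "T1566.001", "Windows", 4, red_team_verified=True),
    Assessment("Initial Access", "T1078.004", "Cloud", 1),
    Assessment("Execution", "T1059.001", "Windows", 2),
    Assessment("Execution", "T1059.004", "Linux", 0),
    Assessment("Credential Access", "T1003.001", "Windows", 5, red_team_verified=True),
    Assessment("Lateral Movement", "T1021.001", "Windows", 2),
    Assessment("Impact", "T1486", "Windows", 4, red_team_verified=True),
    Assessment("Impact", "T1486", "Linux", 1),
]

if __name__ == "__main__":
    for tactic, info in tactic_summary(SAMPLE).items():
        print(f"{tactic:18s} {info['coverage_pct']:5.1f}%  gaps={info['gaps']}  "
              f"re-verify={info['needs_reverification']}")
    print("\nCoverage matrix (weakest score per cell, '-' = not assessed):")
    for tactic, row in coverage_matrix(SAMPLE).items():
        cells = "  ".join(f"{p}={'-' if s is None else s}" for p, s in row.items())
        print(f"{tactic:18s} {cells}")
    print(f"\nOverall: {overall_coverage_pct(SAMPLE):.1f}%  (100% is not the target)")
    print("Top risk:", prioritise(SAMPLE)[0])
```

The matrix keeps the weakest score per cell rather than the average, so one unhardened control on a platform is not hidden by a mature one next to it; `needs_reverification` is the article's "do not tick the box after one test" caution made explicit, and the constructor refuses any score outside the rubric so a 3 cannot creep in.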

I specialise in advising organisations on developing and implementing comprehensive data protection strategies, conducting privacy impact assessments, and ensuring full compliance with Indian data protection regulations. My expertise also encompasses cross-border data transfers, data localisation requirements, and integrating privacy-by-design principles into business processes.

If you’re looking for insights on compliance, privacy-enhancing technologies, privacy impact assessments, or other related topics, I’d be happy to offer guidance. #DhananjayRokde

Originally published on dhananjayrokde.wordpress.com · reproduced in full.
