Integrating MITRE ATT&CK within Security Risk Assessments

Traditional IT risk assessments are failing to account for real-world adversarial tactics, leaving organizations vulnerable to emerging threats.

Enter the MITRE ATT&CK framework; a taxonomy of tactics, techniques, and procedures used by cyber adversaries throughout the attack lifecycle, offering valuable insights into how attacks unfold. 

In this blog, we will explore how organizations can effectively integrate the MITRE ATT&CK framework into their risk assessment processes, allowing them to move from a compliance-focused approach to a more informed, proactive defense strategy that is aligned with real-world threats.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework, developed in 2013 and officially released to the public in 2015, is an index of different adversary tactics and techniques across various stages of the attack lifecycle. Originally created to "document how adversaries attack networks" (MITRE), it has since evolved into a common language that both offensive and defensive cybersecurity professionals use to understand and counter threats. Over the years, MITRE has expanded the framework, continuously updating and refining it to remain relevant in different contexts—from traditional enterprise environments to specialized domains like mobile devices and industrial control systems (ICS). 

The three iterations it has since taken on are:

• Att&ck for Enterprise: Focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.
• Att&ck for Mobile: Focuses on adversarial behavior on iOS and Android operating systems.
• Attack for ICS: Focuses on describing the actions an adversary may take while operating within an ICS network.

When examining the MITRE ATT&CK matrix, you'll encounter 14 key adversarial tactics, which represent the primary objectives that attackers aim to achieve during an intrusion. Each tactic is supported by a set of techniques and sub-techniques, which describe the specific methods attackers use to accomplish these objectives. By understanding these tactics, organizations can better anticipate and defend against adversarial behaviors throughout the attack lifecycle.

Here is a breakdown of the 14 tactics:

• Reconnaissance: The attacker’s initial stage, focused on gathering information about the target system or organization, such as network architecture or employee data, to prepare for an attack.
• Resource Development: In this phase, attackers build or purchase the infrastructure needed to carry out their attack, such as creating malicious domains or obtaining access credentials.
• Initial Access: This refers to the methods attackers use to gain their first foothold in a system, such as phishing, exploiting vulnerabilities, or using stolen credentials.
• Execution: After gaining access, attackers will execute malicious code or commands to begin taking control of the environment, often using scripting, malware, or system tools.
• Persistence: To maintain access over time, attackers employ various techniques to hide in the system, such as creating backdoors, establishing scheduled tasks, or modifying system files.
• Privilege Escalation: Attackers elevate their permissions to gain higher-level access to the system. Techniques include exploiting software vulnerabilities or credential theft.
• Defense Evasion: To avoid detection, attackers use techniques like disabling security tools, deleting logs, or obfuscating their presence in the system.
• Credential Access: In this stage, attackers seek to steal usernames, passwords, and other credentials that allow them to expand their access within the target environment.
• Discovery: Attackers explore the compromised environment, identifying critical systems, data, or security configurations that they can exploit.
• Lateral Movement: Once inside, attackers move through the network to other systems, often by exploiting trust relationships between devices or using stolen credentials.
• Collection: Attackers gather sensitive data from the compromised systems, such as intellectual property, financial records, or personal information, in preparation for exfiltration.
• Command and Control: Attackers establish communication with compromised systems to issue commands remotely and maintain control over their malicious operations.
• Exfiltration: The process where attackers steal and transfer the collected data from the target environment, using methods like encrypted channels, cloud storage, or external drives.
• Impact: Attackers take destructive actions to achieve their final goals, which can include disrupting operations, wiping data, or deploying ransomware to cause harm to the organization.
  
  

MITRE ATT&CK vs. NIST Cybersecurity Framework (CSF): A Comparison

While both MITRE ATT&CK and NIST's Cybersecurity Framework (CSF) are invaluable to information security, they differ in focus and implementation. NIST CSF is broader, outlining best practices for managing cybersecurity risk at a high level across five main functions: Identify, Protect, Detect, Respond, and Recover. It is primarily compliance-driven and is often used as a strategic tool for risk management.

On the other hand, MITRE ATT&CK dives deep into the technical details of cyber adversaries, focusing on the TTPs attackers use. While NIST CSF offers a macro-level approach to cybersecurity, MITRE ATT&CK provides a tactical, operational-level lens, emphasizing the specifics of how attacks are conducted.

Together, the two frameworks complement each other. NIST CSF helps organizations establish strong cybersecurity governance, while MITRE ATT&CK can be leveraged for threat-informed defense strategies, offering real-world insights into attacker behaviors.

Adjusting NIST 800-30 to Incorporate MITRE ATT&CK

Here's how NIST 800-30 risk assessments can be enhanced by integrating the MITRE ATT&CK framework:

1. Threat Identification – Using ATT&CK for Real-World Adversary Insights

NIST 800-30 focuses heavily on identifying threats as the first step in the risk assessment process. Traditionally, organizations identify potential threats based on historical data, threat intelligence feeds, or hypothetical scenarios. By incorporating MITRE ATT&CK, organizations can sharpen their threat identification by grounding it in real-world adversarial tactics, techniques, and procedures (TTPs).

MITRE ATT&CK offers a detailed catalog of known attack methods, allowing assessors to focus on tactics and techniques that are directly relevant to their industry, geography, or infrastructure.

Example: Instead of broadly listing "malware" as a potential threat, an organization can use MITRE ATT&CK to identify specific Execution techniques like PowerShell or malicious scripts, providing greater context and precision to the risk identification process.

2. Vulnerability Identification – Mapping Vulnerabilities to ATT&CK Techniques

In 800-30, vulnerability identification involves pinpointing weaknesses in systems, networks, or operations that adversaries could exploit. MITRE ATT&CK enhances this by linking specific vulnerabilities to the tactics and techniques adversaries use to exploit them.

By using ATT&CK, organizations can map known vulnerabilities (such as unpatched software, misconfigured systems, or insufficient logging) to the techniques adversaries use to exploit those weaknesses - adding granularity to the vulnerability identification process.

Example: If a vulnerability exists in the use of Remote Desktop Protocol (RDP), the organization can use ATT&CK to identify associated techniques like Lateral Movement or Credential Dumping and focus on defending against those specific attack vectors.

3. Likelihood Determination – Improving Likelihood Assessments with Adversary Context

800-30 requires organizations to determine the likelihood of a successful exploit or vulnerabilities by identified threats. Traditionally, this has been done using qualitative,  semi-quantitative, or quantitative methods based on historical data or expert judgment. By incorporating MITRE ATT&CK, organizations can add a layer of precision to these likelihood determinations by analyzing actual adversary behaviors.

Rather than relying on general threat trends, risk assessors can assess the probability of specific adversarial actions based on observed attack patterns using AtT&CK as a reference.

Example: An organization in the financial sector might leverage the MITRE ATT&CK framework to identify that adversaries commonly use Initial Access techniques, such as spear-phishing or exploiting vulnerabilities through employee access points, as entry methods. This approach allows for a focused response, ensuring that the most probable and impactful threats are prioritized and mitigated accordingly.

4. Impact Determination – Linking Techniques to Business Impact

The "Impact Determination" step assesses the potential consequences of a successful attack on the organization’s mission, operations, and assets. While this step often includes generalized impact assessments (e.g., financial loss, reputational damage), incorporating MITRE ATT&CK allows organizations to tie specific adversarial techniques to their potential business impact.

By understanding how certain techniques map to organizational assets or processes, security teams can better estimate the real-world and quantified impact of an adversarial action  For example, certain Impact techniques such as data destruction or encryption (e.g., ransomware) can be tied directly to business continuity risks or financial losses - leading to a more precise understanding of impact severity.

Example: If an adversary uses the Impact technique of data encryption (ransomware), the impact can be directly tied to business continuity and financial loss due to downtime or potential ransom payments. This provides a more concrete understanding of the potential damage from such attacks.

5. Risk Determination – Using ATT&CK to Prioritize Risks

Risk determination involves combining the likelihood and impact assessments to derive a risk rating. By integrating MITRE ATT&CK, organizations can better prioritize risks by understanding which adversarial techniques are most likely to be used and have the greatest potential impact on the organization.

MITRE ATT&CK provides a method to focus on high-priority techniques that adversaries frequently employ, allowing organizations to focus their efforts on defending against the most critical threats. 

Example: Instead of treating all risks equally, an organization can prioritize risks associated with Credential Access or Privilege Escalation techniques if those are the most commonly used methods by adversaries targeting similar systems.

6. Risk Response – Tailoring Controls to Specific ATT&CK Techniques

The final step involves developing mitigation strategies to reduce identified risks. By mapping mitigation efforts directly to the tactics and techniques described in ATT&CK, organizations can ensure their security controls are not just broad defenses, but specific countermeasures designed to stop real-world adversary behaviors. This includes implementing technology and processes that directly address techniques like Persistence (e.g., monitoring for unusual registry changes) or Exfiltration (e.g., detecting unauthorized data transfers).

Example: If the risk involves adversaries using Execution techniques such as PowerShell, the organization can focus on restricting PowerShell execution to only authorized users or monitoring for suspicious script activity as part of its mitigation strategy.

All in all, the integration of ATT&CK with NIST 800-30, enhances every stage of the risk assessment, providing a more granular, actionable, and effective approach to managing cybersecurity risks.

How Automation is Key to Integrating MITRE ATT&CK

With the wealth of information provided by MITRE ATT&CK, managing and integrating it into a dynamic risk assessment process can be a resource-intensive challenge—this is where automation plays a pivotal role! 

With the Rivial Platform, we automatically integrate the MITRE ATT&ACK framework into our risk assessment—in just a few minutes. Additionally, our quantitative methodology allows you to assess the financial impact of your information systems, giving you insights and allowing you to prioritize cybersecurity risk. Take a moment to see the platform in action by scheduling a no-pressure demo today!