Traditional IT risk assessments are failing to account for real-world adversarial tactics, leaving organizations vulnerable to emerging threats.
Enter the MITRE ATT&CK framework: a knowledge base of the tactics, techniques, and procedures (TTPs) cyber adversaries use throughout the attack lifecycle, which offers a structured view of how attacks actually unfold.
In this blog, we will explore how organizations can effectively integrate the MITRE ATT&CK framework into their risk assessment processes, allowing them to move from a compliance-focused approach to a more informed, proactive defense strategy that is aligned with real-world threats.
The MITRE ATT&CK framework, developed in 2013 and officially released to the public in 2015, is an index of different adversary tactics and techniques across various stages of the attack lifecycle. Originally created to "document how adversaries attack networks" (MITRE), it has since evolved into a common language that both offensive and defensive cybersecurity professionals use to understand and counter threats. Over the years, MITRE has expanded the framework, continuously updating and refining it to remain relevant in different contexts—from traditional enterprise environments to specialized domains like mobile devices and industrial control systems (ICS).
The three matrices it now comprises are:
ATT&CK for Enterprise, covering Windows, macOS, Linux and the cloud, container, SaaS and network platforms;
ATT&CK for Mobile, covering Android and iOS;
ATT&CK for ICS, covering industrial control system environments.
When examining the MITRE ATT&CK matrix, you'll encounter 14 key adversarial tactics, which represent the primary objectives that attackers aim to achieve during an intrusion. Each tactic is supported by a set of techniques and sub-techniques, which describe the specific methods attackers use to accomplish these objectives. By understanding these tactics, organizations can better anticipate and defend against adversarial behaviors throughout the attack lifecycle.
Here is a breakdown of the 14 tactics in the Enterprise matrix, in the order they appear, each stated as the adversary's objective:
Reconnaissance: gathering information to plan future operations.
Resource Development: establishing infrastructure, accounts, or capabilities to support the operation.
Initial Access: getting into the network.
Execution: running adversary-controlled code.
Persistence: maintaining a foothold across restarts and credential changes.
Privilege Escalation: gaining higher-level permissions.
Defense Evasion: avoiding detection.
Credential Access: stealing account names and passwords.
Discovery: learning about the environment.
Lateral Movement: moving through the environment.
Collection: gathering data of interest to the adversary's goal.
Command and Control: communicating with compromised systems to control them.
Exfiltration: stealing data.
Impact: manipulating, interrupting, or destroying systems and data.
While both MITRE ATT&CK and NIST's Cybersecurity Framework (CSF) are invaluable to information security, they differ in focus and implementation. NIST CSF is broader, outlining outcomes for managing cybersecurity risk at a high level across its core functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in February 2024, adds a sixth, Govern). It is governance- and compliance-oriented and is often used as a strategic tool for risk management.
On the other hand, MITRE ATT&CK dives deep into the technical details of cyber adversaries, focusing on the TTPs attackers use. While NIST CSF offers a macro-level approach to cybersecurity, MITRE ATT&CK provides a tactical, operational-level lens, emphasizing the specifics of how attacks are conducted.
Together, the two frameworks complement each other. NIST CSF helps organizations establish strong cybersecurity governance, while MITRE ATT&CK can be leveraged for threat-informed defense strategies, offering real-world insights into attacker behaviors.
Here's how each risk assessment step in NIST SP 800-30 Rev. 1 can be enhanced by integrating the MITRE ATT&CK framework:
NIST 800-30 focuses heavily on identifying threats as the first step in the risk assessment process. Traditionally, organizations identify potential threats based on historical data, threat intelligence feeds, or hypothetical scenarios. By incorporating MITRE ATT&CK, organizations can sharpen their threat identification by grounding it in real-world adversarial tactics, techniques, and procedures (TTPs).
MITRE ATT&CK offers a detailed catalog of known attack methods, together with Groups and Software entries that record which techniques specific adversaries and tools have been observed using, allowing assessors to focus on the tactics and techniques that are directly relevant to their industry, geography, or infrastructure.
Example: Instead of broadly listing "malware" as a potential threat, an organization can use MITRE ATT&CK to name specific Execution techniques such as Command and Scripting Interpreter: PowerShell (T1059.001), giving the risk identification process greater context and precision.
In 800-30, vulnerability identification involves pinpointing weaknesses in systems, networks, or operations that adversaries could exploit; a vulnerability in this sense is not only an unpatched CVE but also a misconfiguration, a missing control, or a logging gap. MITRE ATT&CK enhances this step by linking each such weakness to the techniques adversaries actually use against it.
By using ATT&CK, organizations can map known weaknesses (unpatched software, misconfigured systems, insufficient logging) to the techniques that exploit them. Because each technique page lists the mitigations and detection data sources that apply to it, the absence of one of those controls or data sources is itself a weakness the assessor can record, adding granularity to the vulnerability identification process.
Example: If a weakness exists in how Remote Desktop Protocol (RDP) is exposed, the organization can use ATT&CK to identify the associated Lateral Movement technique, Remote Services: Remote Desktop Protocol (T1021.001), along with the OS Credential Dumping (T1003) activity that commonly follows on the hosts an attacker reaches over RDP, and focus on defending against those specific attack vectors.
800-30 requires organizations to determine the likelihood that an identified threat will successfully exploit a vulnerability, which it splits into the likelihood that a threat event is initiated and the likelihood that, once initiated, it results in adverse impact. Traditionally, this has been done using qualitative, semi-quantitative, or quantitative methods based on historical data or expert judgment. By incorporating MITRE ATT&CK, organizations can add precision to both components: observed adversary behavior informs how likely a technique is to be attempted, and the technique's mitigation and detection lists inform how likely it is to succeed against the current controls.
Rather than relying on general threat trends, risk assessors can estimate the probability of specific adversarial actions from observed attack patterns, using ATT&CK as the common reference.
Example: An organization in the financial sector might use ATT&CK group profiles and sector threat reporting to find that adversaries targeting its peers most commonly gain Initial Access through Phishing (for instance spearphishing attachments) or by exploiting a public-facing application. Those techniques then receive a higher likelihood rating than entry methods rarely observed against the sector, so the most probable and impactful threats are prioritized and mitigated first.
The "Impact Determination" step assesses the potential consequences of a successful attack on the organization’s mission, operations, and assets. While this step often includes generalized impact assessments (e.g., financial loss, reputational damage), incorporating MITRE ATT&CK allows organizations to tie specific adversarial techniques to their potential business impact.
By understanding how specific techniques map to organizational assets or processes, security teams can estimate the real-world, and where possible quantified, impact of an adversarial action instead of a generic one, leading to a more precise understanding of impact severity.
Example: If an adversary uses the Impact technique Data Encrypted for Impact (T1486), i.e., ransomware, the impact can be tied directly to business continuity and to financial loss from downtime, recovery effort, and any ransom payment. This provides a more concrete understanding of the potential damage from such attacks.
Risk determination involves combining the likelihood and impact assessments to derive a risk rating. By integrating MITRE ATT&CK, organizations can better prioritize risks by understanding which adversarial techniques are most likely to be used and have the greatest potential impact on the organization.
Combined with threat intelligence about which techniques adversaries in your sector actually use, MITRE ATT&CK provides a way to single out the high-priority techniques, allowing organizations to focus their efforts on defending against the most critical threats.
Example: Instead of treating all risks equally, an organization can prioritize risks associated with techniques under the Credential Access or Privilege Escalation tactics if those are the methods most commonly used by adversaries targeting similar systems.
The final step involves developing mitigation strategies to reduce identified risks. Each ATT&CK technique page lists the mitigations (M-IDs) and detection data sources that apply to it, so by mapping mitigation efforts directly to the tactics and techniques described in ATT&CK, organizations can ensure their security controls are not just broad defenses but specific countermeasures designed to stop real-world adversary behaviors. This includes implementing technology and processes that directly address techniques under Persistence (e.g., monitoring for unexpected registry Run key changes) or Exfiltration (e.g., detecting unauthorized data transfers).
Example: If the risk involves adversaries using Execution techniques such as PowerShell, the organization can restrict PowerShell to authorized users and signed scripts (for instance through Constrained Language Mode or an application control policy) and enable script block logging so that suspicious script activity is visible, as part of its mitigation strategy.
All in all, integrating ATT&CK with NIST 800-30 enhances every stage of the risk assessment, providing a more granular, actionable, and effective approach to managing cybersecurity risks.
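As an added worked example, not code from the original post or from the Rivial Platform, the Python script below walks a handful of ATT&CK techniques through the six 800-30 steps above: it derives the likelihood of initiation from how often each technique appears in constructed sector incident reports, combines that with a constructed control-gap rating from vulnerability identification, looks up risk from a likelihood-by-impact table, sorts the register, and pulls the ATT&CK mitigations for everything rated Moderate or above. The technique and mitigation IDs are real ATT&CK Enterprise identifiers; the reports, ratings, frequency thresholds and mitigation subsets are assumptions made for the demonstration, and the rule that combines the two likelihood components (take the lower one) is this example's simplification of SP 800-30's Table G-5.

```python
"""ATT&CK-informed NIST SP 800-30 risk register (added example, not from the post).
Technique and mitigation IDs are real ATT&CK Enterprise identifiers; the reports,
control-gap ratings and impact ratings are constructed, not real assessment data."""
from collections import Counter

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Steps 1-2: techniques in scope -> (tactic, name, subset of that technique's ATT&CK
# mitigations). Confirm the mitigation list against the live technique page.
TECHNIQUES = {
    "T1566.001": ("Initial Access", "Phishing: Spearphishing Attachment",
                  ["M1049 Antivirus/Antimalware", "M1017 User Training"]),
    "T1190": ("Initial Access", "Exploit Public-Facing Application",
              ["M1051 Update Software", "M1030 Network Segmentation"]),
    "T1059.001": ("Execution", "Command and Scripting Interpreter: PowerShell",
                  ["M1038 Execution Prevention", "M1042 Disable or Remove Feature or Program"]),
    "T1021.001": ("Lateral Movement", "Remote Services: Remote Desktop Protocol",
                  ["M1032 Multi-factor Authentication", "M1035 Limit Access to Resource Over Network"]),
    "T1003": ("Credential Access", "OS Credential Dumping",
              ["M1043 Credential Access Protection", "M1026 Privileged Account Management"]),
    "T1486": ("Impact", "Data Encrypted for Impact", ["M1053 Data Backup"]),
}
# Constructed CTI: technique IDs seen in ten hypothetical incident write-ups about
# sector peers (a stand-in for a CTI feed or the ATT&CK Group pages).
SECTOR_REPORTS = [
    ["T1566.001", "T1059.001", "T1003", "T1021.001", "T1486"],
    ["T1190", "T1059.001", "T1003", "T1486"],
    ["T1566.001", "T1059.001", "T1021.001", "T1486"],
    ["T1566.001", "T1003", "T1021.001"],
    ["T1190", "T1021.001", "T1486"],
    ["T1566.001", "T1059.001"],
    ["T1566.001", "T1059.001", "T1003", "T1486"],
    ["T1190"],
    ["T1566.001", "T1021.001", "T1486"],
    ["T1566.001", "T1059.001", "T1003"],
]
# Constructed vulnerability-identification result: how likely the technique is to
# succeed given the control gaps found (800-30's "likelihood of adverse impact").
CONTROL_GAPS = {
    "T1566.001": "High",       # attachments not detonated, awareness training stale
    "T1190": "Low",            # internet-facing systems patched within SLA
    "T1059.001": "Very High",  # PowerShell unrestricted, no script block logging
    "T1021.001": "High",       # RDP reachable from user VLANs without MFA
    "T1003": "Moderate",       # LSA protection enabled on only some hosts
    "T1486": "Moderate",       # backups exist but restores are untested
}
# Constructed impact determination for the in-scope assets.
IMPACT = {"T1566.001": "Moderate", "T1190": "High", "T1059.001": "Moderate",
          "T1021.001": "High", "T1003": "High", "T1486": "Very High"}
# Likelihood (row) x impact (column, LEVELS order) -> risk, after the qualitative
# combination table in SP 800-30 Rev. 1 Appendix I.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def initiation_likelihood(count, total):
    """Step 3a: share of peer reports using the technique -> likelihood it is attempted."""
    share = count / total
    for threshold, level in ((0.8, "Very High"), (0.6, "High"), (0.4, "Moderate"), (0.2, "Low")):
        if share >= threshold:
            return level
    return "Very Low"

def overall_likelihood(initiation, success):
    """Step 3b: this example's simplification of 800-30 Table G-5, the lower component wins."""
    return LEVELS[min(LEVELS.index(initiation), LEVELS.index(success))]

def risk_level(likelihood, impact):
    """Step 5: risk level for a likelihood/impact pair."""
    return RISK_TABLE[likelihood][LEVELS.index(impact)]

def build_register(reports=SECTOR_REPORTS, gaps=CONTROL_GAPS, impact=IMPACT):
    """Steps 1-5: the risk register, highest risk (then highest likelihood) first."""
    counts = Counter(tid for report in reports for tid in report)
    rows = []
    for tid, (tactic, name, mitigations) in TECHNIQUES.items():
        initiation = initiation_likelihood(counts[tid], len(reports))
        likelihood = overall_likelihood(initiation, gaps[tid])
        rows.append({"id": tid, "tactic": tactic, "technique": name,
                     "initiation": initiation, "likelihood": likelihood,
                     "impact": impact[tid], "risk": risk_level(likelihood, impact[tid]),
                     "mitigations": mitigations})
    rows.sort(key=lambda r: (LEVELS.index(r["risk"]), LEVELS.index(r["likelihood"])), reverse=True)
    return rows

def mitigation_plan(register, threshold="Moderate"):
    """Step 6: ATT&CK mitigations for every risk at or above the threshold, keyed by
    mitigation so a control that addresses several techniques surfaces once."""
    plan = {}
    for row in register:
        if LEVELS.index(row["risk"]) >= LEVELS.index(threshold):
            for mitigation in row["mitigations"]:
                plan.setdefault(mitigation, []).append(row["id"])
    return plan

if __name__ == "__main__":
    register = build_register()
    for row in register:
        print(f'{row["risk"]:<9} {row["id"]:<10} L={row["likelihood"]:<9} '
              f'I={row["impact"]:<9} {row["tactic"]}: {row["technique"]}')
    for mitigation, tids in mitigation_plan(register).items():
        print(f"{mitigation} <- {', '.join(tids)}")
```

Run it and the ransomware technique lands at the top of the register despite only a Moderate overall likelihood, because its Very High impact dominates, while Exploit Public-Facing Application drops to Low because the patch SLA closes the gap even though peers still see it. Replacing the constructed reports with the technique lists from the ATT&CK Group pages relevant to your sector, and the gap ratings with your own assessment findings, is the integration described above.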
With the wealth of information provided by MITRE ATT&CK, managing and integrating it into a dynamic risk assessment process can be a resource-intensive challenge—this is where automation plays a pivotal role!
With the Rivial Platform, we automatically integrate the MITRE ATT&CK framework into our risk assessment in just a few minutes. Additionally, our quantitative methodology allows you to assess the financial impact of risks to your information systems, giving you the insight to prioritize cybersecurity risk. Take a moment to see the platform in action by scheduling a no-pressure demo today!