By: Nicole Hoffman
This blog post was originally written as a conference talk. I enjoy writing out my talks as essays before creating my slides. I decided to share this essay as a blog post. I hope you enjoy. I included my slides from my talk at the end.
If you follow me on Twitter or have spoken to me before you probably know I am a huge advocate for the MITRE ATT&CK® knowledge base. I have had quite a few people reach out to me saying they want to implement some form of the ATT&CK framework to enhance their defenses but were not sure where to begin. Many of these people had some ideas regarding a technical approach to implementation, whether that be mapping their data sources, mapping indicators, focusing on industry-specific threats and TTPs, or going through technique by technique to determine their level of coverage.
The real issue was getting management and executives on board, because the implementation is inevitably going to consume resources and require authorization. But you cannot walk in talking about data sources, IOCs, TTPs, etc., because you will quickly be met with glazed-over eyes. Fear not, for I have some cheat codes to help you on your journey and bridge the gap between technical and executive jargon.
For anyone that is unfamiliar with MITRE ATT&CK, it is a knowledge base of adversary tactics, techniques and procedures that is organized into matrices. ATT&CK is open and available for anyone to take advantage of, and contributions are encouraged. The ATT&CK framework allows security professionals to step away from an indicator-centric approach and focus on adversarial behaviors.
Well, what does that mean? You get a phishing email with a malicious link. Just block the IP or the email and you are safe from that adversary, right? Wrong! The same adversary can change all of that information. Instead of focusing on that single indicator, start focusing on the behavior itself which is phishing.
ATT&CK is organized into three matrices: Enterprise, Mobile, and ICS. At the time of this talk there was also a separate PRE-ATT&CK matrix covering the tactics and techniques leading up to an attack; MITRE has since folded that content into the Enterprise matrix as the Reconnaissance and Resource Development tactics. In the Enterprise matrix (shown on the slide) techniques are organized under tactics. The tactics represent the 'why': the adversary's goal, what they are trying to accomplish. The techniques represent the 'how'.
The main goal when adopting the ATT&CK framework is to see how well your organization can defend against and detect each of the techniques. There are several different ways the ATT&CK framework can be implemented. However, that is outside the scope of this talk, but it’s possible I may write a follow up talk about the different strategies you can take and how you could prioritize the techniques most relevant to your threat landscape or industry.
Ok let’s say you have selected the appropriate implementation strategy for your organization. How can you get management or executives on board to provide you authorization? You can obviously see the value, or you wouldn’t be here. You need to find a way for them to see the value.
One of the key rules with any form of dissemination is knowing your audience. You need to speak their language and make it actionable for them. Executives speak business and care about the three R’s: Risk, Revenue, and Regulation. So how can you correlate your needs in their language? It is going to take some research.
Executives and upper management will appreciate your hard work and preparation. They need to know that you respect them enough to do the work and that you do not see them as an ATM. You should not just want their authorization.
You should want them on board. Cyber security will continuously be thought of as a cost if we do not educate our executives and incorporate it into the company culture.
The Oxford dictionary defines risk as a situation involving exposure to danger. The Merriam-Webster dictionary has three definitions of the word risk. The one I found particularly interesting was the degree of probability of such loss. I asked a few friends of mine that are either in management, are business owners, or executives if they understood the equation likelihood x impact = risk.
Some had heard of it, but of the few that had, not a single one really knew what it meant. I can't say that I blame them, because I took a Cyber Risk course in college, was shown the risk matrix seen below, and was told to identify the level of risk for certain things such as website defacement. All I could think was: how could I possibly predict whether a hacker is going to choose this website over another website?
It wasn’t until I was writing a lesson on the Diamond Model of Intrusion Analysis that I had an ah ha! moment. There is an important factor missing that is not talked about enough regarding this risk matrix and that is you have to assume you are already being targeted.
Do not try to predict whether or not you will be targeted. You have to assume you are being targeted. If someone has a political vendetta against your organization, what is the likelihood they will be able to deface your website?
Well, if your website is not properly secured it becomes an easy target, and the likelihood increases. Impact can be calculated in several different ways; the most popular measure is cost, but there are also things like brand reputation.
For example, if a website were defaced it would most likely need to be taken down during the mitigation. If your website is informational then the impact is most likely low, but if you conduct business through your website the impact would be much higher.
Identifying risks in cyber security can be overwhelming because they are everywhere. There are so many that it can be difficult to organize them into a single taxonomy that could be understood by everyone in the organization regardless of technical ability. This is where the ATT&CK framework comes in. The ATT&CK framework allows you to become very familiar with the ins and outs of your infrastructure and its defenses. I guarantee you will learn something about your environment that you were not aware of before.
If you map your defenses to ATT&CK, you will be able to intelligently calculate the level of risk for each technique. At which point you can identify what you are going to do with the risks you identify. There is risk acceptance, avoidance, transference, and controlling/ mitigating. These are all informed decisions that need to be made with the appropriate parties such as management and executives.
Using the ATT&CK Navigator tool, you can create heat maps with color keys to show whether you can detect certain techniques. Once you get familiar with performing assessments you can go a step further and try to determine a percentage of coverage. For example: when tested, we detect this technique 25% of the time.
“Tip: Don’t worry about pinpoint accuracy when trying to assess your coverage — your goal with assessments is to understand if you have the engineering capabilities to generally detect techniques. For more accuracy, we recommend running adversary emulation exercises.” -Andy Applebaum
Once you are able to identify these gaps in coverage you can prioritize the mitigations and detections that improve it. From a risk standpoint, that means lowering the likelihood that an attempted technique succeeds (or succeeds unnoticed), and thus lowering the risk level. Now, I would not recommend doing a full assessment of the ATT&CK matrix before you get the O.K. to implement it. Start small with a single technique or two to show the proof of concept.
After doing one or two you might also learn a few things and alter the way you do a larger assessment. Understanding risk mitigations also allows you to identify business drivers. For example, we need this web application firewall to protect our website from being defaced.
We cannot have our website defaced because it could negatively affect our brand reputation and consumer trust which could lead to a decrease in revenue. There needs to be a logical, well thought out business reason for every cyber security decision.
Remember if we want cyber security to become a part of company culture, we have to help it get there. Somebody needs to bridge the gap in communication. It needs to be us because it only makes our jobs easier.
When I say revenue, I really mean money. Money coming in and money going out. Remember, executives and management are not ATMs and should not be treated as such. Show that you respect the company’s funds by not only mitigating risks, but also ensuring your funds are being spent wisely on tools. If you are going to map your coverage of ATT&CK, you may find out that some tools are not doing the job you think they are.
Once you decide on a technique or two to focus on, find or write an analytic (detection logic) for each one and test it. In other words, you emulate or recreate the technique in a safe, non-malicious way and check whether your tools and analytics actually detected the event. MITRE's Cyber Analytics Repository (CAR) is a great source of analytics that are already mapped to ATT&CK techniques and that you can use to check your controls.
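To make the assessment-to-heat-map step concrete, here is a small added example (my own code for this post, not something from MITRE or the Navigator project). It takes constructed emulation results (one record per test run, real Enterprise technique IDs, made-up test names and outcomes), computes the percent of tests detected per technique, and writes that out as an ATT&CK Navigator layer so the percentages show up as colors on the matrix. The layer keys and the `versions` block are what I know of the Navigator layer file format; check them against the Navigator release you actually load the file into.

```python
"""Turn emulation test results into per-technique detection coverage and an
ATT&CK Navigator layer (heat map).

Added example for this post, not MITRE's or the Navigator project's code.
TEST_RESULTS is constructed. Technique IDs are real Enterprise ATT&CK IDs
(T1566 Phishing, T1491 Defacement, T1059.001 PowerShell); the test names,
outcomes and colour bands are assumptions. Layer keys follow the Navigator
layer format as I know it; verify "versions" against your Navigator release.
"""
import json
from collections import defaultdict

# Constructed results: one record per emulation run / analytic check.
TEST_RESULTS = [
    {"technique": "T1566",     "test": "phish-link-click",        "detected": True},
    {"technique": "T1566",     "test": "phish-attachment-macro",  "detected": False},
    {"technique": "T1566",     "test": "phish-html-smuggling",    "detected": False},
    {"technique": "T1566",     "test": "phish-qr-code",           "detected": False},
    {"technique": "T1491",     "test": "webroot-index-overwrite", "detected": True},
    {"technique": "T1491",     "test": "webroot-new-page",        "detected": True},
    {"technique": "T1059.001", "test": "encoded-command",         "detected": True},
    {"technique": "T1059.001", "test": "download-cradle",         "detected": False},
]


def coverage_by_technique(results):
    """Return {technique_id: {"detected": n, "total": m, "pct": p}}."""
    tally = defaultdict(lambda: {"detected": 0, "total": 0})
    for r in results:
        t = tally[r["technique"]]
        t["total"] += 1
        t["detected"] += 1 if r["detected"] else 0
    for t in tally.values():
        t["pct"] = round(100 * t["detected"] / t["total"])
    return dict(tally)


def coverage_color(pct):
    """Three-band colour key (assumed bands): red <34, amber <67, else green."""
    if pct < 34:
        return "#ff6666"
    if pct < 67:
        return "#ffe766"
    return "#8ec843"


def build_navigator_layer(coverage, name="Detection coverage (emulated)"):
    """Build a Navigator layer dict; each technique's score drives the gradient."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Percent of emulation tests detected per technique",
        "techniques": [
            {
                "techniqueID": tid,
                "score": c["pct"],
                "color": coverage_color(c["pct"]),
                "comment": f'{c["detected"]}/{c["total"]} tests detected',
                "enabled": True,
            }
            for tid, c in sorted(coverage.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 100},
        "legendItems": [
            {"label": "Detected <34% of tests", "color": "#ff6666"},
            {"label": "Detected 34-66% of tests", "color": "#ffe766"},
            {"label": "Detected >=67% of tests", "color": "#8ec843"},
        ],
    }


if __name__ == "__main__":
    cov = coverage_by_technique(TEST_RESULTS)
    layer = build_navigator_layer(cov)
    with open("coverage-layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)  # open this file in ATT&CK Navigator
    for tid, c in sorted(cov.items()):
        print(f'{tid:10} {c["pct"]:3d}%  ({c["detected"]}/{c["total"]})')
```

With the constructed data, T1566 comes out at 25% (one of four phishing tests detected), which is the "we detect this technique 25% of the time" statement above expressed as a score; T1491 is fully covered and T1059.001 sits at 50%. Counting test runs rather than grading a technique as a binary detected/not detected is what lets you show improvement over time without claiming pinpoint accuracy.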
If all of your tools are doing what they are supposed to be doing you know that you are getting a Return on Investment (ROI). I know a lot of business savvy folks are familiar with the term ROI or return on investment, but I know a lot of tech savvy people that are not. Familiarize yourself with the term so you know if the company’s money is well spent.
There is a lot more that goes into ROI than just money, such as loss of reputation or intellectual property, which can make it challenging to calculate. However, a simple way to measure it is to identify the single loss expectancy (SLE) and the annualized rate of occurrence (ARO), how often the loss happens in a year. For example, if it costs the company $10k every time the system is down, and the system is down approximately 10 times a year, then you can estimate the annual loss expectancy (ALE) to be $100,000.
If you find a tool that prevents this entirely and said tool costs $30,000 a year, you can justify that it saves the company approximately $70,000 a year net (the $100,000 ALE minus the $30,000 spent). If the tool only reduces the number of outages, recompute the ALE with the lower ARO and subtract the tool cost the same way. Either way, that is a pretty good return on investment if you ask me.
On the other end, if you are paying a vendor $30,000 a year to mitigate the risk of your network going down and it is not doing anything, then you are now costing the company $30,000 and getting no return on that investment. This kind of reasoning is universal in the business world; we just need to put it into security terms. The executives do not know whether that tool is doing its job, but you should.
The ATT&CK framework provides you with a place to start, a methodology that makes sense, and several different mapping strategies based on sophistication and resources available. Remember, ATT&CK is free to use. The biggest cost is time. I would be lying if I said it was not a time intensive task. However, the great thing about it is you don’t have to do it all at once.
Depending on the resources available, you can focus on a single technique at a time. Even if it's little by little, it is still benefiting the organization, and eventually you will be able to educate and empower your executives with a better sense of security than they probably have now. Right now, it may be a false sense of security, especially when it comes to tools.
If you are not regularly testing your tools and calculating ROI, you will never know when money could be saved or spent more wisely. Could you imagine paying for a tool that claims to protect you from ransomware and then experiencing a ransomware attack? I guarantee there is one thing you and your manager will have in common that day: you will both be asking what the heck you are paying for. ATT&CK can help you help your manager make informed business decisions.
“While hardening benchmarks and compliance frameworks are excellent at providing some mitigating factors, none provide the level of guidance around detection strategies that ATT&CK does. Many of the techniques explicitly state what should be monitored in your environment. The knowledge provided here can increase the maturity of a security organization overnight” -Travis Smith
I don't know how many times I have heard people say "well, I passed the audit, so I must be secure." In actuality, compliance does not equal security. Compliance refers to meeting regulatory requirements at a single point in time.
Security, on the other hand, is an ongoing system put into place that is regularly improved upon. A well thought out security program will pave the road to compliance. Compliance will not, I repeat, will not pave the road to security.
ATT&CK allows you to go beyond compliance checklists and implement a threat-informed security program. Coming full circle: if you are planning to implement the ATT&CK framework to enhance your defense operations, do your research before presenting the idea to your executive team. Remember the first rule of dissemination is to know your audience.
Executives speak business and typically care about risk, regulation, and revenue. They may be well versed in risk management, but you may need to educate them about cyber risk. Inform them how implementing the ATT&CK framework can help identify and close gaps in your detections and mitigations, thus minimizing risk.
Change their minds about cyber security being a money hole. Most importantly, do not treat executives or management like ATMs. Identify your organization’s business drivers and determine how the ATT&CK implementation will benefit those drivers.
Put all of this information in an implementation plan. Choose an implementation strategy and show a proof of concept with 1-2 techniques. Also, don’t forget the implementation of ATT&CK will ultimately identify the ROI for your current toolset to ensure the funds flowing into cyber security are being well spent.
And finally, define the difference between compliance and security. Provide your audience with actionable information and tangible results. Do not instill fear and intimidation. Cyber security should never be driven by fear. Let it be driven by education. The ATT&CK framework can help empower your executives with the knowledge of the organization’s security posture.