Cyber resilience is difficult to quantify, implement, and measure. What we do know is that it breaks down into proactive and reactive approaches to security. Reactive resilience is what happens after the incident: how quickly can we identify, contain, eradicate, and recover from the attack? Proactive resilience means understanding the attack surface and being able to identify and thwart attacks before they happen. One such proactive strategy is threat modeling: identifying the potential threats to, and vulnerabilities in, an organization's systems and data from a holistic, secure-design perspective. This helps organizations develop impactful, cost-efficient countermeasures to prevent or mitigate those threats, especially in an agile CI/CD model of software and application development. The MITRE ATT&CK framework fits in as a valuable tool that organizations can use alongside threat modeling to classify the attack vectors and tactics used by threat actors.
The MITRE ATT&CK Framework
The MITRE ATT&CK framework is a comprehensive library of tactics, techniques, and procedures (TTPs) used by threat actors to carry out attacks. It covers a wide range of attack methods, from initial access to data exfiltration. The framework itself does not identify threats or vulnerabilities, but by mapping an organization's potential attack surface onto the MITRE ATT&CK framework, organizations can identify potential gaps in their defenses and prioritize the development of countermeasures accordingly.
To effectively use the MITRE ATT&CK framework in conjunction with threat modeling, organizations should follow these steps:
1. Identify potential threats and attack vectors
Once the Data Flow Diagram (DFD) is complete, analyze it with a threat modeling methodology; at CMS this is STRIDE. This is the exercise of identifying potential threats to an organization's systems and data, such as phishing, attacks on encryption, injection, or weaknesses in access control. Organizations should also identify all potential entry points into their systems, such as unsecured ports or weak authentication protocols.
2. Map potential threats to the MITRE ATT&CK framework
Once potential threats and attack vectors have been identified, organizations should map them to the relevant tactics and techniques in the MITRE ATT&CK framework. For every threat against a process, function, or asset there is an exploitable action; this is the ATT&CK TTP. Mapping threats this way helps organizations identify potential gaps in their defenses and prioritize the development of countermeasures accordingly, for example using MITRE Shield.
3. Develop countermeasures
Based on the identified threats and mapped tactics and techniques, organizations should develop countermeasures to prevent or mitigate potential attacks. This may include implementing multi-factor authentication, updating software and security patches, updating policies, or developing incident response plans. Knowing these gaps will also guide onboarding new tools, solutions, and future security spend.
4. Continuously monitor and refine defenses
Threats and attack methods are constantly evolving, so organizations should continuously monitor their defenses and refine them as needed. This may involve conducting regular vulnerability assessments, threat modeling exercises, penetration testing, or updating security policies and procedures.
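Steps 1 through 3 above amount to a small data pipeline: STRIDE threats per DFD element, a mapping of each threat to ATT&CK techniques, and a comparison of the mitigations ATT&CK lists for those techniques against what is actually implemented. The following is an added illustration, not CMS code: the technique and mitigation IDs are real ATT&CK Enterprise identifiers, but the sample DFD threats and their technique mapping are constructed for the example.

```python
"""STRIDE -> ATT&CK technique -> mitigation gap report (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    element: str           # DFD element the threat applies to
    stride: str            # STRIDE category assigned during analysis
    description: str
    techniques: tuple      # ATT&CK technique IDs the analyst mapped it to


# Subset of ATT&CK Enterprise mitigations listed for each technique.
TECHNIQUE_MITIGATIONS = {
    "T1566": {"M1017", "M1049", "M1054"},  # Phishing: user training, AV, software config
    "T1110": {"M1032", "M1036", "M1027"},  # Brute Force: MFA, account use, password policy
    "T1190": {"M1051", "M1030", "M1016"},  # Exploit Public-Facing App: patch, segment, scan
    "T1486": {"M1053"},                    # Data Encrypted for Impact: data backup
}

# Constructed threats from a hypothetical web application DFD.
SAMPLE_THREATS = (
    Threat("Staff workstation", "Spoofing", "Phishing for credentials", ("T1566",)),
    Threat("Staff workstation", "Elevation of privilege", "Phishing delivers malware", ("T1566",)),
    Threat("Web front end", "Spoofing", "Credential stuffing against login", ("T1110",)),
    Threat("Web front end", "Tampering", "SQL injection in search", ("T1190",)),
    Threat("Records data store", "Denial of service", "Ransomware encrypts records", ("T1486",)),
)

# Controls already in place (constructed): MFA and a patching program.
IMPLEMENTED = {"M1032", "M1051"}


def coverage(threats, implemented):
    """Map each mapped technique to the implemented mitigations that address it.
    An empty set means a defensive gap for that technique (step 2)."""
    return {tech: TECHNIQUE_MITIGATIONS.get(tech, set()) & implemented
            for t in threats for tech in t.techniques}


def gaps(threats, implemented):
    """Uncovered techniques, ranked by how many DFD threats rely on them."""
    cov = coverage(threats, implemented)
    exposure = defaultdict(list)
    for t in threats:
        for tech in t.techniques:
            if not cov[tech]:
                exposure[tech].append((t.element, t.stride))
    return sorted(exposure.items(), key=lambda kv: -len(kv[1]))


def recommend(threats, implemented):
    """For each gap, the ATT&CK mitigations not yet in place (step 3 candidates)."""
    return {tech: sorted(TECHNIQUE_MITIGATIONS.get(tech, set()) - implemented)
            for tech, _ in gaps(threats, implemented)}
```

With the sample data, phishing (T1566) ranks first because two DFD threats depend on it and none of its listed mitigations is implemented, while brute force and exploitation are already covered by MFA and patching.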
Conclusion
Threat modeling is an essential part of a proactive approach to security, and the MITRE ATT&CK framework is a valuable tool for organizations to use in conjunction with threat modeling to identify potential attack vectors and tactics used by threat actors. By following the steps outlined above, organizations can develop effective countermeasures to prevent or mitigate potential attacks and maintain a strong security posture.
Learn more about Threat Modeling at CMS:
Join the #cms-threat-modeling channel on CMS Slack