Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework
Abstract
:1. Introduction
2. Background
2.1. MITRE ATT&CK
- Tactics: denoting the tactical adversary objective for performing an attack. It practically addresses the “why” [31,34]. Tactics serve as contextual categories for individual techniques and cover standard, higher-level notations for actions adversaries perform during an attack, such as data exfiltration, privilege escalation and defense evasion [32].
- Techniques: describing the means by which adversaries achieve tactical goals by performing an action. In other words, they address the “how” and, in some cases, the “what” an adversary gains by performing an action [11,32]. There may be many ways, or techniques, to achieve tactical objectives, so there are multiple techniques in each tactic category [31].
- Mitigations: defining the countermeasures that could prevent adversaries from achieving their tactical objectives via the usage of specific techniques. Mitigations address the “what to do” about the TTPs (Tactics, Techniques and Procedures) question [35].
- ATT&CK for Enterprise: covering behavior against enterprise IT networks and cloud. The first ATT&CK model was created in September 2013, focusing on the Windows enterprise environment. After refinements and adjustments through internal research, it was publicly released in May 2015 with 96 techniques organized under nine tactics [32]. In 2017, it was expanded to also address Mac and Linux operating systems (apart from Windows). For the first time, it was attributed the name “ATT&CK for Enterprise”.
- A complementary model called PRE-ATT&CK was also published in the same year focusing on the preceding preparation phases, allowing organizations to predict and prepare for attacks before they even happen [36]. In 2019, ATT&CK for Cloud was published as part of Enterprise to describe behavior against cloud environments and services [34]. The current model version, released on 27 October 2020, incorporates 14 enterprise tactics analyzed into 177 techniques and 348 sub-techniques provisioning 42 mitigations.
- ATT&CK for Mobile: focusing on behavior against mobile devices (mainly operating Android and iOS platforms). This model was released in 2017, covering techniques involving device access and network-based effects that can be used by adversaries without device access [32,34]. The current version, released on 23 October 2020, consists of 14 tactics analyzed into 86 techniques addressed by 13 mitigations.
- ATT&CK for ICS: characterizing and describing post-compromise adversary behavior while operating within ICS networks [37]. Its development started as a small MITRE research project to apply the ATT&CK structure and methodology to the ICS technology domain due to the increasingly reported cyber-security incidents [38]. In 2017, a review process was initiated, allowing the participation of organizations and individuals from the ICS community to assist in its refinement. It was finally released to the public in January 2020, with its current version (updated on 5 October 2020) numbering 11 tactics, 81 techniques and 50 mitigations.
2.2. Cyber-Security Culture Framework
- Assets
- Continuity
- Access and Trust
- Operations
- Boundary Defense
- Security Governance
- Attitude
- Awareness
- Behavior
- Competency
3. Methodology
4. Use Case Scenarios
4.1. Simple Scenario
4.2. Complex Scenario
5. Considerations and Limitations
6. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Cybersecurity Ventures. 2019 Official Annual Cybercrime Report; Herjavec Group: Toronto, ON, Canada, 2019. [Google Scholar]
- Europol. Internet Organised Crime Threat Assessment 2020; European Union Agency for Law Enforcement Cooperation: Budapest, Hungary, 2020.
- INTERPOL. INTERPOL Report Shows Alarming Rate of Cyberattacks during COVID-19; INTERPOL: Lyon, France, 2020. Available online: https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19 (accessed on 7 January 2021).
- Coronavirus-Related Fraud Reports Increase by 400% in March. 2020. Available online: https://www.actionfraud.police.uk/alert/coronavirus-related-fraud-reports-increase-by-400-in-march (accessed on 16 April 2020).
- Coronavirus Scam Costs Victims over £800k in One Month. 2020. Available online: https://www.actionfraud.police.uk/alert/coronavirus-scam-costs-victims-over-800k-in-one-month (accessed on 16 April 2020).
- Campbell, K.; Lawrence, G.A.; Martin, L.P.; Lei, Z. The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. J. Comput. Secur. 2003, 11, 431–448. [Google Scholar] [CrossRef] [Green Version]
- Garg, A.; Curtis, J.; Halper, H. Quantifying the financial impact of IT security breaches. Inf. Manag. Comput. Secur. 2003, 11, 74–83. [Google Scholar] [CrossRef]
- Lawrence, G.A.; Loeb, M.P.; Lei, Z. The impact of information security breaches: Has there been a downward shift in costs? J. Comput. Secur. 2011, 19, 33–56. [Google Scholar]
- UNIT 42. 2020 Unit 42 IoT Threat Report; Palo Alto Networks: Santa Clara, CA, USA, 2020. [Google Scholar]
- Kwon, R.; Ashley, T.; Castleberry, J.; Mckenzie, P.; Gourisetti, S.N.G. Cyber Threat Dictionary Using MITRE ATT&CK Matrix and NIST Cybersecurity Framework Mapping. In Proceedings of the 2020 Resilience Week (RWS), Salt Lake City, UT, USA, 19–23 October 2020. [Google Scholar]
- Al-Shaer, R.; Spring, J.M.; Christou, E. Learning the Associations of MITRE ATT&CK Adversarial Techniques. In Proceedings of the 2020 IEEE Conference on Communications and Network Security (CNS), Avignon, France, 29 June–1 July 2020. [Google Scholar]
- Modeling Attack, Defense and Threat Trees and the Cyber Kill Chain, ATT&CK and STRIDE Frameworks as Blackboard Architecture Networks. In Proceedings of the 2020 IEEE International Conference on Smart Cloud (SmartCloud), Washington, DC, USA, 6–8 November 2020.
- Khan, M.S.; Siddiqui, S.; Ferens, K. A Cognitive and Concurrent Cyber Kill Chain Model. In Computer and Network Security Essentials; Springer: Cham, Switzerland, 13 August 2018; pp. 585–602. [Google Scholar]
- Basra, J.; Kaushik, T. MITRE ATT&CK® as a Framework for Cloud Threat Investigation; Center for Long-Term Cybersecurity (CLTC): Berkeley, Italy, 2020. [Google Scholar]
- AIT News Desk. MITRE ATT&CK Improves Cloud Security, Yet Many Enterprises Struggle to Implement It; AiThority: Pune, India, 2020; Available online: https://aithority.com/it-and-devops/cloud/study-mitre-attck-improves-cloud-security-yet-many-enterprises-struggle-to-implement-it/ (accessed on 7 January 2021).
- Cho, S.; Han, I.; Jeong, H.; Kim, J.; Koo, S.; Oh, H.; Park, M. Cyber Kill Chain based Threat Taxonomy and its Application on Cyber Common Operational Picture. In Proceedings of the 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), Glasgow, UK, 11–12 June 2018. [Google Scholar]
- Mavroeidis, V.; Bromander, S. Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence. In Proceedings of the 2017 European Intelligence and Security Informatics Conference (EISIC), Athens, Greece, 11–13 September 2017. [Google Scholar]
- Stech, F.J.; Heckman, K.E.; Strom, B.E. Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense. In Cyber Deception; Jajodia, S., Subrahmanian, V., Swarup, V., Wang, C., Eds.; Springer: Cham, Switzerland, 2016; pp. 1–22. [Google Scholar]
- Maymí, F.; Bixler, R.; Jones, R.; Lathrop, S. Towards a definition of cyberspace tactics, techniques and procedures. In Proceedings of the 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, USA, 11–14 December 2017. [Google Scholar]
- Farooq, H.M.; Otaibi, N.M. Optimal Machine Learning Algorithms for Cyber Threat Detection. In Proceedings of the 2018 UKSim-AMSS 20th International Conference on Computer Modelling and Simulation (UKSim), Cambridge, UK, 27–29 March 2018. [Google Scholar]
- Hasan, K.; Shetty, S.; Ullah, S. Artificial Intelligence Empowered Cyber Threat Detection and Protection for Power Utilities. In Proceedings of the 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), Los Angeles, CA, USA, 12–14 December 2019. [Google Scholar]
- Parmar, M.; Domingo, A. On the Use of Cyber Threat Intelligence (CTI) in Support of Developing the Commander’s Understanding of the Adversary. In Proceedings of the MILCOM 2019 IEEE Military Communications Conference (MILCOM), Norfolk, VA, USA, 12–14 November 2019. [Google Scholar]
- Husari, G.; Al-Shaer, E.; Chu, B.; Rahman, R.F. Learning APT chains from cyber threat intelligence. In HotSoS ’19: Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security; Association for Computing Machinery: Nashville, TN, USA, 2019. [Google Scholar]
- Warikoo, A. The Triangle Model for Cyber Threat Attribution. J. Cyber Secur. Technol. 2021, 2021, 1–18. [Google Scholar]
- Noor, U.; Anwar, Z.; Amjad, T.; Choo, K.-K.R. A machine learning-based FinTech cyber threat attribution framework using high-level indicators of compromise. Future Gener. Comput. Syst. 2019, 96, 227–242. [Google Scholar] [CrossRef]
- Kim, D.; Kim, Y.; Ahn, M.-K.; Lee, H. Automated Cyber Threat Emulation Based on ATT&CK for Cyber Security Training. J. Korea Soc. Comput. Inf. 2020, 25, 71–80. [Google Scholar]
- Hong, S.; Kim, K.; Kim, T. The Design and Implementation of Simulated Threat Generator based on MITRE ATT&CK for Cyber Warfare Training. J. Korea Inst. Mil. Sci. Technol. 2019, 22, 797–805. [Google Scholar]
- Ahn, M.K.; Lee, J.-R. Research on System Architecture and Methodology based on MITRE ATT&CK for Experiment Analysis on Cyber Warfare Simulation. J. Korea Soc. Comput. Inf. 2020, 25, 31–37. [Google Scholar]
- Xiong, W.; Hacks, S. Threat Modeling and Attack Simulations for Enterprise and ICS. In Proceedings of the CS3STHLM, Stockholm, Sweden, 19–22 October 2020. [Google Scholar]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Detecting Insider Threat via a Cyber-Security Culture Framework. J. Comput. Inf. Syst. 2021. [Google Scholar] [CrossRef]
- Strom, B. “ATT&CK 101”, Medium. 2018. Available online: https://medium.com/mitre-attack/att-ck-101-17074d3bc62 (accessed on 3 January 2021).
- Strom, B.E.; Applebaum, A.; Miller, D.P.; Nickels, K.C.; Pennington, A.G.; Thomas, C.B. MITRE ATT&CK®: Design and Philosophy; The MITRE Corporation: Bedford, MA, USA, 2018. [Google Scholar]
- Strom, B.E.; Battaglia, J.A.; Kemmerer, M.S.; Kupersanin, W.; Miller, D.P.; Wampler, C.; Whitley, S.M.; Wolf, R.D. Finding Cyber Threats with ATT&CK™-Based Analytics; The MITRE Corporation: Bedford, MA, USA, 2017. [Google Scholar]
- The MITRE Corporation. “MITRE ATT&CK®”, The MITRE Corporation. 2016. Available online: https://attack.mitre.org/ (accessed on 3 January 2021).
- Caimi, S. MITRE ATT&CK: The Magic of Mitigations; Cisco: San Jose, CA, USA, 2020; Available online: https://cscoblogs-prod-17bj.appspot.com/security/mitre-attck-the-magic-of-mitigations (accessed on 3 January 2021).
- Esbeck, K.; Strom, B. Integrating PRE-ATT&CK Techniques into ATT&CK; The MITRE Corporation: Bedford, MA, USA, 2013; Available online: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/integrating-pre-attck-techniques-into-attck (accessed on 3 January 2021).
- The MITRE Corporation. ATT&CK® for Industrial Control Systems. 2020. Available online: https://collaborate.mitre.org/attackics/index.php/Main_Page (accessed on 3 January 2021).
- Alexander, O.; Belisle, M.; Steele, J. MITRE ATT&CK® for Industrial Control Systems: Design and Philosophy; The MITRE Corporation: Bedford, MA, USA, 2020. [Google Scholar]
- Claroty. The Global State of Industrial Cybersecurity; Claroty: New York, NY, USA, 2020. [Google Scholar]
- Zafra, D.K.; Lunden, K.; Alexander, O.; Brubaker, N.; Agboruche, G. In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors; FireEye, Inc.: Milpitas, CA, USA, 2020; Available online: https://www.fireeye.com/blog/executive-perspective/2020/09/merging-mitre-attack-for-enterprise-and-ics-to-communicate-adversary-behaviors.html (accessed on 4 January 2021).
- Georgiadou, A.; Mouzakitis, S.; Bounas, K.; Askounis, D. A Cyber-Security Culture Framework for Assessing Organization Readiness. J. Comput. Inf. Syst. 2020. [Google Scholar] [CrossRef]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Designing a Cyber-security Culture Assessment Survey Targeting Critical Infrastructures during Covid-19 Crisis. Int. J. Netw. Secur. Appl. 2020, 13, 33–50. [Google Scholar]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Working from Home during COVID-19 Crisis: A Cyber-Security Culture Assessment Survey. Mendeley Data, V1. 2020. Available online: https://data.mendeley.com/datasets/59tp8sdgr8/1 (accessed on 9 May 2021). [CrossRef]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Working from home during COVID 19 crisis: A cyber security culture assessment survey. Secur. J. 2021. [Google Scholar] [CrossRef]
- Energy Shield. 2019. Available online: https://energy-shield.eu/ (accessed on 25 March 2020).
- Greenfield, D. Cybersecurity Survey Reveals IT/OT Bridges and Disconnects; AutomationWorld: Chicago, IL, USA, 2020; Available online: https://www.automationworld.com/cybersecurity/article/21130642/cybersecurity-survey-reveals-itot-bridges-and-disconnects (accessed on 27 April 2021).
- MITRE Corporation. Mitigations Enterprise|MITRE ATT&CK; MITRE Corporation: Bedford, MA, USA, 2020; Available online: https://attack.mitre.org/mitigations/enterprise/ (accessed on 27 April 2021).
- MITRE Corporation. Mitigations Attackics; MITRE Corporation: Bedford, MA, USA, 2020; Available online: https://collaborate.mitre.org/attackics/index.php/Mitigations (accessed on 27 April 2021).
- Lee, L. Cybercrime has evolved: It’s time cyber security did too. Comput. Fraud Secur. 2019, 2019, 8–11. [Google Scholar] [CrossRef]
ID | Name | ATT&CK for Enterprise | ATT&CK for ICS |
---|---|---|---|
M0800 | Authorization Enforcement | ● | |
M0801 | Access Management | ● | |
M0802 | Communication Authenticity | ● | |
M0803 | Data Loss Prevention | ● | |
M0804 | Human User Authentication | ● | |
M0805 | Mechanical Protection Layers | ● | |
M0806 | Minimize Wireless Signal Propagation | ● | |
M0807 | Network Allowlists | ● | |
M0808 | Encrypt Network Traffic | ● | |
M0809 | Operational Information Confidentiality | ● | |
M0810 | Out-of-Band Communications Channel | ● | |
M0811 | Redundancy of Service | ● | |
M0812 | Safety Instrumented Systems | ● | |
M0813 | Software Process and Device Authentication | ● | |
M0814 | Static Network Configuration | ● | |
M0815 | Watchdog Timers | ● | |
M0816 | Mitigation Limited or Not Effective | ● | |
M1013 | Application Developer Guidance | ● | ● |
M1015 | Active Directory Configuration | ● | ● |
M1016 | Vulnerability Scanning | ● | ● |
M1017 | User Training | ● | ● |
M1018 | User Account Management | ● | ● |
M1019 | Threat Intelligence Program | ● | ● |
M1020 | SSL/TLS Inspection | ● | ● |
M1021 | Restrict Web-Based Content | ● | ● |
M1022 | Restrict File and Directory Permissions | ● | ● |
M1024 | Restrict Registry Permissions | ● | ● |
M1025 | Privileged Process Integrity | ● | |
M1026 | Privileged Account Management | ● | ● |
M1027 | Password Policies | ● | ● |
M1028 | Operating System Configuration | ● | ● |
M1029 | Remote Data Storage | ● | |
M1030 | Network Segmentation | ● | ● |
M1031 | Network Intrusion Prevention | ● | ● |
M1032 | Multi-factor Authentication | ● | ● |
M1033 | Limit Software Installation | ● | |
M1034 | Limit Hardware Installation | ● | ● |
M1035 | Limit Access to Resource Over Network | ● | ● |
M1036 | Account Use Policies | ● | ● |
M1037 | Filter Network Traffic | ● | ● |
M1038 | Execution Prevention | ● | ● |
M1039 | Environment Variable Permissions | ● | |
M1040 | Behavior Prevention on Endpoint | ● | |
M1041 | Encrypt Sensitive Information | ● | ● |
M1042 | Disable or Remove Feature or Program | ● | ● |
M1043 | Credential Access Protection | ● | |
M1044 | Restrict Library Loading | ● | ● |
M1045 | Code Signing | ● | ● |
M1046 | Boot Integrity | ● | ● |
M1047 | Audit | ● | ● |
M1048 | Application Isolation and Sandboxing | ● | ● |
M1049 | Antivirus/Antimalware | ● | ● |
M1050 | Exploit Protection | ● | ● |
M1051 | Update Software | ● | ● |
M1052 | User Account Control | ● | |
M1053 | Data Backup | ● | ● |
M1054 | Software Configuration | ● | ● |
M1055 | Do Not Mitigate | ● | |
M1056 | Pre-compromise | ● |
Level | Dimension | Domain | MITRE ATT&CK Mitigation |
---|---|---|---|
Organizational | Assets | Application Software Security | M0813 |
M0815 | |||
M1013 | |||
M1040 | |||
M1042 | |||
M1045 | |||
Data Security and Privacy | M0803 | ||
Hardware Assets Management | M0813 | ||
M1034 | |||
Hardware Configuration Management | M0815 | ||
M1024 | |||
M1028 | |||
M1039 | |||
M1046 | |||
Network Configuration Management | M0814 | ||
M1037 | |||
Network Infrastructure Management | M1037 | ||
Software Assets Management | M0815 | ||
M1033 | |||
M1038 | |||
M1040 | |||
M1042 | |||
M1044 | |||
M1045 | |||
M1048 | |||
M1054 | |||
Personnel Security | M0804 | ||
Physical Safety and Security | M0805 | ||
M0812 | |||
Continuity | Backup Mechanisms | M1029 | |
M1053 | |||
Business Continuity & Disaster Recovery | M0810 | ||
M0811 | |||
M1053 | |||
Continuous Vulnerability Management | M1016 | ||
M1051 | |||
Access and Trust | Access Management | M0800 | |
M0801 | |||
M1015 | |||
M1022 | |||
M1030 | |||
M1035 | |||
Account Management | M1015 | ||
M1018 | |||
M1032 | |||
M1036 | |||
M1052 | |||
Password Robustness and Exposure | M1027 | ||
M1043 | |||
Privileged Account Management | M1025 | ||
M1026 | |||
Role Segregation | M0800 | ||
Wireless Access Management | M0806 | ||
Operations | Efficient Distinction of Development, Testing and Operational Environments | M1048 | |
Risk Assessment | M1019 | ||
Defense | Boundary Defense | M0802 | |
M0807 | |||
M0808 | |||
M0809 | |||
M1020 | |||
M1031 | |||
Cryptography | M1041 | ||
Email and Web Browser Resilience | M1021 | ||
Malware Defense | M1049 | ||
Security Awareness and Training Program | M1017 | ||
Security Governance | Audit Logs Management | M1047 | |
Penetration Tests and Red Team Exercises | M1050 | ||
Individual | Behavior | Security Behavior | M1017 |
Competency | Security Skills Evaluation | M1017 | |
Μ1027 | |||
Training Completion and Scoring | M1017 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Georgiadou, A.; Mouzakitis, S.; Askounis, D. Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework. Sensors 2021, 21, 3267. https://doi.org/10.3390/s21093267
Georgiadou A, Mouzakitis S, Askounis D. Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework. Sensors. 2021; 21(9):3267. https://doi.org/10.3390/s21093267
Chicago/Turabian StyleGeorgiadou, Anna, Spiros Mouzakitis, and Dimitris Askounis. 2021. "Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework" Sensors 21, no. 9: 3267. https://doi.org/10.3390/s21093267
APA StyleGeorgiadou, A., Mouzakitis, S., & Askounis, D. (2021). Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework. Sensors, 21(9), 3267. https://doi.org/10.3390/s21093267