Multi Level Threat Modelling using MITRE ATT&CK
Cyber security teams use threat modelling to represent sets of adversary tactics and techniques that may be used to a compromise their computer systems. These threat models contain representations of the ICT systems, networks and applications, combined with techniques used to exploit each component, from initial access through to exfiltration (or for achieving an alternative malicious goal, such as denial of service). This blog looks at how Security Operations Centre (SOC) teams use threat models to create use cases and how modelling specific sectors using the MITRE ATT&CK framework helps categorise threats and map controls, thus giving the SOC the insight needed to better defend the business.
What is Threat Modelling?
Threat modelling is a methodical, systematic approach to analysing the weak points of an ICT system for potential vulnerabilities, enumerating each of these weak points based on impact and remediation.
Threat modellers require sound technical skills that understand the purposes of controls such as authentication, authorisation, and techniques based on encryption for determining breaches to confidentiality and integrity (and many more). The modern approach used by modellers isn’t new; rather the methodology used today evolved from attack tree modelling, something that’s been around since the ‘90s. You can read more about attack trees in Bruce Schneier’s paper, Toward A Secure System Engineering Methodology.
Implementation of Threat Modelling systems
Today, the most popular implementation of threat modelling systems is the one developed as a core element of Microsoft’s Security Development Lifecycle (SDL). There are five steps Microsoft suggests that security engineers need to follow to define their threat models:
- Defining security requirements;
- Creating an application diagram;
- Identifying threats;
- Mitigating threats; and
- Validating that threats have been mitigated.
The SDL requires that threat modelling is done during every development cycle, thus ensuring production teams examine and treat security risks in every release. To help embed threat modelling in the development lifecycle, Microsoft created a special tool to assist with standard notation and visualisation, allowing engineers to quickly align components, data flows and security boundaries with threats. If you are interested in using this tool, you can explore it here. There are many more methods that security engineers can use for threat modelling, and if you want a full overview of these, this CSO Online article is useful.
Threat Modelling and MITRE ATT&CK
We’ve looked at several use cases for the MITRE ATT&CK framework already in other blog posts, but let’s look at how we can use MITRE ATT&CK as the basis for a threat model and how we can use the information within ATT&CK to synthesise something specific to an industry sector.
On their own, the techniques within each MITRE ATT&CK matrix are without context, since they express the method an attack would use, not the impact of the technique being successful. This is why risk assessments are so important. If you consider for a moment what risks are, they are a combination of vulnerability, threat, impact and likelihood, and you need to represent all of these in a quantifiable (or pseudo quantifiable) way so that the risk value makes sense within your business context.
Create a Threat Model that can represent your risks
We know that attackers exploit vulnerabilities within our systems to gain access to or achieve their malicious objectives. We can also discover from ATT&CK the techniques these adversaries use to attack exploitable weaknesses, and we can easily determine from consulting the business what the impact (value) of a successful breach might be. Armed with all this information, finally a threat model that represents risks can be created, so that an appropriate level of control and risk mitigation can be undertaken by the business.
This model helps security engineers communicate better with their management and executives, as quantifiable risks are much better conversation drivers than technical jargon and hyperbole. But what about threat models that apply to specific industry sectors?
Strategic Threat Models
Individualised threat models based on the systems you protect are incredibly important to security engineers and developers, but for strategic planning purposes, industry or sector threat models are an excellent approach to clearly explaining cyber risk to senior management and boards.
The American Homeland Security Systems Engineering & Development Institute (HSSEDI) has taken this approach in building an industry threat model for the Financial Services Sector (FSS), but as an overall strategy this can be applied to any sector using the same approach. You can read the HSSEDI paper here entitled: Enhanced Cyber Threat Model for Financial Services Sector (FSS) Institutions.
Three levels of Threat Modelling
Three levels of threat modelling are described in the HSSEDI paper: strategic planning, acquisition/engineering, and operations. At the strategic level, organisations can use models to assess business level risks and gaps in controls, and properly understand their own strategic position within the sector they operate.
To gain context that a category of APT is predominantly operating in your sector provides better insight into the purpose for your overall security programme, it can guide decision making at the highest level. However, security engineers and operations teams also benefit from these strategic viewpoints, since engineering threat models are based on the strategic viewpoint, but the details of the techniques and attack patterns are better aligned to specific contextual controls (thus allowing security architects to devise appropriate control mechanisms and tests). At the operational level, the SOC team uses the model of specific, realistic threats detailed in the ATT&CK framework, with lists of tools and software to understand how those attacks manifest and figure out how they would use their monitoring systems to detect and respond to attacks.
Adopt MITRE ATT&CK into your business
The MITRE ATT&CK Framework is an extremely helpful tool in the creation of threat models for organisations to use at all levels of their business operations, from the boardroom to the SOC. Why not give your Board the benefit of strategic threat models to help them understand the prevailing threats your business faces, as well as providing your SOC team with detailed operational threat models to build use cases and monitoring rules for specific threats.