Assessing & Mapping Security Tool Capabilities to the ATT&CK Matrix

Cybersecurity Capstone — Part Three

Katlyn Gallo
Dark Roast Security
10 min read · Mar 31, 2022
image by author

This article is part of my capstone blogging series, which will detail my project as I progress. For the list of all articles, visit my Cybersecurity Master’s Capstone list. Additionally, in this post and future ones, I’ll refer to the companies I’m analyzing as Company A, B, C, and so on for confidentiality reasons.

So as not to reinvent the wheel, I'm assuming you've read my Project Proposal, so I won't re-explain the goals and objectives of the project or related details. If you haven't read the proposal yet, it provides all of that background, so definitely give it a read for more context.

Additionally, Parts One and Two detail the first two steps of this exercise, where I identified the threat actors and malware variants targeting Company A and its industry and gathered the TTPs used in historical cyber events. That information was compiled into an ATT&CK framework heatmap, which is what will be used throughout the capabilities mapping covered in this article.

As a quick level set: in the last article, I had just finished creating an ATT&CK matrix heatmap that portrays the techniques used by Company A's threat actors and the priority malware variants.

image by author — ATT&CK matrix showing priority TTPs

This heatmap uses a scoring scale of 0–105, where the score is equal to the number of cyber events each technique has been used in. Many of the techniques were only seen in one or two attacks, which are shown in light yellow. The techniques highlighted in dark orange and red are ones used in a higher number of cyber events, and therefore should be prioritized over the other, less common techniques.
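To make the scoring concrete, here is an added example (not code from the article) that counts, per technique, the number of constructed sample events it appears in and emits the result as an ATT&CK Navigator layer with the same 0–105 yellow-to-red gradient; the events, the one-third/two-thirds priority thresholds and the layer version strings are assumptions.

```python
"""Build an ATT&CK technique heatmap (event-count scores) from constructed
incident records and emit it as an ATT&CK Navigator layer."""
import json
from collections import Counter

# Constructed sample: each record is one historical cyber event and the
# technique IDs observed in it (the IDs are real ATT&CK IDs; the events are invented).
SAMPLE_EVENTS = [
    {"event": "E1", "techniques": ["T1566.001", "T1059.001", "T1486"]},
    {"event": "E2", "techniques": ["T1566.001", "T1059.001", "T1047"]},
    {"event": "E3", "techniques": ["T1566.001", "T1021.001", "T1486"]},
    {"event": "E4", "techniques": ["T1059.001", "T1003.001"]},
]

def score_techniques(events):
    """Score = number of distinct events in which the technique appeared."""
    counts = Counter()
    for ev in events:
        for tid in set(ev["techniques"]):  # count each technique once per event
            counts[tid] += 1
    return dict(counts)

def priority(score, max_score):
    """Bucket a score into low/medium/high tiers (like the light-yellow,
    orange and red cells). The thresholds at one- and two-thirds of the
    highest observed score are an assumption, not the article's rule."""
    if score > 2 * max_score / 3:
        return "high"
    if score > max_score / 3:
        return "medium"
    return "low"

def to_navigator_layer(scores, name="Company A priority TTPs", max_value=105):
    """Emit an ATT&CK Navigator layer dict; the gradient mirrors the article's
    0-105 scale. Layer/navigator version strings are assumed."""
    max_score = max(scores.values()) if scores else 0
    return {
        "name": name,
        "versions": {"layer": "4.4", "navigator": "4.8.0"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": s,
             "comment": f"{s} event(s); priority={priority(s, max_score)}"}
            for tid, s in sorted(scores.items(), key=lambda kv: -kv[1])
        ],
        "gradient": {"colors": ["#ffffb3", "#ff8000", "#ff0000"],
                     "minValue": 0, "maxValue": max_value},
    }

if __name__ == "__main__":
    print(json.dumps(to_navigator_layer(score_techniques(SAMPLE_EVENTS)), indent=2))
```

The printed JSON can be loaded directly into the Navigator (Open Existing Layer) to reproduce the heatmap view.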

As mentioned in Part Two, this is useful information, but we haven’t gone far enough for it to really provide value to a security operations team yet. The next phase in this exercise is to map security tool capabilities to this framework so we can better understand how the company’s defenses stack up against these techniques.

Overview of the ATT&CK…
