How to Win Friends and Influence Your (Less Technical) Decision Makers

Maggie MacAlpine, MITRE-Engenuity
Published Feb 4, 2024 (10 min read)

Written by Maggie MacAlpine.

Cover image depicting a board room with empty seats all in shades of purple.

One of the greatest challenges facing cyber defenders is translating operational security into risk for their stakeholders, particularly senior leadership. The goal is to bridge the technical language of cyber analysts to the business language of executives. Risk management, reputation, legal liability and, most importantly, cost are among their chief concerns.

If you’re reading this article, chances are that keeping your organization’s senior leadership informed on its cybersecurity posture is or will be a regular part of your responsibilities. Love it or hate it, presenting to these decision makers is key to maintaining, and ideally improving, that security posture. These presentations can be their own art form and every art form has its tools. Fortunately, the Center for Threat-Informed Defense (Center) has developed such tools and made them free for the community’s use.

Introducing Attack Flow

Attack Flow was designed to help defenders move from tracking individual adversary behaviors to tracking the sequences of behaviors that adversaries employ to move towards their goals. This format allows defenders to present their analysis of an attack and their defensive posture strategically while de-emphasizing raw data, technical jargon, and other information that executives do not need to make a business decision. We have spoken elsewhere about how Attack Flow can help accurately visualize threats in a standardized way. Here, we will demonstrate how it can be used to communicate high-level principles to management.

Winning Friends and Influencing Decision Makers

Having the tools is not the same thing as knowing how best to use them. Presenting data for maximum impact can be its own challenge. The intended goal might be to inform, reassure, or raise awareness among your senior leadership. For tips on how to do this, let’s call upon experts at organizations like Gartner and FAIR, who have spoken at length on the subject. These tips can be combined with Attack Flow visuals for maximum impact.

1. Keep it brief.

2. Educate using current events and well-known breaches.

3. Demonstrate measures taken to reduce risk.

4. State the “ask” clearly.

5. Interpret the data.

6. Offer options.

Keep It Brief

As the saying goes, a picture is worth a thousand words. Where Attack Flow shines is its ability to distill complex attacks into standardized flow charts. Keith Wilson, Director of Cybersecurity Education at AttackIQ, noted that “Attack Flow communicates a complex set of attacker actions in a simple visual format. This is crucial for executives seeking to quickly understand how an incident unfolded. Attacker behavior does not occur in a vacuum; being able to easily consume all of the context in a graphic format is invaluable.”

Let’s use as an example the Equifax Attack Flow, created by Lauren Parker here at the Center. The reports compiled to create this flow represent 70 pages of documentation. While the details and specifics buried in those pages are valuable to defenders, they may be overwhelming to non-practitioners. Creating an executive summary is the first step for conveying this information to decision makers. But executive summaries can fail to provide critical details. Instead of boring slides with static text, you can navigate Attack Flow visually to hold your audience’s attention, and ensure they not only hear but see your key points.

Tip: By using the “Jump to Parent/Children” function under “View”, you can move fluidly through the flow, zooming in on each step along the way.

Equifax Breach Attack Flow by Lauren Parker

Educate Using Current Events and Well-Known Breaches

The Equifax Breach is a particularly useful example of an Attack Flow because it is an incident that is well known even in the mainstream. This breach impacted the data of as many as 148 million individuals in the U.S. alone. It is not out of the question that even a member of senior leadership who is less informed on recent breaches might raise the specter of this breach to ask about an organization’s security posture. Whether or not this 2017 breach is relevant to your organization, it is still important to be able to answer the question rather than dismiss it. Even older breaches can be valuable tools for educating leadership on security principles that will help them make informed decisions going forward.

What are some valuable lessons you could impart to your senior leadership with these breaches? Take, for example, relating cyber breaches to business outcomes. Was something valuable stolen? Did the FTC impose fines? Did the company have to settle lawsuits? Did it damage their reputation? Do any executives have individual legal exposure?

Once you have established the context for understanding these breaches, Attack Flow can help you demonstrate a concrete comparison and contrast. How would you have fared in the same situation? You can show this with Attack Flow by mapping the breach that occurred onto your security controls.

Equifax Breach by Lauren Parker visualized using the Attack Flow Visualizer

Walking leadership through the Attack Flow step by step can be valuable for educating and informing. But for the purpose of demonstrating security posture as well as potential gaps, the Attack Flow Visualizer is a useful tool. In the example above, we can easily see the techniques used in the Equifax breach (the shaded cells) and the overall flow of the attack (the red arrows).

Using the Visualizer, defenders can upload their own coverage heatmap (or heatmaps for tools used in their environments) built in the MITRE ATT&CK® Navigator, and project an example Attack Flow onto it.

Demonstrate Measures Taken to Reduce Risk

When presenting to senior leadership, one common goal is to demonstrate how past investment in security has been put to work. This is a chance for defenders to show off their successes and their team’s hard work.

You may have noticed that the above heatmap is a little sparse! Switching from a view of the techniques used in the Equifax breach to a heatmap that shows defensive coverage for Enterprise ATT&CK techniques gives a foundation to start thinking strategically about your defensive posture against an attack. Here’s an example of a defensive coverage heatmap with an Attack Flow overlay.

Equifax Breach Attack Flow by Lauren Parker visualized. Layer based on FortiNDR Cloud.

Notice the gaps in this heat map — circled techniques from the attack flow that have no shading. These might be areas of concern for an organization. Or this flow can be used to demonstrate how the attack was interrupted at various points, thanks to the hard work a team has already done.

As Center member Taylor Parizo noted, “We’re using Attack Flow for just that scenario, explaining campaign activity in a visual top-down format. Breaking out conditionals, types of malware and how certain stages of the attack chain affect the next, it creates an easy-to-follow flow that focuses on more specific details.

We start our reporting by listing out all ATT&CK (sub)techniques with procedural examples and if applicable, artifacts like command line and registry keys. That data is then used to create the attack flow. By approaching it this way, it ensures our reporting is clear and that we’ve included the right amount of context for behaviors in order to make creating the attack flow much easier. It’s like a different way of proof-reading.”

State the “Ask” Clearly

Unfortunately, in the ever-evolving world of cybersecurity, it’s impossible to have 100% coverage against all threats. However, it is possible to reduce risk with the judicious application of resources, perhaps through new tools or training. Presentations to senior leadership and decision makers are often a key place for making the request for such resources.

Organizations have many demands on limited resources and unfortunately, when security is going well, it often becomes invisible, making it difficult to justify. It is paramount to explain the risk and demonstrate what is needed to decrease that risk. Don’t leave your decision makers guessing. Make a clear statement of what resources or tools are needed.

Interpret the Data

Some gaps are more important to fill than others. Sometimes, a level of risk is acceptable compared to the costs involved in reducing it to the theoretical minimum. By using the ATT&CK Navigator to create the defensive organization heatmap, and Attack Flow to demonstrate the impact of the adversary’s attack, it’s possible to quickly and easily show where security measures could be bulked up.

Note in the second example how some techniques are a lighter shade of purple, indicating less defensive coverage. In the case of “Exploit Public-Facing Application” under the Initial Access tactic, perhaps this defender would like to bulk up the defense of their public-facing applications. By using color gradation in this way, even a non-technical viewer can easily spot where more investment of resources might be needed.

It is also possible that an outside viewer would look at this heatmap and see that no further resources are necessary. Everything relevant to this one breach seems covered, so why worry? Rather than assume that even a simple diagram will be interpreted the way you intend, always offer your conclusions rather than asking the audience to work them out.

After all, if the costs are prohibitive or the level of risk acceptable, the most logical conclusion might be to not make any changes. The partial coverage already in place might be sufficient, given the sturdy coverage available at all the other points in the attack. Security is expensive. It’s not always possible to cover every eventuality. Some techniques might not even make sense for your organization to cover.

As Mark Haase, Chief Engineer for the Center noted, “The beauty of thinking about attacks as sequences (or “graphs”) is that you can say, ‘Hey, maybe this technique is hard to detect, but I’ve got this other chokepoint over here that I actually could detect.’ It is a common belief in cyber that ‘defenders have to block 100% of attacks to win, attackers only need to score one goal to win.’ But part of threat-informed defense is turning that around: ‘defenders only have to detect one attacker behavior before they evict them’.”

Tip: Sometimes organizations use a traffic light system of red-yellow-green to display coverage or lack thereof. However, that can lead to unnecessary alarm. It is a natural instinct to want to remove areas of red from a heatmap, but those areas might not be critical for your organization, and the red makes it look like there are widespread failures in the defensive posture. Using gradients of a single color has been found to help keep the discussion focused on critical areas of coverage, without big splotches of red to cause unnecessary alarm.
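The projection described above (an Attack Flow laid over a Navigator coverage layer, the first strongly covered step treated as the chokepoint, weak steps before it ranked as the gaps worth briefing, and a single-colour gradient for the output) can be scripted directly. The script below is an added example written for this article; it is not the Center’s Attack Flow Visualizer or Navigator code. It assumes the Attack Flow 2 STIX 2.1 object and field names (attack-flow with start_refs, attack-action with technique_id, name and effect_refs) and the Navigator layer fields techniqueID, score and gradient. The flow bundle, the coverage scores, the abbreviated STIX ids and the 75-point “strong” threshold are all constructed for the example.

```python
"""Overlay an Attack Flow onto an ATT&CK Navigator coverage layer and rank its gaps.

Added example, not the Center's tooling. Inputs are constructed inline so the
script runs offline; real inputs would be json.load()ed from an Attack Flow
STIX 2.1 file and a layer exported from ATT&CK Navigator.
"""
import json

# Constructed Attack Flow (STIX 2.1 bundle, abbreviated ids). Only the fields this
# script reads are present: attack-flow.start_refs and, on each attack-action,
# technique_id, name and effect_refs (the edge to the next object).
FLOW_BUNDLE = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "attack-flow", "id": "attack-flow--f1", "name": "constructed flow",
         "start_refs": ["attack-action--a1"]},
        {"type": "attack-action", "id": "attack-action--a1", "technique_id": "T1190",
         "name": "Exploit Public-Facing Application", "effect_refs": ["attack-action--a2"]},
        {"type": "attack-action", "id": "attack-action--a2", "technique_id": "T1505.003",
         "name": "Web Shell", "effect_refs": ["attack-action--a3"]},
        {"type": "attack-action", "id": "attack-action--a3", "technique_id": "T1552",
         "name": "Unsecured Credentials", "effect_refs": ["attack-action--a4"]},
        {"type": "attack-action", "id": "attack-action--a4", "technique_id": "T1041",
         "name": "Exfiltration Over C2 Channel", "effect_refs": []},
    ],
}

# Constructed Navigator layer: score 0-100 is the team's self-assessed detection
# coverage. A technique missing from the layer has no coverage at all.
COVERAGE_LAYER = {
    "name": "constructed detection coverage",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1190", "score": 30},
        {"techniqueID": "T1505.003", "score": 90},
        {"techniqueID": "T1041", "score": 60},
    ],
}

STRONG = 75  # assumed threshold: at or above this the team trusts the detection


def walk_flow(bundle):
    """Attack-actions in execution order, following effect_refs breadth-first
    from start_refs. Operators/conditions are traversed but not reported; each
    object is visited once, so a flow with a loop still terminates."""
    objs = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in objs.values() if o["type"] == "attack-flow")
    order, seen, queue = [], set(), list(flow["start_refs"])
    while queue:
        ref = queue.pop(0)
        if ref in seen or ref not in objs:
            continue
        seen.add(ref)
        obj = objs[ref]
        if obj["type"] == "attack-action":
            order.append(obj)
        queue.extend(obj.get("effect_refs", []))
    return order


def score_flow(bundle, layer, strong=STRONG):
    """Join each flow step with its layer score; label it gap, partial or strong."""
    scores = {t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}
    steps = []
    for i, action in enumerate(walk_flow(bundle), start=1):
        score = scores.get(action["technique_id"], 0)
        label = "gap" if score == 0 else "strong" if score >= strong else "partial"
        steps.append({"step": i, "technique_id": action["technique_id"],
                      "name": action["name"], "score": score, "coverage": label})
    return steps


def first_chokepoint(steps):
    """The first step the defender can reliably detect: where the attack is cut."""
    return next((s for s in steps if s["coverage"] == "strong"), None)


def gaps_that_matter(steps):
    """Weak steps before the first chokepoint. Later gaps rank lower because the
    adversary must get past the chokepoint undetected to ever reach them."""
    choke = first_chokepoint(steps)
    limit = choke["step"] if choke else len(steps) + 1
    return [s for s in steps if s["step"] < limit and s["coverage"] != "strong"]


def overlay_layer(bundle, layer, name="flow overlay"):
    """Navigator layer holding only the flow's techniques, shaded on a single
    purple gradient (no red/yellow/green), with the step number in the comment."""
    steps = score_flow(bundle, layer)
    out = {
        "name": name,
        "domain": layer["domain"],
        "description": "Attack Flow steps projected onto detection coverage",
        "techniques": [{"techniqueID": s["technique_id"], "score": s["score"],
                        "comment": f"step {s['step']}: {s['name']} ({s['coverage']})"}
                       for s in steps],
        "gradient": {"colors": ["#f3eefa", "#5b2a86"], "minValue": 0, "maxValue": 100},
    }
    if "versions" in layer:  # carry over the source layer's ATT&CK/layer version tags
        out["versions"] = layer["versions"]
    return out


if __name__ == "__main__":
    steps = score_flow(FLOW_BUNDLE, COVERAGE_LAYER)
    for s in steps:
        print(f"{s['step']}. {s['technique_id']:<10} {s['name']:<34} {s['score']:>3} {s['coverage']}")
    choke = first_chokepoint(steps)
    print("chokepoint:", choke["technique_id"] if choke else "none")
    print("gaps to brief:", [s["technique_id"] for s in gaps_that_matter(steps)])
    print(json.dumps(overlay_layer(FLOW_BUNDLE, COVERAGE_LAYER), indent=2))
```

On the constructed inputs the web shell step (T1505.003, score 90) is the chokepoint, so the only gap worth the leadership brief is the partial coverage of Exploit Public-Facing Application (T1190); the missing coverage for Unsecured Credentials (T1552) sits behind the chokepoint and is a lower-priority ask. Saving the printed JSON and opening it in ATT&CK Navigator gives the single-colour overlay the tip above recommends.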

Advanced Attack Flow Visualizing: Ragnar Locker

While a board member, or a member of senior leadership might ask about the organization’s defensive posture against an older, infamous breach like the Equifax Breach, more recent breaches may be more relevant to an organization and require ongoing briefs.

Take ransomware attacks, for example.

According to Fortinet’s “50 Ransomware Statistics and Latest Ransomware Trends for 2024”, which summarizes data from numerous sources across the industry, ransomware has seen a 13% increase each year since 2021, with 70% of businesses projected to suffer one or more ransomware attacks in subsequent years.

Ransomware continues to be a top-of-mind threat to organizations and one that probably won’t be going away any time soon. This is because ransomware and ransomware gangs are constantly evolving. Defenders are forced to evolve with them. Your presentations to senior leadership may be less about demonstrating that airtight security has already been established (insofar as it ever can be) and more of an ongoing negotiation of cost of resources vs. risk.

Let’s use Ragnar Locker as an example of the sort of ransomware threat you might need to brief your organization about. Ragnar Locker is the name of both a piece of ransomware and the gang that operates it. They are known to have breached the energy, critical manufacturing, financial services, government, and information technology sectors. This ransomware gang is part of a ransomware family, working with multiple ransomware variants and threat actor groups.

An Attack Flow based on the Ragnar Locker profile can be found here.

Attack Flow Visualizer — Ragnar Locker — Profile of a ransomware group by Mia Sanchez. Defensive coverage layer based on FortiNDR Cloud

The above mockup provides a more in-depth example of how a defender’s system would hold up against Ragnar Locker ransomware as defined in the Attack Flow. Note that while there are gaps in coverage, which may alarm senior leadership, not all of these gaps are necessarily relevant if the attack is stopped at an earlier stage where coverage is strong. Gaps may be areas in which additional tools or training are needed.

When speaking to leadership, it is important to provide clear data as well as a clear ask. Are more tools or training needed to cover certain gaps? Or, given cost and resources, are these gaps considered acceptable risk?

What’s Next?

Try it out for yourself!

Get Involved

We would love to hear about how you’re using our work! If you have any feedback or contributions you’d like to make to the project, please email us at ctid@mitre-engenuity.org or submit an issue via Github!

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0100


Maggie MacAlpine is the Cyber Engagement Lead for MITRE Engenuity’s Center for Threat Informed Defense.