Turn Your Threat Model to Supermodel with ATT&CK
Written by Tyler Schechter
Cybersecurity teams use threat modeling as a critical component of defensive cyber operations to understand and reduce threats to their systems and environments. To stay up to date on various threats, teams rely on cyber threat intelligence (CTI) reporting. Increasingly, CTI vendors providing these reports characterize adversarial behaviors in the form of tactics, techniques and procedures (TTPs) using MITRE ATT&CK®. Teams need a scalable and repeatable process to combine relevant adversary TTPs with theorized adversarial behaviors used in threat modeling methodologies like Attack Trees, STRIDE, or PASTA.
Recognizing the need for this process, the Center for Threat-Informed Defense (Center) created the Threat Modeling with ATT&CK project. We want cybersecurity teams to integrate ATT&CK into threat modeling methodologies and we want developers to understand and prioritize defenses against relevant threat behaviors. This project unites these defenders under ATT&CK to create more secure systems and environments.
At the core of all threat modeling activities are four key questions, outlined in the Threat Modeling Manifesto and used in other popular guides like OWASP’s threat modeling process:
· Question 1 — What are we working on?
· Question 2 — What could go wrong?
· Question 3 — What are we going to do about it?
· Question 4 — Did we do a good job?
These questions are typically answered using a mix of industry-standard threat modeling methodologies like Attack Trees, STRIDE, or PASTA. Partnering with AttackIQ, Citigroup, HCA Healthcare, Infineon Technologies, JPMorgan Chase Bank, and Verizon Business, the Center’s process provides steps to integrate ATT&CK into existing methodologies to improve your answers to each question above. The process, summarized below, allows your team to leverage your existing CTI data and tools to prioritize the most concerning threat behaviors while striking a balance between theoretical and observed threats. On the Center’s project website, you will find detailed instructions, videos, and examples of each of the below steps applied to a fictional Internet of Things (IOT) device called the Ankle Monitoring Predictor of Stroke (AMPS).
Question 1 — What are we working on?
“What are we working on” establishes the ground truth for the system you want to threat model — what it does, what it’s made of, what it talks to, and so on. We realized early on that there wasn’t much standardized guidance out there as to how a team goes about answering this question in a simple and repeatable way. We used data flow diagrams (DFDs) to capture components and information exchanges of a system or application. But The question remains: for which components do we build a DFD? More importantly, where in our organization do we get this information?
The Center’s process explains relevant documentation, stakeholders, and even recommends a few types of meetings that will improve data gathering. The process also provides a means to identify the critical components within a given system’s DFD: Mission and System decomposition and functional thread analysis. Using this process, analysts can identify critical tasks that must be performed for the system to successfully accomplish its function(s) and highlight the critical components of a system that those critical tasks rely upon.
Question 2 — What could go wrong?
“What could go wrong” directly addresses the ‘threat’ portion of ‘threat modeling’. To answer this question, teams typically use a mix of structured threat enumeration methods like Attack Trees, STRIDE, or PASTA to capture and categorize the types of threats against a given component identified in Question 1. Using Attack Trees as an example methodology, the Center’s process provides a step-by-step breakdown of how to best leverage your existing CTI data and tools with ATT&CK as a common language between observed behaviors and theorized capabilities. The Center explains how to include theoretical and evidence-based threat research into your methodology of choice while tailoring each threat’s importance to your specific organizational need.
Above is a graphical representation of the process outlined in detail on the Center’s site. Following it will allow your team to accurately prioritize threat behavior by striking the appropriate balance between theory and evidence. Our example illustrates the process with Attack Trees, and is generalizable to handle your method of choice (e.g., STRIDE) in its place. In the process you can also use your own CTI to get a comprehensive view of threats against your system.
Question 3 — What are we going to do about it?
“What are we going to do about it” is where threat modeling directly impacts and changes your system. You can build your list of potential threats, but the impact comes when you identify means of mitigating those threats. In this step of the process, you compare prioritized threat TTPs from Question 2 to your organization’s security stack to determine whether you have the capability to defend against some of these threats.
This is where a detailed understanding of your security stack’s capabilities is necessary. Don’t have intimate knowledge of these capabilities? No problem! The Center’s process applies Mappings Explorer to show how some of the most common technology platform security capabilities map to the ATT&CK framework.
The Threat Modeling with ATT&CK process overlays threat TTPs and defensive capabilities to determine which relevant TTPs can be mitigated and to what extent. The result is a map of the residual risk posed by TTPs given your current security posture. The Center recommends a few ways to search for mitigations to these residual risk TTPs and chief among them are those mitigations recommended in each technique or sub-technique’s page on ATT&CK’s website.
Question 4 — Did we do a good job?
“Did we do a good job” is a chance to pause and reflect on the success of your modeling activities.
While out of scope for the Center’s work, this step of the process poses high-level questions to evaluate the impact of your work and determine when to reevaluate your threat models.
Anticipate and Mitigate
This process bridges the gap between industry-standard threat modeling methodologies and ATT&CK, enabling cyber defenders to focus on the activity of threat modeling with understanding of adversary behaviors. Meaningful integration of ATT&CK creates a threat-informed process and helps practitioners focus priorities and understand how an adversary could compromise systems. The creation of this threat modeling process enables organizations of any size or maturity level to model threats to their own assets and in their own environments in combination with their existing tools and CTI data. Visit our site for the entire process along with examples and tutorial videos. Don’t wait! Become the model for threat modeling today!
Get Involved
We want to hear from teams out there who have brainstormed their own ways to integrate ATT&CK into threat modeling methodologies. We’d also love to hear from anyone else who gives the process a try. Your feedback and any examples trying this on your own systems would continue to advance the standard process of Threat Modeling with ATT&CK. For any general or technical questions contact ctid@mitre-engenuity.org directly.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2024 MITRE Engenuity. Approved for Public Release. Document number CT01222.
