Feature - Mitre Attack Framework

Howdy guys, long time no post…

I have since become a permanent member of staff and am promoting Eramba where I'm working now, as it could save our bacon. I thought I'd run this idea past you, as Eramba can do about 95% of what I'm looking for, and I'm looking at cobbling together the last 5% with SharePoint Lists and Excel.

Problem: We are using the MITRE ATT&CK Framework to prioritise our SIEM detections, and use it to either rationalise our security technology stack or for purchasing new technology. I would like to know, for my security technology, what its potential coverage vs actual coverage on the framework is, and then add a lens of whether that TTP is prevented or detected.

The security technology should map to Internal Controls, Risks, Third Parties, and MITRE TTPs, both Potential and Actual. I think this is then different to Assets. Happy to be corrected.

Below are a couple of links for background info. If this is something you'd be interested in, I'm happy to jump onto a call to chat it through some more.

ATT&CK® Navigator (mitre-attack.github.io)

Our Work | Center for Threat-Informed Defense (mitre-engenuity.org)

Hi, interesting post. Without giving away too much information on a public forum, I'd like to get in touch with you on this subject.

Hey Erik. Happy for you to send a private message and we can connect.

Doesn't that defeat the purpose of having a forum? We'll never get the answer!

Whenever I see a post like this, I ask… why can’t this be done as a Compliance Package?

It seems like it would easily handle this - you’ve got a bunch of chapters and items and you’re going to map them to your risks, controls, etc.

I was looking at Compliance Packages. That's why I said it would do about 95% of what I'm looking for, but it's also the mapping of Potential and Actual coverage for security products against the ATT&CK Framework. Similarly, if you take NIST as an example, NIST Controls map to ATT&CK TTPs or Threats.

This kinda fits into the Threats section in the Risk Management section.

Hi scotman!

This was an idea a long time ago.

Hey Esteban.

Hopefully this depicts a bit better what I mean. ATT&CK TTPs are just Threats that are attached to Assets, which, if vulnerable, then become a Risk.

TTPs are mapped to NIST Controls (NIST 800-53 Control Mappings | Threat-Informed Defense Project (mitre-engenuity.org)), which are linked to internal controls and managed like any compliance program. There can be multiple TTPs linked to a NIST Control and multiple NIST Controls linked to a single TTP.

Underlying all of that, you then have security products that are designed to detect or prevent TTPs. Similar to, say, ISO 27001, you will only select controls based on your risk appetite and identified risks. The same is true of TTPs: if the Threat is not appropriate for your environment, you will not put in a countermeasure. This is the bit I'm struggling with just now. If I have a security product database, I would like to know what TTPs are configured for detection/prevention. On the flip side, if a new threat is identified and linked to a TTP, I would like to be able to review my catalogue of security products to see if a tool has the potential to cover said threat, or whether I need to go to market for a new technology to cover the identified threat.

Just to add, TTPs are updated every 6 months by MITRE ATT&CK.
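To make the data model described in the post above concrete, here is an added example (written for this page; it is not Eramba's code, not the poster's, and not the CTID mapping). It models the chain TTP -> NIST 800-53 control -> internal control as two many-to-many maps, gives each security product a "potential" (what it could cover once configured) and an "actual" (what is switched on today) set of TTPs with a detect/prevent lens, and answers both questions the post asks: what is covered now, and for a newly linked TTP whether to configure an owned tool or go to market. It then emits an ATT&CK Navigator layer so the result can be viewed in the tool linked at the top of the thread. The technique IDs are real ATT&CK IDs and the control IDs are real 800-53 controls, but the mapping between them, the internal control names, the three products and their settings are constructed for illustration; the Navigator layer field names are an assumption about the layer format.

```python
"""Added example: toy ATT&CK coverage model (potential vs actual, detect vs prevent).

All mappings and products below are constructed for illustration only and are
NOT the CTID NIST 800-53 mapping or any real product's capabilities.
"""
from dataclasses import dataclass
import json

DETECT, PREVENT = "detect", "prevent"

# Constructed sample mapping TTP -> NIST 800-53 controls (illustrative, not CTID's).
TTP_TO_NIST = {
    "T1566": {"AT-2", "SI-3", "SI-4"},  # Phishing
    "T1059": {"CM-7", "SI-4"},          # Command and Scripting Interpreter
    "T1078": {"AC-2", "IA-2", "SI-4"},  # Valid Accounts
    "T1003": {"AC-6", "SI-4"},          # OS Credential Dumping
    "T1486": {"CP-9", "SI-3"},          # Data Encrypted for Impact
    "T1110": {"AC-7", "IA-5"},          # Brute Force: the "new threat" in the triage below
}

# Constructed sample mapping NIST control -> internal control IDs (hypothetical names).
NIST_TO_INTERNAL = {
    "AT-2": {"IC-07 awareness training"}, "SI-3": {"IC-12 endpoint malware protection"},
    "SI-4": {"IC-20 SIEM monitoring"},    "CM-7": {"IC-15 application control"},
    "AC-2": {"IC-03 account lifecycle"},  "IA-2": {"IC-04 MFA"},
    "AC-6": {"IC-05 least privilege"},    "CP-9": {"IC-30 backups"},
    "AC-7": {"IC-06 lockout policy"},     "IA-5": {"IC-08 password policy"},
}

@dataclass
class Product:
    name: str
    potential: dict  # TTP -> modes the product could cover once configured
    actual: dict     # TTP -> modes actually configured in production today

# Constructed product catalogue (hypothetical products and settings).
PRODUCTS = [
    Product("EDR",
            potential={"T1059": {DETECT, PREVENT}, "T1003": {DETECT, PREVENT},
                       "T1486": {DETECT, PREVENT}},
            actual={"T1059": {DETECT}, "T1003": {DETECT, PREVENT}}),  # T1486 never switched on
    Product("Email gateway",
            potential={"T1566": {DETECT, PREVENT}},
            actual={"T1566": {PREVENT}}),
    Product("SIEM",
            potential={"T1078": {DETECT}, "T1059": {DETECT}, "T1003": {DETECT}},
            actual={"T1078": {DETECT}}),
]

def reverse_map(mapping):
    """Invert a many-to-many mapping {a: {b, ...}} into {b: {a, ...}}."""
    out = {}
    for a, bs in mapping.items():
        for b in bs:
            out.setdefault(b, set()).add(a)
    return out

NIST_TO_TTP = reverse_map(TTP_TO_NIST)  # which TTPs does a single NIST control address?

def internal_controls_for_ttp(ttp):
    """Follow the chain TTP -> NIST 800-53 controls -> internal controls."""
    return set().union(*(NIST_TO_INTERNAL.get(n, set()) for n in TTP_TO_NIST.get(ttp, ())))

def coverage(products, ttp):
    """Potential vs actual coverage of one TTP, split by detect/prevent."""
    cov = {"potential": {DETECT: set(), PREVENT: set()},
           "actual": {DETECT: set(), PREVENT: set()}}
    for p in products:
        for mode in p.potential.get(ttp, ()):
            cov["potential"][mode].add(p.name)
        for mode in p.actual.get(ttp, ()):
            cov["actual"][mode].add(p.name)
    return cov

def triage(products, ttp):
    """For a threat linked to `ttp`: already covered, configure an owned tool, or go to market."""
    cov = coverage(products, ttp)
    for mode in (PREVENT, DETECT):  # prevention outranks detection
        if cov["actual"][mode]:
            return ("covered", mode, sorted(cov["actual"][mode]))
    candidates = cov["potential"][PREVENT] | cov["potential"][DETECT]
    if candidates:
        return ("configure", None, sorted(candidates))
    return ("procure", None, [])

SCORE = {"procure": 0, "configure": 1, DETECT: 2, PREVENT: 3}

def navigator_layer(products, ttps, name="Coverage (potential vs actual)"):
    """Build an ATT&CK Navigator layer dict. Field names are an assumption about the
    Navigator layer format; adjust the "versions" block to match your Navigator build."""
    techniques = []
    for ttp in sorted(ttps):
        status, mode, who = triage(products, ttp)
        techniques.append({"techniqueID": ttp,
                           "score": SCORE[mode or status],
                           "comment": f"{status}: {', '.join(who) or 'no product in catalogue'}"})
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "gradient": {"colors": ["#ffffff", "#ff6666", "#ffff66", "#66ff66"],
                         "minValue": 0, "maxValue": 3},
            "techniques": techniques}

if __name__ == "__main__":
    for ttp in sorted(TTP_TO_NIST):
        print(ttp, triage(PRODUCTS, ttp), sorted(internal_controls_for_ttp(ttp)))
    print(json.dumps(navigator_layer(PRODUCTS, TTP_TO_NIST), indent=2))
```

Run as-is, the triage shows the three outcomes the post distinguishes: T1486 comes back as "configure" (the EDR could cover it but nothing is switched on, so no purchase is needed), T1110 comes back as "procure" (nothing in the catalogue can cover it), and the rest are "covered" with the strongest configured mode. Re-running the same triage after each six-monthly ATT&CK release, with the TTP-to-control map refreshed, is what keeps the potential/actual picture current.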

Hi,

How is what you want to see different from DeTT&CT?

Hey Erik,

It is close to what I'm trying to achieve. I am trying to get a single source. This is great as a gap analysis of the toolset. I would like to map them to my compliance analysis as well. This helps with the Statement of Applicability as to why we might not choose a control or have one as a higher priority. Likewise, for security incidents, if we can map these back to TTPs, both successful and unsuccessful, we can see where security controls are failing. I find a lot of tools doing parts of this and have to piece the information together.