Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework provides a rich and actionable repository of adversarial tactics, techniques, and procedures. Its innovative approach has been broadly welcomed by both vendors and enterprise customers in the industry, and it is used for adversary emulation, red teaming, and behavioral analytics development as well as for defensive gap analysis and SOC (Security Operations Center) maturity assessment. While extensive research has analyzed either specific attacks or the organizational culture and human behavior factors that lead to such attacks, a holistic view of the association between the two is currently missing. In this paper, we present our research results on associating a comprehensive set of organizational and individual culture factors (as described in the cyber-security culture framework we developed) with security vulnerabilities mapped to specific adversary behaviors and patterns using the MITRE ATT&CK framework. In doing so, we exploit MITRE ATT&CK's possibilities in a scientific direction that has not yet been explored: security assessment and defensive design, a step prior to its current application domain. The proposed cyber-security culture framework was originally designed for critical infrastructures and, more specifically, the energy sector. Organizations in these domains exhibit a co-existence and strong interaction of IT (Information Technology) and OT (Operational Technology) networks. As a result, we focus our effort on the hybrid MITRE ATT&CK for Enterprise and ICS (Industrial Control Systems) model as a broader and more holistic approach. The results of our research can be utilized in an extensive set of applications, including the efficient organization of security procedures and the enhancement of security readiness evaluation results by providing more insight into imminent threats and security risks.