Deriving insights from a cybersecurity assessment requires the structure of real-world threat narratives. Companies in third-party roles operate in different industries, are subject to varied threats, and are used by their customers in distinct ways. Whether assessing a company’s inherent risk or prioritizing control gaps for remediation, CyberGRX must contextualize each third party with the applicable threats for their industry along with how customers actually engage with them. For threat modeling, we have long made use of killchains mapped to our assessment questions. Recent enhancements to the MITRE ATT&CK framework and taxonomy have made it possible to integrate even more closely with the cyber-attack lifecycle described there.
MITRE’s framework provides CyberGRX with the concepts and definitions necessary to future-proof our assessment methodology and facilitate integration with threat feeds and other data sources.
Our custom threat repository, containing over a hundred use cases, is derived from multiple sources and enumerates the type of adversary, their target(s), and the attack lifecycle (aka killchain) as a series of MITRE techniques used to achieve the compromise. CyberGRX mapped each of these attack techniques into our assessment questions to discover the controls that can mitigate them and identify the supporting controls that indirectly affect their efficacy. Every control is linked to the types of assets it protects so that the customer’s tailored view of conveyed risk from that third party is reflected.
The aggregate threats and their lifecycles of attack steps combine to create a graph-based series of threat interactions. Here we see a representative Phishing attack that employs 9 techniques across 6 tactical goals to disclose sensitive email. It is highlighted among a grayed-out backdrop of all the applicable threats this company faces, each of which varies in the complexity of the attack; some have only a few steps but others, like Advanced Persistent Threats (APTs), may have dozens.
Techniques that are common to many threats or that occur at critical junctures in the graph achieve prominence and are sized larger. When a technique is mitigated well, by virtue of high-performing assessment answers, it is colored a darker green. The overall analysis of all this information reveals a great deal of insight, from inherent risk (for when the assessment is not yet available), to residual risk (after actual assessment answers are applied), to prioritized controls in need of remediation (low-performing controls common to many prominent attack techniques). CyberGRX exchange customers use this information to get a customized perspective of each third party’s control risks rather than a one-size-fits-all control comparison.
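The prioritization idea described above can be sketched in a few lines. This is an added example, not CyberGRX's code or scoring model: the threats, control names, 0..1 assessment scores and the weighting formula are constructed assumptions, and prominence here only counts how many threats share a technique, not its position in the graph.

```python
from collections import Counter

# Constructed sample data. Technique IDs are real ATT&CK IDs; the threats,
# control names and 0..1 assessment scores are hypothetical.
THREATS = {
    "phishing_email_disclosure": ["T1566", "T1204", "T1078", "T1114"],
    "ransomware": ["T1566", "T1204", "T1059", "T1486"],
    "web_app_compromise": ["T1190", "T1059", "T1078", "T1041"],
}
TECHNIQUE_CONTROLS = {
    "T1566": ["email_filtering", "security_awareness"],
    "T1204": ["security_awareness", "endpoint_protection"],
    "T1078": ["mfa"],
    "T1114": ["mfa", "mail_audit_logging"],
    "T1059": ["endpoint_protection"],
    "T1486": ["backups"],
    "T1190": ["patch_management"],
    "T1041": ["egress_monitoring"],
}
CONTROL_SCORES = {
    "email_filtering": 0.9, "security_awareness": 0.4, "endpoint_protection": 0.7,
    "mfa": 0.1, "mail_audit_logging": 0.6, "backups": 0.8,
    "patch_management": 0.5, "egress_monitoring": 0.3,
}

def technique_prominence(threats):
    """Count how many threat lifecycles use each technique."""
    return Counter(t for chain in threats.values() for t in set(chain))

def technique_mitigation(technique):
    """Mean assessment score of the controls mapped to a technique."""
    scores = [CONTROL_SCORES[c] for c in TECHNIQUE_CONTROLS[technique]]
    return sum(scores) / len(scores)

def prioritized_controls(threats):
    """Rank controls by gap (1 - score) weighted by the prominence of
    every technique they mitigate; highest first (assumed formula)."""
    prominence = technique_prominence(threats)
    priority = Counter()
    for tech, count in prominence.items():
        for control in TECHNIQUE_CONTROLS[tech]:
            priority[control] += count * (1 - CONTROL_SCORES[control])
    return sorted(priority.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for control, weight in prioritized_controls(THREATS):
        print(f"{control:22s} {weight:.2f}")
```

With this sample data, a weak control mapped to techniques shared by several threats outranks an equally weak control that guards a single, less common technique.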
Last year MITRE went live with sub-techniques that had been in preview for nearly a year. This new structure organized many techniques into higher level descriptive categories and moved the more specific approaches underneath those. These two levels are much more suitable for modeling the behavior of an adversary at a more conceptual level.
CyberGRX has been actively refreshing and modernizing our threat database to build upon the MITRE ATT&CK framework. For many users of the exchange, the changes will be subtle, appearing as more accurate risk determinations and better identification of the most relevant control gaps that deserve remediation. For our more advanced users and customers, leveraging ATT&CK opens the door for more compelling visualizations, better data integrations, and improved ways of identifying third-party outliers in an often-dynamic threat landscape.