
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the Right Order

From MITRE ATT&CKcon Power Hour January 2021

By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake

Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks Wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs. attack chaining, as well as what to measure and how to make decisions with that data.


  1. Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the Right Order
  2. curl Daniel Wyleczuk-Stern (he/him) @Daniel_Infosec
  3. Agenda • Assumptions • The Problem • Books & Principles • The Main Idea • Examples • Devil’s Advocate and Disclaimers
  4. Assumptions
     • Security is technical risk management
     • Leadership needs to spend just enough to reduce risk to an appropriate level
     • Our field is not good at quantitative risk management yet
     Risk Reduction ROI = (Reduction in Risk ($) – Cost of Control ($)) / Cost of Control ($)
     Risk = Likelihood x Impact
     Reduction in Risk = (Annualized Rate of Occurrence) x (Expected Monetary Loss) x (Decrease in Risk Probability)
  5. The Problem • How do you calculate all that? • How do we measure impact/likelihood? • How do we estimate how much risk we will reduce by implementing a solution? • How do we ensure standardization across multiple potential projects?
  6. Books
  7. Guiding Principles • Your problem is not as unique as you think • You have more data than you think • You need less data than you think • An adequate amount of new data is more accessible than you think • Some reduction in uncertainty is better than none • Risk quantification is possible through understanding threats
  8. Application Security Gets It
     Results: Standardized, repeatable, and defendable threat models
     STRIDE Framework:
       Threat                  Property Violated
       Spoofing                Authentication
       Tampering               Integrity
       Repudiation             Non-Repudiation
       Information Disclosure  Confidentiality
       Denial of Service       Availability
       Elevation of Privilege  Authorization
  9. The Main Idea • Use ATT&CK TTPs in your threat models • Helps with: – Consistency – Estimates/research – Standardization – Measurements!
  10. SO MUCH DATA!!!
  11. DIY Data
  12. Impact Data Exists: Cost of a Data Breach Report - 2019
  13. Examples: Threat modeling and measurement with ATT&CK helps avoid recency bias ($50k/month vs. $5k/month)
  14. PAM Before
  15. PAM After
  16. Impact Before
  17. Impact After
  18. Passwordless SSO
  19. Passwordless SSO
  20. Impact Before
  21. Impact Before
  22. Devil’s Advocate • Isn’t this just threat modeling with ATT&CK? • You can’t just make up numbers! • These examples are too simple
  23. Disclaimers • You have to invest time in calibrating your people (CTI is a good first group) • This can be hard - still learning and improving at my current organization
  24. Questions?
  25. Misc References
     • modeling-12-available-methods.html
     • 2019-Cost-of-Cybercrime-Study-Final.pdf
     • (for their PAM image)
     • service-3b8fd43a796e (for the passwordless login image)
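The prioritization the deck sketches on slides 4, 9 and 13 (Risk = Likelihood x Impact; Reduction in Risk = ARO x Expected Monetary Loss x Decrease in Risk Probability; ROI = (Reduction in Risk – Cost of Control) / Cost of Control, computed over the ATT&CK techniques in a threat model and used to order candidate controls), worked through as an added example. This is not code from the talk or from Snowflake. The technique list uses real ATT&CK technique IDs purely as labels; the ARO and loss estimates, the per-technique coverage each control is assumed to provide, and the two control costs (the $50k/month and $5k/month figures from slide 13) are constructed inputs chosen only to make the arithmetic visible.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Technique:
    """One ATT&CK technique in the threat model, with calibrated estimates attached."""
    ttp_id: str           # ATT&CK technique ID, used as the join key between model and controls
    name: str
    aro: float            # Annualized Rate of Occurrence (expected events per year)
    expected_loss: float  # Expected Monetary Loss per occurrence, in dollars


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs per year and how much it cuts each technique's probability."""
    name: str
    annual_cost: float
    # ttp_id -> Decrease in Risk Probability (0.0 = no effect, 1.0 = technique fully prevented)
    coverage: Dict[str, float]


def risk(t: Technique) -> float:
    """Risk = Likelihood x Impact, using ARO as likelihood and expected loss as impact."""
    return t.aro * t.expected_loss


def total_risk(threat_model: Iterable[Technique]) -> float:
    """Annualized risk of the whole threat model before any new control."""
    return sum(risk(t) for t in threat_model)


def reduction_in_risk(control: Control, threat_model: Iterable[Technique]) -> float:
    """Reduction in Risk = sum over techniques of ARO x Expected Loss x Decrease in Probability.

    Techniques the control does not touch contribute nothing (coverage defaults to 0.0).
    """
    return sum(risk(t) * control.coverage.get(t.ttp_id, 0.0) for t in threat_model)


def risk_reduction_roi(control: Control, threat_model: Iterable[Technique]) -> float:
    """Risk Reduction ROI = (Reduction in Risk - Cost of Control) / Cost of Control."""
    if control.annual_cost <= 0:
        raise ValueError("cost of control must be positive to compute ROI")
    saved = reduction_in_risk(control, threat_model)
    return (saved - control.annual_cost) / control.annual_cost


def rank_controls(controls: Iterable[Control],
                  threat_model: List[Technique]) -> List[Tuple[str, float, float]]:
    """Order candidate controls by ROI, highest first: the 'right order' to do things in.

    Returns (control name, reduction in risk, ROI) per control.
    """
    scored = [(c.name, reduction_in_risk(c, threat_model), risk_reduction_roi(c, threat_model))
              for c in controls]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed threat model: real ATT&CK IDs, made-up (but internally consistent) estimates.
THREAT_MODEL: List[Technique] = [
    Technique("T1078", "Valid Accounts", aro=2.0, expected_loss=400_000),
    Technique("T1110", "Brute Force", aro=1.0, expected_loss=150_000),
    Technique("T1003", "OS Credential Dumping", aro=0.5, expected_loss=1_000_000),
    Technique("T1566", "Phishing", aro=3.0, expected_loss=100_000),
]

# Constructed controls; the monthly costs echo slide 13's $50k/month vs $5k/month comparison,
# and the coverage values are assumptions, not measurements.
PAM = Control("PAM", annual_cost=50_000 * 12,
              coverage={"T1078": 0.5, "T1003": 0.6, "T1110": 0.2})
PASSWORDLESS_SSO = Control("Passwordless SSO", annual_cost=5_000 * 12,
                           coverage={"T1078": 0.4, "T1110": 0.9, "T1566": 0.5})

if __name__ == "__main__":
    print(f"Total annualized risk: ${total_risk(THREAT_MODEL):,.0f}")
    for name, reduction, roi in rank_controls([PAM, PASSWORDLESS_SSO], THREAT_MODEL):
        print(f"{name:18s} reduction=${reduction:,.0f}  ROI={roi:.2f}")
```

With these inputs PAM removes more absolute risk ($730k vs $605k per year) but the cheaper passwordless SSO project has the far higher ROI, which is the ordering signal the talk is after; the raw cost alone ($50k/month vs $5k/month) would not tell you that. The ranking is only as good as the ARO, loss and coverage estimates feeding it, which is why slide 23 puts calibrating the people who supply them (CTI first) ahead of the arithmetic.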