This document discusses how to use the MITRE ATT&CK framework to help quantify cybersecurity risk and prioritize security projects. It outlines some of the challenges in measuring risk impact and likelihood, and how ATT&CK can provide standardized threat data to help estimate risk reduction from security controls. Examples are given showing how ATT&CK tactics and techniques can be mapped to existing security solutions to help compare solutions and demonstrate risk reduction through quantitative metrics. Some limitations are also discussed around needing time to calibrate estimates and the simplifications in the examples.

1. MEASURE WHAT MATTERS: HOW TO USE
MITRE ATT&CK TO DO THE RIGHT THINGS
IN THE RIGHT ORDER

2. curl http://169.254.169.254/latest/meta-data/profile
Daniel Wyleczuk-Stern (he/him)
@Daniel_Infosec

3. Agenda
• Assumptions
• The Problem
• Books & Principles
• The Main Idea
• Examples
• Devil’s Advocate and Disclaimers

4. Assumptions
• Security is technical risk management
• Leadership needs to spend just enough to reduce risk to an
appropriate level
• Our field is not good at quantitative risk management yet
Risk Reduction ROI =
Reduction in Risk ($) – Cost of Control ($)
Cost of Control ($)
Risk = Likelihood x Impact
Reduction in risk = (Annualized Rate of Occurrence) x (Expected Monetary Loss) x
(Decrease in Risk Probability)

5. The Problem
How do you calculate all that?
How do we measure impact/likelihood?
How do we estimate how much risk we
will reduce by implementing a solution?
How do we ensure standardization across
multiple potential projects?

6. Books

7. Guiding Principles
Your problem is not
as unique as you
think
You have more data
than you think
You need less data
than you think
An adequate
amount of new data
is more accessible
than you think
Some reduction in
uncertainty is better
than none
Risk quantification is
possible through
understanding
threats

8. Application Security Gets It
Results:
Standardized,
repeatable, and
defendable threat
models
Threat Property Violated
Spoofing Authentication
Tampering Integrity
Repudiation Non-Repudiation
Information
Disclosure
Confidentiality
Denial of Service Availability
Elevation of Privilege Authorization
STRIDE Framework

9. The Main Idea
• Use ATT&CK TTPs in your threat models
• Helps with:
– Consistency
– Estimates/research
– Standardization
– Measurements!

10. SO MUCH DATA!!!
https://www.rapid7.com/research/report/2020-threat-report/

11. DIY Data

12. Impact Data Exists
Cost of a Data Breach Report - 2019

13. Examples
Threat modeling and measurement with
ATT&CK helps avoid recency bias
VS
$50k/month $5k/month

14. PAM Before

15. PAM After

16. Impact Before

17. Impact After

18. Passwordless SSO

19. Passwordless SSO

20. Impact Before

21. Impact Before

22. Devil’s Advocate
• Isn’t this just threat modeling with
ATT&CK?
• You can’t just make up numbers!
• These examples are too simple

23. Disclaimers
• You have to invest time in calibrating your
people (CTI is a good first group)
• This can be hard - still learning and
improving at my current organization

24. Questions?

25. Misc References
• https://github.com/vlegoy/rcATT
• https://www.rapid7.com/research/report/2020-threat-report/
• https://github.com/mitre-attack/tram
• https://insights.sei.cmu.edu/sei_blog/2018/12/threat-
modeling-12-available-methods.html
• https://www.accenture.com/_acnmedia/PDF-96/Accenture-
2019-Cost-of-Cybercrime-Study-Final.pdf
• https://www.ibm.com/downloads/cas/ZBZLY7KL
• https://securitybulwark.com/ (for their PAM image)
• https://medium.com/@nopasswordlogin/passwordless-as-a-
service-3b8fd43a796e (for the passwordless login image)