Blog Post

Cyber Risk Quantification Based on the MITRE ATT&CK® Framework

March 15, 2023

Table of Contents

As the frequency and complexity of cybersecurity risks continue to grow, it is becoming increasingly important for organizations to adopt advanced tools, innovative approaches, and risk models that can help detect the root causes of cyber exposure. One means of doing so is to adopt the open MITRE ATT&CK framework (MITRE), a comprehensive, defensible taxonomy of common tactics, techniques, and procedures (TTPs) cyber attackers use to compromise information systems and steal data.

Leveraging the MITRE Attack Framework to Accurately Model Cyber Risk

As one of several open cybersecurity standards Kovrr’s models align with, the MITRE framework is leveraged to capture the observed core behaviors from both the attacker and defender before, during, and after an incident. The CRQ models capture the likely objective of the attack and the tactics and techniques used by different adversaries to achieve a specific action within the company. Simultaneously, this open framework also accounts for the specific defenses or control measures that organizations can implement to disrupt the attack chain in the future. 

By adopting the MITRE framework into our CRQ methodology, Kovrr is able to model realistic attack behavior based on a wide base of industry expertise. Our models map the MITRE framework to align with common cybersecurity maturity control frameworks such as CIS, NIST, and ISO, replicating the company defenses, calculating the risk reduction already achieved from investment, plus the effectiveness of any future planned security control upgrade.

Proactively Protecting Against the Most Commonly Used Cyber Attack Methods

Kovrr's cyber risk quantification platform breaks down the probability of specific attack vectors affecting different asset groups or leading to various types of events. By analyzing this data with the MITRE attack framework, a CISO can identify actionable insights, such as which adversary tactics and techniques pose the greatest threat to their organization. With this information, the CISO can determine if the organization’s current security defenses are sufficient to protect against these threats and plan the next round of security investments.‍

Effectively Identifying and Mitigating Vulnerabilities Most Likely to be Exploited

Kovrr's platform provides a comprehensive approach to cyber threat management by aligning simulated events with the MITRE attack framework and using industry-wide frequency data to inform its approach. Leveraging this methodology, a CISO can determine if their current security controls are preparing them to mitigate the most critical vulnerabilities now and in the future. If not, the CISO can make more informed decisions and take data-driven action to address these vulnerabilities and root causes of cyber risk and strengthen their company's security controls accordingly.

Acknowledging and Accounting for MITRE Weaknesses

Although undeniably robust, the open framework does not come without its limitations. ⁤⁤The current standardized version, for instance, focuses more on Advanced Persistent Threat (APT) tactics than organized crime techniques, potentially neglecting novel initial vectors. ⁤⁤The framework also faces hierarchical structure issues, either being completely overlooked or radically inconsistent. ⁤

⁤Fortunately, these limitations have not been ignored, and MITRE is actively working on expanding its coverage and has introduced an enterprise version to provide a more comprehensive, diverse view of cyber threats. ⁤In the meantime, to account for these framework weaknesses, Kovrr has adopted proprietary calibration models that include incidents from all adversaries.

Ensuring a Comprehensive Understanding of Cyber Risk at the Board Level

Kovrr's cyber risk quantification platform enables the export of all the attack vectors, allowing a CISO to use the raw data during high-level stakeholder meetings. By supporting the MITRE attack framework along with other open cybersecurity standards, Kovrr's CRQ gives CISOs a clearer, more granular understanding of their risk exposure. With this detailed information, the cybersecurity leader can make more accurate, defensible reports to executive leaders and the board, providing the necessary information to make informed decisions about cybersecurity investments and initiatives.

To MITRE or Not to MITRE?: Assessing the Benefits

While there is no universally adopted open framework for the classification of cyber attacks, MITRE is undoubtedly one of the most standardized, comprehensive approaches for modeling an organization’s unique cyber risk profile. It evaluates events that have occurred in the wild and maps their life cycle, starting with reconnaissance and ending with the final impact. The entire attack matrix includes:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

This attack framework ultimately allows for highly targeted mitigation efforts, even offering actionable mitigation recommendations according to the attack technique. For instance, if an organization finds that they have a high likelihood of experiencing an attack due to a phishing scam and wants to reduce it, the CISO, according to MITRE's recommendations, would invest in audit, network intrusion prevention, and software configuration controls, to name a few.

Even more helpful, common cybersecurity frameworks, such as NIST, CIS, and ISO, can be aligned with MITRE, making it extremely easy to discern which controls correlate with minimizing the likelihood of specific TTPs being used. 

Another benefit of leveraging the MITRE ATT&CK framework is that it is constantly updated to reflect the evolving risk landscape. As threat actors find new TTPs to exploit system vulnerabilities, MITRE accounts for them and enhances the framework accordingly. In doing so, this framework keeps cyber risk managers informed of cyber risk root causes and, thereby, well-prepared to address emerging threats with appropriate defensive measures. 

The Risk of Not Using the MITRE Attack Framework With CRQ

The level of granularity provided by the MITRE framework is unparalleled, offering CISOs and senior stakeholders alike a more nuanced understanding of the specific risks and attack scenarios the organization faces. When using a CRQ approach that does not incorporate this detailed framework, however, CISOs miss out on crucial insights, making it all the more challenging to develop cyber risk management strategies that accurately prioritize initiatives and cost-effectively allocate the budget.

Furthermore, not utilizing MITRE for cyber risk quantification assessments leaves organizations left to connect the identified vulnerabilities and potential attack scenarios with specific control measures manually. For example, a CRQ evaluation may illuminate that a company faces a 68% annual likelihood of a data breach caused by human error, leading to a $5 billion loss. However, because that particular evaluation does not use the MITRE framework, risk managers must independently determine the controls--such as user training, access management, or monitoring--necessary to mitigate this risk.

This process can be extremely time-consuming, prone to error, and, therefore, less effective. By not aligning with the TTPs outlined in the MITRE framework, CRQ assessment results are inherently blurred, and cyber risk managers may end up implementing broad, less-honed cybersecurity programs.

Gaining Deeper, More Detailed Insights With Kovrr’s CRQ Models

Kovrr’s CRQ models capture how the cyber event plays out in three stages, per the MITRE framework.

Implementing the MITRE cyber attack framework at a high level, Kovrr's models are able to capture the core behaviors seen by both the attacker and the defender (or victim) during an incident. Specifically, our methodology accounts for the initial access tactics, network propagation patterns, and the attack's objective or scope of the damage. This robust approach offers a more nuanced understanding of the cyber risk scenarios an organization faces and equips CISOs to assess specific security control impacts.

Moreover, this granularity allows cybersecurity leaders to tailor strategies, ensuring resources are optimized and budgets are appropriately allocated. By harnessing MITRE in this way, Kovrr's CRQ solution helps organizations proactively address specific vulnerabilities and align defense measures with the evolving risk landscape.

To learn more about Kovrr’s CRQ models, the various open cybersecurity standards they support, and how the MITRE ATT&CK framework specifically is harnessed for more accurate, detailed cyber risk assessments, contact one of our cyber risk management experts or schedule a free demo today.

Ariel Antoni

Product Manager

Peter Dyson

Insurance Modeling Specialist

More Blog Posts
Explore All Blog Posts
Industry Recognition