The Value of a Threat-Centric Approach to Cybersecurity Readiness

In an era of rapidly evolving cyber threat actors and attacks, organizations must be proactive and adaptive in their defense strategies. A threat-centric approach allows entities to anticipate and counter potential attacks, rather than merely reacting to specific incidents.

In this blog post, we’ll discuss MITRE ATT&CK capabilities and threats; MITRE D3FEND skill mapping and capabilities; and threat sophistication level.

MITRE ATT&CK Overview

A proactive defense strategy begins with a threat-centric approach to identify key skills and capabilities. The MITRE D3FEND framework is a great reference for all possible defensive actions. 

The MITRE ATT&CK framework is a standardized knowledge base of Adversary Techniques, Tactics & Common Knowledge which lets us categorizes threat actions. Similarly, D3FEND breaks up defensive actions into techniques and groups into categories of tactics.

Most organizations aren't going to do all of these techniques in house, and so we can break down the complexity by defining levels of each technique based on the knowledge and skill required. This is called a defensive capability representing an implemented technique.

  • Managed capability: System managed by a third party (e.g. security provider or software company). The security professional needs to know the capability in order to select and implement the required capabilities.
  • Tailored capability: Function that has been tailored for a given environment. The security professional needs to understand how to use the capability and make changes (e.g., tuning) for a specific environment.
  • Optimized capability: Process that requires the professional to be able to apply the defensive technique using various tool sets in order to be effective. This could include baselining an environment and alerting on deviations or creating a specific policy that only allows known good forms of behavior. This is the highest effort but it is required to find the most evasive offensive capabilities.

For example, consider the Dynamic Analysis skill as we move through the levels of increasing capability and defensive effort.

  • Knows: Learners develop the ability to use a commercial sandbox tool to execute suspicious files and observe their behavior in a controlled environment, suitable for identifying public malware.
  • Understands: Learners learn to choose the appropriate sandbox environment for specific files, gaining the knowledge needed to use and configure the sandbox tool for particular use cases, sufficient for detecting most altered malware.
  • Applies: Learners acquire the expertise to manually step through the execution of a file in a debugger, such as Ghidra, to analyze the behavior of sophisticated malware, necessary for finding bespoke malware.

Threat levels turn vague terms such as "Operating System Monitoring" into concrete actions that can be implemented and measured. The large matrix of security capabilities can be reduced to the detect-and-defend-against threats that matter the most to you. The D3FEND framework is linked to ATT&CK via a digital artifact ontology, which means these defensive capabilities can be matched to the threat capabilities they mitigate at each level. This allows leaders to focus on developing the defensive skills that map to the threats they are most concerned about.

Generally, most organizations are concerned about vague threats like "ransomware" or "data loss." The trouble comes when choosing defensive strategies because these broad categories lack precision and vary wildly in terms of attacker and defender effort.

RangeForce Threats

RangeForce cybersecurity threats are names that specify the who, what, how, and why of cyber-attack. A threat encompasses more than just a single offensive technique or tactic; it must be a sequence of actions executed over time to compromise a target with a specific goal in mind.

For example, Cybercrime Ransomware actors employ various methods to compromise a target with the ultimate objective of encrypting sensitive data and extorting the organization for monetary gain. Less sophisticated actors might use more opportunistic attacks to achieve similar goals, which is the Commodity Ransomware threat. The end goal of both types of actors is the same—encrypting data to extort money. But the methods, tactics, and technologies they employ can vary significantly, which means organizations need different defensive strategies for each.

The goal of ATT&CK is to map out all known techniques used by adversaries to gain access and compromise their targets, but similar to D3FEND it doesn’t attempt to specify sophistication or effort. Thus the threat-centric model leverages a new definition— an attack capability is a weaponized ATT&CK technique.

Each ATT&CK technique has a range of weaponized forms that can be public (common), altered (uncommon), or bespoke (rare). These capability levels are defined as:

  • Public: How many hours would it take to target a public capability for a single target? Measurement of how readily available/skill the capability is.
  • Altered: How many hours are needed to alter a public capability for a single target? Measurement of how much additional time/skill is needed to alter a public technique but still be fundamentally the same.
  • Bespoke: How many hours are needed to develop a bespoke capability for a single target? Measurement of how much time it would take to come up with a completely novel sub-technique or method.

MITRE D3FEND Techniques

These ATT&CK capabilities can be mitigated by the D3FEND techniques at the corresponding capability level.

D3FEND Capability

Mapped Skill

Mitigates ATT&CK Capability

Description

Managed

Knows

Public

Managed capabilities are best against public threats with a distinctive IoC (signature).

Tailored

Understands

Altered

This can include managing block lists for different products or managing alerts around types of behaviors in order to mitigate altered capabilities that still use identifiable TTPs.

Optimized

Applies

Bespoke

Expert-level, optimized knowledge of a technique is required to find bespoke threats.

 

Leveling is important for measuring and learning relevant skills without wasting effort on simple things that your current organizational maturity has mastered, or high sophistication threats you will never see.

It is important to note that just because a D3FEND technique correlates to an ATT&CK technique, it will not always work against it. There is an element of risk management in terms of specific deployments which can be mitigated by having multiple D3FEND capabilities providing coverage for each key action a cyber threat will take. This means there is a limited set of D3FEND capabilities (knowledge and skills) for each threat, which can be found by combining the ATT&CK capability definition with RangeForce threat definitions.

The RangeForce Threat-Centric Approach

RangeForce threats exist within a specific sophistication level which is defined as how much effort the threat actor is willing to put into a specific target. Defining threats this way enables us to set an important scope around what types of actions they are capable of, and thus what types of defensive actions need to be built. It is often also helpful to combine related threats into threat categories which helps security organizations understand their current and future maturity. 

Within each threat category (e.g. Ransomware), there are specific levels of threats based on threat sophistication level, defined as the amount of time they are willing to put into each engagement.

Threat Sophistication Level

Targets

Hours of Effort per Target

TTPs Used

Opportunistic Actors

Example: Script Kiddie

Anyone susceptible to available attacks

<1

Publicly-available, requiring low skill to use and target

Prudent Actors

Example: low-level e-crime

Industries or countries of interest

1

Paid or publicly-available, requiring medium skills, e.g., exploit toolkits

Emerging Actors

Example: most e-crime

Industries or countries of interest

10

Some altered public tools and paid tools. May have interactive capabilities, e.g., Metasploit

Established Actors

Example: most nation-states

Specific organizations to include collection and attacks

100

Mainly internally-developed tools and capabilities. Limited numbers of targets

Strategic Actors

Example: high level nation-states

Specific organizations to include collection and attacks

1000+

Whatever gives the best OPSEC for the situation. Very limited use of the capabilities

Threat sophistication level has profound impact on the ATT&CK capabilities available to the organization and thus which D3FEND capabilities your organization needs to effectively mitigate the threat.

RangeForce's learning modules and defensive team threat exercises are mapped to these categories, providing a comprehensive understanding of the cyber threat landscape while enabling targeted upskilling of security personnel. This threat-centric methodology empowers organizations to prioritize the threats most pertinent to their operations.

This strategic combination ensures that security professionals are equipped with the most relevant and up-to-date skills needed to tackle evolving cyber threats. This model applies to organizations of all sizes, from those with a single security practitioner to those with hundreds.

Ready to assess your team's current level and start threat-centric capability development? Schedule a demo today!