In an era of rapidly evolving cyber threat actors and attacks, organizations must be proactive and adaptive in their defense strategies. A threat-centric approach allows entities to anticipate and counter potential attacks, rather than merely reacting to specific incidents.
In this blog post, we’ll discuss MITRE ATT&CK capabilities and threats; MITRE D3FEND skill mapping and capabilities; and threat sophistication level.
A proactive defense strategy begins with a threat-centric approach to identify key skills and capabilities. The MITRE D3FEND framework is a great reference for all possible defensive actions.
The MITRE ATT&CK framework is a standardized knowledge base of Adversarial Tactics, Techniques, and Common Knowledge that lets us categorize threat actions. Similarly, D3FEND breaks defensive actions into techniques and groups them into categories of tactics.
Most organizations aren't going to implement all of these techniques in house, so we break down the complexity by defining levels for each technique based on the knowledge and skill required. A technique implemented at a given level is called a defensive capability.
For example, consider the Dynamic Analysis skill as we move through the levels of increasing capability and defensive effort.
Threat levels turn vague terms such as "Operating System Monitoring" into concrete actions that can be implemented and measured. The large matrix of security capabilities can be reduced to the detection and defense capabilities for the threats that matter most to you. The D3FEND framework is linked to ATT&CK via a digital artifact ontology, which means these defensive capabilities can be matched to the threat capabilities they mitigate at each level. This allows leaders to focus on developing the defensive skills that map to the threats they are most concerned about.
Generally, most organizations are concerned about vague threats like "ransomware" or "data loss." The trouble comes when choosing defensive strategies because these broad categories lack precision and vary wildly in terms of attacker and defender effort.
RangeForce cybersecurity threats are named definitions that specify the who, what, how, and why of a cyber-attack. A threat encompasses more than a single offensive technique or tactic; it is a sequence of actions executed over time to compromise a target with a specific goal in mind.
For example, Cybercrime Ransomware actors employ various methods to compromise a target with the ultimate objective of encrypting sensitive data and extorting the organization for monetary gain. Less sophisticated actors might use more opportunistic attacks to achieve similar goals, which is the Commodity Ransomware threat. The end goal of both types of actors is the same—encrypting data to extort money. But the methods, tactics, and technologies they employ can vary significantly, which means organizations need different defensive strategies for each.
The goal of ATT&CK is to map out all known techniques used by adversaries to gain access to and compromise their targets, but like D3FEND it doesn't attempt to specify sophistication or effort. The threat-centric model therefore introduces a new definition: an attack capability is a weaponized ATT&CK technique.
Each ATT&CK technique has a range of weaponized forms that can be public (common), altered (uncommon), or bespoke (rare). These capability levels are defined as:
These ATT&CK capabilities can be mitigated by the D3FEND techniques at the corresponding capability level.
| D3FEND Capability | Mapped Skill | Mitigates ATT&CK Capability | Description |
|---|---|---|---|
| Managed | Knows | Public | Managed capabilities are best against public threats with a distinctive IoC (signature). |
| Tailored | Understands | Altered | This can include managing block lists for different products or managing alerts around types of behaviors in order to mitigate altered capabilities that still use identifiable TTPs. |
| Optimized | Applies | Bespoke | Expert-level, optimized knowledge of a technique is required to find bespoke threats. |
Leveling is important for measuring and learning relevant skills without wasting effort on simple things that your current organizational maturity has already mastered, or on high-sophistication threats you will never see.
It is important to note that just because a D3FEND technique correlates to an ATT&CK technique, it will not always work against it. There is an element of risk management in specific deployments, which can be mitigated by having multiple D3FEND capabilities provide coverage for each key action a cyber threat will take. This means there is a limited set of D3FEND capabilities (knowledge and skills) for each threat, which can be found by combining the ATT&CK capability definition with RangeForce threat definitions.
RangeForce threats exist within a specific sophistication level which is defined as how much effort the threat actor is willing to put into a specific target. Defining threats this way enables us to set an important scope around what types of actions they are capable of, and thus what types of defensive actions need to be built. It is often also helpful to combine related threats into threat categories which helps security organizations understand their current and future maturity.
Within each threat category (e.g. Ransomware), there are specific levels of threats based on threat sophistication level, defined as the amount of time they are willing to put into each engagement.
| Threat Sophistication Level | Targets | Hours of Effort per Target | TTPs Used |
|---|---|---|---|
| Opportunistic Actors (Example: Script Kiddie) | Anyone susceptible to available attacks | <1 | Publicly-available, requiring low skill to use and target |
| Prudent Actors (Example: low-level e-crime) | Industries or countries of interest | 1 | Paid or publicly-available, requiring medium skills, e.g., exploit toolkits |
| Emerging Actors (Example: most e-crime) | Industries or countries of interest | 10 | Some altered public tools and paid tools. May have interactive capabilities, e.g., Metasploit |
| Established Actors (Example: most nation-states) | Specific organizations to include collection and attacks | 100 | Mainly internally-developed tools and capabilities. Limited numbers of targets |
| Strategic Actors (Example: high level nation-states) | Specific organizations to include collection and attacks | 1000+ | Whatever gives the best OPSEC for the situation. Very limited use of the capabilities |
Threat sophistication level has a profound impact on the ATT&CK capabilities a threat actor can bring against the organization, and thus on which D3FEND capabilities your organization needs to effectively mitigate the threat.
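The two ideas above, that each key action of a threat should be covered by more than one D3FEND capability at a level that matches the attack capability, and that the actor's sophistication level scopes which attack capabilities are in play, can be turned into a small coverage check. The following is an added example, not code from the post or from RangeForce or MITRE. The Public/Altered/Bespoke and Managed/Tailored/Optimized levels and their pairing come from the mapping table; everything else is an assumption: that a higher D3FEND level also covers the levels below it, the sophistication-to-capability ceiling read off the "TTPs Used" column, and the constructed sample threat, ATT&CK technique IDs and D3FEND technique names in `build_sample()`, which are illustrative rather than taken from the D3FEND ontology.

```python
"""Threat-centric coverage check (added example, constructed data)."""
from dataclasses import dataclass
from enum import IntEnum


class AttackLevel(IntEnum):
    """Weaponized form of an ATT&CK technique."""
    PUBLIC = 1    # common
    ALTERED = 2   # uncommon
    BESPOKE = 3   # rare


class DefendLevel(IntEnum):
    """Implemented form of a D3FEND technique."""
    MANAGED = 1    # skill: Knows
    TAILORED = 2   # skill: Understands
    OPTIMIZED = 3  # skill: Applies


# Mapping table from the post: each D3FEND level mitigates the ATT&CK level of
# the same rank. Assumption: a higher level also covers the levels below it.
MITIGATES = {
    DefendLevel.MANAGED: AttackLevel.PUBLIC,
    DefendLevel.TAILORED: AttackLevel.ALTERED,
    DefendLevel.OPTIMIZED: AttackLevel.BESPOKE,
}
REQUIRED_LEVEL = {attack: defend for defend, attack in MITIGATES.items()}

# Assumption read off the "TTPs Used" column of the sophistication table: the
# most developed attack capability an actor at each level normally fields.
SOPHISTICATION_CEILING = {
    "opportunistic": AttackLevel.PUBLIC,
    "prudent": AttackLevel.PUBLIC,
    "emerging": AttackLevel.ALTERED,
    "established": AttackLevel.BESPOKE,
    "strategic": AttackLevel.BESPOKE,
}


@dataclass(frozen=True)
class AttackCapability:
    technique: str        # ATT&CK technique ID, e.g. "T1566"
    level: AttackLevel


@dataclass(frozen=True)
class DefendCapability:
    technique: str        # D3FEND technique name
    level: DefendLevel
    mitigates: frozenset  # ATT&CK technique IDs this deployment addresses


@dataclass
class Threat:
    name: str
    sophistication: str   # key of SOPHISTICATION_CEILING
    actions: tuple        # ordered sequence of AttackCapability


def covers(defend: DefendCapability, attack: AttackCapability) -> bool:
    """True if the deployment is mapped to the technique and implemented at a
    level that mitigates the attack capability's weaponization level."""
    return (attack.technique in defend.mitigates
            and MITIGATES[defend.level] >= attack.level)


def coverage_report(threat: Threat, inventory, min_redundancy: int = 2) -> dict:
    """Classify each threat action as out_of_scope (beyond the actor's
    sophistication ceiling), gap (no coverage), single (fewer covering
    capabilities than min_redundancy), or ok, with the required D3FEND level."""
    ceiling = SOPHISTICATION_CEILING[threat.sophistication]
    report = {}
    for action in threat.actions:
        entry = {"required": REQUIRED_LEVEL[action.level].name, "covered_by": []}
        if action.level > ceiling:
            entry["status"] = "out_of_scope"
        else:
            entry["covered_by"] = [d.technique for d in inventory if covers(d, action)]
            n = len(entry["covered_by"])
            entry["status"] = "gap" if n == 0 else "single" if n < min_redundancy else "ok"
        report[action.technique] = entry
    return report


def build_sample() -> tuple:
    """Constructed sample: a Commodity Ransomware threat run by an emerging
    e-crime actor, and a small defensive inventory (illustrative mappings)."""
    threat = Threat("Commodity Ransomware", "emerging", (
        AttackCapability("T1566", AttackLevel.PUBLIC),   # Phishing
        AttackCapability("T1059", AttackLevel.ALTERED),  # Command and Scripting Interpreter
        AttackCapability("T1486", AttackLevel.PUBLIC),   # Data Encrypted for Impact
        AttackCapability("T1027", AttackLevel.BESPOKE),  # Obfuscated Files or Information
    ))
    inventory = (
        DefendCapability("File Analysis", DefendLevel.MANAGED, frozenset({"T1566", "T1027"})),
        DefendCapability("Dynamic Analysis", DefendLevel.TAILORED, frozenset({"T1566", "T1059"})),
        DefendCapability("Script Execution Analysis", DefendLevel.MANAGED, frozenset({"T1059"})),
    )
    return threat, inventory


if __name__ == "__main__":
    sample_threat, sample_inventory = build_sample()
    for tid, entry in coverage_report(sample_threat, sample_inventory).items():
        print(f"{tid}: {entry['status']:<12} needs {entry['required']:<9} covered by {entry['covered_by']}")
```

Run as a script, the sample shows the four outcomes the post's model distinguishes: phishing is covered twice, the altered scripting action is covered only by the Tailored Dynamic Analysis capability (the Managed Script Execution Analysis deployment is rated for Public threats only, so it does not count), the encryption action has no coverage at all, and the Bespoke obfuscation action is scoped out because an emerging actor is not expected to field it.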
RangeForce's learning modules and defensive team threat exercises are mapped to these categories, providing a comprehensive understanding of the cyber threat landscape while enabling targeted upskilling of security personnel. This threat-centric methodology empowers organizations to prioritize the threats most pertinent to their operations.
This strategic combination ensures that security professionals are equipped with the most relevant and up-to-date skills needed to tackle evolving cyber threats. This model applies to organizations of all sizes, from those with a single security practitioner to those with hundreds.
Ready to assess your team's current level and start threat-centric capability development? Schedule a demo today!