Enterprise Threat Modeling and ATT&CK

After spending some time working with the ATT&CK threat model, which is primarily aimed at modeling threats from a systems perspective, I have been wondering what other frameworks are available to model threats from an organisational or business-unit perspective, and which of them can also support integration with ATT&CK.


The following document:

Enterprise Threat Model Technical Report: Cyber threat model for a notional financial services sector institution

describes the practical application of a threat model to an organization in the financial services sector. The threat model it applies is defined in a second document:

Enhanced Cyber Threat Model for Financial Services Sector (FSS) Institutions

While the second document defines the threat model to apply, the first provides a practical example of applying it. Both documents are of particular interest if you want to understand how threat modeling works above the system level. Additionally, the model supports the following use cases:

  • Cybersecurity technology foraging
  • Cybersecurity test case development for technology validation
  • Cyber wargaming scenario development

Last but not least, it is also of particular interest to the Cyber Threat Intelligence community, especially those in a strategic or risk role, as it demonstrates the interconnection between the Cyber Risk Management and Cyber Threat Intelligence disciplines.

From a practical standpoint, the technical reports apply the Enterprise Threat Model in the following steps:

  • Create a business enclave view that maps the relationships between business applications and the network architecture


  • Create the inherent risk profile (using the FFIEC Cybersecurity Assessment Tool, CAT)
  • Map the cybersecurity controls and defensive capabilities in place across the organization


  • Apply the Enterprise Threat Model, mapping the threat events to business networks and enclaves


  • Build an attack scenario for a particular business network or enclave against the threat model and the technology and operations construct of the identified business unit. This is the step where ATT&CK is used to model an APT as a potential scenario. The results of this step provide an assessment of the cyber defensive technology and processes in place, and support informed choices about acquiring new solutions or closing existing gaps in the control posture.


This model allows the defensive suite of an enterprise to be mapped against its high-level network topology and business lines. At the same time, the defensive suite can be mapped against the threat events to identify whether, and how, each of them is mitigated by the current defensive mechanisms. Threat events that are not mitigated, or only partially mitigated, are residual risks and represent an opportunity for the adversary. Identifying this residual risk can guide decisions such as updates to the organization's control posture, technology foraging, cyber wargaming, and risk analysis.
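The residual-risk mapping described above, as an added example that is not part of the original post or of the MITRE reports: a small Python model in which the controls deployed in each business enclave declare full or partial coverage of ATT&CK techniques, and any threat event that no control in an enclave fully mitigates is reported as residual risk for that enclave. The enclave names, controls and coverage levels are constructed sample data; the technique IDs are real ATT&CK Enterprise IDs.

```python
from dataclasses import dataclass

# Constructed sample data for a notional institution with two business enclaves.
# Technique IDs are real ATT&CK Enterprise IDs; enclaves, controls and coverage
# levels are made up for this illustration.

@dataclass
class Control:
    name: str
    enclave: str    # business enclave where the control is deployed
    coverage: dict  # technique id -> "full" or "partial" mitigation

@dataclass
class ThreatEvent:
    technique: str  # ATT&CK technique id
    description: str
    enclaves: list  # business enclaves exposed to this event

CONTROLS = [
    Control("MFA on remote access", "Retail Banking", {"T1078": "full", "T1021": "partial"}),
    Control("Email security gateway", "Retail Banking", {"T1566": "partial"}),
    Control("Offline backups", "Retail Banking", {"T1486": "full"}),
    Control("EDR on servers", "Treasury", {"T1003": "full", "T1486": "partial"}),
]

THREAT_EVENTS = [
    ThreatEvent("T1566", "Phishing", ["Retail Banking", "Treasury"]),
    ThreatEvent("T1078", "Valid Accounts", ["Retail Banking", "Treasury"]),
    ThreatEvent("T1003", "OS Credential Dumping", ["Retail Banking", "Treasury"]),
    ThreatEvent("T1486", "Data Encrypted for Impact", ["Retail Banking", "Treasury"]),
]

STRENGTH = {"full": 2, "partial": 1}  # ordering used to pick the strongest control

def residual_risk(controls, events):
    """Return {enclave: {technique: "partial" | "unmitigated"}} for every threat
    event that no control deployed in that enclave fully mitigates; fully
    mitigated events are omitted because they carry no residual risk."""
    result = {}
    for ev in events:
        for enc in ev.enclaves:
            best = max((STRENGTH.get(c.coverage.get(ev.technique), 0)
                        for c in controls if c.enclave == enc), default=0)
            if best < STRENGTH["full"]:
                result.setdefault(enc, {})[ev.technique] = "partial" if best else "unmitigated"
    return result

if __name__ == "__main__":
    for enclave, gaps in residual_risk(CONTROLS, THREAT_EVENTS).items():
        print(enclave, gaps)
```

The per-enclave gaps it prints are the input for the last step of the procedure: choosing which enclave and which unmitigated techniques an ATT&CK-based scenario should exercise.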

The model supports the three levels of cyber threat modeling; however, it has its limitations, as it does not cover cloud computing. It is only a matter of time until the community gains more experience with attack patterns and techniques against the cloud, at which point the community repositories of attack information will grow in this area and can be incorporated into this framework to model scenarios that include cloud environments.

Referenced documents:

  • Enhanced Cyber Threat Model for Financial Services Sector (FSS) Institutions (ATT&CK/CAPEC version)
  • Enterprise Threat Model Technical Report: Cyber Threat Model for a Notional Financial Services Sector Institution
  • FFIEC Cybersecurity Assessment Tool (CAT)
