The conclusions highlight the strengths of the MITRE ATT&CK framework: as a knowledge base, as a means of identifying the techniques an attacker is most likely to use, and as a common reference between risk assessment and detection (e.g. the SOC, Security Operations Center).
They also highlight its drawbacks: it requires a very detailed assessment, with a heavy associated workload, and the framework's contents miss some cases, since it focuses mostly on technical risks originating from an external attacker.
It can be used as a risk identification technique in EBIOS RM workshop #4, either to derive operational scenarios or to enrich them with detailed data. However, none of the approaches studied here offers a definitive and easy way to achieve this.
Compared with other risk identification techniques, such as the standard EBIOS RM one, using MITRE ATT&CK would produce more detailed results, but at the cost of additional workload and greater complexity, requiring advanced skills and experience. As a rough comparison, an analysis using ATT&CK is about 2 times more valuable but 5 times more expensive.
Accordingly, using the MITRE ATT&CK framework in a risk assessment context should be subject to conditions (set out in the conclusion of this document), but it can prove valuable if used properly and if the context allows it. Using ATT&CK in EBIOS RM:
- Enables mapping of risks against SOC detection means, and facilitates interaction between "risk teams" and "SOC teams"
- Can leverage data on implemented mitigations (where such data exists and is of good quality) for likelihood assessment and for proposing risk treatment
- Enables a deep-dive into the details, for the (quite uncommon) cases where such a level of detail is required
Regular surveys and investigations on the topic could prove helpful in the future, since the ATT&CK framework is regularly improved, and additional tooling may also reduce the workload while still producing the same valuable assessment.