Approaches for applying MITRE ATT&CK framework in EBIOS RM Operational Scenarios

This study explores different approaches for using MITRE ATT&CK (a knowledge base of past security incidents) as a risk identification technique, within the frame of EBIOS RM (a security risk assessment methodology). It discusses the relevance of these approaches, and of the overall use of MITRE ATT&CK for risk assessment.

Conclusions highlight the strengths of the MITRE ATT&CK framework: as a knowledge base, as a means to discover the techniques most likely to be used by an attacker, and as a common reference between risk and detection teams (e.g. a SOC, Security Operations Center).

They also highlight its drawbacks: it requires diving into a very detailed assessment, with a heavy associated workload, and the framework's contents miss some cases, as it focuses mostly on technical risks coming from an external attacker.

It can be used as a risk identification technique in EBIOS RM workshop #4, for drawing operational scenarios or for adding detailed data to them. However, none of the approaches studied here offers a definitive and easy way to achieve this.

Compared to other risk identification techniques such as the EBIOS RM standard one, using MITRE ATT&CK would generate more detailed results but at the cost of an additional workload and a greater complexity requiring advanced skills and experience. A rough comparison would be that an analysis using ATT&CK is 2 times more valuable but 5 times more expensive.

Accordingly, using the MITRE ATT&CK framework in a risk assessment context should be subject to conditions – exposed in the conclusion of this document – but can prove valuable if exploited properly and if the context enables it. Using ATT&CK in EBIOS RM:

  • Enables mapping of risks against SOC detection means, and facilitates interaction between “Risk teams” and “SOC teams”
  • Can leverage data on implemented mitigations (when such data exist and are of good quality) for likelihood assessment and risk treatment proposals
  • Enables a deep-dive into the details, for the (quite uncommon) cases where such a level of detail is required

Regular surveys and investigations on the topic could prove helpful in the future, as the ATT&CK framework is regularly improved, and additional tools may also reduce the workload while still producing the same valuable assessment.
