Most of the posts in the past couple of months have focused on threat modeling tools and use cases. Process-level stuff is interesting, but how do we make sure the inputs are valid? My good friend Mark and I explore that with customers during our Cisco Live interactive breakout, and the things we learn are eye-opening! You can have all the process in the world, but if the inputs are trash, so too will be the outputs. How do we get to the root of it all: What scares you most? We need to ensure we aren’t just wasting our time, right? So how do we paint a great threat picture?
Continue readingTag: Threat Intelligence (Page 4 of 6)
If you are a security professional, MITRE’s ATT&CK is everywhere these days. Even in places it does not belong! That being said, there are a ton of tools, projects, and extensions to ATT&CK. Some are fundamental (like Navigator) while others are niche. How do we tell what is right for us? What projects are essential to power up your security program? For my upcoming Cisco Live presentation in February, I take a crack at mapping ATT&CK’s massive ecosystem to roles and functions. Am I off to a good start? Let’s me share how I tackled this and you can let me know!
Continue readingIf you take a look at the long list of breaches that make front-page news, you may think that a single framework can do a decent job of explaining the mechanisms. But that is not the case – some of the largest most famous breaches or vulnerabilities were web application related like the Equifax breach, Yahoo, First American, Facebook, and more. We can thank these breaches for endless credit monitoring – thanks folks! When we talked about MITRE ATT&CK, we discussed a very popular methodology that focused greatly on network and endpoint attacks. Web and application attack patters are missing, though, so how do we discuss a web or application threat? CAPEC helps us understand those web attack patterns and defend against them!
Continue readingWe’ve covered a lot of different angles to threat modeling. The main takeway for me is that there is no “best approach” – pick what makes sense to you! How you justify that is up to you, and hopefully less controversial than John Lennon’s denial that “Lucy in the Sky with Diamonds” was about LSD. Here we’re talking about the Diamond Model of Intrusion Analysis. This model describes an active event under investigation, but it is mentioned here because it is helpful to understand how this information so directly links to the other models we’ve discussed before. So what makes the Diamond Model a useful threat modeling tool for analysts on the front line?
Continue readingEarly adopters certainly focused on using ATT&CK for glamorous use cases like Threat Intelligence and Adversary Emulation. Conducting gap analysis with ATT&CK to prioritize engineering efforts is a high-return effort for you and your organization. It’s my favorite of the use cases because it can help any organization! Before the availability of CTI for everyone, many gap assessments conducted by organizations without dedicated threat intelligence teams. The only means available were often based on notional system architectures driven by market trends or vendor pressures. You may have experienced this yourselves – and you may have mountains of shelf-ware purchased in response to the latest fad. By leveraging CTI from frameworks like ATT&CK, you can now ensure that every defensive measure you take provides actual value in countering the threat actors and techniques that are likely to target you.
Continue reading