A popular method that organizations lean on to reduce their cybersecurity risks is marrying a popular tool that cyber pros consult when they analyze hacking groups — in a way they think everyone can use.
The project to conjoin the National Institute of Standards and Technology’s cybersecurity framework and MITRE ATT&CK framework, announced Tuesday, comes with backing from big players: JPMorgan Chase, a nonprofit center operated by an offshoot of MITRE, the cybersecurity company AttackIQ and the nonprofit Center for Internet Security that’s perhaps best known for its work with state and local governments.
The idea behind the mapping project is to harmonize the risk management sides of cyber with the threat intelligence side of cyber, via models that any organization can employ. Usually unifying those two sides would be something that only a large outfit, like the U.S. military or major investment banks, would be able to pull off, AttackIQ said in a white paper. This project aims to make it more widely available.
“You bought all these security controls,” said Carl Wright, chief commercial officer of AttackIQ. “You have all these security people. You have all these processes. Can you detect or block all known adversary behaviors?”
The Center for Threat-Informed Defense at MITRE Engenuity — a spinoff of MITRE, a federally-funded not-for-profit — made 6,300 individual links between the latest version of the NIST framework and ATT&CK.
One way to use the “mappings” that connected hacking group techniques in ATT&CK to the security controls of the NIST framework would be to look at which controls are relevant to how an adversary operates to bolster defenses against it, said Richard Struse, director of the center.
The center’s mapping itself isn’t an idea it invented; other organizations have had similar projects, Struse said, but that wasn’t the point.
“What we saw any opportunity to do with the center’s R&D project was to do a really thorough job of doing a mapping document,” he said, “then make it available so that other organizations that maybe were thinking that mapping, they can just start with what we have, and then go in, tune it and validate and make it relevant to their organization.”
AttackIQ, for instance, said that it is using the mapping project in one of its products to “directly illustrate gaps and identify risks that arise through non-compliance” with the NIST framework, which is mostly voluntary but mandatory in some places, such as federal agencies.
The project is going to require steady upkeep to match shifting techniques of hacking groups, Struse said.