Understanding the Predicted Coverage Across MITRE Tactics Chart
What is the MITRE framework?
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques built from real-world observations. It classifies attacker behaviour by objective (tactic) and method (technique), supports attribution, and is used to develop threat models and methodologies and to assess an organization's risk.
To learn more, visit our in-depth MITRE ATT&CK Framework Knowledge Base article.
How do I read the radar (spider) chart?
A radar chart displays data across several quantitative variables. Each spoke on this chart originates at 0 in the center and extends to 100 at the outer edge, and a tactic's value is plotted along its spoke. Because every variable is normalized to the same 0 to 100 scale, the distance from the center to the maximum is identical on every spoke.
Connecting the plotted values forms a closed band around the center, and the enclosed region is shaded to aid readability.
The radar chart lets you compare variables at a glance and makes the outliers that matter to you immediately visible.
What do the different categories mean? (Source)
- Initial Access - Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.
- Execution - Execution consists of techniques that result in adversary-controlled code running on a local or remote system.
- Persistence - Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
- Privilege Escalation - Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
- Defense Evasion - Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.
- Credential Access - Credential Access consists of techniques for stealing credentials like account names and passwords.
- Discovery - Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.
- Lateral Movement - Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
- Collection - Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.
- Command and Control - Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network.
- Exfiltration - Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it.
- Impact - Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.
What do the Predictive Minimum, Value, and Maximum dotted lines represent?
When attested data is available, a clear data point can be plotted; when it is not, we fall back on our predictive data, which has up to 91% accuracy.
The middle line represents the Predicted Value from our analysis of Exchange and outside-in data mapped to the MITRE ATT&CK framework, while the Predictive Minimum and Predictive Maximum lines bound our confidence around that value.
How are the Predictive Minimum and Maximum bands and Predictive Value determined?
The predictive analysis workflow queries a Bayesian network to sample a broad distribution of potential assessment outcomes. For each sampled outcome, the predicted control answers are analyzed to determine how well each MITRE ATT&CK technique and tactic has been mitigated. For instance, if many security controls relating to the "Command and Control" tactic are predicted to be in place, that tactic will score higher. The resulting distribution of tactic scores is then banded at the 15th, 50th, and 85th percentiles: the 50th percentile gives the typical (median) tactic effectiveness, and the 15th to 85th percentile range gives the most probable outcomes.
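As an added illustration of the banding step described above (example code written for this article, not the product's predictive model): a Monte Carlo stand-in in which hypothetical control predictions are sampled independently instead of jointly from a Bayesian network, each sampled outcome is scored per tactic as the share of that tactic's mitigating controls present, and the per-tactic distributions are cut at the 15th, 50th and 85th percentiles. The control names, the control-to-tactic mapping and the probabilities are all constructed.

```python
"""Monte Carlo banding of predicted tactic coverage.

Added example: a simplified stand-in for the workflow described above, not the
product's model. Control IDs, the control-to-tactic mapping and the predicted
probabilities are all constructed for illustration.
"""
import math
import random
from typing import Dict, List, Tuple

# Hypothetical controls and the ATT&CK tactics each one helps mitigate (constructed).
CONTROLS: Dict[str, List[str]] = {
    "egress_filtering": ["Command and Control", "Exfiltration"],
    "dns_monitoring": ["Command and Control"],
    "proxy_tls_inspection": ["Command and Control", "Exfiltration"],
    "dlp": ["Exfiltration"],
    "mfa": ["Initial Access", "Credential Access"],
    "email_filtering": ["Initial Access"],
    "edr": ["Execution", "Defense Evasion"],
    "application_allowlisting": ["Execution"],
}

# Predicted probability that each control is in place (constructed). In the real
# workflow these would be joint draws from a Bayesian network; here each control is
# sampled independently, which is a simplifying assumption.
PREDICTIONS: Dict[str, float] = {
    "egress_filtering": 0.9,
    "dns_monitoring": 0.6,
    "proxy_tls_inspection": 0.4,
    "dlp": 0.3,
    "mfa": 0.95,
    "email_filtering": 0.8,
    "edr": 0.7,
    "application_allowlisting": 0.2,
}


def tactic_scores(present: Dict[str, bool]) -> Dict[str, float]:
    """Score one sampled assessment outcome: for each tactic, the percentage (0-100)
    of its mitigating controls that are present. Controls missing from `present`
    count as absent."""
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for control, tactics in CONTROLS.items():
        for tactic in tactics:
            totals[tactic] = totals.get(tactic, 0) + 1
            if present.get(control, False):
                hits[tactic] = hits.get(tactic, 0) + 1
    return {t: 100.0 * hits.get(t, 0) / n for t, n in totals.items()}


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a non-empty list of values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def predicted_bands(
    predictions: Dict[str, float],
    samples: int = 2000,
    seed: int = 1,
    low: float = 15,
    mid: float = 50,
    high: float = 85,
) -> Dict[str, Tuple[float, float, float]]:
    """Sample `samples` assessment outcomes and band each tactic's score
    distribution into (Predictive Minimum, Predictive Value, Predictive Maximum)
    at the low/mid/high percentiles."""
    rng = random.Random(seed)
    per_tactic: Dict[str, List[float]] = {}
    for _ in range(samples):
        # One sampled outcome: each control is independently present or absent.
        present = {c: rng.random() < p for c, p in predictions.items()}
        for tactic, score in tactic_scores(present).items():
            per_tactic.setdefault(tactic, []).append(score)
    return {
        t: (percentile(v, low), percentile(v, mid), percentile(v, high))
        for t, v in per_tactic.items()
    }


if __name__ == "__main__":
    for tactic, (lo, val, hi) in sorted(predicted_bands(PREDICTIONS).items()):
        # A wide lo..hi band means the model is uncertain about this tactic.
        print(f"{tactic:20s} min={lo:6.1f} value={val:6.1f} max={hi:6.1f} width={hi - lo:5.1f}")
```

Running it prints one row per tactic; the `width` column is what the shaded region on the chart conveys, and the three values are the dotted Minimum, dashed Value and dotted Maximum. With the constructed probabilities, "Command and Control" has three mitigating controls, so its sampled scores can only be 0, 33.3, 66.7 or 100 and its band comes out as 33.3 / 66.7 / 100.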
Interpreting The Chart
What does the shaded region of the graph represent?
The shaded region indicates the range of likely predicted outcomes for the twelve tactics. When it is wider, there is more uncertainty in the company’s cyber posture. When narrower, the model has more confidence in the predicted outcome.
What does it mean when the Predictive Value is closer to the center versus outside?
Values closer to the center of the chart indicate a low score and a poorer ability to mitigate the given tactic, while values closer to the outside of the chart reflect higher scores and a better ability to prevent the adversary from achieving the tactic.
What does the dashed line represent?
The dashed line within the shaded area corresponds to the typical (median) outcome of the predictive model. When taken together, the dashed line and shaded area convey the range of tactic-mitigating effectiveness this company will likely have based on what the model knows about them.
Using The Chart
How do I best use this feature for my organization?
While Attack Scenario Analytics evaluates a third party's attested data against the tactic categories of the MITRE ATT&CK framework, Predictive Expansion uses the GRX's predictive data to provide a similar level of visibility on any third party in your portfolio, even without an assessment.
Evaluate your third parties against these categories to see the level of risk each poses to your organization. With this insight you can pinpoint the outliers that require further assessment to confirm they meet your security standards, and focus your budget and resources on the third parties whose compromise would most affect your day-to-day operations.
I am receiving predictive results but no Attested Coverage Across MITRE Tactics results, even though I have attested assessments. Why is this?
If the assessment was conducted on content release 29 or lower, no attested results are displayed, because the MITRE ATT&CK mapping applies to content release 30 onward. Attack Scenario Analytics' Predictive Expansion is not affected by this and lets you make a decision using our predictive data.
If I’m a Customer and all I see is Predictive data from a third party, what should I do?
Your next actions depend on your core dependency on, and relationship with, the third party. For example, if mitigating "Privilege Escalation" is vital to your day-to-day operations and the third party's Predictive Value or Predictive Maximum falls outside the range acceptable to you, an assessment is warranted to better understand their security coverage for that tactic.
If I’m a Member and all I see is Predictive Data on myself, what should I do?
We strongly recommend conducting an assessment of your organization so that we can represent you in the Exchange with attested data, giving Customers relevant insight into, and confidence in, your security standards.