Chapter 2. The Evidence-Based Security Framework
Embarking on a journey to change the approach to measuring success, information security teams can begin using an evidence-based framework. To begin, and to prove its benefit, one can start by testing some of the critical controls within the security architecture and measuring how effectively they work against the most relevant (high-risk) adversary TTPs.1
Speaking a Common Language
While the most relevant adversarial TTPs can be different for each organization, as one chooses the attack types to focus on, a good way to explore TTPs is by working with the ATT&CK knowledge base, which is freely accessible and community supported. This knowledge base is also constantly updated by information security professionals as they discover new threats, new TTPs, and emerging attack vectors. What keeps the ATT&CK TTP catalog very current is that the TTP discovery process is facilitated by MITRE’s Collaborative Research into Threats (or CRITS), an open source tool that helps researchers and security professionals collect and archive attack artifacts and submit their findings for the use of others in the community. To help defenders find what they need on the ATT&CK knowledge base, attacker TTPs are categorized by attacker objectives, making it easier to look for relevant TTPs. Each is also numbered so that defenders can refer to the same item in their proactive plans and response activities. There are 14 areas (columns) for tactics, and under ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access