Chapter 2. The Evidence-Based Security Framework

Embarking on a journey to change the approach to measuring success, information security teams can begin using an evidence-based framework. To begin, and to prove its benefit, one can start by testing some of the critical controls within the security architecture and measuring how effectively they work against the most relevant (high-risk) adversary TTPs.[1]

Speaking a Common Language

While the most relevant adversarial TTPs differ from one organization to the next, a good way to explore TTPs when choosing which attack types to focus on is the MITRE ATT&CK knowledge base, which is freely accessible and community supported. It is continually updated by information security professionals as they discover new threats, new TTPs, and emerging attack vectors. What keeps the ATT&CK TTP catalog so current is that the TTP discovery process is facilitated by MITRE's Collaborative Research into Threats (CRITs), an open source tool that helps researchers and security professionals collect and archive attack artifacts and submit their findings for the use of others in the community. To help defenders find what they need in the ATT&CK knowledge base, attacker TTPs are categorized by attacker objective (tactic), making it easier to look for relevant TTPs. Each technique is also numbered, so that defenders can refer to the same item in their proactive plans and in their response activities. There are 14 areas (columns) for tactics, and under ...
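The chapter's idea of testing critical controls against numbered, tactic-grouped ATT&CK techniques and measuring how well they hold up can be turned into a small scoreboard. The following is an added example, not code from the book or from MITRE: it validates technique IDs in the ATT&CK numbering format, maps each tested technique to its tactic column, and computes a risk-weighted effectiveness score per tactic and overall. The technique IDs and tactic names used in the sample are real ATT&CK entries, but the "relevant TTP" list, the risk weights and the test outcomes are constructed for illustration; a real team would populate them from its own threat model and control tests.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs are "T" plus four digits, with an optional ".NNN"
# suffix for a sub-technique (for example T1059.001).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample of "most relevant" techniques. The IDs and tactic names
# are real ATT&CK entries; the risk weights are illustrative assumptions.
RELEVANT_TTPS = {
    "T1566": {"tactic": "Initial Access", "name": "Phishing", "risk": 5},
    "T1059": {"tactic": "Execution", "name": "Command and Scripting Interpreter", "risk": 4},
    "T1003": {"tactic": "Credential Access", "name": "OS Credential Dumping", "risk": 5},
    "T1021": {"tactic": "Lateral Movement", "name": "Remote Services", "risk": 3},
    "T1486": {"tactic": "Impact", "name": "Data Encrypted for Impact", "risk": 5},
}

# Constructed test evidence: for each technique exercised against a control,
# the control either prevented it, only detected it, or missed it entirely.
TEST_RESULTS = [
    ("T1566", "prevented"),
    ("T1059", "detected"),
    ("T1003", "missed"),
    ("T1021", "detected"),
    ("T1486", "prevented"),
]

# Credit given to a control per outcome (assumed scale: prevention counts
# fully, detection alone counts half, a miss counts nothing).
OUTCOME_SCORE = {"prevented": 1.0, "detected": 0.5, "missed": 0.0}


def validate_technique_id(tid: str) -> bool:
    """True if tid follows the ATT&CK technique numbering format."""
    return bool(TECHNIQUE_ID.match(tid))


def score_by_tactic(ttps, results):
    """Risk-weighted control effectiveness per tactic column, in 0.0..1.0."""
    weighted = defaultdict(float)
    total = defaultdict(float)
    for tid, outcome in results:
        if not validate_technique_id(tid):
            raise ValueError(f"malformed ATT&CK technique id: {tid}")
        if tid not in ttps:
            raise KeyError(f"{tid} is not in the relevant-TTP list")
        if outcome not in OUTCOME_SCORE:
            raise ValueError(f"unknown test outcome: {outcome}")
        entry = ttps[tid]
        weighted[entry["tactic"]] += entry["risk"] * OUTCOME_SCORE[outcome]
        total[entry["tactic"]] += entry["risk"]
    return {tactic: weighted[tactic] / total[tactic] for tactic in total}


def overall_score(ttps, results):
    """Single risk-weighted effectiveness figure across all tested techniques."""
    weighted = sum(ttps[tid]["risk"] * OUTCOME_SCORE[outcome] for tid, outcome in results)
    total = sum(ttps[tid]["risk"] for tid, _ in results)
    return weighted / total if total else 0.0


def untested(ttps, results):
    """Relevant techniques for which no evidence has been collected yet."""
    tested = {tid for tid, _ in results}
    return sorted(set(ttps) - tested)


if __name__ == "__main__":
    for tactic, score in sorted(score_by_tactic(RELEVANT_TTPS, TEST_RESULTS).items()):
        print(f"{tactic:<20} {score:.2f}")
    print(f"overall              {overall_score(RELEVANT_TTPS, TEST_RESULTS):.2f}")
    print("untested:", untested(RELEVANT_TTPS, TEST_RESULTS))
```

The per-tactic view is the useful one for the framework the chapter describes: a high overall number can hide a tactic column (here, Credential Access) where every relevant technique was missed, and the untested list shows where the evidence is simply absent rather than negative.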
