DOI: 10.1145/3538969.3544420
research-article

MITRE ATT&CK-driven Cyber Risk Assessment

Published: 23 August 2022

Abstract

Assessing the risk posed by Advanced Cyber Threats (APTs) is challenging without understanding the methods and tactics adversaries use to attack an organisation. The MITRE ATT&CK provides information on the motivation, capabilities, interests and tactics, techniques and procedures (TTPs) used by threat actors. In this paper, we leverage these characteristics of threat actors to support informed cyber risk characterisation and assessment. In particular, we utilise the MITRE repository of known adversarial TTPs along with attack graphs to determine the attack probability as well as the likelihood of success of an attack. We further identify attack paths with the highest likelihood of success considering the techniques and procedures of a threat actor. The assessment is supported by a case study of a health care organisation to identify the level of risk against two adversary groups: Lazarus and menuPass.


Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN:9781450396707
DOI:10.1145/3538969

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Attack graph
  2. Cyber risk assessment
  3. MITRE ATT&CK
  4. Threat modelling.

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months): 475
  • Downloads (Last 6 weeks): 48

Reflects downloads up to 16 Nov 2024

Cited By

  • (2024) SIM-Ciber: Uma Solução Baseada em Simulações Probabilísticas para Quantificação de Riscos e Impactos de Ciberataques Utilizando Relatórios Estatísticos. Anais do XXIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2024), 570-585. DOI: 10.5753/sbseg.2024.241682. Online publication date: 16-Sep-2024
  • (2024) An Integrated Approach to Cyber Risk Management with Cyber Threat Intelligence Framework to Secure Critical Infrastructure. Journal of Cybersecurity and Privacy 4:2, 357-381. DOI: 10.3390/jcp4020018. Online publication date: 9-Jun-2024
  • (2024) Cyber Attack Scenario Generation Method for Improving the Efficient of Security Measures in Industrial Control Systems (産業制御システム向けセキュリティ対策効率化のためのサイバー攻撃シナリオ生成手法). IEEJ Transactions on Electronics, Information and Systems 144:1, 35-42. DOI: 10.1541/ieejeiss.144.35. Online publication date: 1-Jan-2024
  • (2024) VulZoo: A Comprehensive Vulnerability Intelligence Dataset. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 2334-2337. DOI: 10.1145/3691620.3695345. Online publication date: 27-Oct-2024
  • (2024) MITRE ATT&CK: State of the Art and Way Forward. ACM Computing Surveys 57:1, 1-37. DOI: 10.1145/3687300. Online publication date: 7-Oct-2024
  • (2024) Research on Improving Cyber Resilience by Integrating the Zero Trust Security Model With the MITRE ATT&CK Matrix. IEEE Access 12, 89291-89309. DOI: 10.1109/ACCESS.2024.3417182. Online publication date: 2024
  • (2024) Analysis and Characterization of Cyber Threats Leveraging the MITRE ATT&CK Database. IEEE Access 12, 1217-1234. DOI: 10.1109/ACCESS.2023.3344680. Online publication date: 2024
  • (2024) RAMA: a risk assessment solution for healthcare organizations. International Journal of Information Security 23:3, 1821-1838. DOI: 10.1007/s10207-024-00820-4. Online publication date: 1-Mar-2024
  • (2024) A Survey of Attack Techniques Based on MITRE ATT&CK Enterprise Matrix. Network Simulation and Evaluation, 188-199. DOI: 10.1007/978-981-97-4522-7_13. Online publication date: 2-Aug-2024
  • (2024) A Similarity Approach for the Classification of Mitigations in Public Cybersecurity Repositories into NIST-SP 800-53 Catalog. Information Security Theory and Practice, 64-79. DOI: 10.1007/978-3-031-60391-4_5. Online publication date: 29-Feb-2024
