The title of this blog post may not be entirely correct, as it is difficult to compare vulnerability assessment with MITRE ATT&CK based gap assessment in objective measures. However, this post aims to evangelize the joint raison d’être of vulnerability assessment and adversarial technique/procedure-based gap assessment. 

Most CISOs/CIOs are familiar with vulnerability assessment and its outcomes, but not everyone is familiar with the adversarial technique/procedure-based gap assessment. Therefore, let’s start with the latter. 

Numerous cybersecurity assessment frameworks exist, but many of them are focused only on compliance or lack objectivity. The MITRE ATT&CK Framework is a widely accepted knowledge base that describes adversary tactics, techniques, and sub-techniques. Its latest version (v12) consists of 14 tactics, 193 techniques, and 401 sub-techniques and is considered the most pragmatic way to address infrastructure attacks today. 

While having a plan for cybersecurity is essential, the input data used to make decisions is crucial. The results of a MITRE-based gap assessment provide a strategy that includes key performance indicators that must be addressed. It is similar to a vulnerability assessment and is also an operative task, but it is also tactical and strategic. It lays the foundation for defining annual technical KPIs and is the most objective viewpoint for determining what should be seen and what is not visible in terms of attack techniques. 

Building IT security detection capabilities on this assessment gives the entity a clear conscience even in case of an attack. Detection is the hardest obstacle for adversaries to overcome, and threat intelligence is of no use unless the entity is able to process it.

To make the assessment as usable as possible in real life, several aspects have to be considered when defining its scope. A sector-specific threat intelligence report provides an actionable plan to close the blind spots in the detection ecosystem of entities.

A sector-specific heatmap is required to pinpoint the most relevant incidents, and the search process is structured by setting up the scope of the search and then breaking it down. After reviewing the data and identifying specific malware and tools used in each cyber incident, the nature of the attack and campaign must be analyzed. 

During the detection phase, a large set of sector-specific indicators can be gathered and shared with the community using the MISP threat intelligence platform. Sigma rules have become the de facto standard for expressing SIEM queries in a vendor-neutral way, and they can be attached to MISP events.
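As an added illustration of how the sector heatmap and Sigma rules fit together in a gap assessment (this is example code written for this post, not the assessment tooling or any MITRE/MISP/Sigma project code), the block below takes two Sigma rules in their parsed form, runs them over a few constructed Windows events, and then compares the ATT&CK techniques the rules are tagged with against a constructed sector heatmap to list the uncovered techniques. The heatmap counts, event contents and rule titles are all assumptions made up for the example; the rule layout follows the Sigma `detection`/`condition` structure and the `attack.tXXXX` tag convention, but the matcher is a deliberately small subset of Sigma (string modifiers `contains`, `endswith`, `startswith` and conditions built from `and`, `or`, `not` without parentheses).

```python
"""Minimal ATT&CK gap assessment: Sigma-style rules over sample logs, then
coverage of a sector heatmap. Example code, all data constructed."""

# Constructed sector heatmap: ATT&CK technique id -> number of sector incidents
# in which the technique was observed (assumption, not real statistics).
SECTOR_HEATMAP = {
    "T1059.001": 7,   # PowerShell
    "T1566.001": 5,   # Spearphishing attachment
    "T1021.001": 3,   # Remote Desktop Protocol
    "T1003.001": 4,   # LSASS memory
}

# Two Sigma rules as they look after YAML parsing (titles/logic are constructed).
RULES = [
    {
        "title": "Encoded PowerShell command line",
        "tags": ["attack.execution", "attack.t1059.001"],
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {"Image|endswith": "\\powershell.exe",
                          "CommandLine|contains": "-enc"},
            "condition": "selection",
        },
    },
    {
        "title": "Interactive RDP logon by a user account",
        "tags": ["attack.lateral_movement", "attack.t1021.001"],
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            # 4624 with LogonType 10 = RemoteInteractive; machine accounts end in "$"
            "selection": {"EventID": 4624, "LogonType": 10},
            "filter": {"TargetUserName|endswith": "$"},
            "condition": "selection and not filter",
        },
    },
]

# Constructed events (not real telemetry); "-enc ZQBjAGgAbwA=" is just "echo" in UTF-16LE base64.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc ZQBjAGgAbwA="},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "WS01$"},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):  # list = OR
        cand = str(cand).lower()
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def _selection_matches(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    """Evaluate the condition string ('a and not b or c' without parentheses)."""
    detection = rule["detection"]
    named = {k: v for k, v in detection.items() if k != "condition"}

    def term(token):
        negated = token.startswith("not ")
        value = _selection_matches(event, named[token[4:] if negated else token])
        return not value if negated else value

    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in detection["condition"].split(" or "))


def techniques_for(rule):
    """Extract ATT&CK technique ids from Sigma tags: 'attack.t1059.001' -> 'T1059.001'."""
    return [t[len("attack."):].upper() for t in rule["tags"] if t.startswith("attack.t")]


def run_rules(rules, events):
    """Return {rule title: [matching events]} for rules that fired at least once."""
    hits = {}
    for rule in rules:
        matched = [e for e in events if rule_matches(rule, e)]
        if matched:
            hits[rule["title"]] = matched
    return hits


def gap_assessment(heatmap, rules):
    """Split heatmap techniques into covered/uncovered (most frequent first) with weighted coverage."""
    covered = {t for r in rules for t in techniques_for(r)}
    ordered = sorted(heatmap, key=lambda t: -heatmap[t])
    weight = sum(heatmap[t] for t in ordered if t in covered)
    return {"covered": [t for t in ordered if t in covered],
            "gaps": [t for t in ordered if t not in covered],
            "coverage_pct": round(100 * weight / sum(heatmap.values()))}


if __name__ == "__main__":
    for title, matched in run_rules(RULES, EVENTS).items():
        print(f"{title}: {len(matched)} event(s)")
    print(gap_assessment(SECTOR_HEATMAP, RULES))
```

The `gaps` list is the actionable output of the assessment: the techniques the sector actually sees but no rule is tagged for, ordered by how often they were observed, which is exactly the prioritisation a sector heatmap is meant to give. Re-running `gap_assessment` after the heatmap is refreshed is how the coverage figure is kept honest as actor TTPs change.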

Building a playbook for all detections with RACI and implementing it into each entity’s incident response plan is one of the most important steps. Testing can be done using Red or Purple Teaming activities. 

Updating the ATT&CK heatmap is challenging but worthwhile, as actors may change their behaviors and their TTPs may evolve over time. Updating can be supplemented with in-house or commercial threat intelligence solutions. 

In conclusion, regular vulnerability testing is mandatory, but it provides only a snapshot. Attack techniques are far more constant, and the capability to detect them is currently the silver bullet. Entrusting a third party with the assessment can bring many benefits, such as knowledge of relevant procedures and not just techniques, experience from audits across industries, and sampling of data from many sources. Should the audit be based on techniques alone, it may result in a false sense of security.

Download our MITRE ATT&CK for Enterprise (v11) Gap Analysis Report to learn more!
