Skip to main content

Mapping Resiliency Effects to MITRE ATT&CK Mitigations Examples

In cybersecurity, effects refer to the desired outcomes or impacts on an adversary's behavior or actions that a defender wants to achieve through various measures. These effects can be used to shape an adversary's behavior, disrupt their activities, or limit their ability to achieve their objectives.

Effects are important in cybersecurity because they help defenders to better understand the potential impact of their decisions and actions, as well as evaluate the effectiveness of their defensive measures. By defining and measuring the effects of their actions, defenders can make more informed decisions and adjust their strategies to better mitigate risks and protect their systems from cyber threats. Additionally, using a standardized vocabulary to describe effects can help improve communication and collaboration among cybersecurity professionals, as well as enable more evidence-based claims and hypotheses about the effectiveness of different defensive measures.

Using a standardized vocabulary of effects enables you to define specific, measurable effects that can be associated with a particular cybersecurity measure, such as a defense mechanism or mitigation strategy. By having a clear definition of the specific effect that a cybersecurity measure is intended to achieve, it becomes possible to evaluate whether the measure is effective in achieving that effect. This, in turn, enables the collection of evidence about the effectiveness of a cybersecurity measure, based on the presence or absence of the expected effect. Without a standardized vocabulary of effects, it can be difficult to clearly define and measure the intended outcomes of cybersecurity measures, making it challenging to find evidence of their effectiveness.

I recently wrote an article on the resiliency effects vocabulary that can be found here:

https://cybersecurityscience.blogspot.com/2023/03/resiliency-effects-standardized.html

As a follow up, here is an example mapping of the first few MITRE ATT&CK Mitigations mapped to NIST 800-160 Vol 2 Rev 1 Resiliency Effects. I wanted to provide a simple example of how using the resiliency effects with MITRE ATT&CK mitigations gives the defenders a better understanding how the mitigation will effect the adversary's behavior (in this case, the ATT&CK TTPs mapped to the ATT&CK mitigations).


M1036 Account Use Policies

The M1036 Account Use Policies mitigation can achieve the following effects on adversary behavior:

Deter: By implementing account lockout policies, the mitigation can deter adversaries from attempting to guess passwords or perform brute force attacks. The threat of being locked out of an account after a certain number of failed login attempts can discourage adversaries from attempting to gain unauthorized access.

Impact on Risk: Reduce the likelihood of occurrence.

Delay: By setting account lockout policies, the mitigation can delay an adversary's attempt to guess passwords or perform brute force attacks. This gives defenders more time to detect and respond to the attack, reducing the impact of the attack.

Impact on Risk: Reduce the likelihood of impact, and/or reduce the level of impact.

Detect: By setting account lockout policies and monitoring for failed login attempts, the mitigation can detect when an adversary is attempting to guess passwords or perform brute force attacks. This allows defenders to quickly respond to the attack and prevent further unauthorized access.

Impact on Risk: Reduce the likelihood of impact, and reduce the level of impact.

Overall, the M1036 Account Use Policies mitigation can significantly reduce the risk of brute force attacks by deterring and delaying adversaries, as well as detecting and responding to attacks that do occur.


M1015 Active Directory Configuration

M1015 Active Directory Configuration mitigates the following ATT&CK TTPs:

Degrade: T1134.005 Access Token Manipulation: SID-History Injection

Active Directory can be configured to enable SID filtering, which can prevent an attacker from injecting a SID from a trusted domain into a token to gain access to resources that they would otherwise not have access to. By degrading the attacker's ability to manipulate access tokens, the potential impact of the attack is reduced.

Impact on Risk: Reduce the likelihood of impact and/or reduce the level of impact.

Negate: T1606.002 Forge Web Credentials: SAML Tokens, T1003 OS Credential Dumping, T1558 Steal or Forge Kerberos Tickets

Active Directory can be configured to enforce the use of secure authentication protocols and implement protections such as Kerberos Constrained Delegation to reduce the ability of attackers to steal or forge authentication credentials. By negating the impact of these attacks, the potential harm or damage is reduced.

Impact on Risk: Reduce the likelihood of impact.

Contain: T1003.005 Cached Domain Credentials, T1003.006 DCSync, T1072 Software Deployment Tools, T1552.006 Group Policy Preferences

Active Directory can be configured to implement password policies that prevent the use of cached domain credentials and protect against DCSync attacks. Additionally, the use of secure LDAP, signing, and encryption can be implemented to contain attacks that attempt to exploit software deployment tools or Group Policy Preferences. By containing the attack, the level of impact is reduced.

Impact on Risk: Reduce the level of impact.

Detect: T1649 Steal or Forge Authentication Certificates, T1550.003 Use Alternate Authentication Material: Pass the Ticket

Active Directory can be configured to implement logging and monitoring to detect unusual activity such as attempts to steal or forge authentication certificates or pass the ticket attacks. By detecting the attack early, the security team can take steps to prevent further damage.

Impact on Risk: Reduce the likelihood of impact, and reduce the level of impact.

Scrutinize: T1552 Unsecured Credentials

Active Directory can be configured to implement password policies that enforce the use of strong passwords and prevent the storage of unsecured credentials. By scrutinizing the attacker's actions, the security team can develop more effective defenses to prevent future attacks.

Impact on Risk: Reduce the likelihood of impact.

Total Impact on Risk: M1015 Active Directory Configuration reduces the likelihood of occurrence, the likelihood of impact, and the level of impact of attacks targeting the mitigated TTPs.


M1049 Antivirus/Antimalware Mitigation

This mitigation involves using antivirus and antimalware tools to detect and prevent malicious software from executing on a system. The specific effects of this mitigation on adversary behavior are as follows:

Detect: The antivirus/antimalware tool can detect the presence of malicious software on the system by scanning files and processes for known signatures or suspicious behaviors. This can detect the following ATT&CK TTPs:

  • T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
  • T1059 Command and Scripting Interpreter
    • T1059.001 PowerShell
    • T1059.005 Visual Basic
    • T1059.006 Python
  • T1027 Obfuscated Files or Information
    • T1027.002 Software Packing
    • T1027.009 Embedded Payloads
  • T1566 Phishing
    • T1566.001 Spearphishing Attachment
    • T1566.003 Spearphishing via Service
  • T1221 Template Injection

Impact on Risk: Detecting malicious software reduces the likelihood of occurrence and minimizes the level of impact of an attack.

Degrade: The antivirus/antimalware tool can quarantine or remove malicious software from the system, making it less effective or disabling it entirely. This can degrade the following ATT&CK TTPs:

    • T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
  • T1059 Command and Scripting Interpreter
    • T1059.001 PowerShell
    • T1059.005 Visual Basic
    • T1059.006 Python
  • T1027 Obfuscated Files or Information
    • T1027.002 Software Packing
    • T1027.009 Embedded Payloads
  • T1566 Phishing
    • T1566.001 Spearphishing Attachment
    • T1566.003 Spearphishing via Service
  • T1221 Template Injection

Impact on Risk: Degrading the effectiveness of malicious software reduces the likelihood of impact and minimizes the level of impact of an attack.

Preempt: The antivirus/antimalware tool can prevent malicious software from executing on the system by blocking access to known malicious websites or blocking the execution of suspicious files. This can preempt the following ATT&CK TTPs:

  • T1566 Phishing
    • T1566.001 Spearphishing Attachment
    • T1566.003 Spearphishing via Service

Impact on Risk: Preventing malicious software from executing reduces the likelihood of occurrence and minimizes the level of impact of an attack.

In summary, the M1049 Antivirus/Antimalware Mitigation achieves the detect, degrade, and preempt effects on various ATT&CK TTPs, reducing the likelihood of occurrence and minimizing the level of impact of an attack.


These are just a few quick example mappings to help defender's understand what mapping effects to ATT&CK mitigation would look like and the type of additional information they provide. What do you think of the resiliency effects and their impact on risk as additions to MITRE ATT&CK mitigation information to help defenders better understand how the mitigation effects adversary behavior?  The same effects vocabulary can be applied to MITRE ATT&CK mitigations, MITRE Engage actions, ATT&CK Evals, Security Control mappings, etc to provide defenders with a common vocabulary for understanding how cybersecurity technologies, mitigations, engagement actions, and security controls effect adversary behavior. 

Popular posts from this blog

The Interconnected Roles of Risk Management, Information Security, Cybersecurity, Business Continuity, and IT in Modern Organizations

In the rapidly evolving digital landscape, understanding the interconnected roles of Risk Management, Information Security, Cybersecurity, Business Continuity, and Information Technology (IT) is crucial for any organization. These concepts form the backbone of an organization's defense strategy against potential disruptions and threats, ensuring smooth operations and the protection of valuable data. Risk Management is the overarching concept that involves identifying, assessing, and mitigating any risks that could negatively impact an organization's operations or assets. These risks could be financial, operational, strategic, or related to information security. The goal of risk management is to minimize potential damage and ensure the continuity of business operations. Risk management is the umbrella under which information security, cybersecurity, and business continuity fall. Information Security is a subset of risk management. While risk management covers a wide range of pot...

Attack Path Scenarios: Enhancing Cybersecurity Threat Analysis

I. Introduction A. Background on Cybersecurity Threats Cybersecurity threats are an ongoing concern for organizations of all sizes and across all industries. As technology continues to evolve and become more integral to business operations, the threat landscape also becomes more complex and sophisticated. Cyber attackers are constantly seeking new ways to exploit vulnerabilities and gain unauthorized access to sensitive data and systems. The consequences of a successful cyber attack can be severe, including financial losses, reputational damage, and legal consequences. Therefore, it is critical for organizations to have effective cybersecurity strategies in place to identify and mitigate potential threats. B. Definition of Attack Path Scenarios Attack Path Scenarios are a type of threat scenario used in cybersecurity to show the step-by-step sequence of tactics, techniques, and procedures (TTPs) that a cyber attacker may use to penetrate a system, gain access to sensitive data, and ach...

A Deep Dive into the Analysis and Production Phase of Intelligence Analysis

Introduction In the complex and ever-evolving world of intelligence, the ability to analyze and interpret information accurately is paramount. The intelligence cycle, a systematic process used by analysts to convert raw data into actionable intelligence, is at the heart of this endeavor. This cycle typically consists of five stages: Planning and Direction, Collection, Processing, Analysis and Production, and Dissemination. Each stage plays a vital role in ensuring that the intelligence provided to decision-makers is accurate, relevant, and timely. While all stages of the intelligence cycle are critical, the Analysis and Production phase is where the proverbial 'rubber meets the road.' It is in this phase that the collected data is evaluated, integrated, interpreted, and transformed into a form that can be used to make informed decisions. The quality of the intelligence product, and ultimately the effectiveness of the decisions made based on that product, hinge on the rigor and ...