In cybersecurity, effects refer to the desired outcomes or impacts on an adversary's behavior or actions that a defender wants to achieve through various measures. These effects can be used to shape an adversary's behavior, disrupt their activities, or limit their ability to achieve their objectives.
Effects are important in cybersecurity because they help defenders to better understand the potential impact of their decisions and actions, as well as evaluate the effectiveness of their defensive measures. By defining and measuring the effects of their actions, defenders can make more informed decisions and adjust their strategies to better mitigate risks and protect their systems from cyber threats. Additionally, using a standardized vocabulary to describe effects can help improve communication and collaboration among cybersecurity professionals, as well as enable more evidence-based claims and hypotheses about the effectiveness of different defensive measures.
Using a standardized vocabulary of effects enables you to define specific, measurable effects that can be associated with a particular cybersecurity measure, such as a defense mechanism or mitigation strategy. By having a clear definition of the specific effect that a cybersecurity measure is intended to achieve, it becomes possible to evaluate whether the measure is effective in achieving that effect. This, in turn, enables the collection of evidence about the effectiveness of a cybersecurity measure, based on the presence or absence of the expected effect. Without a standardized vocabulary of effects, it can be difficult to clearly define and measure the intended outcomes of cybersecurity measures, making it challenging to find evidence of their effectiveness.
I recently wrote an article on the resiliency effects vocabulary that can be found here:
https://cybersecurityscience.blogspot.com/2023/03/resiliency-effects-standardized.html
As a follow-up, here is an example mapping of the first few MITRE ATT&CK Mitigations to NIST 800-160 Vol 2 Rev 1 Resiliency Effects. I wanted to provide a simple example of how pairing the resiliency effects with MITRE ATT&CK mitigations gives defenders a better understanding of how a mitigation will affect the adversary's behavior (in this case, the ATT&CK TTPs mapped to each ATT&CK mitigation).
M1036 Account Use Policies
The M1036 Account Use Policies mitigation can achieve the following effects on adversary behavior:
Deter: By implementing account lockout policies, the mitigation can deter adversaries from attempting to guess passwords or perform brute force attacks. The threat of being locked out of an account after a certain number of failed login attempts can discourage adversaries from attempting to gain unauthorized access.
Impact on Risk: Reduce the likelihood of occurrence.
Delay: By setting account lockout policies, the mitigation can delay an adversary's attempt to guess passwords or perform brute force attacks. This gives defenders more time to detect and respond to the attack, reducing the impact of the attack.
Impact on Risk: Reduce the likelihood of impact, and/or reduce the level of impact.
Detect: By setting account lockout policies and monitoring for failed login attempts, the mitigation can detect when an adversary is attempting to guess passwords or perform brute force attacks. This allows defenders to quickly respond to the attack and prevent further unauthorized access.
Impact on Risk: Reduce the likelihood of impact, and reduce the level of impact.
Overall, the M1036 Account Use Policies mitigation can significantly reduce the risk of brute force attacks by deterring and delaying adversaries, as well as detecting and responding to attacks that do occur.
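To make the Delay and Detect effects of M1036 measurable rather than descriptive, the following added example (my own illustration, not code from the original post or from MITRE/NIST) replays a constructed one-hour password-guessing sequence through a lockout policy modelled on the three Windows account lockout settings (threshold, duration, reset counter). It reports how many guesses were actually evaluated against the password store, how many were refused while the account was locked, and the lockout events a monitoring rule would alert on; the account name and the one-guess-per-second rate are assumptions used only to build the sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Attempt = Tuple[int, str, bool]  # (time in seconds, username, password was correct)

@dataclass
class LockoutPolicy:
    threshold: int   # failed attempts that trigger a lockout ("Account lockout threshold")
    lockout_s: int   # seconds the account stays locked ("Account lockout duration")
    reset_s: int     # failures older than this no longer count ("Reset account lockout counter after")

@dataclass
class _AccountState:
    failures: List[int] = field(default_factory=list)
    locked_until: int = -1

def evaluate(policy: LockoutPolicy, attempts: List[Attempt]) -> Dict[str, object]:
    """Replay login attempts against the policy.
    'checked' counts guesses that reached the password store (the Delay effect: fewer
    guesses per hour), 'refused' counts guesses rejected because the account was locked,
    and 'lockouts' lists the (time, user) events a SIEM rule would alert on (Detect)."""
    accounts: Dict[str, _AccountState] = {}
    checked = refused = 0
    lockouts: List[Tuple[int, str]] = []
    for t, user, ok in sorted(attempts):
        st = accounts.setdefault(user, _AccountState())
        if t < st.locked_until:
            refused += 1            # locked: the guess is never evaluated
            continue
        checked += 1
        if ok:
            st.failures.clear()     # a successful logon resets the failure counter
            continue
        st.failures = [f for f in st.failures if t - f < policy.reset_s] + [t]
        if len(st.failures) >= policy.threshold:
            st.locked_until = t + policy.lockout_s
            st.failures.clear()     # counter is reset by the time the lock expires
            lockouts.append((t, user))
    return {"checked": checked, "refused": refused, "lockouts": lockouts}

def constructed_brute_force(user: str, seconds: int) -> List[Attempt]:
    """Constructed sample input: one wrong guess per second against a single account."""
    return [(t, user, False) for t in range(seconds)]

if __name__ == "__main__":
    with_policy = evaluate(LockoutPolicy(threshold=5, lockout_s=900, reset_s=900),
                           constructed_brute_force("alice", 3600))
    no_policy = evaluate(LockoutPolicy(threshold=10**9, lockout_s=0, reset_s=0),
                         constructed_brute_force("alice", 3600))
    print(with_policy["checked"], with_policy["refused"], len(with_policy["lockouts"]))
    print(no_policy["checked"], no_policy["refused"], len(no_policy["lockouts"]))
```

With a 5-attempt threshold and a 15-minute lockout, the hour of guessing yields 20 evaluated guesses and 4 lockout events instead of 3600 evaluated guesses and no signal, which is the evidence of the Delay and Detect effects the vocabulary asks for.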
M1015 Active Directory Configuration
M1015 Active Directory Configuration mitigates the following ATT&CK TTPs:
Degrade: T1134.005 Access Token Manipulation: SID-History Injection
Active Directory can be configured to enable SID filtering, which can prevent an attacker from injecting a SID from a trusted domain into a token to gain access to resources that they would otherwise not have access to. By degrading the attacker's ability to manipulate access tokens, the potential impact of the attack is reduced.
Impact on Risk: Reduce the likelihood of impact and/or reduce the level of impact.
Negate: T1606.002 Forge Web Credentials: SAML Tokens, T1003 OS Credential Dumping, T1558 Steal or Forge Kerberos Tickets
Active Directory can be configured to enforce the use of secure authentication protocols and implement protections such as Kerberos Constrained Delegation to reduce the ability of attackers to steal or forge authentication credentials. By negating the impact of these attacks, the potential harm or damage is reduced.
Impact on Risk: Reduce the likelihood of impact.
Contain: T1003.005 Cached Domain Credentials, T1003.006 DCSync, T1072 Software Deployment Tools, T1552.006 Group Policy Preferences
Active Directory can be configured to implement password policies that prevent the use of cached domain credentials and protect against DCSync attacks. Additionally, the use of secure LDAP, signing, and encryption can be implemented to contain attacks that attempt to exploit software deployment tools or Group Policy Preferences. By containing the attack, the level of impact is reduced.
Impact on Risk: Reduce the level of impact.
Detect: T1649 Steal or Forge Authentication Certificates, T1550.003 Use Alternate Authentication Material: Pass the Ticket
Active Directory can be configured to implement logging and monitoring to detect unusual activity such as attempts to steal or forge authentication certificates or pass the ticket attacks. By detecting the attack early, the security team can take steps to prevent further damage.
Impact on Risk: Reduce the likelihood of impact, and reduce the level of impact.
Scrutinize: T1552 Unsecured Credentials
Active Directory can be configured to implement password policies that enforce the use of strong passwords and prevent the storage of unsecured credentials. By scrutinizing the attacker's actions, the security team can develop more effective defenses to prevent future attacks.
Impact on Risk: Reduce the likelihood of impact.
Total Impact on Risk: M1015 Active Directory Configuration reduces the likelihood of occurrence, the likelihood of impact, and the level of impact of attacks targeting the mitigated TTPs.
M1049 Antivirus/Antimalware Mitigation
This mitigation involves using antivirus and antimalware tools to detect and prevent malicious software from executing on a system. The specific effects of this mitigation on adversary behavior are as follows:
Detect: The antivirus/antimalware tool can detect the presence of malicious software on the system by scanning files and processes for known signatures or suspicious behaviors. This can detect the following ATT&CK TTPs:
- T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1059.006 Python
- T1027 Obfuscated Files or Information
- T1027.002 Software Packing
- T1027.009 Embedded Payloads
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
- T1221 Template Injection
Impact on Risk: Detecting malicious software reduces the likelihood of occurrence and minimizes the level of impact of an attack.
Degrade: The antivirus/antimalware tool can quarantine or remove malicious software from the system, making it less effective or disabling it entirely. This can degrade the following ATT&CK TTPs:
- T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1059.006 Python
- T1027 Obfuscated Files or Information
- T1027.002 Software Packing
- T1027.009 Embedded Payloads
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
- T1221 Template Injection
Impact on Risk: Degrading the effectiveness of malicious software reduces the likelihood of impact and minimizes the level of impact of an attack.
Preempt: The antivirus/antimalware tool can prevent malicious software from executing on the system by blocking access to known malicious websites or blocking the execution of suspicious files. This can preempt the following ATT&CK TTPs:
- T1566 Phishing
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
Impact on Risk: Preventing malicious software from executing reduces the likelihood of occurrence and minimizes the level of impact of an attack.
In summary, the M1049 Antivirus/Antimalware Mitigation achieves the detect, degrade, and preempt effects on various ATT&CK TTPs, reducing the likelihood of occurrence and minimizing the level of impact of an attack.
These are just a few quick example mappings to help defenders understand what mapping effects to ATT&CK mitigations would look like and the type of additional information they provide. What do you think of the resiliency effects and their impact on risk as additions to MITRE ATT&CK mitigation information to help defenders better understand how a mitigation affects adversary behavior? The same effects vocabulary can be applied to MITRE ATT&CK mitigations, MITRE Engage actions, ATT&CK Evals, security control mappings, etc., to provide defenders with a common vocabulary for understanding how cybersecurity technologies, mitigations, engagement actions, and security controls affect adversary behavior.