Posts

Showing posts from October, 2023

Quantitative Insight into Cybersecurity: Scoring Data Characteristics in TTP Analysis

When we delve into the world of cybersecurity, MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) emerge as a paramount concept, offering a microscopic lens into an adversary's modus operandi. However, the precision and effectiveness of TTP analysis are heavily anchored on the quality of underlying data. Here, we deep-dive into the quintessential data characteristics and their bearing on TTPs and provide example methods to quantitatively score different aspects.

1. Data Accuracy

Relevance: In the sprawling matrix of cybersecurity, precision is key. Accurate data ensures that specific adversary techniques or tools are identified with certainty. Any inaccuracy can lead to detrimental false positives or false negatives, possibly allowing malicious entities to navigate defenses unchecked.

Scoring Metric: A pragmatic approach would be to evaluate the percentage of errors or inconsistencies in data over a predetermined period. A lower error percentage signifies superior data ac

The Pyramid of Pain: Understanding the Adversary's Pain Points and the Role of MITRE ATT&CK in Illuminating TTPs

The Pyramid of Pain, a concept masterfully crafted by David J. Bianco, offers a unique perspective into the world of cybersecurity. It doesn't merely categorize threat indicators; it arrays them in a manner that demonstrates the relative pain they can inflict upon adversaries when defenders take action against them. As we delve into the nuances of the pyramid, it becomes evident that TTPs (Tactics, Techniques, and Procedures) form its apex. Here, the MITRE ATT&CK framework emerges as an invaluable companion. ATT&CK, which stands for "Adversarial Tactics, Techniques, and Common Knowledge," offers an extensive and detailed matrix that embodies the essence of TTPs. This globally-accessible knowledge base catalogs the specific methods employed by adversaries across various platforms, bridging the strategic insights from the Pyramid of Pain with actionable intelligence.

Image Source: https://center-for-threat-informed-defense.github.io/summiting-th

Shifting Gears in Cybersecurity: From Indicators of Compromise to Indicators of Behavior and Attack Flows

In the rapid evolution of cybersecurity, professionals constantly adapt to the sophisticated tactics employed by adversaries. One significant transition that underscores this evolution is the shift from relying on Indicators of Compromise (IoCs) to leveraging Indicators of Behavior (IoBs) and employing Attack Flows for a more holistic analysis and response to cyber threats. This shift is not merely a change in terminology but a paradigm shift aimed at proactively identifying, understanding, and mitigating cyber threats in a more effective and efficient manner. This article delves into the differences between IoCs and IoBs, introduces the concept of Attack Flows, and outlines the implications of these transitions on various cybersecurity teams including Detection & Response, Threat Intelligence, Threat Hunting, and Risk Management teams.

The Limitations of Indicators of Compromise

Traditionally, cybersecurity efforts have revolved around identifying and responding to IoCs, which are