Blending Threat And Risk Inside The Security Operation Center

Threat and risk are different but connected concepts. Threat indicates the motivation, capability, and intent of an adversary; risk is the likelihood of a cyber-attack multiplied by its potential impact.

At the strategic level, it’s clear how the two concepts are related – specifically, the assessed threat level of an adversary can raise or lower the risk to an organisation. But, inside the security operations centre (SOC), how do you make the concepts of risk and threat work together at the operational and tactical levels? 

MITRE ATT&CK and NIST: Where Threat Meets Risk

MITRE’s well-established ATT&CK framework is used to model the lifecycle of an attack, showing threat techniques across 14 phases from initial Reconnaissance to final Impact. 

Figure 1: MITRE ATT&CK in action, showing the activity of “APT28” in orange 

NIST is an equally well-established framework for risk management. It outlines over 1,000 suggested controls that, if implemented, should reduce the overall cyber risk to an organisation. 

Together, ATT&CK and NIST provide a bare-bones skeleton to translate assessments of threat into control-centric risk-management strategies. But how does that work in practice? In other words, how do you get from the kind of ATT&CK visualisation shown in Figure 1 to a relevant subsection of the 1,000 or so NIST controls?

Operationalising ATT&CK and NIST

The ATT&CK framework contains a suggested mitigation section for each technique, which recommends NIST controls and other responses. But the number of NIST control recommendations is staggering; finding them all would be an unwieldy and time-hungry task.

Resources have been developed to map ATT&CK techniques to NIST controls – most notably, the MITRE Engenuity project known as NIST 800-53 Controls to ATT&CK Mappings. That project fleshes out the basic framework of the original ATT&CK model into a meatier, more operational framework. 

With such a body of information, analysts have the ability to fully complete the cycle of threat-led risk management. They can collect data about cyber-threat actor activity, translate the data into an ATT&CK format, map that to prioritised NIST controls, then implement and monitor the effectiveness of the NIST controls. This process is shown in Figure 2. 

Figure 2: The conceptual cycle of threat-led risk management

Applying the Concept at Scale

The concept that risk management should be a threat-led process is obvious…how can risk be effectively managed if it does not take threat into account? Regardless, executing that concept within a SOC environment is challenging, and doing so at scale – in response to a volatile threat landscape – is downright difficult. 

At Elemendar, we are developing AI-driven technology that will automate the above process, while still empowering the human analyst to understand how the process is carried out and why certain controls are prioritised over others. Watch this space for future developments in this area.