Prioritizing Cybersecurity Controls based on Coverage of Attack Techniques

Status:

This project started in 2023 and was completed in 2024.

Researchers:

Silvia La (ETH)
Dr. Martin Ochoa
Vivien Bilquez (Zurich Insurance)

Industry Partner:

Zurich Insurance

Description:

The objective of this project is to study existing mappings of controls in NIST Special Publication 800-53 to attack techniques in MITRE ATT&CK and to propose an automatic or semi-automatic methodology that integrates attack frequencies and impacts to produce a priority ordering of the controls to implement. This methodology is implemented as a software prototype that domain experts can query using various criteria.

As a first step, we design a Cyber Threat Intelligence feed model that, based on a recent vulnerability statistics report or a vulnerability database, automatically computes attack frequencies. Our model proposes how to extend existing data structures used to exchange threat intelligence reports. We also review and evaluate existing prototypes that attempt to extract the techniques used in a campaign from its textual description by means of natural language processing.

We then devise an automated methodology to integrate the attack frequencies from the threat intelligence feed into the mapping in order to prioritize the most impactful controls. Several algorithms are explored to automatically compute sets of controls to implement that optimize a risk-minimization criterion (for instance, which controls mitigate the most frequently occurring attack techniques).
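As an added illustration of this risk-minimization step (example code, not the project's prototype), the following Python sketch ranks controls by greedy weighted coverage: at each step it picks the control whose still-unmitigated techniques carry the highest total observed frequency. The technique frequencies and the control-to-technique pairings are constructed assumptions for the demo, not a published NIST-to-ATT&CK mapping.

```python
"""Greedy control prioritization over a control -> technique mapping.

Added example. The IDs below are real ATT&CK technique and NIST SP 800-53
control identifiers, but the frequencies and the pairings are constructed
for this illustration and do not reproduce any published mapping.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed: technique -> observed frequency (e.g. campaign count from a CTI feed)
TECHNIQUE_FREQUENCY: Dict[str, int] = {
    "T1566": 40,  # Phishing
    "T1078": 25,  # Valid Accounts
    "T1059": 30,  # Command and Scripting Interpreter
    "T1003": 15,  # OS Credential Dumping
    "T1486": 10,  # Data Encrypted for Impact
}

# Constructed: control -> techniques it is assumed to mitigate
CONTROL_MAPPING: Dict[str, Set[str]] = {
    "AT-2": {"T1566"},                    # Literacy Training and Awareness
    "AC-2": {"T1078", "T1003"},           # Account Management
    "SI-3": {"T1566", "T1059", "T1486"},  # Malicious Code Protection
    "CM-7": {"T1059"},                    # Least Functionality
    "CP-9": {"T1486"},                    # System Backup
}


def marginal_gain(control: str, mapping: Dict[str, Set[str]],
                  freq: Dict[str, int], covered: Set[str]) -> int:
    """Frequency mass of techniques this control would newly cover."""
    return sum(freq.get(t, 0) for t in mapping[control] if t not in covered)


def prioritize_controls(mapping: Dict[str, Set[str]], freq: Dict[str, int],
                        budget: Optional[int] = None) -> List[Tuple[str, int]]:
    """Greedy weighted set cover; returns (control, marginal gain) in pick order.
    Stops when the budget is reached or no control adds coverage."""
    covered: Set[str] = set()
    remaining = dict(mapping)
    order: List[Tuple[str, int]] = []
    while remaining and (budget is None or len(order) < budget):
        # Highest gain wins; ties broken by control ID for determinism
        best = min(remaining, key=lambda c: (-marginal_gain(c, remaining, freq, covered), c))
        gain = marginal_gain(best, remaining, freq, covered)
        if gain == 0:
            break
        order.append((best, gain))
        covered |= remaining.pop(best)
    return order


def residual_risk(selected: List[str], mapping: Dict[str, Set[str]],
                  freq: Dict[str, int]) -> float:
    """Share of frequency mass left unmitigated by the selected controls."""
    covered = set().union(*(mapping[c] for c in selected)) if selected else set()
    total = sum(freq.values())
    return sum(w for t, w in freq.items() if t not in covered) / total if total else 0.0
```

Because the greedy choice counts only techniques not yet covered, a control that overlaps heavily with an already chosen one drops to the bottom of the ranking rather than being counted twice.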

Last, we carry out a preliminary evaluation of the methodology by instantiating it with information about malware campaigns from recent years and various example queries. We further discuss how our methodology can be evaluated in future work by analysing data-breach occurrences against the controls that were implemented.