You're reading from  Aligning Security Operations with the MITRE ATT&CK Framework

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781804614266
Edition: 1st Edition
Author
Rebecca Blair

Rebecca Blair currently serves as the SOC Manager at a Boston-based tech company, where she is in the process of building out a SOC team to include analyst workflows, playbooks, and processes. Also, she served at IronNet as the Director of SOC Operations, at Tenable Inc as a Test Engineer, and at the Army Research Lab as a Technical Compliance Lead, among other things. She has deep expertise in technology integrations and security operations and holds a BS degree from Norwich University in Computer Security and Information Assurance, an MS degree from the University of Maryland Global Campus in Cybersecurity and an MBA from Villanova University. She has found a niche in building SOC environments and maturing them in fast-paced environments.

Strategies to Map to ATT&CK

In this chapter, we’ll discuss how to analyze your environment, identify coverage gaps, and identify areas for improvement. Then, we’ll cover how to map those gaps to the ATT&CK Framework to increase coverage and build maturity into your security posture.

This chapter covers the following topics:

  • Finding the gaps in your coverage
  • Prioritization of efforts to increase efficiency
  • Examples of mappings in real environments

Technical requirements

For this chapter, no specific technology or installation is required.

Finding the gaps in your coverage

It’s not realistic to think that you can immediately review every technique in the MITRE ATT&CK Framework; Enterprise ATT&CK alone spans 14 tactics and hundreds of techniques and sub-techniques. Trying to do so will not only create a massive headache for you and your team but could also lead to adding unnecessary tools while chasing the impossible. A good example is the Actions on Objectives phase, which is complicated. Strictly speaking, that name comes from the Lockheed Martin Cyber Kill Chain rather than ATT&CK, which splits the same ground across several tactics (Collection, Command and Control, Exfiltration, and Impact among them), and that spread is part of why it is hard to address as a single item. The main principle is that there are many actions on an objective (actions taken against a target system such as a network or host) that could be carried out, such as stealing credentials, installing malware, and so on, but until an attack starts, you cannot predict which of them will occur, or when. In this case, you want a strong defense-in-depth approach built on standard security controls. Also, with regard to controls, it helps to accept that you will inevitably experience a compromise at some point if you haven’...

Prioritization of efforts to increase efficiency

Prioritization can be done using a variety of approaches, and it sometimes comes down to a feeling. For the record, when possible, you should use a quantitative method for prioritization, primarily based on capabilities. To start with, you need to have your gaps identified. That can be done through a risk register, a purple team exercise, an audit, and so on. From there, you need to take a look at your resources; this includes the current technical capabilities, the personnel and their skill sets, the budget constraints on upgrading or bringing in new tools and services, and the work cycles you have available or can make available. After you take a look at your resources, you then begin assigning priorities and scoping out levels of effort, potential fixes, and stakeholders. One helpful tool is to diagram and actually write down the risks. If we were to step through a process, we could start with the following gaps:

...
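One way to make that prioritization quantitative, as an added example that is not the book's own method: score each gap on likelihood and impact (what it is worth closing) and on tooling, people, and budget (what closing it costs), then place it on a quad chart and rank by value per unit of effort. The 1-5 scales, the effort weights, the quadrant cut-offs, and the sample gaps are assumptions for illustration; the ATT&CK technique IDs attached to each gap are real, but which gap maps to which technique in your environment comes from your own risk register.

```python
"""Quantitative gap prioritization onto a quad chart.

Added example, not code from the book. Scoring scales, weights,
cut-offs and the SAMPLE_GAPS inventory below are illustrative
assumptions; feed in your own risk register data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Gap:
    name: str
    techniques: List[str]   # ATT&CK technique IDs the gap leaves uncovered
    likelihood: int         # 1-5: how likely the technique is used against you
    impact: int             # 1-5: blast radius if it succeeds undetected
    tooling_effort: int     # 1-5: new tools or services required
    people_effort: int      # 1-5: skills and hours your team must supply
    cost: int               # 1-5: budget required

    @property
    def value(self) -> float:
        """Worth of closing the gap, 1..25."""
        return float(self.likelihood * self.impact)

    @property
    def effort(self) -> float:
        """Weighted effort, 1..5. Assumes budget is the tightest constraint;
        change the weights to match your own resource picture."""
        return 0.3 * self.tooling_effort + 0.3 * self.people_effort + 0.4 * self.cost


def quadrant(gap: Gap, value_cut: float = 12.0, effort_cut: float = 3.0) -> str:
    """Place a gap on a value-vs-effort quad chart (cut-offs are assumptions)."""
    high_value = gap.value >= value_cut
    low_effort = gap.effort < effort_cut
    if high_value and low_effort:
        return "Q1: do first"
    if high_value:
        return "Q2: plan and fund"
    if low_effort:
        return "Q3: fill-in work"
    return "Q4: defer"


def prioritize(gaps: List[Gap]) -> List[Gap]:
    """Rank gaps by value gained per unit of effort, best first."""
    return sorted(gaps, key=lambda g: g.value / g.effort, reverse=True)


def report(gaps: List[Gap]) -> List[Tuple[str, str, float]]:
    """(gap name, quadrant, value/effort ratio) in priority order."""
    return [(g.name, quadrant(g), round(g.value / g.effort, 2)) for g in prioritize(gaps)]


# Constructed sample gaps; the technique IDs are real ATT&CK entries,
# the mapping and scores are assumptions for this example.
SAMPLE_GAPS = [
    Gap("No endpoint process/command-line logging", ["T1059", "T1003"], 5, 5, 3, 2, 3),
    Gap("No MFA on VPN", ["T1078"], 4, 5, 2, 2, 2),
    Gap("No email attachment sandboxing", ["T1566"], 4, 3, 4, 3, 5),
    Gap("No removable media control", ["T1091"], 2, 2, 3, 2, 2),
]

if __name__ == "__main__":
    for name, quad, ratio in report(SAMPLE_GAPS):
        print(f"{ratio:5.2f}  {quad:18s}  {name}")
```

The ratio is what orders the work; the quadrant is what you put in front of stakeholders, because two gaps in the same quadrant can have very different ratios and the chart makes the trade-off visible without the arithmetic.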

Examples of mappings in real environments

Security vulnerabilities and coverage gaps are a fact of life for anyone who works in infosec. Here are a few security coverage issues that I’ve experienced, their applicable mapping and prioritization on a quad chart, and a discussion of the work streams I would implement. All of these issues are extremely common and will hopefully provide insight as you look at your own environment.

The first issue that I’ve run into multiple times is a lack of logging, or a lack of logging the proper security logs. This is a problem because logs are the first place a security responder looks when investigating an alert and attempting to find anything suspicious or malicious. If logging is not up to par, there is likely compromise activity occurring that you are not aware of, because logs are also what detections and alerts are typically built on. To identify whether this is an...
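One concrete way to find this kind of gap, as an added example that is not the book's own procedure: express each log feed you actually ingest as the ATT&CK data components it provides, compare that against the data components ATT&CK lists for the techniques you care about, and report the techniques you cannot fully detect because the logs simply do not exist. The feed inventory and candidate feeds are constructed, and the per-technique component lists are an illustrative subset of what ATT&CK publishes; verify them against attack.mitre.org before using the mapping for your own environment.

```python
"""Detection gaps caused by missing log sources.

Added example, not code from the book. INGESTED and CANDIDATES are a
constructed inventory; TECHNIQUE_NEEDS is an illustrative subset of
the data components ATT&CK lists per technique.
"""
from typing import Dict, List, Set, Tuple

Component = str

# Constructed: feeds that actually reach the SIEM, as ATT&CK data components.
INGESTED: Dict[str, Set[Component]] = {
    "windows-security-logon (4624/4625)": {"Logon Session: Logon Session Creation"},
    "firewall-netflow": {"Network Traffic: Network Connection Creation"},
}

# Constructed: feeds that exist on the hosts but are not yet collected.
CANDIDATES: Dict[str, Set[Component]] = {
    "sysmon-1 (process create)": {"Process: Process Creation", "Command: Command Execution"},
    "sysmon-10 (process access)": {"Process: Process Access"},
    "idp-auth-log": {"User Account: User Account Authentication"},
}

# Illustrative subset of ATT&CK data components per technique (assumption;
# the full lists are on each technique page at attack.mitre.org).
TECHNIQUE_NEEDS: Dict[str, Set[Component]] = {
    "T1078 Valid Accounts": {"Logon Session: Logon Session Creation",
                             "User Account: User Account Authentication"},
    "T1059 Command and Scripting Interpreter": {"Process: Process Creation",
                                                "Command: Command Execution"},
    "T1021 Remote Services": {"Logon Session: Logon Session Creation",
                              "Network Traffic: Network Connection Creation"},
    "T1003 OS Credential Dumping": {"Process: Process Access",
                                    "Command: Command Execution"},
}


def available(sources: Dict[str, Set[Component]]) -> Set[Component]:
    """Union of the data components all ingested feeds provide."""
    have: Set[Component] = set()
    for comps in sources.values():
        have |= comps
    return have


def coverage(sources: Dict[str, Set[Component]],
             needs: Dict[str, Set[Component]] = TECHNIQUE_NEEDS
             ) -> Dict[str, Tuple[float, Set[Component]]]:
    """Per technique: fraction of required components present, and what is missing."""
    have = available(sources)
    return {tech: (len(req & have) / len(req), req - have) for tech, req in needs.items()}


def logging_gaps(sources: Dict[str, Set[Component]],
                 needs: Dict[str, Set[Component]] = TECHNIQUE_NEEDS) -> List[str]:
    """Techniques that cannot be fully detected with the logs ingested, worst first."""
    cov = coverage(sources, needs)
    return sorted((t for t, (frac, _) in cov.items() if frac < 1.0),
                  key=lambda t: cov[t][0])


def best_next_source(sources: Dict[str, Set[Component]],
                     candidates: Dict[str, Set[Component]],
                     needs: Dict[str, Set[Component]] = TECHNIQUE_NEEDS) -> Tuple[str, float]:
    """Greedy pick: the single un-ingested feed that raises total coverage the most."""
    baseline = sum(frac for frac, _ in coverage(sources, needs).values())
    best, best_gain = "", -1.0
    for name, comps in candidates.items():
        trial = dict(sources)
        trial[name] = comps
        gain = sum(frac for frac, _ in coverage(trial, needs).values()) - baseline
        if gain > best_gain:
            best, best_gain = name, gain
    return best, best_gain


if __name__ == "__main__":
    for tech in logging_gaps(INGESTED):
        frac, missing = coverage(INGESTED)[tech]
        print(f"{frac:.0%}  {tech}: missing {sorted(missing)}")
    print("ingest next:", best_next_source(INGESTED, CANDIDATES))
```

Run against the constructed inventory, the script flags T1059 and T1003 as completely blind (no process or command-line telemetry at all) and T1078 as half covered, and it picks the Sysmon process-creation feed as the next thing to onboard because that one feed moves two techniques at once. The same greedy step can be repeated after each onboarding to produce an ordered logging roadmap that you can then score on the quad chart.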

Summary

As you can see, some of the concepts we’ve learned previously, such as purple team exercises and threat modeling, all play a role when it comes to prioritization and mapping tactics to gaps. As you’ll continue to see, security in general is interconnected, which means that when processes and teams work in synergy, you are more likely to be able to implement a defense-in-depth approach and make your organization more secure. In the next chapter, we’ll continue to talk through implementation and examine some of the mistakes that get made when securing infrastructure and processes. I’ll also walk through some of my previously failed security projects, the lessons learned from those experiences, and what I would do differently if I were to complete those projects again.
