Threats
Role-Specific Access
Accessibility for Threat Modelers and Compliance Managers
- Designated Roles: The threat modeling feature in vucavoid is specifically designed for users with the roles of Threat Modeler and Compliance Manager.
- Role Functions:
  - Threat Modelers: Primarily responsible for creating and defining threats based on the MITRE ATT&CK framework.
  - Compliance Managers: Utilize the modeled threats for compliance assessments and to inform the organization’s cybersecurity strategies.
Overview of Threats in vucavoid
Purpose and Definition of Threats
- Fundamental Role: Threats in vucavoid provide a structured way to understand, and to iteratively revisit, the cyber threat landscape specific to an organization.
- Cyber Threat Focus: The feature exclusively focuses on cyber threats, aligning with the growing need for robust cyber threat intelligence and management.
Basis on MITRE ATT&CK Framework
- Framework Adoption: vucavoid utilizes the MITRE ATT&CK framework, a globally recognized and industry-accepted knowledge base for cyber adversary tactics and techniques.
- Framework Benefits:
  - Comprehensive Coverage: ATT&CK offers a detailed classification of cyber threats, enabling organizations to prepare against a wide range of adversarial tactics and techniques.
  - Real-World Relevance: The continuous updates and real-world applicability of the ATT&CK framework ensure that the threat modeling in vucavoid remains current and effective.
- Framework Versions: vucavoid supports all MITRE ATT&CK framework versions from ATT&CK 3.0 onwards, offering flexibility and choice in threat modeling.
Attributes of Threats
Threat Basics
- Title: Assign a concise and descriptive title for each threat, encapsulating its essence and focus.
- Description: Provide a detailed description of the threat, emphasizing its purpose, scope, and how it aligns with your organization’s cybersecurity landscape.
MITRE ATT&CK Composition
- ATT&CK Version Selection: Choose the specific version of the MITRE ATT&CK framework to base the threat model on. This selection determines the available tactics and techniques for modeling.
- Tactics and Techniques:
  - Tactics: Select one or multiple tactics as defined in the chosen ATT&CK version, setting the foundation for the threat model.
  - Techniques: After selecting tactics, choose corresponding techniques. These are the specific methods that attackers might use, as per the ATT&CK framework. Each technique contributes to building a comprehensive threat model.
Status Management
- Progressive Status Updates:
  - Initial: Set automatically when a new threat is created.
  - In Progress: The threat moves to this status once the first technique is selected and stays there until the threat is finalized.
  - Final: Set manually by finalizing the threat. A Final threat can no longer be altered and is ready for use in challenges.
  - Archived: Set this status to archive threats that are no longer relevant. Archived threats are not available for selection or use in challenges.
Manufacturer Defined Flag
- Origin Indicator: This field specifies whether a threat is defined by vucavoid or created by the user’s organization, assisting in distinguishing between standardized and custom threat models.
Modeling Threats in vucavoid
Approach to Modeling Threats
- Strategic Orientation: Decide on your approach to modeling threats in vucavoid, considering whether to focus on attack patterns (adversary profiles like APTs) or defense strategies (based on your organization’s vulnerabilities).
- Attack-Oriented Approach: Analyze relevant adversary profiles and align your threat modeling with tactics and techniques known to be used by these adversaries.
- Defense-Oriented Approach: Evaluate your organization’s specific vulnerabilities and use the standardized techniques from ATT&CK to assess and prepare against potential cyberattacks.
Technical Modeling Process
- Initial Setup: Begin by providing a title and, as recommended, a description for the threat, establishing its basic identity.
- Tactics and Techniques Selection:
  - Tactic Selection: Choose relevant tactics from the selected version of MITRE ATT&CK; this choice dictates the techniques available for selection.
  - Technique Inclusion: Add specific techniques under each tactic to form a detailed threat model, considering sub-techniques where applicable.
- Finalization of Threat Model:
  - Completing the Model: Once all relevant tactics and techniques are selected, finalize the threat model to make it usable across vucavoid.
  - Status Transition to 'Final': Finalizing the threat changes its status to 'Final', indicating that it is ready for application in challenges.
Using a Threat as a Blueprint
- Replication for Consistency: Leverage existing, finalized threats as blueprints to model new threats, especially useful for regular updates (e.g., monthly industry-specific threats).
- Modification and Adaptation: Copy a threat using the 'replicate' function, then modify it to reflect new or evolving cyber threats, ensuring your threat models stay relevant and up-to-date.
Applying Threats in Challenges
Integration with vucavoid Challenges
- Benchmarking Tool: Modeled threats in vucavoid serve as benchmarks or standards in challenges, particularly for evaluating the resilience of IT assets against specific cyber threat techniques.
- Challenge Configuration: When setting up challenges in vucavoid, select the finalized threats as part of the criteria. This allows for a focused assessment based on the techniques encompassed within the threat model.
Technique-Level Application
- Detailed Assessment: Challenges in vucavoid are conducted at the technique level. This means that each technique within a threat model is used to scrutinize and test the defenses of the selected IT assets.
- Comprehensive Cybersecurity Posture Analysis: By applying threats in challenges, organizations gain a nuanced understanding of their cybersecurity strengths and weaknesses, directly linked to real-world adversarial tactics and techniques.
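The lifecycle and usage rules described under Status Management, Using a Threat as a Blueprint and Technique-Level Application, sketched as an added Python model. This is illustrative code written for this page, not vucavoid's own implementation; the ATT&CK catalogue subset, the version label and the asset coverage data are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    INITIAL = "Initial"          # set automatically on creation
    IN_PROGRESS = "In Progress"  # first technique selected
    FINAL = "Final"              # finalized manually; no further edits
    ARCHIVED = "Archived"        # no longer selectable for challenges

# Constructed subset of one ATT&CK version's tactic -> technique catalogue (illustrative only).
ATTACK_CATALOG = {
    "ATT&CK 14": {"Initial Access": {"T1566", "T1190"},
                  "Execution": {"T1059", "T1204"}},
}

@dataclass
class Threat:
    title: str
    attack_version: str
    tactics: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    status: Status = Status.INITIAL
    manufacturer_defined: bool = False  # vucavoid-defined vs. organisation-defined

    def add_technique(self, tactic: str, technique: str) -> None:
        if self.status in (Status.FINAL, Status.ARCHIVED):
            raise ValueError("finalized and archived threats cannot be altered")
        allowed = ATTACK_CATALOG[self.attack_version].get(tactic, set())
        if technique not in allowed:  # the chosen version dictates what is selectable
            raise ValueError(f"{technique} is not a {tactic} technique in {self.attack_version}")
        self.tactics.add(tactic)
        self.techniques.add(technique)
        self.status = Status.IN_PROGRESS
    def finalize(self) -> None:
        if self.status is not Status.IN_PROGRESS:
            raise ValueError("only a threat with at least one technique can be finalized")
        self.status = Status.FINAL
    def archive(self) -> None:
        self.status = Status.ARCHIVED
    def replicate(self, new_title: str) -> "Threat":
        # Blueprint use: a fresh, editable copy that starts the lifecycle again.
        return Threat(new_title, self.attack_version, set(self.tactics), set(self.techniques))

def run_challenge(threat: Threat, assets: list, coverage: dict) -> dict:
    """Technique-level assessment: per technique of a Final threat, which assets have a covering control."""
    if threat.status is not Status.FINAL:
        raise ValueError("only Final threats can be selected for a challenge")
    return {t: {a: t in coverage.get(a, set()) for a in assets} for t in sorted(threat.techniques)}
```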
Documentation and Improvement
- Record Keeping: The results of challenges provide valuable documentation of how well the organization’s IT assets can withstand or counter the modeled threats.
- Continuous Improvement: Based on challenge outcomes, organizations can refine their cybersecurity strategies and controls, ensuring a proactive and adaptive approach to cyber threat management.