Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
- 1. EVALUATING AND ENHANCING SECURITY MATURITY THROUGH MITRE ATT&CK MAPPING
- 2. Pranusha Somareddy • Over the last 7 years, actively worked on Penetration Testing, Blue Teaming, Infrastructure and Product Security. • Founding and Senior Security Engineer at Lark Health
- 3. Agenda ● Human error in security breaches ● Map MITRE ATT&CK Techniques to security controls ● Security Awareness is Security Maturity ● Evaluating security awareness ● Enhancing security awareness
- 4. Human Error in Security breaches 2017 Equifax announced a data breach that exposed the personal information of 147 million people. 2018 Panera Bread exposed millions of customer records because of a misconfigured API that allowed access to sensitive information. 2019 Capital One data breach exposed data of 100 million credit card applicants 2020 The University of California disclosed a breach in which unauthorized access was gained to personal and financial information employees. 2021 Colonial Pipeline, a major fuel pipeline operator in the United States, fell victim to a ransomware attack. 2022 Robinhood disclosed a data breach that potentially gave access user data.
- 5. Mapping Security Controls Initial Access • MFA Authentication • SSO based logins • Phishing awareness training • Continuous Patch Management Execution & Persistence • Principle of Least Privilege • Quarterly access auditing • Role Based Access Control • Logging and Monitoring Exfiltration • Strong Encryption techniques • Limited Access to Data • Policies and procedures to report data breaches
- 6. Initial Access M1017 - User Training M1032 - MFA Authentication M1027 - Password Policies TA0001 - Initial Access T1566 - Phishing T1078 - Valid Accounts
- 7. Execution & Persistence M1026 - Privileged Account Management M1017 - User Training M1026 - User Account Management M1032 - Multi- factor Authentication Execution and Persistence T1204 - User Execution T1651 - Cloud Administration Command T1609 - Container Administration Command T1098- Account Manipulation T1556 - Modify Authentication Process M1027 - Password Policies
- 8. Data Collection M1047 - Audit M1041 - Encrypt Sensitive Information M1026 - User Account Management M1032 - Multi- factor Authentication Data Collection T1213 - Data from Information Repositories T1530 - Data from Cloud Storage T1005 - Data from Local System M1057 - Data Loss Prevention M1017 - User Training
- 9. Evaluate Security Awareness ● Identify the Security Champions ● Phishing Email campaigns ● Simulation Red Team Activities ● Security Awareness questionnaires ● Code Review Analysis ● Security Feedback loop
- 10. Enhance Security Awareness Customized Security Trainings Instill Security Importance in Managers Security Engineer Collaboration Incident Response Tabletop Exercises Educative Security Newsletters Enhance Security Awareness to Enhance Security Maturity
- 11. Achieving security maturity is not a one-time event but it is a continuous journey