MITRE Engenuity's Center for Threat-Informed Defense (CTID) recently released its latest version of the Attack Flow project. This is the third project FortiGuard Labs has worked on in partnership with CTID, and we're particularly excited about the promise this effort holds to advance the entire cybersecurity industry. CTID and Fortinet, in collaboration with additional research partners, introduced Attack Flow earlier this year with the goal of developing "a common data format for describing sequences of adversary behavior in order to improve defensive capability."

One of the most powerful things you can do when fighting cybercrime is shifting the economics of an attack, and this new standard focused on adversary behavior does just that. It allows for a deeper understanding of the unfolding details around an attack. By adding another dimension to cyber intrusion data, cyber defenders can narrow in even more on the paths an attacker is most likely to take and then put the proper roadblocks in place to stop them.

Attack Flow is invaluable for security leaders and their teams. Understanding and visually communicating the flow of an attack, as well as its potential outcomes and affected assets, can make us all more effective defenders.

What's New in Attack Flow and Why it Matters to CISOs

With its latest release, CTID introduced updates that will help security teams more easily describe, display, and share sequences of adversary behavior. Defenders typically track attacker behaviors individually, focusing on one specific action at a time. Attack Flow enables defenders to "zoom out" and analyze a more holistic view of a potential threat. As a result, they can crisply communicate what they're seeing and make more informed decisions about how to effectively stop bad actors in their tracks. Attack Flow is also valuable in helping CISOs identify commonly targeted assets and how attackers reach them. This is very valuable information when establishing an efficient cybersecurity posture, as it helps prioritize the assets most likely to be attacked.

Now in version 2 of the project, attack flows can capture the detailed nuances of attacks even more fully, including precondition filters and logical constructs such as "AND" and "OR." With Attack Flow now expressed in STIX, it is possible to leverage the full capabilities of STIX objects to design attack flows, either manually or through automated tools.
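To make the STIX expression concrete, here is an added example (not code from the Fortinet post or from the CTID project) that builds a small Attack Flow v2 style bundle from plain STIX 2.1 dictionaries, with one precondition and one "AND" join, and then walks it to list every path the intrusion could take and the actions common to all of them, which are the natural candidates for the "roadblocks" discussed above. The object types and property names (attack-flow, attack-action, attack-condition, attack-operator, attack-asset, start_refs, effect_refs, on_true_refs, on_false_refs, operator_type, asset_refs) follow my reading of the Attack Flow v2 specification and should be verified against the published schema; the extension-definition id is a placeholder, and the scenario, techniques and asset are constructed.

```python
"""Constructed Attack Flow v2 style bundle plus a path walker (added example).
Property names are assumptions from the Attack Flow v2 spec; verify against
the published schema before relying on them."""
import json
import uuid

# Placeholder for the Attack Flow extension-definition id (not the real one).
FLOW_EXT = "extension-definition--00000000-0000-0000-0000-000000000000"
CREATED = "2022-11-03T00:00:00.000Z"  # constructed timestamp


def sdo(obj_type, **props):
    """Build a STIX 2.1 domain object carrying the common required fields."""
    return {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": CREATED,
        "modified": CREATED,
        "extensions": {FLOW_EXT: {"extension_type": "new-sdo"}},
        **props,
    }


def action(name, technique_id, effect_refs=(), asset_refs=()):
    """An attack-action node tagged with its ATT&CK technique id."""
    return sdo("attack-action", name=name, technique_id=technique_id,
               effect_refs=list(effect_refs), asset_refs=list(asset_refs))


def build_bundle():
    """Constructed phishing-to-exfiltration flow with one condition and one AND join."""
    fileserver = sdo("attack-asset", name="Finance file server")
    exfil = action("Exfiltrate archive over C2", "T1041")
    lateral = action("Move laterally over SMB", "T1021.002",
                     effect_refs=[exfil["id"]], asset_refs=[fileserver["id"]])
    # AND: credential theft and host discovery must both succeed before lateral movement.
    join = sdo("attack-operator", operator_type="AND", effect_refs=[lateral["id"]])
    creds = action("Dump LSASS credentials", "T1003.001", effect_refs=[join["id"]])
    disc = action("Enumerate remote systems", "T1018", effect_refs=[join["id"]])
    execute = action("User runs malicious macro", "T1204.002",
                     effect_refs=[creds["id"], disc["id"]])
    # Precondition: the flow only continues if the recipient opens the attachment.
    opened = sdo("attack-condition", description="Recipient opens the attachment",
                 on_true_refs=[execute["id"]], on_false_refs=[])
    phish = action("Spearphishing attachment", "T1566.001", effect_refs=[opened["id"]])
    flow = sdo("attack-flow", name="Constructed phishing intrusion", scope="incident",
               start_refs=[phish["id"]])
    objects = [flow, phish, opened, execute, creds, disc, join, lateral, exfil, fileserver]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def enumerate_paths(bundle):
    """Every start-to-end path through the flow. Conditions fork into a true and a
    false leg; a leg with nothing attached ends the path (the attack stalls there)."""
    index = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")
    paths = []

    def walk(obj_id, trail):
        obj = index[obj_id]
        if obj["type"] == "attack-condition":
            for branch, refs in (("true", obj["on_true_refs"]), ("false", obj["on_false_refs"])):
                step = trail + [f"if({obj['description']})={branch}"]
                if not refs:
                    paths.append(step)
                for ref in refs:
                    walk(ref, step)
            return
        step = trail + [obj["technique_id"] if obj["type"] == "attack-action"
                        else obj["operator_type"]]
        refs = obj.get("effect_refs", [])
        if not refs:
            paths.append(step)
        for ref in refs:
            walk(ref, step)

    for start in flow["start_refs"]:
        walk(start, [])
    return paths


def chokepoint_techniques(paths):
    """Techniques on every path that reaches an objective (ends at an action):
    detecting or blocking any one of them covers the whole flow."""
    complete = [set(p) for p in paths if not p[-1].startswith("if(")]
    common = set.intersection(*complete) if complete else set()
    return {t for t in common if t.startswith("T")}


def affected_assets(bundle):
    """Map each technique to the assets the flow says it touches."""
    index = {o["id"]: o for o in bundle["objects"]}
    return {o["technique_id"]: [index[a]["name"] for a in o["asset_refs"]]
            for o in bundle["objects"] if o["type"] == "attack-action" and o["asset_refs"]}


if __name__ == "__main__":
    bundle = build_bundle()
    paths = enumerate_paths(bundle)
    for p in paths:
        print(" -> ".join(p))
    print("chokepoints:", sorted(chokepoint_techniques(paths)))
    print("assets:", affected_assets(bundle))
    print(json.dumps(bundle, indent=2))  # the bundle as shareable STIX JSON
```

Running it prints three paths (the stalled "attachment not opened" leg and the two legs that feed the AND join), the four techniques shared by every successful path, and the file server reached by lateral movement, then the bundle itself as JSON that could be handed to another team.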

Threat analysts aren't the only ones who benefit from the latest Attack Flow release. These updates will help facilitate cross-team collaboration, especially during incident investigations when every second counts, and provide CISOs with a broader view of the threats targeting the business.

Below is a brief overview of the latest Attack Flow enhancements and their value to security teams and the broader organization.

Disclaimer

Fortinet Inc. published this content on 03 November 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 03 November 2022 16:32:05 UTC.