diff --git a/src/assets/methodology/actionability_without_utility.png b/src/assets/methodology/actionability_without_utility.png index 567718e..34ea595 100644 Binary files a/src/assets/methodology/actionability_without_utility.png and b/src/assets/methodology/actionability_without_utility.png differ diff --git a/src/assets/methodology/weighting-examples.png b/src/assets/methodology/weighting-examples.png index 559fc08..e51b380 100644 Binary files a/src/assets/methodology/weighting-examples.png and b/src/assets/methodology/weighting-examples.png differ diff --git a/src/assets/methodology/weighting_function.png b/src/assets/methodology/weighting_function.png index 7b081c0..f2c957b 100644 Binary files a/src/assets/methodology/weighting_function.png and b/src/assets/methodology/weighting_function.png differ diff --git a/src/components/MethodologyDetails.vue b/src/components/MethodologyDetails.vue index edd82e2..5480f8a 100644 --- a/src/components/MethodologyDetails.vue +++ b/src/components/MethodologyDetails.vue @@ -46,7 +46,8 @@ is just as, if not more, important than other techniques. We tried to account for this by allowing users to choose which analytics and controls should be included in the weighted list.

- + Scatterplot mapping number of detections on the x axis and number of mitigations on the y axis. Each point represents a single technique. The majority of techniques are below 20 detections and under 30 mitigations, but there are about 20 outliers.

You can see there are quite a few outliers, especially for detections. Keep in mind that there are known to be duplicates, so there is likely some double counting.

@@ -92,7 +93,8 @@

For example scores, the cutoffs are 0 and 100 for detections, and 0 and 55 for mitigations.

Examples of potential utility functions are illustrated below:

- + line graph that visualizes different examples of the recommended piecewise utility function with lower and upper cutoffs used to normalize a technique's mitigation and detection score into a single number

Defining Attribute Weighting

We then define weights for each of the attributes to rank their importance. Once we have the weights @@ -188,14 +190,16 @@

  • You can see that the highest score that a technique with no mitigations can have is about 0.45
    • - + scatterplot displaying number of detections on the x axis and number of mitigations on the y axis with actionability scores calculated from the actionability formula overlayed on top. Most techniques have an actionability score between 0 and 0.45

    Here's what actionability would look like if we didn't use utility functions to scale detections and mitigations. We can see that actionability is now unbounded, which will make things difficult to combine later on. Also, even if a technique has zero mitigations, it could still receive a high actionability score if its detections is high enough.

    - + scatterplot displaying number of detections on the x axis and number of mitigations on the y axis with actionability scores overlayed on top. Since these scores have not been scaled with the utility function, actionability is unbounded and the highest value is 350 as opposed to 0. Most techniques have a score between o and 100.
    @@ -240,14 +244,16 @@

    The MITRE team considered choke point to be the middle technique where many other techniques could go into and come out of in an attack flow proceeding.

    - + example of a choke point where six techniques all point to process injection as the next technique in an attack flow before moving on to another technique

    T1055: Process Injection Successful Choke Point

    T1055: Process Injection is a great example of many techniques calling Process Injection as the next technique in succession for the cyber attack then proceeding to any number of other techniques afterwards.

    - + example of a failed choke point where one technique leads to another technique and does not have another technique afterwards.

    T1491: Defacement Non-Successful Choke Point

    T1491: Defacement is a great @@ -281,7 +287,8 @@ cutoff should be no lower than the smallest value for its attribute.]

    Examples of potential utility functions are illustrated below:

    - + line graph that visualizes different examples of the recommended piecewise utility function with lower and upper cutoffs used to normalize a technique's mitigation and detection score into a single number

    Attribute Weighting

    We define the weights and We can make a scatter plot of the number of before and after techniques among the potential chokepoints:

    - + Scatterplot mapping the number of techniques before on the x axis and the number of techniques after on the y axis. Most techniques that are possible chokepoints have more techniques before them than after

    And we can overlay this with a contour plot of the actual chokepoint function (patches of the same color have roughly the same chokepoint score)

    - + Scatterplot mapping the number of techniques before on the x axis and the number of techniques after on the y axis with chokepoint scores overlayed on top. Most techniques have a chokepoint score below 0.45
    -

    and we can compare this with a plot of what the chokepoint function would look like had we not used - utility functions to scale the number of before and after techniques

    +

    And we can compare this with a plot of what the chokepoint function would look like had we not used + utility functions to scale the number of before and after techniques:

    - + Scatterplot mapping the number of techniques before on the x axis and the number of techniques after on the y axis with chokepoint scores overlayed on top. Because it is not normalized by the utility function, chokepoint scores can range up to 30.
    @@ -381,17 +391,20 @@

    The weighting function and its parameters may sound complicated in text, but it is best understood visually:

    - + Line graph that visualizes the weight of a technique on the y axis over time on the x axis. Techniques have a weight of wmin until decline is reached, at which point the weight increases in a straight line until full is reached. For the full time period, the weight is 1.

    Some examples of the weighting function using various parameters are given below:

    - + Examples of three weighting functions, demonstrating how changing the values for full, decline, and wmin can alter the weighting function. The smaller the distance between full and decline and the larger the distance between wwmin and 1, the steeper the slope of the weighting function becomes.

    Normalizing Prevalence Scores

    Since only a few techniques make up a large majority of all sightings, we need to be careful about accounting for these outliers when we put the prevalence scores on a zero-to-one scale.

    - + bar chart showing unnormalized prevalence on the x axis and weight on the y axis. The scale is so varied that most weights are hardly visible, demonstrating the need for normalization.

    This is a histogram of the distribution of prevalence scores across all techniques for which we have attack times. Note that there are a few techniques that have a prevalence score that is FAR greater than @@ -490,7 +503,11 @@ export default defineComponent({ } ul { - @apply list-disc ml-6 + @apply list-disc ml-6 mb-4 +} + +ol { + @apply mb-4 } ul p { @@ -508,4 +525,8 @@ a { p { @apply mb-2 } + +.MathJax_Display { + margin-bottom: 10px !important; +} \ No newline at end of file diff --git a/src/views/MethodologyPage.vue b/src/views/MethodologyPage.vue index fa1412f..80b0080 100644 --- a/src/views/MethodologyPage.vue +++ b/src/views/MethodologyPage.vue @@ -2,14 +2,15 @@

    Methodology

    -

    A prioritized list of MITRE ATT&CK techniques should actionable and driven - by threat intelligence The Center’s methodology is composed of three different components - Actionability, Choke +

    A prioritized list of MITRE ATT&CK techniques should be actionable and driven + by threat intelligence. The Center’s methodology is composed of three different components - Actionability, + Choke Point, and Prevalence. Algorithms for each component were created to determine a technique’s weight within a specific component, and then each component weight is combined to give an overall weight.

    -
    +