Uniting Threat, Vulnerability and Risk

Shankar Murali
2 min read · Apr 22, 2022

For a long time I had an unclear vision of how I could combine the available risk, vulnerability and threat data and use it flexibly for various needs, with an output readable by both machines and humans.

That thought became a reality last week! I planned the stages clearly and was able to execute them as designed. I got vulnerability data from NVD, threat data from CTID and MITRE, and risk framework data from NIST SP 800-53. After getting this data, the challenge was finding an analytical tool into which I could import the data and perform various operations on it (slice and dice, aggregate, extract, explode, join, replace etc.).

I did a few searches and experimented with some analytics tools: Google, Zoho, ADX, Superset, Splunk, Tableau etc. None felt as good to me as ADX (Azure Data Explorer). So I settled on ADX as the tool; with the available subscription, I was able to aggregate, pack and extract the needed data.

Below is the outcome of my analytics.

We can summarize by NIST control family, by CVE or by ATT&CK technique. The output can be exported in machine-readable formats such as JSON or XML and used as a feed to other systems or products, or correlated with other data for further analytics or enrichment.

Ref
https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/
https://github.com/center-for-threat-informed-defense/

Use Cases

If you get an advisory saying “an attack technique, say T1234, is very active and is targeting your industry, say banking”, we will be able to relate the past known vulnerabilities exploited by the group and the controls that are to be checked and validated to counter these actors. These actions give us the information needed to assure the board that we will not be an opportunistic victim of this campaign. This information helps prioritize vulnerability remediation based on the threat landscape, and the same knowledge can be used to strengthen and revalidate the focused protective controls.
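The joins and summaries described above (by control family, CVE or technique) and the advisory use case in this section can be reproduced outside ADX. The Python below is an added example and is not the author's KQL; it joins three constructed sample tables shaped like the real feeds (NVD CVE records, a CVE-to-ATT&CK mapping, and the CTID ATT&CK-to-NIST 800-53 mapping). The CVE numbers and technique IDs are placeholders (T1234 is the post's own example ID), not real vulnerabilities or ATT&CK entries; the control family names are the standard 800-53 family names for those prefixes.

```python
"""Join vulnerability (CVE), threat (ATT&CK technique) and risk (NIST SP 800-53
control) data, then summarize by control family, CVE or technique.

Added example, not the post's ADX/KQL work. Every record below is constructed
sample data in the shape of the three feeds; CVE and technique IDs are
placeholders, not real vulnerabilities or ATT&CK techniques."""
import json
from collections import defaultdict

# Constructed sample in the shape of NVD CVE records (id, CVSS base score).
NVD_CVES = [
    {"cve_id": "CVE-0000-0001", "base_score": 9.8},
    {"cve_id": "CVE-0000-0002", "base_score": 7.5},
    {"cve_id": "CVE-0000-0003", "base_score": 5.3},
]

# Constructed sample in the shape of a CVE-to-ATT&CK mapping: which
# technique(s) exploiting the CVE gives an attacker.
CVE_TO_TECHNIQUE = [
    ("CVE-0000-0001", "T1234"),
    ("CVE-0000-0001", "T1235"),
    ("CVE-0000-0002", "T1234"),
    ("CVE-0000-0003", "T1236"),
]

# Constructed sample in the shape of the CTID ATT&CK-to-NIST 800-53 mapping.
TECHNIQUE_TO_CONTROL = [
    ("T1234", "AC-3"),
    ("T1234", "SI-4"),
    ("T1235", "AC-6"),
    ("T1235", "CM-7"),
    ("T1236", "SI-4"),
]

# NIST SP 800-53 family names keyed by the two-letter control prefix.
CONTROL_FAMILIES = {
    "AC": "Access Control",
    "CM": "Configuration Management",
    "SI": "System and Information Integrity",
}


def control_family(control_id):
    """Map a control ID such as 'AC-3' to its 800-53 family name."""
    return CONTROL_FAMILIES.get(control_id.split("-")[0], "Unknown")


def join_all():
    """Flatten the three feeds into one row per (CVE, technique, control),
    the shape of a single joined table ready for slicing and aggregation."""
    score = {c["cve_id"]: c["base_score"] for c in NVD_CVES}
    controls = defaultdict(list)
    for tech, ctrl in TECHNIQUE_TO_CONTROL:
        controls[tech].append(ctrl)
    rows = []
    for cve, tech in CVE_TO_TECHNIQUE:
        for ctrl in controls.get(tech, []):
            rows.append({"cve": cve, "score": score.get(cve), "technique": tech,
                         "control": ctrl, "family": control_family(ctrl)})
    return rows


def summarize(rows, key):
    """Group rows by 'family', 'cve' or 'technique'; each group lists the
    distinct values of the other dimensions. The result is plain dicts and
    lists, so json.dumps() gives the machine-readable export."""
    out = defaultdict(lambda: defaultdict(set))
    for r in rows:
        for dim in ("cve", "technique", "control", "family"):
            if dim != key:
                out[r[key]][dim].add(r[dim])
    return {k: {d: sorted(v) for d, v in dims.items()} for k, dims in out.items()}


def prioritize_for_technique(rows, technique):
    """Use case: an advisory says a technique is active against your sector.
    Return the CVEs that hand an attacker that technique, highest CVSS first
    (patch order), and the 800-53 controls to validate against it."""
    hits = [r for r in rows if r["technique"] == technique]
    cves = sorted({(r["cve"], r["score"]) for r in hits}, key=lambda x: -x[1])
    return {
        "technique": technique,
        "patch_first": [cve for cve, _ in cves],
        "validate_controls": sorted({r["control"] for r in hits}),
    }


if __name__ == "__main__":
    rows = join_all()
    print(json.dumps(summarize(rows, "family"), indent=2))
    print(json.dumps(prioritize_for_technique(rows, "T1234"), indent=2))
```

Swapping the constructed lists for the real feeds (the NVD JSON, the CTID mapping files) leaves the join and summary functions unchanged; only the loaders differ.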
