Mastering Risk Assessments: Leveraging CIA, STRIDE, and MITRE ATT&CK

In my years working in cybersecurity, I've learned that thorough risk assessments are key to protecting a company's assets. Over time, I've put together a process that combines the CIA triad, STRIDE methodology, and the MITRE ATT&CK framework to cover all our bases.

I start by looking at risks through the lens of the CIA triad: Confidentiality, Integrity, and Availability. This helps me figure out what matters most for each asset and where we might be vulnerable. For example, if we're dealing with a customer database, I make sure we're keeping sensitive info confidential, that the data stays accurate and can't be changed without authorization, and that the system is available whenever the business needs it.

Next, I use the STRIDE methodology to break down potential threats:

  • Spoofing: Could someone pretend to be a user, service, or system they're not, for example by reusing stolen credentials?
  • Tampering: Is there a chance of unauthorized changes to our data, code, or configuration?
  • Repudiation: Could a user deny having performed an action because we lack the logs or evidence to prove otherwise?
  • Information Disclosure: Could sensitive data be exposed to someone who shouldn't see it?
  • Denial of Service: Are we at risk of attacks that could degrade or shut down our systems?
  • Elevation of Privilege: Can someone gain access levels they shouldn't have?

By sorting threats this way, I can create specific controls to address each risk, making sure we don't overlook anything critical.

Then I map these risks to the MITRE ATT&CK framework, which gives a detailed view of the tactics and techniques attackers actually use. This helps me understand possible attack paths and prioritize our defenses based on the most likely and damaging threats. Because each ATT&CK technique is documented with mitigations and the data sources needed to detect it, the mapping also points directly at the controls and telemetry we should have in place.

After identifying and categorizing the risks, I develop controls to mitigate them. This might involve technical solutions like firewalls, encryption, and access controls, as well as administrative steps like crafting policies, setting procedures, and training our team.

To make sure these controls are effective, I set up Key Performance Indicators (KPIs) to monitor how they're doing over time. For instance, I might track the percentage of systems running current patches, the number of security incidents each month, or how quickly we're detecting and responding to threats (mean time to detect and mean time to respond).

By regularly checking these KPIs against our targets, I can see if our controls are working as intended. If something's off, I'll dig into the cause and take action—maybe updating a control, providing extra training, or dedicating more resources where needed.
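To make the process above concrete, here is a small risk register that walks the customer-database example through the same steps: each threat is tagged with a STRIDE category, derived CIA properties, a likelihood-times-impact score, and the ATT&CK techniques it maps to, and a set of KPIs is checked against targets. This is an added example, not code from the original article. The STRIDE-to-CIA mapping, the 1-to-5 scoring scale, the sample threats, control names, and KPI values are all assumptions constructed for illustration; the ATT&CK technique IDs are real, but their pairing with these particular threats is my choice.

```python
"""Risk register tying CIA, STRIDE, MITRE ATT&CK and KPIs together (illustrative)."""
from dataclasses import dataclass

# Assumed mapping: the CIA property each STRIDE category primarily threatens.
STRIDE_TO_CIA = {
    "Spoofing": ("Confidentiality", "Integrity"),
    "Tampering": ("Integrity",),
    "Repudiation": ("Integrity",),
    "Information Disclosure": ("Confidentiality",),
    "Denial of Service": ("Availability",),
    "Elevation of Privilege": ("Confidentiality", "Integrity", "Availability"),
}


@dataclass
class Threat:
    name: str
    stride: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    attack_techniques: tuple   # MITRE ATT&CK technique IDs
    controls: tuple = ()       # mitigating controls already in place

    def __post_init__(self):
        if self.stride not in STRIDE_TO_CIA:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")

    @property
    def cia(self):
        return STRIDE_TO_CIA[self.stride]

    @property
    def score(self):
        return self.likelihood * self.impact


def prioritize(threats):
    """Highest risk first; ties broken by impact so the most damaging surface first."""
    return sorted(threats, key=lambda t: (t.score, t.impact), reverse=True)


def cia_exposure(threats):
    """Sum risk scores per CIA property to show where the asset is most exposed."""
    totals = {"Confidentiality": 0, "Integrity": 0, "Availability": 0}
    for t in threats:
        for prop in t.cia:
            totals[prop] += t.score
    return totals


def techniques_without_controls(threats):
    """ATT&CK techniques that no control currently addresses (the gaps to close)."""
    return sorted({tech for t in threats if not t.controls for tech in t.attack_techniques})


@dataclass
class Kpi:
    name: str
    value: float
    target: float
    higher_is_better: bool = True

    def on_target(self):
        return self.value >= self.target if self.higher_is_better else self.value <= self.target


def failing_kpis(kpis):
    """Names of KPIs that missed their target and need a root-cause look."""
    return [k.name for k in kpis if not k.on_target()]


# Constructed sample register for the customer database discussed in the article.
CUSTOMER_DB_THREATS = [
    Threat("Stolen DBA credentials reused", "Spoofing", 4, 5, ("T1078", "T1110"), ("MFA on admin accounts",)),
    Threat("Unauthorized edits to customer records", "Tampering", 2, 4, ("T1565.001",), ("Row-level audit triggers",)),
    Threat("Admin clears audit log after a change", "Repudiation", 2, 3, ("T1070",)),
    Threat("Bulk export of PII by an insider", "Information Disclosure", 3, 5, ("T1005", "T1041"), ("Column encryption", "DLP egress alerts")),
    Threat("Connection-exhaustion flood", "Denial of Service", 3, 3, ("T1499",), ("Connection limits", "Rate limiting")),
    Threat("App service account escalates to DBA", "Elevation of Privilege", 2, 5, ("T1068",)),
]

# Constructed sample KPI readings against assumed targets.
KPIS = [
    Kpi("Servers with current patches (%)", 91.0, 95.0),
    Kpi("Security incidents this month", 4, 3, higher_is_better=False),
    Kpi("Mean time to detect (hours)", 6.5, 8.0, higher_is_better=False),
]

if __name__ == "__main__":
    for t in prioritize(CUSTOMER_DB_THREATS):
        print(f"{t.score:>2}  {t.stride:<23} {t.name}  ATT&CK={','.join(t.attack_techniques)}")
    print("CIA exposure:", cia_exposure(CUSTOMER_DB_THREATS))
    print("Techniques with no control yet:", techniques_without_controls(CUSTOMER_DB_THREATS))
    print("KPIs off target:", failing_kpis(KPIS))
```

Running it ranks the credential-reuse spoofing threat first, shows Confidentiality and Integrity carrying most of the exposure, flags T1068 and T1070 as techniques with no control yet, and reports the patch-coverage and incident-count KPIs as off target. The point of keeping the register as data rather than a spreadsheet is that these checks can run every time a threat or KPI reading changes.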

In a nutshell, by using the CIA triad, STRIDE, and the MITRE ATT&CK framework, I can conduct thorough risk assessments and develop targeted controls. Setting up KPIs and keeping an eye on them ensures these controls stay effective, helping to protect our organization's assets.