This is a guided, step-by-step walkthrough for threat modeling with the MITRE ATT&CK Framework.
I've taken 3 classes in using MITRE ATT&CK Framework as a threat modeling tool.
I highly recommend Ismael Valenzuela's work in threat modeling and his portion of the SANS 350 course.
https://www.sans.org/profiles/ismael-valenzuela/
I've been using this threat modeling now for a few years on misc. projects and contract work. It's incredibly helpful in security control design and architecture.
MITRE ATT&CK Website - this is needed to search for threat groups, techniques, and tools used by threat actors
https://attack.mitre.org/
ATT&CK Navigator - maps out threat group techniques, allows for developing threat models
https://mitre-attack.github.io/attack-navigator/
We are trying to build matrices that show the known attack techniques of threat groups, then develop a model based on those techniques to help anticipate the actions of those threat groups and help validate security controls.
We need an industry. For this demonstration I've selected HEALTHCARE as the industry.
Go to https://attack.mitre.org/
Click the search magnifying glass
Search for "healthcare"
For simplicity we will select two threat groups: APT 40/Leviathan and APT 41
Now let's go to https://mitre-attack.github.io/attack-navigator/
Let's create a new layer
Select Enterprise under create new layer
Click on the layer and name it to the threat group
The change will be reflected in the layer name
Click the magnifying glass under selection controls
Search for the Threat Group in the search field
Click select next to the threat group
Selected techniques should now appear highlighted
Now we want a bit more visibility in the techniques so we will select a color
The attack techniques should now be colored.
Now we need to add a score to provide a value or weight to the attack techniques
Set the value for score to 1
For this exercise we will add one more, but keep in mind you can add as many as you need for your threat model.
Let's add one more by clicking the +
Let's create a new layer
Name the new layer like in the previous steps
Click enterprise
Click Selection Controls magnifying glass and search for the threat group
Validate that the threat group techniques have been selected
Select the color for the threat group's techniques.
Set the score for the techniques just as before
Now we want to add all of the layers together (if you only have two, that's fine, but you can always do more).
Let's add one more by clicking the +
Click Create Layers from other layers. Domain should be Enterprise ATT&CK, Expression should be the layers you have (a+b), and gradient & coloring should be your first layer.
If you've created it correctly you should have a threat model based on the threat groups you selected, color coded with the scores added for a combined score on techniques that overlap.
Next steps would be to export your threat model and compare it against your known security controls. If security controls have not been identified, the threat model can provide insight on security controls for your particular use case.
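
The a+b layer scoring and the control comparison from the steps above, as an added Python example that is not part of the original walkthrough. The technique sets, group names and control map are constructed sample data (assumptions, not the real technique lists of any threat group), and the layer dicts carry only the fields the example needs.

```python
import json

def make_layer(name, technique_ids, score=1, color="#e60d0d"):
    """Minimal Navigator-style layer: every selected technique gets the same score."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": score, "color": color}
                       for t in sorted(technique_ids)],
    }

def combine_layers(name, *layers):
    """Same idea as the a+b expression: sum the scores per technique ID."""
    totals = {}
    for layer in layers:
        for tech in layer["techniques"]:
            tid = tech["techniqueID"]
            totals[tid] = totals.get(tid, 0) + tech.get("score", 0)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(totals.items())],
    }

def coverage_gaps(model, controls):
    """Techniques in the model with no mapped control, highest combined score first."""
    gaps = [(t["techniqueID"], t["score"]) for t in model["techniques"]
            if not controls.get(t["techniqueID"])]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

# Constructed sample data (assumption): not real group-to-technique mappings.
GROUP_A = {"T1566", "T1059", "T1078", "T1190"}
GROUP_B = {"T1566", "T1078", "T1105", "T1486"}
# Hypothetical control inventory; an empty list means nothing is mapped yet.
CONTROLS = {"T1566": ["mail gateway filtering"], "T1190": ["WAF", "patch SLA"], "T1105": []}

layer_a = make_layer("Group A", GROUP_A)
layer_b = make_layer("Group B", GROUP_B, color="#1f77b4")
model = combine_layers("Combined threat model", layer_a, layer_b)
GAPS = coverage_gaps(model, CONTROLS)

if __name__ == "__main__":
    print(json.dumps(model, indent=2))
    for tid, score in GAPS:
        print(f"{tid}: combined score {score}, no control mapped")
```

Techniques shared by both groups come out with a score of 2, so the uncovered ones at the top of the gap list are the first candidates for new controls.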