FortiGuard Labs Threat Research

MITRE Attack Flow Gives CISOs Valuable Context for Better Risk Management

By Douglas Jose Pereira dos Santos | November 03, 2022

MITRE Engenuity’s Center for Threat-Informed Defense (CTID) recently released its latest version of the Attack Flow project. This is the third project FortiGuard Labs has worked on in partnership with CTID, and we’re particularly excited about the promise this effort holds to advance the entire cybersecurity industry. CTID and Fortinet­—in collaboration with additional research partners—introduced Attack Flow earlier this year with the goal of developing "a common data format for describing sequences of adversary behavior in order to improve defensive capability.”

One of the most powerful things you can do when fighting cybercrime is shifting the economics of an attack, and this new standard focused on adversary behavior does just that. It allows for a deeper understanding of the unfolding details around an attack. By adding another dimension to cyber intrusion data, cyber defenders can narrow in even more on the paths an attacker is most likely to take and then put the proper roadblocks in place to stop them.

MITRE Attack Flow is invaluable for security leaders and their teams. Understanding and visually communicating the flow of an attack—as well as its potential outcomes and affected assets—can make us all more effective defenders.

What’s New in MITRE Attack Flow and Why it Matters to CISOs

With its latest release, CTID introduced updates that will help security teams more easily describe, display, and share sequences of adversary behavior. Defenders typically track attacker behaviors individually, focusing on one specific action at a time. Attack Flow enables defenders to "zoom out" and analyze a more holistic view of a potential threat. As a result, they can crisply communicate what they’re seeing and make more informed decisions about how to stop bad actors in their tracks effectively. Attack Flow is also valuable in helping CISOs identify commonly targeted assets, and how attackers get to them. This is very valuable information when establishing an efficient cybersecurity posture, as it helps prioritize assets that are most likely to be attacked.

Now in its version 2 of the project, the attack flows are even more capable of capturing the detailed nuances of attacks, such as the ability to use precondition filters and logical constructs such as "AND" and "OR." Now with ATTACK Flow being expressed in STIX it is possible to leverage the full capabilities of STIX objects to design the attack flows, either manually or through automated tools.

Threat analysts aren’t the only ones who benefit from the latest Attack Flow release. These updates will help facilitate cross-team collaboration—especially during incident investigations when every second counts—and provide CISOs with a broader view of the threats targeting the business.

Below is a brief overview of the latest Attack Flow enhancements and their value to security teams and the broader organization.

"By adding another dimension to cyber intrusion data, organizations can narrow in even more on the paths an attacker is most likely to take and then put the proper roadblocks in place to stop them."

Gain More Context Accuracy

By leveraging Attack Flow, defenders will be able to more accurately identify specific threat actors, campaigns, malware types and families. Although TTPs provide very fine grained fingerprinting of such data, a deepening of the understanding of each of these allows an unprecedented shift in the ability of defenders to respond quickly and effectively. This can also be used in machine learning models as another dataset to classifying malware attack data.

Additionally, Attack Flow emphasizes techniques and their order or relationships. Does one technique need to be successful for another to trigger? This deepening focus on TTPs gives analysts the ability to analyze potential attack patterns and find the “choke points” so that they can make it increasingly difficult for attackers to find new “flows” to bypass organizational security controls.

Enable Your Team to Think Like Attackers

Running Attack Flow allows for deeper testing of current security controls and helps identify gaps. For example, analysts can more easily identify targeted assets and what attackers might use the assets for, from simple crypto mining, to bulk data exfiltration. 

This process also offers benefits for threat hunters. Using Attack Flow, they can look for the potential next step of an attack. They can also map out the attack paths that cybercriminals use most often in an attempt to compromise environments.

Facilitate Easier-to-Understand Business-level Discussion

Clear and timely communication is paramount whether communicating with a security team about a potential threat, presenting a new resource proposal, or communicating budget to the board.

The recent updates made to Attack Flow offer distinct benefits when it comes to communication. First, a team can quickly document and present information in a standard and straightforward format. Instead of combing through a list of SIEM-based alerts, they can visually map out and answer essential questions, such as:

  • “What is the attacker doing?”
  • "What steps are they taking, and in what order are they completing them?"
  • “What assets are targeted?”
  • “What is the attacker’s end goal?”

In addition to giving analysts enhanced tools to communicate the scope of an issue and the appropriate next steps, these same flows can be used when conversing with executives or board members. Attack Flow users can now overlay flows with targeted assets to profile risk to communicate the business impacts of an attack, such as exposure, financial loss, or operational downtime.

Use Attack Flow to Increase Your Team’s Agility and Effectiveness

Attack Flow can facilitate communication and collaboration among cyber defenders as well as between defenders and senior leadership, from the purple team executing an adversary emulation exercise, to the CISO who’s briefing executives. Beyond enabling communication and collaboration, Attack Flow creates an opportunity to collect and analyze sets of flows. That analysis opens the door to predictive intelligence that will allow us all to defend against our adversaries more effectively.

If your team hasn’t experimented with Attack Flow yet, encourage them to download and review CTID’s example attack flows, to learn more.


Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.