
Going Beyond the Basics: Using MITRE ATT&CK® to Enhance Your Risk Assessments and Security Policies

In our last blog post, we explored how the MITRE ATT&CK® framework can help sharpen your cybersecurity strategy. We focused on identifying threats that truly matter and applying that knowledge practically across your security program. 

Today, we are digging deeper into two of the most important and foundational areas, Risk Assessments and Security Policies, and how the MITRE ATT&CK framework enhances them. We will cover what good looks like for each, why they matter, and how the framework can sharpen the focus and add real-world relevance. 

The Purpose and Value of Risk Assessments 

At their core, risk assessments help organizations make informed decisions about where to spend time, money, and resources. A proper risk assessment gives you: 

  • Visibility: What assets are critical to your business 
  • Threat Understanding: What could go wrong and how 
  • Prioritization: Where should you focus limited cybersecurity resources first 

Without a strong risk assessment, security programs become reactive, often spending heavily on low-risk problems while missing the real material risks that could cause serious damage. 

Risk assessments also help align cybersecurity with business strategy. Leadership is more likely to approve cybersecurity investments when they can clearly see how they reduce meaningful risk to revenue, operations, or reputation. 

How MITRE ATT&CK Strengthens Risk Assessments 

Many risk assessments struggle because they start with vague or generalized threat assumptions. MITRE ATT&CK improves the process by grounding it in observed attacker behavior rather than guesswork. 

Here is how to apply it: 

Step 1: Identify Relevant Threat Actors 

Use the MITRE ATT&CK Groups list to find real-world threat actors that have targeted your industry; each Group entry lists the techniques and software observed in that group's campaigns, which is the raw material for the next step. For example, financial services firms should understand groups like FIN7 (G0046) or Carbanak (G0008). 

Step 2: Map Techniques to Your Assets 

Look at the techniques those threat actors use and identify which ones are relevant to your systems. If ransomware groups commonly gain access through remote desktop services (External Remote Services, T1133, and Remote Services: Remote Desktop Protocol, T1021.001), and you have legacy RDP servers exposed to the internet, you have a measurable risk. 

Step 3: Cross-Reference with Control Frameworks 

Tie each identified risk to a requirement in frameworks like: 

  • NIST CSF Identify Function (ID.RA-3): Threats, both internal and external, are identified and documented (ID.RA-2, receiving cyber threat intelligence from sharing forums and sources, is the input that ATT&CK Groups data satisfies) 
  • Secure Controls Framework (SCF) Threat Management domain (THR): threat intelligence and threat monitoring requirements 

Step 4: Document Specific, Actionable Risks 

Instead of documenting “Risk of cyber-attack,” capture specific risks like “Risk of ransomware deployment following compromise of internet-exposed Remote Desktop Protocol services (T1133, T1021.001) by groups such as FIN7.” 

Real World Example: Improving Risk Management with ATT&CK 

Scenario: 

A manufacturing company conducted annual risk assessments based on hypothetical threats, but they missed real-world credential theft techniques that were increasingly common in their sector. 

After incorporating MITRE ATT&CK, they identified specific techniques like OS Credential Dumping (T1003) and its LSASS Memory sub-technique (T1003.001). 

They asked two important questions: 

  • How do we measure the risk this technique poses? 
  • Where does this map into our existing frameworks like the NIST CSF? 

Cross-Referencing Credential Dumping with NIST CSF: 

Credential dumping directly threatens account integrity and privileged access, which can be mapped to the following CSF 1.1 subcategories (in CSF 2.0 the PR.AC outcomes moved under PR.AA, so re-map the identifiers if you have adopted 2.0): 

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes 
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties 
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 

Measuring Risk: 

They assessed the likelihood of credential dumping by examining: 

  • Whether privileged accounts were adequately monitored 
  • Whether logging and alerting for suspicious authentication events were in place 
  • Whether service accounts had unnecessary privileges 

They assessed impact by evaluating: 

  • What systems and data those credentials could access if compromised 
  • The ability of an attacker to move laterally or escalate privileges after obtaining credentials 

This structured mapping allowed them to assign a risk score as likelihood times impact, with likelihood rated on current control coverage and impact on system criticality, so each register entry carried a number that could be compared and tracked rather than a narrative. 
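The four steps above and the likelihood/impact measurement can be carried out mechanically. The following script is an added example, not Sikich's tooling: it holds a constructed subset of ATT&CK group-to-technique data (the technique IDs are real), an assumed asset inventory, an assumed control state drawn from the measuring questions, and a 1 to 5 likelihood and impact scale, and emits one specific, scored register entry per technique and exposed asset. The CSF mapping for T1003 is the one from this post; the mappings for the other two techniques and everything else marked constructed are assumptions.

```python
"""ATT&CK-informed risk register entries scored as likelihood x impact.

Added example; this is not Sikich's tooling. Group-to-technique data is a
constructed subset of ATT&CK (the technique IDs are real), and the asset
inventory, control state, CSF mapping and 1-5 scales are assumptions to be
replaced with your own inventory and GRC data.
"""
from dataclasses import dataclass

# Constructed subset of ATT&CK Groups -> techniques (real technique IDs).
GROUP_TECHNIQUES = {
    "FIN7": {
        "T1003": "OS Credential Dumping",
        "T1021.001": "Remote Services: Remote Desktop Protocol",
        "T1566.001": "Phishing: Spearphishing Attachment",
    },
}


@dataclass
class Asset:
    name: str
    criticality: int          # 1 (low) .. 5 (mission critical), assumed scale
    exposed_to: set           # technique IDs that apply to this asset


# Constructed asset inventory.
ASSETS = [
    Asset("legacy-rdp-jump-01", 4, {"T1021.001", "T1003"}),
    Asset("dc-01", 5, {"T1003"}),
    Asset("mail-gateway", 2, {"T1566.001"}),
]

# Constructed control state: the questions from the measuring step, per
# technique, and whether each control is actually in place today.
CONTROLS = {
    "T1003": {
        "privileged accounts monitored": False,
        "alerting on suspicious authentication events": True,
        "service accounts limited to least privilege": False,
    },
    "T1021.001": {
        "RDP not reachable from the internet": False,
        "MFA enforced on RDP": False,
        "alerting on RDP logons": True,
    },
    "T1566.001": {
        "attachment sandboxing": True,
        "user awareness training": True,
    },
}

# Technique -> NIST CSF 1.1 subcategories (T1003 mapping from the post; the
# other two are assumptions for this example).
CSF_MAP = {
    "T1003": ["PR.AC-1", "PR.AC-4", "DE.CM-7"],
    "T1021.001": ["PR.AC-3", "PR.AC-7"],
    "T1566.001": ["PR.AT-1", "DE.CM-4"],
}


def missing_controls(technique: str) -> list:
    """Controls expected against this technique that are not in place."""
    return [name for name, in_place in CONTROLS[technique].items() if not in_place]


def likelihood(technique: str) -> int:
    """1..5, rising with the share of expected controls that are missing."""
    controls = CONTROLS[technique]
    return 1 + round(4 * len(missing_controls(technique)) / len(controls))


def risk_entries(group: str) -> list:
    """One specific, scored register entry per (technique, exposed asset)."""
    entries = []
    for tid, tname in GROUP_TECHNIQUES[group].items():
        for asset in ASSETS:
            if tid not in asset.exposed_to:
                continue
            lik, imp = likelihood(tid), asset.criticality
            entries.append({
                "asset": asset.name,
                "technique": tid,
                "likelihood": lik,
                "impact": imp,
                "score": lik * imp,           # 1..25 on the assumed scales
                "csf": CSF_MAP[tid],
                "gaps": missing_controls(tid),
                "statement": (
                    f"Risk of {tname} ({tid}) against {asset.name} by groups "
                    f"such as {group}; likelihood {lik}/5, impact {imp}/5"
                ),
            })
    return sorted(entries, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for entry in risk_entries("FIN7"):
        print(f"{entry['score']:>2}  {entry['statement']}  -> {', '.join(entry['csf'])}")
```

With the constructed data, credential dumping against the domain controller ranks first (likelihood 4, impact 5) and the phishing risk last, because every expected control for it is already in place. The point of the structure is that each entry names the technique, the asset, the missing controls and the CSF subcategories it rolls up to, which is what makes it auditable a year later.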

Remediation Steps Included: 

  • Tightening privileged account management 
  • Enhancing EDR alerting on LSASS memory access attempts (handle opens on lsass.exe with memory-read rights from processes that have no business reading it, the access pattern behind T1003.001) 
  • Enforcing multi-factor authentication on sensitive systems 
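The LSASS alerting item above is the most concrete of the three, so here is what that detection looks like as logic rather than as a bullet. This is an added example, not Sikich's or any EDR vendor's rule: it evaluates Sysmon Event ID 10 (ProcessAccess) records, whose SourceImage, TargetImage, GrantedAccess and CallTrace fields are real Sysmon fields, but the sample records, the key=value export format, and the allowlist of system processes are constructed for the example and must be tuned from your own baseline.

```python
"""Flag suspicious handle opens on lsass.exe from Sysmon Event ID 10 records.

Added example, not a vendor rule. The records below are constructed, in an
assumed "key=value ; key=value" export format; the Sysmon field names and the
Windows access-mask constants are real.
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010        # needed to read credential material out of LSASS
PROCESS_ALL_ACCESS = 0x1FFFFF   # what dumpers such as procdump typically request

# Constructed allowlist of OS processes that legitimately open lsass with read
# rights. Match on the full lower-cased path, never the basename, so a copy of
# csrss.exe dropped in a user directory does not inherit the exemption.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = r"""
EventID=10 ; SourceImage=C:\Windows\System32\csrss.exe ; TargetImage=C:\Windows\System32\lsass.exe ; GrantedAccess=0x1FFFFF ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0a4|C:\Windows\system32\csrss.exe+4c2b
EventID=10 ; SourceImage=C:\Users\jdoe\AppData\Local\Temp\procdump64.exe ; TargetImage=C:\Windows\System32\lsass.exe ; GrantedAccess=0x1FFFFF ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0a4|C:\Users\jdoe\AppData\Local\Temp\procdump64.exe+1a2f
EventID=10 ; SourceImage=C:\Windows\Temp\svch0st.exe ; TargetImage=C:\Windows\System32\lsass.exe ; GrantedAccess=0x1010 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0a4|UNKNOWN(000001E0C5A30000)
EventID=10 ; SourceImage=C:\Program Files\Vendor\inventory.exe ; TargetImage=C:\Windows\System32\lsass.exe ; GrantedAccess=0x1000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d0a4|C:\Program Files\Vendor\inventory.exe+88c1
EventID=1 ; Image=C:\Windows\System32\notepad.exe ; CommandLine=notepad.exe
""".strip().splitlines()


@dataclass
class Alert:
    source: str
    access: int
    reasons: list


def parse_event(line: str) -> dict:
    """Split the assumed 'key=value ; key=value' export format into a dict."""
    return dict(part.split("=", 1) for part in line.split(" ; "))


def evaluate(event: dict):
    """Return an Alert for a suspicious lsass handle open, else None."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)

    reasons = []
    if access == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    elif access & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ requested")
    if not reasons:
        return None          # query-only rights cannot read credential material
    # Sysmon renders frames from memory that no module backs as UNKNOWN(...),
    # which is what injected or reflectively loaded dumpers look like.
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call stack includes unbacked memory")
    return Alert(source, access, reasons)


def detect(lines) -> list:
    """Run every record through evaluate() and keep the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.source}  access=0x{alert.access:X}  {'; '.join(alert.reasons)}")
```

Of the five constructed records, only the procdump copy in a temp directory and the misspelled svch0st.exe fire; the allowlisted csrss.exe and the vendor agent that asks for query-only rights (0x1000) do not. The allowlist is the fragile part of any such rule: keep it short, key it on full paths, and pair it with code-signing checks in the EDR rather than trusting the path alone.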

After implementing these changes, they reduced credential theft incidents by 60 percent in one year and improved their overall NIST CSF maturity scores under PR.AC and DE.CM categories. 

Some Threats May Require Augmenting the NIST CSF 

Not every adversary technique fits neatly into existing frameworks like NIST CSF. Some attacker behaviors are broader, multi-phase, or exploit organizational processes in ways that require extra attention. 

Example from FIN7: 

One of FIN7’s known techniques involves highly targeted social engineering and phone-based vishing campaigns, where attackers impersonate company executives or IT staff to convince employees to perform actions like installing remote access software. 

While aspects of this can be related to the PR.AT-1 subcategory (all users are informed and trained), the nuance of phone-based social engineering is often underspecified in NIST CSF. Training coverage requirements are broad and may not require simulation or awareness reinforcement around advanced vishing techniques. 

How to Augment: 

Organizations should create additional sub-controls or training enhancements such as: 

  • Adding voice phishing simulations to annual training 
  • Developing procedures for employee verification during sensitive requests 
  • Requiring secondary confirmations for software installation requests 

These augmentations should be logged as part of security awareness improvements and reflected in governance reporting. 

The Purpose and Value of Security Policies 

Security policies are the rulebook that defines how an organization protects its people, data, and systems. 

Good security policies provide: 

  • Clarity: Employees know what is expected of them 
  • Consistency: Security controls are implemented uniformly 
  • Accountability: Responsibilities are clearly assigned 
  • Evidence: Demonstrates governance to regulators, partners, and insurance providers 

However, many policies suffer from being too generic. They list “best practices” without connecting them to the actual threats the organization faces, which leaves gaps attackers can exploit. 

How MITRE ATT&CK Improves Security Policies 

The ATT&CK framework allows organizations to move from generic to specific by tying security policies directly to real-world tactics and techniques used by adversaries. 

Here is how to apply it: 

Step 1: Identify the Threats Your Policies Should Address 

For example, if data exfiltration over encrypted channels is a real threat to your organization, your network monitoring policies need to explicitly address detection of encrypted traffic anomalies. 

Step 2: Anchor Policy Language to Tactics and Techniques 

Example: 

  • Weak Policy: “Monitor network traffic for suspicious behavior” 
  • Strong Policy (ATT&CK-aligned): “Monitor and investigate anomalous encrypted traffic flows to detect potential exfiltration activities consistent with ATT&CK technique Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002), for example large outbound HTTPS transfers to destinations outside the host’s baseline.” Note that exfiltration riding an existing HTTPS command-and-control session is a different technique, Exfiltration Over C2 Channel (T1041), and should be named separately if it is in scope. 
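A policy that says “anomalous encrypted traffic flows” is only testable if someone has written down what anomalous means on the wire. The script below is an added example, not Sikich's tooling, of one defensible definition for T1048.002: nothing is decrypted, and the signals are destination novelty against a per-host baseline, aggregate upload volume, and upload-to-download ratio, aggregated per source and destination so chunked transfers are judged as a whole. The flow records, the baseline and the thresholds (100 MB aggregated upload, a 5:1 upload ratio, TLS on port 443 only) are constructed assumptions to tune against your own traffic.

```python
"""Volumetric exfiltration hunt over TLS flow records.

Added example, not Sikich's tooling. The flow records and per-host
destination baseline are constructed; the thresholds are assumptions.
Nothing is decrypted: the signals are destination novelty, upload volume
and upload:download ratio.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int      # client -> server
    bytes_in: int       # server -> client


# Constructed: destinations each host talked to during the prior baseline window.
BASELINE = {
    "10.0.5.21": {"192.0.2.10", "192.0.2.20"},
    "10.0.5.33": {"192.0.2.10"},
}

# Constructed flow records for the window under review (documentation IPs).
FLOWS = [
    Flow("10.0.5.21", "192.0.2.10", 443, 120_000, 9_800_000),      # ordinary browsing
    Flow("10.0.5.21", "192.0.2.20", 443, 35_000_000, 2_000_000),   # big upload, known destination
    Flow("10.0.5.33", "198.51.100.77", 443, 48_000_000, 60_000),   # chunked upload to a new host...
    Flow("10.0.5.33", "198.51.100.77", 443, 44_000_000, 55_000),
    Flow("10.0.5.33", "198.51.100.77", 443, 41_000_000, 52_000),
    Flow("10.0.5.33", "192.0.2.10", 443, 80_000, 4_200_000),
    Flow("10.0.5.40", "203.0.113.9", 443, 900_000, 70_000),        # new host, but too little data
]


def find_exfil_candidates(flows, baseline, min_bytes_out=100_000_000,
                          min_upload_ratio=5.0, tls_ports=(443,)):
    """Per (src, dst): new destination + large, upload-heavy aggregate volume."""
    out = defaultdict(int)
    inn = defaultdict(int)
    count = defaultdict(int)
    for f in flows:
        if f.dport not in tls_ports:
            continue
        key = (f.src, f.dst)
        out[key] += f.bytes_out
        inn[key] += f.bytes_in
        count[key] += 1

    hits = []
    for (src, dst), bytes_out in out.items():
        if dst in baseline.get(src, set()):
            continue                                 # previously seen destination
        ratio = bytes_out / max(inn[(src, dst)], 1)  # avoid division by zero
        if bytes_out >= min_bytes_out and ratio >= min_upload_ratio:
            hits.append({"src": src, "dst": dst, "flows": count[(src, dst)],
                         "bytes_out": bytes_out, "upload_ratio": round(ratio, 1)})
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(FLOWS, BASELINE):
        print(hit)
```

Only the three-chunk transfer from 10.0.5.33 to the previously unseen 198.51.100.77 (133 MB out against 167 KB in) qualifies; the 35 MB upload to a baselined SaaS destination and the small transfer from 10.0.5.40 do not. The obvious evasion is low-and-slow: widen the aggregation window and pair this with destination reputation and TLS SNI or certificate data before treating a quiet window as clean.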

Step 3: Cross-Reference with Compliance Frameworks 

For stronger validation, map policies to: 

  • Secure Controls Framework SCF Network Security (NET-05): Network anomaly detection 
  • NIST CSF Protect Function (PR.PT-1): Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (the analysis of what the logs show sits under DE.AE-2: detected events are analyzed to understand attack targets and methods) 

Step 4: Eliminate Ambiguities 

Effective policies clearly state: 

  • Scope: Systems, users, and environments covered 
  • Ownership: Who is responsible for execution and enforcement 
  • Triggers: When action is required (for example, incident thresholds or patch timing requirements) 

How to Confirm Your Improvements Are Effective 

Once you apply ATT&CK to risk assessments and policies, it is important to validate the impact. 

Risk Assessments: 

  • Compare historical risk register entries to new, ATT&CK-informed entries 
  • Assess whether new risks are more specific and actionable 
  • Track mitigation effectiveness annually 

Security Policies: 

  • Conduct internal audits against new policy language 
  • Validate enforcement through technical control testing 
  • Confirm alignment with penetration test and tabletop exercise results 

Bringing It All Together 

Risk assessments and security policies are not check-the-box exercises; they are the foundation for building an intelligent, defensible cybersecurity program. 
MITRE ATT&CK gives organizations a way to ensure that these documents are connected to the real threats they face, making every dollar and every control count. 

However, consistently applying this level of discipline takes leadership focus and experience. 

Ready to Build a Focused, Threat-Driven Security Program? 

Sikich’s Executive Services team, including our vCISO program, partners with organizations to build and mature cybersecurity programs based on real-world threat intelligence. 

We meet with your leadership team regularly, apply frameworks like MITRE ATT&CK, NIST CSF, and SCF to your risk assessments, management, and security policy development processes, and help you drive real, measurable cybersecurity maturity without the full-time executive cost. 

Let us help you make your cybersecurity program strategic, practical, and defensible. Reach out to us today to discuss how our Executive Services can support your security goals. 

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
