MITRE ATT&CK
A structured threat-modeling framework cataloging real-world adversarial behaviors to enhance defenses.
- MITRE: U.S. non-profit R&D organization
- ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
- Purpose: Standardize understanding of attacker methods; build accurate threat models
- Funding & Access: U.S. CERT & DHS; freely available at
https://attack.mitre.org - Tactics & Techniques:
- Initial Access: Drive-by, Supply-chain compromise, External remote services
- Persistence: Account creation, Auth modification, Malicious browser extensions
- Environment Matrices: Enterprise, Mobile, Cloud (Windows, macOS, Linux, network devices)
- Structured Approach:
- Tactics (e.g., Execution, Privilege Escalation, Defense Evasion)
- Each tactic → specific Techniques
- Example:
- Technique: Spear-phishing with malicious attachment
- Scenario: Attacker poses as regulator, lures finance user into opening a weaponized PDF
- Defensive Strategies: Map detections to ATT&CK techniques to speed response and mitigation
OWASP
Non-profit focused on web application security.
- Mission: Make software security visible for informed risk decisions
- Resources: Community-led OSS projects, global chapters, conferences
- OWASP Top 10:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable Components
- Identification & Auth Failures
- Integrity Failures
- Logging & Monitoring Failures
- Server-Side Request Forgery
- Top 3 Explained:
- Broken Access Control: Missing enforcement → unauthorized data/function access
- Cryptographic Failures: Improper encryption → data compromise
- Injection: Untrusted input to interpreters → unintended commands/data access
- Use in PenTest+: Core checklist for web vulnerability assessments
OWASP MASVS
Mobile Application Security Verification Standard – security baseline for mobile apps.
- Control Groups:
- STORAGE: Encrypt data at rest; prevent leakage
- CRYPTO: Use industry-standard algorithms; manage keys securely
- AUTH: Strong authn/authz; multi-factor for sensitive ops
- NETWORK: SSL/TLS, certificate pinning
- PLATFORM: Secure WebViews, IPC controls
- CODE: Sanitize inputs; keep dependencies up to date
- RESILIENCE: Tamper detection; obfuscation
- PRIVACY: Minimal data collection; informed consent
- Related Guides: MASTG (testing), MAS Checklist
PTES
Penetration Testing Execution Standard – end-to-end pentest framework.
- Pre-engagement: Scoping, timelines, rules of engagement
- Information Gathering: OSINT, footprinting (passive & active)
- Threat Modeling: Asset & threat capability analysis
- Vulnerability Analysis: Validate findings with active/passive tests
- Exploitation: Simulate real attacks; demonstrate impact
- Post-exploitation: Privilege escalation, lateral movement
- Reporting: Actionable remediation for technical & non-technical audiences
CREST
Council of Registered Ethical Security Testers – accredits high-quality pentest providers.
- Accreditation: Rigorous audits, code of conduct, ethics
- Members: 300+ leading security firms worldwide
- CDPT Guidelines: Standardized, defensible test scoping, execution, reporting
OSSTMM
Open-Source Security Testing Methodology Manual – scientific, repeatable OpSec assessment.
- Developer: ISECOM
- Goal: Fact-based security metrics; legal compliance
- Scope: Digital, human, physical security
- Process: Objective testing, evidence-driven results
- Resources: Hacker Highschool, Cybersecurity Playbook
STRIDE
Microsoft’s threat model covering six risk categories:
- Spoofing — identity fraud; mitigate with strong auth
- Tampering — data alteration; mitigate with hashes/MACs
- Repudiation — untraceable actions; mitigate with logging/audit trails
- Information Disclosure — data leaks; mitigate with RBAC/encryption
- Denial of Service — service disruption; mitigate with rate-limiting, redundancy
- Elevation of Privilege — unauthorized rights; mitigate with least privilege
Purdue Model (ICS Security)
Hierarchical zones organizing IT/OT segmentation.
- Level 5: External/Vendor/Cloud (enterprise controls)
- Level 4: Business IT (ERP, logistics)
- DMZ (3.5): Firewall/proxy buffer between IT & OT
- Level 3: MES (manufacturing ops)
- Level 2: SCADA (control systems)
- Level 1: PLCs (device control)
- Level 0: Physical process (sensors/actuators)
Ensures isolation, zone-specific security controls
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation – risk-focused framework.
- Phase 1: Build enterprise security requirements (manager & staff knowledge)
- Phase 2: Identify infrastructure vulnerabilities (mapping & evaluation)
- Phase 3: Develop risk management strategy (risk analysis & protection plan)
Self-directed, blends org insight with technical assessment
DREAD
Quantitative risk rating model—scores (0–10) on:
- Damage Potential
- Reproducibility
- Exploitability
- Affected Users
- Discoverability
Total Score → Risk Level:
- Critical (40–50)
- High (25–39)
- Medium (11–24)
- Low (1–10)
Demo: MITRE ATT&CK in Action
- Active Scanning: Identify open ports/services
- Content Injection: Insert malicious code into web content
- Access Token Manipulation: Forge tokens to impersonate users