Guidelines for Assigning Risk Scores and Confidence Levels
There is currently no single universally accepted system for assessing risk scores for MITRE ATT&CK techniques. The recommendations below are based on an analysis of the techniques' potential impact on information assets and can be adapted according to the specifics of a particular infrastructure and threat landscape.
Assigning Risk Scores
Assessment Criteria
A risk scoring system is used to evaluate the threat level, assigning scores to techniques based on their potential impact on the confidentiality, integrity, and availability of information assets.
Scoring Scale
- Low Risk (1-3 points): reconnaissance and information gathering techniques (Discovery tactics)
- Medium Risk (4-6 points): techniques for gaining access, code execution, privilege escalation, and maintaining persistence
- High Risk (7-9 points): techniques that directly lead to significant damage, such as compromise of critical credentials, data encryption, or data destruction
Examples of Techniques with Assigned Risk Scores
| ATT&CK Technique | Name | Assigned Risk Score | Brief Justification |
|---|---|---|---|
| T1200 | Hardware Additions | +5 | Unauthorized hardware connection creates a bypass point for security mechanisms. |
| T1059 | Command and Scripting Interpreter | +2 | Standard functionality often used by attackers; base risk. |
| T1003.001 | OS Credential Dumping: LSASS Memory | +9 | Direct credential extraction leading to full compromise. |
| T1560 | Archive Collected Data | +4 | Preparation of data for exfiltration, indicating an advanced attack stage. |
Scoring Logic
The risk score is a static weight assigned to a technique, determined by its role in a cyber attack. Impact techniques and Credential Access techniques receive the highest scores, while Discovery techniques are rated lower. These weights are intended for the initial assessment of incident severity and prioritization.
Assigning Confidence Levels
Purpose
The confidence level expresses how reliably a detection rule or signal indicates genuinely malicious activity rather than legitimate operational activity.
Confidence Scale
| Confidence Level | Numeric Value | Assessment Criteria |
|---|---|---|
| High Confidence | 1.0 | The alert almost unequivocally indicates malicious activity. Typical for signatures of known malware, detection of public exploit use with reliable IOCs. Minimal false positive rate. |
| Medium Confidence | 0.75 | Strong suspicion of an attack, but additional verification is required. Typical for system utilities run with unusual parameters, or activities resembling methods of known cyber groups. Moderate false positive rate. |
| Low Confidence | 0.5 | The action is suspicious but has a high probability of being legitimate. For example, a single execution of a system utility such as ipconfig without other contextual clues. High false positive rate. |
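The following is an added example, not part of the original guidelines: it encodes the example risk table and the confidence scale above and ranks a set of constructed alerts for triage. The guidelines give both scales but no combination formula, so the multiplication of static risk weight by confidence value used here is an assumption, as are the rule names.

```python
from __future__ import annotations
from dataclasses import dataclass

# Static risk weights taken from the guidelines' example table (1-9 scale).
RISK_SCORES = {
    "T1200": 5,      # Hardware Additions
    "T1059": 2,      # Command and Scripting Interpreter
    "T1003.001": 9,  # OS Credential Dumping: LSASS Memory
    "T1560": 4,      # Archive Collected Data
}

# Numeric values from the confidence scale.
CONFIDENCE = {"high": 1.0, "medium": 0.75, "low": 0.5}


def risk_band(score: int) -> str:
    """Map a static risk score to its band; reject scores off the 1-9 scale."""
    if not 1 <= score <= 9:
        raise ValueError(f"risk score {score} is outside the 1-9 scale")
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Alert:
    rule: str         # hypothetical detection rule name
    technique: str    # ATT&CK technique ID
    confidence: str   # "high" | "medium" | "low"


def priority(alert: Alert) -> float:
    """Assumed formula: static technique weight x detection confidence."""
    score = RISK_SCORES[alert.technique]  # KeyError for unmapped techniques
    return score * CONFIDENCE[alert.confidence]


def triage(alerts: list[Alert]) -> list[tuple[Alert, float, str]]:
    """Order alerts for review: highest priority first, then by rule name."""
    ranked = [(a, priority(a), risk_band(RISK_SCORES[a.technique])) for a in alerts]
    return sorted(ranked, key=lambda r: (-r[1], r[0].rule))


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("lsass-memory-read", "T1003.001", "medium"),
    Alert("interpreter-unusual-args", "T1059", "medium"),
    Alert("ipconfig-single-run", "T1059", "low"),
    Alert("collected-data-archived", "T1560", "medium"),
    Alert("unauthorized-hardware-added", "T1200", "high"),
]
```

Running `triage(SAMPLE_ALERTS)` places the LSASS alert first (6.75, High band) and the lone ipconfig run last (1.0, Low band), showing how confidence separates two detections of the same technique.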