AttackIQ, the largest independent leader of the continuous security validation market, announced a partnership with The Chertoff Group, a leading global security risk management firm, to offer a joint solution to help organizations measure security risk, train security staff and justify security investments.
The service, called the ATT&CK Diagnostic, is designed to help enterprise customers build and sustain security programs that are strategic, risk-based and focused on proven effectiveness.
Leveraging AttackIQ’s automated testing platform, which operationalizes the MITRE ATT&CK framework, the industry’s most authoritative approach to mapping threat actors to tactics, techniques and procedures (TTPs), the ATT&CK Diagnostic measures the effectiveness of an organization’s defensive countermeasures with unparalleled transparency and precision.
The ATT&CK Diagnostic creates a risk-based threat model and maps a customer’s current defenses to the TTPs in that model, clearly identifying which technologies and standards address which TTPs and where there are holes in coverage.
This TTP-coverage map enables customers to prioritize future defensive countermeasure investments based on actual risk reduction.
Customers of the joint offering receive hands-on support to familiarize the technical team with conducting threat-specific planning and controls assurance testing. They are also coached on how to make specific business cases for security tools or personnel investments that align with their organization’s specific security needs.
Technical teams receive in-depth training to empower organizations to leverage the AttackIQ platform and the ATT&CK Diagnostic TTP map to continuously evaluate countermeasure performance and make strategic, threat-informed decisions to further mature the program.
“We are excited to formally announce this partnership with AttackIQ because it helps clients attain an unmatched level of visibility into actual security performance,” said Michael Chertoff, executive chairman and co-founder of The Chertoff Group and former Secretary of Homeland Security.
“Our expertise combined with MITRE’s ATT&CK framework and AttackIQ’s technical prowess will give our clients unique insight into how effectively their defensive capabilities actually address risk, enrich training for security staff and offer real business case justification for security investments.”
While adversaries can change hash values, IP addresses, domains and other indicators leveraged as part of their tradecraft, it is much more difficult for them to change overall tactics and techniques.
That is why AttackIQ and The Chertoff Group built the ATT&CK Diagnostic service to help organizations orient their defenses around TTPs and maintain protection against real-world, known threats.
Additionally, because there is often ambiguity about the extent to which a defensive measure actually addresses specific threat activity (particularly depending on how it is configured and implemented), it is essential for organizations to understand precisely how their protective and detective capabilities perform against simulated threat activity run against their technology stack.
“Recent research from the Ponemon Institute found that American enterprises spend $18.4 million on average every year on cybersecurity tools and technology, yet more than half don’t know if these tools are even working,” said Brett Galloway, CEO of AttackIQ.
“The AttackIQ platform is designed to address this very problem. We have worked with The Chertoff Group for over a year in developing the ATT&CK Diagnostic, and have used the approach as a proof of concept with multiple customers, receiving overwhelmingly strong, positive feedback.
“It is our belief that this solution is a true game-changer in the security industry, providing customers with an unmatched assessment of control effectiveness, targeted training and meaningful security investment justification.”
In a climate where cybersecurity attacks and data breaches are costing companies billions of dollars every year and more and more stringent privacy and security regulations are emerging, cybersecurity planning and preparedness must be risk-based.
The Chertoff Group and AttackIQ are bringing an unprecedented level of precision and transparency to risk-based planning and evaluation, empowering organizations to more effectively anticipate, withstand, recover and evolve from cyber-attacks.
“We have a proven methodology that leverages the MITRE ATT&CK framework to assess risk, which allows us to measure and demonstrate effectiveness against today’s real-world threats,” said Adam Isles, principal and strategic advisory services-cyber lead at The Chertoff Group.