AI-Powered Cyber Risk Management: Automating Incident Response with MITRE ATT&CK and Security Controls

      The modern digital landscape is fraught with ever-increasing cyber threats, a challenge that weighs heavily on organizations of all sizes. Small and medium-sized enterprises (SMEs) are particularly vulnerable, often constrained by limited in-house expertise, insufficient knowledge, and financial resources to combat sophisticated attacks. Traditional approaches to cyber incident analysis are typically manual, demanding considerable time and specific analytical skills from security teams. These processes involve sifting through unstructured incident descriptions, identifying adversary techniques, mapping them to relevant security controls, and then assessing the effectiveness of these controls – a workflow prone to human error, inconsistency, and an inability to scale with the sheer volume of incidents.

      To address these critical limitations, new research presents a groundbreaking framework that leverages Artificial Intelligence (AI) and Natural Language Processing (NLP) to revolutionize cyber risk management. This innovative approach automates the intricate process of connecting cyber incidents directly to adversary techniques, security controls, and measurable outcomes, promising to transform how organizations respond to and mitigate cyber threats.

The Evolution of Cyber Security Frameworks

      The cyber security community has widely adopted two pivotal frameworks to standardize threat intelligence and defensive strategies. The MITRE ATT&CK framework has become the de facto global standard for describing adversary behavior, offering a comprehensive, structured taxonomy of techniques observed in real-world attacks (MITRE, n.d., as cited in the source paper). Concurrently, the Centre for Internet Security (CIS) Critical Security Controls provide a prioritized, actionable set of measures designed to establish a robust defense-in-depth security posture (Centre for Internet Security, n.d., as cited in the source paper).

      While these frameworks are invaluable, the manual effort required to link cyber incidents to specific ATT&CK techniques and subsequently to the corresponding CIS controls remains a significant operational bottleneck. Furthermore, assessing the efficacy of implemented security controls often relies on subjective judgment rather than objective data. Without quantifiable metrics that adhere to SMART criteria (Specific, Measurable, Achievable, Relevant, and Time-bound), organizations struggle to justify security investments, prioritize improvements, or demonstrate compliance effectively. This absence of objective data makes it difficult to understand whether security measures are truly reducing risk or merely creating an illusion of safety.

Introducing the Cyber Catalog: A Unified Knowledge Base

      The core of this new framework is the 'Cyber Catalog,' a comprehensive knowledge base meticulously designed to integrate three critical components: CIS Critical Security Controls, MITRE ATT&CK techniques, and SMART metrics. This unified resource establishes clear, systematic mappings between security controls and adversary techniques, with each control explicitly linked to quantifiable, objective metrics. The Cyber Catalog effectively bridges a fundamental gap in operational cyber security, offering practitioners a single, authoritative reference point that connects threat intelligence directly to actionable security measures and measurable performance indicators.

      The creation of the Cyber Catalog involved significant methodological challenges in constructing these mappings and defining objective metrics. Each entry is designed to ensure that organizations can move beyond generic security assessments to data-driven evaluations of their defenses. This integrated approach allows for a clearer understanding of how specific controls address particular adversary behaviors, providing the foundation for more strategic and effective cyber risk management.

Automating Connections with Advanced Natural Language Processing

      To operationalize the Cyber Catalog framework, the researchers turned to advanced Natural Language Processing (NLP). NLP enables computers to understand, interpret, and generate human language. In this context, it is used to automatically map free-text cyber incident descriptions to the structured techniques within the MITRE ATT&CK framework. The research specifically focused on fine-tuning `all-mpnet-base-v2`, a highly regarded sentence-transformers model known for converting text into numerical vectors, or "embeddings," that capture semantic meaning.

      The fine-tuning process involved an extensive, augmented dataset comprising 74,986 incident-technique pairs. This domain-specific training significantly enhanced the semantic similarity recognition between diverse cyber incident descriptions and the precise language of MITRE ATT&CK techniques. To address the complexity of one-to-many mappings (where a single incident might relate to multiple techniques) and prevent false negative penalties during training, a modified loss function was developed, combined with hard negative mining to improve the model’s discrimination capabilities. Such rigorous data preparation and model training are crucial for delivering reliable AI solutions in sensitive fields like cyber security, mirroring the meticulous approach ARSA Technology takes in developing its custom AI solutions for mission-critical applications.

Unprecedented Accuracy for Real-World Security

      The results of the fine-tuning were substantial and highly promising. The customized NLP model achieved a Spearman correlation of 0.7894 and a Pearson correlation of 0.8756. These figures represent significant improvements over top baseline models, including a delta (Δρ) of 0.2042 compared to the original `all-mpnet-base-v2` model, 0.2118 over `all-distilroberta-v1`, and 0.2309 over `all-MiniLM-L12-v2`. Furthermore, the fine-tuned model exhibited significantly lower prediction errors (Mean Absolute Error, MAE = 0.135; Mean Squared Error, MSE = 0.027) compared to all baseline models, confirming its superior accuracy and consistency in mapping incidents to techniques.

      This level of precision and reduction in error is transformative for cyber security operations. It means faster, more accurate incident triage, reducing the burden on human analysts and allowing them to focus on complex decision-making rather than manual classification. The research team has made the Cyber Catalog, the training dataset, the trained model, and implementation code publicly available, encouraging further research and facilitating practical deployment, particularly for resource-constrained environments. This commitment to open resources underlines the practical, impact-driven philosophy shared by leading technology providers like ARSA Technology, which has been experienced since 2018 in delivering deployable AI solutions.

Operationalizing Cyber Risk Management for Enhanced Enterprise Security

      This framework directly addresses the pressing need for automated, scalable approaches to cyber incident analysis and risk management. By accurately mapping cyber incidents to MITRE ATT&CK techniques and linking them to CIS security controls with objective metrics, organizations can achieve:

• Accelerated Incident Triage: Automated identification of relevant adversary techniques allows security teams to quickly understand the nature of an attack, leading to faster and more effective responses.
• Improved Cyber Risk Management: The direct linkage between incidents, techniques, and security controls enables a clearer understanding of an organization's risk exposure and the effectiveness of its existing defenses. This allows for data-informed decision-making on where to allocate resources and prioritize improvements.
• Objective Control Assessment: By defining quantifiable metrics (SMART criteria) for each control, organizations can move beyond subjective judgments to evidence-based assessment of their security posture. This helps in justifying security expenditures and demonstrating compliance to stakeholders.

      For enterprises looking to enhance their security posture, solutions leveraging such AI capabilities can be critical. For instance, platforms offering AI Video Analytics could be enhanced with similar NLP models to process security alerts and CCTV footage descriptions, correlating them with known threat patterns and suggesting relevant physical or digital controls. Edge AI systems like ARSA’s AI Box Series could deploy these models for real-time, on-premise threat intelligence processing, ensuring data sovereignty and low latency in critical environments. (Source: Sherif, E., Yevseyeva, I., Basto-Fernandes, V., & Cook, A. (2024). Operationalising Cyber Risk Management Using AI: Connecting Cyber Incidents to MITRE ATT&CK Techniques, Security Controls, and Metrics. arXiv preprint arXiv:2603.12455.)

The Future of Data-Informed Security

      This research represents a significant leap forward in bridging the gap between raw threat intelligence and operational security management. By providing an actionable, automated tool for systematic cyber incident response and evidence-based risk management, it empowers organizations to move from reactive defenses to proactive, intelligence-driven strategies. The ability to automatically classify incidents, understand adversary intent, and objectively measure control effectiveness will ultimately lead to reduced risk exposure, enhanced organizational cyber resilience, and a stronger overall security posture in an increasingly complex threat landscape.

      Ready to explore how AI can strengthen your enterprise's security and operational intelligence? Let ARSA Technology help you engineer advanced, data-informed solutions for your unique challenges. Request a free consultation today.