From Reactive Security to Threat-Informed Defense: My Research Journey on Risk-Based Cybersecurity Prioritisation

After months of research, adversary emulation, lab building, testing, and validation, I’m pleased to share that my cybersecurity research paper, “A Risk-Based Framework for Prioritising Cybersecurity Controls Using MITRE ATT&CK with Empirical Validation via Adversary Emulation,” has now been published on ResearchGate and Zenodo.

This research was driven by a simple but important question:

Are organisations truly prioritising cybersecurity controls based on actual attacker behaviour and business risk, or are they still relying primarily on compliance checklists and generic best practices?

The Problem

Many organisations deploy security controls reactively or uniformly without considering which threats are most likely to impact them operationally. As threat actors evolve, defenders often struggle with limited resources, detection gaps, and uncertainty around where to invest security efforts first.

Traditional governance and compliance frameworks provide structure and assurance, but they do not always tie defensive priorities directly to the tactics, techniques, and procedures (TTPs) that adversaries actually use against an organisation.

This is where the MITRE ATT&CK framework becomes highly valuable.

What the Research Introduces

The research proposes a threat-informed and risk-based methodology for prioritising cybersecurity controls by integrating:

  • MITRE ATT&CK adversary mappings
  • Quantitative risk scoring
  • Detection telemetry
  • Control maturity analysis
  • Adversary emulation
  • Residual risk calculations

The framework evaluates attacker behaviours not only from a technical perspective, but also from a business risk perspective.

Instead of asking:

“What controls should we implement?”

The framework encourages organisations to ask:

“Which attacker behaviours present the greatest operational risk, and which controls will reduce that risk most effectively?”
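To make the question concrete, here is a small added example of the kind of calculation the framework asks for. It is illustrative code written for this post, not the scoring model from the paper: the likelihood and impact scales, the multiplicative residual-risk rule, and the control effectiveness and maturity values are all my own assumptions, and the technique scores are constructed. The ATT&CK IDs are real, but mapping each step of the attack chain to one ID is also an assumption.

```python
"""Illustrative risk-based control prioritisation (assumed scoring model, not the paper's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str          # ATT&CK technique ID
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected); from threat intel and emulation results
    impact: int       # 1 (nuisance) .. 5 (business-critical); from the business owner

    @property
    def inherent_risk(self) -> float:
        return float(self.likelihood * self.impact)


@dataclass(frozen=True)
class Control:
    name: str
    # technique ID -> fraction of that technique's risk removed when the control is fully mature
    effectiveness: dict
    maturity: float   # 0.0 (absent) .. 1.0 (deployed, tuned and monitored)


def residual_risk(techniques, controls, overrides=None):
    """Residual risk per technique after applying controls at their (possibly overridden) maturity.

    Controls combine multiplicatively: each one leaves (1 - effectiveness * maturity) of the risk.
    `overrides` maps control name -> maturity so a what-if can be evaluated without mutating inputs.
    """
    overrides = overrides or {}
    result = {}
    for t in techniques:
        remaining = t.inherent_risk
        for c in controls:
            eff = c.effectiveness.get(t.tid, 0.0)
            maturity = overrides.get(c.name, c.maturity)
            remaining *= 1.0 - eff * maturity
        result[t.tid] = remaining
    return result


def prioritise_controls(techniques, controls, target_maturity=1.0):
    """Rank controls by the total residual risk each removes if raised to target_maturity."""
    baseline = sum(residual_risk(techniques, controls).values())
    ranked = []
    for c in controls:
        with_c = sum(residual_risk(techniques, controls, {c.name: target_maturity}).values())
        ranked.append((c.name, baseline - with_c))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


# Constructed scores for the six behaviours in the emulated chain (assumed values, not the paper's).
TECHNIQUES = [
    Technique("T1059.001", "PowerShell", likelihood=5, impact=3),
    Technique("T1003", "OS Credential Dumping", likelihood=4, impact=5),
    Technique("T1018", "Remote System Discovery", likelihood=4, impact=2),
    Technique("T1021.002", "SMB/Windows Admin Shares", likelihood=3, impact=4),
    Technique("T1071.001", "Web Protocols (beaconing)", likelihood=4, impact=3),
    Technique("T1567.002", "Exfiltration to Cloud Storage", likelihood=3, impact=5),
]

# Constructed controls with assumed effectiveness and current maturity.
CONTROLS = [
    Control("PowerShell logging and constrained language mode", {"T1059.001": 0.6}, maturity=0.5),
    Control("Credential Guard / LSASS protection", {"T1003": 0.8}, maturity=0.0),
    Control("Network segmentation and SMB hardening", {"T1021.002": 0.7, "T1018": 0.4}, maturity=0.25),
    Control("Egress filtering and DLP", {"T1071.001": 0.5, "T1567.002": 0.7}, maturity=0.0),
]

if __name__ == "__main__":
    print("Inherent risk: ", sum(t.inherent_risk for t in TECHNIQUES))
    print("Residual risk: ", round(sum(residual_risk(TECHNIQUES, CONTROLS).values()), 2))
    for name, reduction in prioritise_controls(TECHNIQUES, CONTROLS):
        print(f"{reduction:6.2f}  {name}")
```

The point of the what-if loop is that the ranking is driven by attacker behaviour and business impact together: on these constructed numbers the two controls with zero current maturity come out on top, but only because the techniques they cover carry high impact, not because they are "best practice". Adding a cost per control and sorting by reduction per unit cost is a one-line change if budget is the constraint.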

Practical Validation Through Adversary Emulation

To validate the framework, I built a complete attack simulation lab using:

  • MITRE Caldera
  • Sysmon
  • Wazuh
  • Windows Server 2022
  • Windows 11
  • Ubuntu-based attack infrastructure

A simulated attack chain titled “Sneaky Data Thief” was executed to emulate:

  • PowerShell abuse
  • Credential harvesting
  • Host discovery
  • SMB lateral movement
  • Beaconing activity
  • Cloud-based data exfiltration

The resulting telemetry was mapped back to MITRE ATT&CK techniques and analysed to identify detection gaps, control effectiveness, and residual risk reduction opportunities.
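As an added example of that mapping step (my own illustrative code, not the lab's tooling or any script from the paper), the snippet below reads Wazuh-style alert JSON lines, pulls the ATT&CK IDs that Wazuh attaches under `rule.mitre.id`, and compares them with the techniques the "Sneaky Data Thief" chain was meant to exercise. The alert lines are constructed for this post: rule IDs, descriptions, timestamps and agent names are made up, and the field layout is a simplified version of what Wazuh emits. Mapping each chain step to a single ATT&CK ID is an assumption.

```python
"""Map constructed Wazuh-style alerts back to an emulated ATT&CK chain and list detection gaps."""
import json

# Techniques the emulated chain exercises (real ATT&CK IDs; the step-to-ID mapping is assumed).
EMULATED_CHAIN = {
    "T1059.001": "PowerShell abuse",
    "T1003": "Credential harvesting (OS Credential Dumping)",
    "T1018": "Host discovery (Remote System Discovery)",
    "T1021.002": "SMB lateral movement (SMB/Windows Admin Shares)",
    "T1071.001": "Beaconing (Web Protocols)",
    "T1567.002": "Cloud exfiltration (Exfiltration to Cloud Storage)",
}

# Constructed alerts in a simplified Wazuh alerts.json shape. One line is deliberately corrupt
# and one alert carries no MITRE mapping, which is what real rotated logs look like.
SAMPLE_ALERTS = """\
{"timestamp":"2025-01-15T10:02:11.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100201","level":8,"description":"Sysmon - suspicious PowerShell process","mitre":{"id":["T1059.001"],"tactic":["Execution"],"technique":["PowerShell"]}},"data":{"win":{"system":{"eventID":"1"}}}}
{"timestamp":"2025-01-15T10:02:12.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100202","level":9,"description":"PowerShell script block with encoded command","mitre":{"id":["T1059.001"],"tactic":["Execution"],"technique":["PowerShell"]}},"data":{"win":{"system":{"eventID":"4104"}}}}
this line is not JSON and should be skipped
{"timestamp":"2025-01-15T10:04:40.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100210","level":6,"description":"Sysmon - network enumeration tool launched","mitre":{"id":["T1018"],"tactic":["Discovery"],"technique":["Remote System Discovery"]}},"data":{"win":{"system":{"eventID":"1"}}}}
{"timestamp":"2025-01-15T10:05:03.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100220","level":10,"description":"Sysmon - outbound SMB connection to admin share","mitre":{"id":["T1021.002"],"tactic":["Lateral Movement"],"technique":["SMB/Windows Admin Shares"]}},"data":{"win":{"system":{"eventID":"3"}}}}
{"timestamp":"2025-01-15T10:05:30.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100230","level":7,"description":"Sysmon - file dropped by script host","mitre":{"id":["T1105"],"tactic":["Command and Control"],"technique":["Ingress Tool Transfer"]}},"data":{"win":{"system":{"eventID":"11"}}}}
{"timestamp":"2025-01-15T10:06:00.000+0000","agent":{"name":"WIN11-01"},"rule":{"id":"100001","level":3,"description":"Windows logon success"},"data":{"win":{"system":{"eventID":"4624"}}}}
"""


def parse_alerts(text):
    """Parse newline-delimited alert JSON, skipping blank or corrupt lines instead of aborting."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def technique_ids(alert):
    """ATT&CK IDs attached to an alert; tolerates a missing mitre block or a bare string."""
    mitre = alert.get("rule", {}).get("mitre") or {}
    ids = mitre.get("id") or []
    return [ids] if isinstance(ids, str) else list(ids)


def windows_event_id(alert):
    return alert.get("data", {}).get("win", {}).get("system", {}).get("eventID")


def coverage(alerts, chain):
    """Per emulated technique: alert count plus which Windows event IDs and agents produced evidence."""
    cov = {tid: {"alerts": 0, "event_ids": set(), "agents": set()} for tid in chain}
    for alert in alerts:
        for tid in technique_ids(alert):
            if tid not in cov:
                continue  # fired, but not part of the chain being validated
            entry = cov[tid]
            entry["alerts"] += 1
            eid = windows_event_id(alert)
            if eid is not None:
                entry["event_ids"].add(str(eid))
            agent = alert.get("agent", {}).get("name")
            if agent:
                entry["agents"].add(agent)
    return cov


def detection_gaps(cov):
    """Emulated techniques that produced no alert at all, in chain order."""
    return [tid for tid, entry in cov.items() if entry["alerts"] == 0]


def coverage_ratio(cov):
    seen = sum(1 for entry in cov.values() if entry["alerts"] > 0)
    return seen / len(cov) if cov else 0.0


if __name__ == "__main__":
    cov = coverage(parse_alerts(SAMPLE_ALERTS), EMULATED_CHAIN)
    for tid, entry in cov.items():
        status = "DETECTED" if entry["alerts"] else "GAP"
        print(f"{tid:10} {status:8} alerts={entry['alerts']} events={sorted(entry['event_ids'])}")
    print("Coverage:", coverage_ratio(cov), "Gaps:", detection_gaps(cov))
```

A gap list produced this way is only as good as the rule-to-technique labels in the SIEM, so it is worth spot-checking a "DETECTED" technique against the raw Sysmon events before trusting it; a rule that is labelled with the right ID but fires on the wrong behaviour still reads as coverage here.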

Key Takeaways

One of the biggest findings from this research is that threat-informed defence and adversary emulation can significantly improve cybersecurity decision-making when combined with measurable risk analysis.

Even partial adoption of this approach can help organisations:

  • Improve defensive prioritisation
  • Reduce attack surface exposure
  • Identify detection blind spots
  • Better align security investments with business risk
  • Move from reactive to intelligence-led security operations

The goal is not perfection.
The goal is smarter prioritisation.

Research Links

ResearchGate: https://www.researchgate.net/publication/404500745_A_Risk-Based_Framework_for_Prioritising_Cybersecurity_Controls_Using_MITRE_ATTCK_with_Empirical_Validation_via_Adversary_Emulation/stats

Zenodo: https://doi.org/10.5281/zenodo.20083240

Acknowledgements

Special thanks to Prof. Kamal Bechkoum for his academic guidance and valuable feedback throughout this journey.

I’d also like to thank my old friend Syed Gilani for his discussions, technical feedback, and encouragement during the development and validation of this work.
