Validating enterpriseLang : A Domain- Specific Language Derived from the Meta Attack Language Framework

Abstract: Enterprise data systems are continuously growing in complexity and size. The attack area of these systems has increased and introduced new vulnerabilities a potential adversary could exploit. Evaluating cyber security in enterprise IT infrastructure is difficult and expensive. Recently, a new threat modeling language was proposed for enterprise systems based on the MITRE Enterprise ATT&CK Matrix, namely enterpriseLang. This language is a domain- specific language built on the Meta Attack Language (MAL) framework. The purpose of enterpriseLang is to enable a simplified and cost- effective environment for enterprises to evaluate the security of their systems without disturbing the data flow of the actual system. However, how can we be sure that enterpriseLang is correct and effective enough to be used in practice? The language needs to be thoroughly validated to be used by companies for cyber security evaluation of enterprise systems. We have validated enterpriseLang by implementing it to model and simulate three real- world cyber attacks against, Equifax, National Health Service (NHS) and Garmin. The validation method was mainly based on the evaluation of two specific issues. Based on our results we concluded that we consider enterpriseLang to be correct and effective enough to be used in practice. On the contrary, we identified some aspects of the language that should be improved.