Connecting the Dots: Integrating Auto-ISAC’s ATM with Deep & Dark Web Intelligence for Proactive Automotive Cybersecurity

In March 2024, Auto-ISAC released a significant resource for the automotive industry’s cybersecurity: the Automotive Threat Matrix (ATM). This is an important milestone for Auto-ISAC and the automotive cybersecurity community, streamlining frameworks and processes to ensure long-term cybersecurity resilience. 

Modeled after the well-known MITRE ATT&CK® framework, the ATM offers a detailed enumeration of automotive-specific threat actor tactics and techniques based on real-world attacks and extensive research. By defining a standardized taxonomy for automotive threats, the ATM aims to accelerate and unify cybersecurity practices across the sector, ensuring that automakers and technology providers can address emerging threats with precision and coordination.

The MITRE ATT&CK® Influence on ATM

The Auto-ISAC ATM draws inspiration from the MITRE ATT&CK® framework, which is widely used across industries as a foundational cybersecurity resource. MITRE ATT&CK® is an open, globally accessible knowledge base documenting real-world adversary tactics and techniques. This foundation has been used to develop specific threat models and methodologies for sectors ranging from government to private industry.

By adopting a structure similar to MITRE ATT&CK®, Auto-ISAC aims to bring a collaborative, accessible resource to the automotive community. Just as MITRE ATT&CK® has brought communities together to create a safer cybersecurity landscape, the ATM is designed to foster cooperation within the automotive industry, enabling participants to protect connected and software-defined vehicles from adversarial threats.

The Role of ATM in Dynamic Automotive Risk Assessment

Implementing the ATM is a step towards holistic and risk management in the automotive industry. By creating a framework that addresses various attack vectors and affected components, the ATM enhances multiple elements of risk management, including:

1. Vulnerability Management: ATM analyzes the affected components, attack vectors, and potential impact, enabling organizations to prioritize patches and mitigation plans.
2. Threat Assessment and Risk Analysis (TARA): The structured taxonomy provided by the ATM allows cybersecurity teams to perform TARA more efficiently, enhancing their ability to mitigate risks in the most accurate and effective manner.
3. Cyber Threat Intelligence: The ATM can also support the analysis and prioritization of intelligence gathering from both surface-level and dark web sources, providing valuable insights into potential threats and adversarial activities that could target the automotive ecosystem.

As vehicles are increasingly updated via OTA mechanisms, SBOM management becomes critical. Risk management frameworks must integrate dynamic SBOM analysis, which is essential for tracking the cybersecurity posture of software-defined vehicles. 

“The ATM is designed to be a common language and threat taxonomy of cyberattacks on vehicles that helps streamline information and intelligence sharing. We are excited to share this framework openly with the automotive industry and thrilled to see it increasingly incorporated into toolsets such as Upstream’s AutoThreat®PRO.”

Faye Francy, Executive Director of Auto-ISAC

Bringing ATM to Life with Cyber Threat Intelligence

Upstream’s AutoThreat® PRO Cyber Threat Intelligence (CTI) offers a comprehensive view of the threat landscape tailored to the mobility domain. The solution delivers actionable findings and mitigation recommendations based on mobility-specific resources, helping detect threats to critical assets and enhance compliance.

Upstream’s CTI platform combines vulnerability intelligence with automotive-specific exploit research. It leverages hundreds of deep, dark, and clear web sources to uncover vulnerabilities and exploits. The scope spans across both on-board and off-board systems: on-board intelligence includes findings related to in-vehicle tampering of connected products such as IVI jailbreaks or TCU rooting; whereas offboard intelligence expands to external and third-party vulnerabilities, including unauthorized access to vehicle data and controls via diagnostic tools or mobile app tampering.

To help the automotive industry operationalize the ATM, Upstream has recently integrated the ATM with AutoThreat®PRO. AutoThreat®PRO categorizes each attack tactic and technique described in the ATM, associating them with relevant attack vectors, affected vehicle components, and potential impacts. 

• Contextual Threat Categorization: AutoThreat®PRO organizes the ATM’s tactics and techniques based on the specific components and vectors they affect, as well as the potential impact, allowing cybersecurity teams to pinpoint vulnerabilities more precisely. The solution also correlates attacks with the MITRE ATT&CK to provide a holistic view.
• Correlation with Deep & Dark Web Intelligence: The platform automatically correlates findings from the deep and dark web with relevant ATM techniques, providing a comprehensive view of current threats that may be targeting connected vehicles. The platform also correlates findings with regulatory requirements, for example, R155 Annex 5, and other frameworks for actionable insights and accelerated compliance. 
• Threat Actor Analysis and Mapping: AutoThreat®PRO offers a unique perspective into threat actors’ activities and motivations. By mapping threat actor intelligence with the ATM, cybersecurity teams can prioritize risks and implement a proactive approach to risk management.
  

Illustration of Upstream’s AutoThreat®PRO heatmap, showcasing the correlation of deep & dark web intelligence on top of the ATM framework (size of the bubble indicates the number of relevant findings).
Source: Auto-ISAC, Upstream Security

In addition to supporting automotive stakeholders, AutoThreat®PRO fosters intelligence sharing within the industry, an essential aspect of the ATM framework. By correlating threat data across multiple sources and sharing findings within a unified structure, it enables a proactive approach to managing cyber risks.

Strengthening Community-Driven Automotive Cybersecurity Resilience

As automotive technology continues to progress, the need for industry-specific cybersecurity frameworks and standards becomes more critical. The Auto-ISAC ATM represents a significant advancement in the automotive sector’s defense capabilities. By adopting these resources, automakers, technology providers, and cybersecurity teams can create a safer ecosystem for connected and software-defined vehicles.

The collaborative effort exemplified by the Auto-ISAC ATM underscores the importance of a unified approach to security. With Upstream’s AutoThreat®PRO, automotive cybersecurity teams can bring this framework to life, transforming theory into actionable intelligence and paving the way for a resilient, secure future in mobility.