The MITRE ATT&CK framework itself doesn’t provide recommendations for severity levels. Severity levels are generally relative, and they provide context for what needs to be prioritized.

While the MITRE ATT&CK framework provides invaluable context for understanding adversary behavior, it does not inherently assign severity levels to identified threats. To address this, Zetafence incorporates a separate severity classification service. This service calculates security scores based on a variety of factors, including the nature of the vulnerability, its potential impact, and the organization’s specific risk tolerance. By combining the contextual insights from MITRE ATT&CK with precise severity ratings, Zetafence delivers a comprehensive risk assessment.

At Zetafence, we provide the following severity levels for this purpose:

CRITICAL, HIGH, NORMAL, LOW, WARN

Note that there are alternative approaches to threat scoring, such as:

CVSS (Common Vulnerability Scoring System): This industry standard assigns a severity score to vulnerabilities based on exploitability, impact, and scope.

NIST Cloud Configuration Scoring System (CCSS): Based on CVSS, CCSS focuses on misconfigurations in Infrastructure as Code (IaC) deployments specific to the cloud.