The formula developed for this project to calculate the severity of a red team finding based on TTP Frequency, Exploitability, and Complexity is the following:
Severity = Roundup((TTP Frequency + Exploitability) / Complexity)
Where:
TTP Frequency: Refers to how often threat actors use a specific TTP during a time frame.
Exploitability: Refers to the level of technical skill and resources an attacker needs, and how easily the finding can be exploited successfully.
Complexity: Refers to the difficulty or ease with which the red team finding can be remediated.
In this formula, the severity of the red team finding is calculated by adding the TTP Frequency and Exploitability and dividing the result by the Complexity. The higher the severity score, the more critical the red team finding is.
The CRTFSS score is the sum of the TTP frequency and exploitability values divided by the remediation complexity value. TTP Frequency and Exploitability are rated on a scale of 0-5, and Complexity is calculated to be anywhere from 1-5.
The TTP frequency score can be set from 1 to 5. However, if the Red Team Finding doesn't have a direct MITRE ATT&CK® ID translation, it can be set to 3 or higher if the organization considers it more critical.
* Values used for the remediation complexity calculation
CRTFSS scores range from 0.1-10.0, where a higher value represents a higher severity of the finding.
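As an added example (not the project's own code), the formula above implemented in Python: it validates inputs against the ranges the page gives and assumes that "Roundup" means rounding up to one decimal place, the precision implied by the 0.1-10.0 score range; the sample findings at the bottom are constructed.

```python
"""CRTFSS-style severity calculator built from the formula on this page (added example)."""
import math
from fractions import Fraction

# Input ranges as stated on the page. Complexity never reaches 0, so the division is defined.
TTP_FREQUENCY_RANGE = (0, 5)
EXPLOITABILITY_RANGE = (0, 5)
COMPLEXITY_RANGE = (1, 5)


def valid_inputs(ttp_frequency: int, exploitability: int, complexity: int) -> bool:
    """True when every input lies inside the range the page defines for it."""
    return (
        TTP_FREQUENCY_RANGE[0] <= ttp_frequency <= TTP_FREQUENCY_RANGE[1]
        and EXPLOITABILITY_RANGE[0] <= exploitability <= EXPLOITABILITY_RANGE[1]
        and COMPLEXITY_RANGE[0] <= complexity <= COMPLEXITY_RANGE[1]
    )


def roundup(value: Fraction) -> float:
    """Round UP to one decimal place (assumption: this is what 'Roundup' means here).

    Exact fractions are used so that e.g. 7/3 = 2.333... becomes 2.4, never 2.3
    through floating-point truncation.
    """
    return math.ceil(value * 10) / 10


def crtfss(ttp_frequency: int, exploitability: int, complexity: int) -> float:
    """Severity = Roundup((TTP Frequency + Exploitability) / Complexity)."""
    if not valid_inputs(ttp_frequency, exploitability, complexity):
        raise ValueError(
            f"out of range: ttp_frequency={ttp_frequency} (0-5), "
            f"exploitability={exploitability} (0-5), complexity={complexity} (1-5)"
        )
    raw = Fraction(ttp_frequency + exploitability, complexity)
    return roundup(raw)


if __name__ == "__main__":
    # Constructed sample findings (hypothetical names and scores, not from the page).
    findings = [
        ("Kerberoastable service account", 4, 3, 2),   # (4+3)/2 = 3.5
        ("Legacy protocol left enabled", 3, 4, 3),     # (3+4)/3 = 2.33 -> rounds up to 2.4
        ("Unpatched internet-facing RCE", 5, 5, 1),    # (5+5)/1 = 10.0
    ]
    for name, freq, expl, cplx in findings:
        print(f"{name:35s} CRTFSS = {crtfss(freq, expl, cplx):4.1f}")
```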