  • Stars: 362
  • Rank: 117,671 (Top 3 %)
  • Language: Python
  • License: Apache License 2.0
  • Created over 4 years ago
  • Updated over 1 year ago

Repository Details

Security control framework mappings to MITRE ATT&CK provide a critically important resource for organizations to assess their security control coverage against real-world threats and provide a bridge for integrating ATT&CK-based threat information into the risk management process.

Security Control Framework Mappings to ATT&CK

This repository contains security control framework mappings to MITRE ATT&CK® with supporting documentation and resources. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base and provide a foundation for integrating ATT&CK-based threat information into the risk management process. This work was developed by the Center for Threat-Informed Defense in collaboration with our participants.

The most recent mapping update from ATT&CK v10.1 to v12.1 was accomplished by applying the Center’s ATT&CK Sync methodology and tools. This mappings update served as a case study for ATT&CK Sync and a 75% reduction in labor hours was achieved as compared to previous update efforts, due to the ability to quickly focus attention on only those mappings which were materially impacted by changes to ATT&CK. ATT&CK Sync is applicable to any project that relies on ATT&CK and is a freely available, open-source project, as are all Center resources. For more specifics on this effort, please visit the Case Study: NIST 800 53 Mappings.

NIST 800-53 Revision 4 Security Control Mappings

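| ATT&CK Version | Mappings as XLSX (download) | ATT&CK Navigator Layers | STIX Data |
|----------------|-----------------------------|-------------------------|-----------|
| ATT&CK-v12.1   | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v10.1   | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v9.0    | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v8.2    | Spreadsheet                 | Navigator Layers        | STIX      |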

NIST 800-53 Revision 5 Security Control Mappings

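| ATT&CK Version | Mappings as XLSX (download) | ATT&CK Navigator Layers | STIX Data |
|----------------|-----------------------------|-------------------------|-----------|
| ATT&CK-v12.1   | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v10.1   | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v9.0    | Spreadsheet                 | Navigator Layers        | STIX      |
| ATT&CK-v8.2    | Spreadsheet                 | Navigator Layers        | STIX      |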

A Collaborative Approach

Mapping NIST Special Publication 800-53, or any security control framework, to ATT&CK is a labor-intensive and often subjective undertaking. Furthermore, due to the large number of security controls in any given framework and the evolving nature of cyber adversaries, these mappings are often error-prone and difficult to maintain. We recognized that there was not only a need for mapping NIST 800-53, but an opportunity to work collaboratively and advance threat-informed defense with the global community. With over 6,300 individual mappings between NIST 800-53 and ATT&CK, we believe that this work will greatly reduce the burden on the community – allowing organizations to focus their limited time and resources on understanding how controls map to threats in their environment.

Repository Contents

  • Frameworks — this directory contains the security control frameworks and their mappings to ATT&CK techniques. Each security control framework has its own directory of documentation and resources.
  • Mapping Methodology — a description of the general process used to create the control mappings
  • Tooling — a set of Python tools to support the creation of new mappings and the customization of existing mappings
  • Use Cases - use cases for security control framework mappings to ATT&CK
  • STIX Format — information regarding the STIX representation of the control frameworks and the mappings to ATT&CK
  • Visualization — this document describes some ways the mappings data can be visualized.
  • Contributing — information about how to contribute controls, mappings, or other improvements to this repository
  • Changelog — list of updates to this repository

Getting Involved

There are several ways that you can get involved with this project and help advance threat-informed defense.

First, review the mappings, use them, and tell us what you think. We welcome your review and feedback on the NIST 800-53 mappings, our methodology, and resources.

Second, we are interested in applying our methodology to other security control frameworks. Let us know what frameworks you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.

Finally, we are interested in developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. Share your ideas and we will consider them as we explore additional research projects.

Questions and Feedback

Please submit issues for any technical questions/concerns or contact [email protected] directly for more general inquiries.

Also see the guidance for contributors if you are interested in contributing or simply reporting issues.

Notice

Copyright 2020-2023 MITRE Engenuity. Approved for public release. Document number CT0011.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use

More Repositories

  1. adversary_emulation_library (C, 995 stars): An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
  2. attack-flow (TypeScript, 340 stars): Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
  3. attack-workbench-frontend (TypeScript, 288 stars): An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains an Angular-based web application providing the user interface for the ATT&CK Workbench application.
  4. attack_to_cve (154 stars): A methodology for mapping MITRE ATT&CK techniques to vulnerability records to describe the impact of a vulnerability.
  5. security-stack-mappings (Python, 148 stars): This project empowers defenders with independent data on which native security controls of leading technology platforms are most useful in defending against the adversary TTPs they care about.
  6. tram (HTML, 99 stars): TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®.
  7. insider-threat-ttp-kb (98 stars): The principal objective of this project is to develop a knowledge base of the tactics, techniques, and procedures (TTPs) used by insiders in the IT environment. It will establish an Insider Threat TTP Knowledge Base, built upon data collected on insider threat incidents and lessons learned and experience from the ATT&CK knowledge base.
  8. caldera_pathfinder (Python, 77 stars): Pathfinder is a plugin for mapping network vulnerabilities, scanned by CALDERA or imported by a supported network scanner, and translating those scans into adversaries for network traversal.
  9. top-attack-techniques (72 stars): Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing ATT&CK techniques.
  10. public-resources (70 stars): Collection of resources related to the Center for Threat-Informed Defense
  11. attack_to_veris (Python, 69 stars): 🚨ATTENTION🚨 The VERIS mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
  12. attack-powered-suit (JavaScript, 63 stars): ATT&CK Powered Suit is a browser extension that puts the complete MITRE ATT&CK® knowledge base at your fingertips with text search, context menus, and ATT&CK Navigator integration.
  13. attack-workbench-rest-api (JavaScript, 37 stars): An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API service for storing, querying, and editing ATT&CK objects.
  14. cloud-analytics (HCL, 27 stars): Cloud Analytics helps defenders detect attacks to their cloud infrastructure by developing behavioral analytics for cloud platforms as well as a blueprint for how others can create and use cloud analytics effectively.
  15. sightings_ecosystem (Python, 22 stars): This project aims to fundamentally advance our collective ability to see threat activity across organizational, platform, vendor and geographical boundaries.
  16. attack-workbench-collection-manager (JavaScript, 12 stars): [DEPRECATED] An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API and services for managing collections, collection indexes, and collection subscriptions.
  17. defending-iaas-with-attack (Makefile, 8 stars): Defending IaaS with ATT&CK is a project to create a collection of ATT&CK techniques relevant to a Linux IaaS environment, as well as a methodology for creating technique collections.
  18. first-ctid-workshop (Python, 6 stars)