center-for-threat-informed-defense/security-stack-mappings center-for-threat-informed-defense/security-stack-mappings

  • Stars
    star
    148
  • Rank 248,475 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 4 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
center-for-threat-informed-defense/security-stack-mappings
github

center-for-threat-informed-defense

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This project empowers defenders with independent data on which native security controls of leading technology platforms are most useful in defending against the adversary TTPs they care about.

Security Stack Mappings

This repository contains a collection of native security controls mapped to MITRE ATT&CK® based on a common methodology and tool set. We aim to empower organizations with independent data on which native security controls are most useful in defending against the adversary TTPs that they care about and establish a foundation for systematically mapping product security controls to ATT&CK. These mappings will allow organizations to make threat-informed decisions when selecting which native security capabilities to use.

Get the Mappings

This project has produced mapping files for the following technology platforms, with more on the roadmap:

Microsoft Azure

HTML Summary YAML Mappings ATT&CK Navigator Layers

Released on June 29, 2021, these mappings cover the native security controls of Microsoft Azure Infrastructure as a Services for version 8.2 of MITRE ATT&CK. The following scoping decisions influenced the Azure mappings:

  • ATT&CK Scope: This work is focused on ATT&CK (sub-)techniques included in the Enterprise domain v8; Mobile techniques are not covered. There is a follow-on project that will update the mappings to ATT&CK v9.
  • Native Security Controls: This work focused on mapping the security controls produced by Microsoft or branded as Microsoft products. Third-party security controls available on the platform were excluded from analysis.
  • Azure Security Benchmark: Most of the controls included in scope were derived from Microsoft’s Azure Security Benchmark v2 and our review of Azure security documentation.
  • Azure Defender for servers: This control was excluded from analysis due to its complexity and its inclusion within recent MITRE ATT&CK Evaluations.

Amazon Web Services

HTML Summary YAML Mappings ATT&CK Navigator Layers

Released on September 21, 2021, these mappings cover the native security controls of Amazon Web Services for version 9.0 of MITRE ATT&CK. The following scoping decisions influenced the AWS mappings:

  • ATT&CK Scope: This work is focused on ATT&CK techniques and sub-techniques included in ATT&CK for Enterprise v9; Mobile techniques are not covered.
  • Native Security Controls: This work focused on mapping the security controls produced by AWS or branded as AWS products. Third-party security controls available on the platform were excluded from analysis.
  • The AWS Security, Identity, & Compliance products page was used to source the list of controls included within scope of this mapping.
  • Driven by Center participant interest, this effort also included mappings of security features of select, non-security services such as VPC, RDS, and S3.

Google Cloud Platform

HTML Summary YAML Mappings ATT&CK Navigator Layers

Released on June 28, 2022, these mappings cover the native security controls of Google Cloud Platform (GCP) for version 10 of MITRE ATT&CK. The following scoping decisions influenced the GCP mappings:

  • ATT&CK Scope: This work is focused on ATT&CK (sub-)techniques included in the Enterprise domain v10; mobile techniques are not covered.
  • Native Security Controls: This work focused on mapping the security controls produced by Google or offered as Google products. The selected controls are considered native to the platform, i.e., produced by the vendor themselves or third-party controls branded or acquired by the vendor. Third-party security controls offered in cloud marketplaces are considered out of scope and were excluded from analysis.
  • Google Cloud Security: Most of the controls included in scope were derived from Google Cloud Security Solutions and our review of GCP security documentation.

Supporting Resources

This project provides the following supporting resources:

  • Use Cases - There are several use cases for applying the mapping files to advance the state-of-the-art and the state-of-the-practice in threat-informed defense.
  • Methodology – A methodology for using the mapping data format and scoring rubric to produce mapping files for security controls native to a technology platform. By providing a methodology, we hope to encourage a consistent, best-practice approach to performing mappings that will make mappings more comparable to each other. It also encourages community mappings to be developed – including, potentially, by security vendors themselves.
  • Scoring Rubric - A scoring rubric that enables assessing the effectiveness of a security control native to a technology platform in mitigating the set of ATT&CK techniques that it has been mapped to. This scoring rubric enables providing a score for each (sub-)technique included in a security control's mapping file.
  • Mapping Data Format - The specification of a YAML file that captures the mapping of a security control native to a technology platform to the set of ATT&CK techniques that it mitigates.
  • Mapping Tool – A Python-based tool that enables validating and producing ATT&CK Navigator layers for mapping files.
  • Releases - A list of updates to this repository.

Getting Involved

There are several ways that you can get involved with this project and help advance threat-informed defense:

  • Review the mappings, use them, and tell us what you think. We welcome your review and feedback on the mappings, our methodology, and resources.
  • Apply the methodology and share your security capability mappings. We encourage organizations to apply our methodology to map the security capabilities of their products and we welcome mapping contributions.
  • Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
  • Share your ideas. We are interested in developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. If you have ideas or suggestions, we consider them as explore additional research projects.

Questions and Feedback

Please submit issues for any technical questions/concerns or contact [email protected] directly for more general inquiries.

Notice

Copyright 2021 MITRE Engenuity. Approved for public release. Document number CT0019

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use

More Repositories

1

adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
C
995
star
2

attack-control-framework-mappings

Security control framework mappings to MITRE ATT&CK provide a critically important resource for organizations to assess their security control coverage against real-world threats and provide a bridge for integrating ATT&CK-based threat information into the risk management process.
Python
362
star
3

attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
TypeScript
340
star
4

attack-workbench-frontend

An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains an Angular-based web application providing the user interface for the ATT&CK Workbench application.
TypeScript
288
star
5

attack_to_cve

A methodology for mapping MITRE ATT&CK techniques to vulnerability records to describe the impact of a vulnerability.
154
star
6

tram

TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®.
HTML
99
star
7

insider-threat-ttp-kb

The principal objective of this project is to develop a knowledge base of the tactics, techniques, and procedures (TTPs) used by insiders in the IT environment. It will establish an Insider Threat TTP Knowledge Base, built upon data collected on insider threat incidents and lessons learned and experience from the ATT&CK knowledge base.
98
star
8

caldera_pathfinder

Pathfinder is a plugin for mapping network vulnerabilities, scanned by CALDERA or imported by a supported network scanner, and translating those scans into adversaries for network traversal.
Python
77
star
9

top-attack-techniques

Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing ATT&CK techniques.
72
star
10

public-resources

Collection of resources related to the Center for Threat-Informed Defense
70
star
11

attack_to_veris

🚨ATTENTION🚨 The VERIS mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
Python
69
star
12

attack-powered-suit

ATT&CK Powered Suit is a browser extension that puts the complete MITRE ATT&CK® knowledge base at your fingertips with text search, context menus, and ATT&CK Navigator integration.
JavaScript
63
star
13

attack-workbench-rest-api

An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API service for storing, querying, and editing ATT&CK objects.
JavaScript
37
star
14

cloud-analytics

Cloud Analytics helps defenders detect attacks to their cloud infrastructure by developing behavioral analytics for cloud platforms as well as a blueprint for how others can create and use cloud analytics effectively.
HCL
27
star
15

sightings_ecosystem

This project aims to fundamentally advance our collective ability to see threat activity across organizational, platform, vendor and geographical boundaries.
Python
22
star
16

attack-workbench-collection-manager

[DEPRECATED] An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API and services for managing collections, collection indexes, and collection subscriptions.
JavaScript
12
star
17

defending-iaas-with-attack

Defending IaaS with ATT&CK is a project to create a collection of ATT&CK techniques relevant to a Linux IaaS environment, as well as a methodology for creating technique collections.
Makefile
8
star
18

first-ctid-workshop

Python
6
star