MAPPING METHODOLOGY

Methodology Overview

This page describes the methodology used to map security controls native to a security control framework or technology platform to MITRE ATT&CK®. This methodology is based upon our experience mapping frameworks and platforms and aims to provide the community with a reusable method of using ATT&CK to determine the capabilities of security offerings.

ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base represents adversary goals as tactics and the specific behaviors employed by adversaries to achieve those goals (how) as techniques and sub-techniques. The methodology described below utilizes the information in the ATT&CK knowledge base and its underlying data model to understand, assess, and record the real-world threats that security controls native to a technology platform are able to mitigate.

Much like an ATT&CK mitigation, a mapping between a security control and an ATT&CK technique or sub-technique means that the security control may prevent successful execution of the technique or sub-technique. Each security control is examined in the context of ATT&CK mitigations and each specific technique.

The methodology consists of the following steps:

  1. Identify Platform Security Controls
     - Identify the native security controls available on the platform.
  2. Security Control Review
     - For each identified control, understand the security capabilities it provides.
  3. Identify Mappable ATT&CK Techniques & Sub-techniques
     - Identify the ATT&CK techniques and sub-techniques mappable to the control.
  4. Score Assessment*
     - Assess the effectiveness of the type of protection the control provides for the identified ATT&CK techniques and sub-techniques.
  5. Create a Mapping
     - Create a mapping based on the information gathered from the previous steps.

* Scoring assessments have been performed for technology platform capability mappings (e.g., M365) to record the category of ATT&CK coverage provided by a control (protect, detect, or respond) along with an assessment of its effectiveness (minimal, partial, or significant). Control effectiveness for security control frameworks (e.g., NIST 800-53) is not defined; controls are either mapped or not mapped as mitigations of a given technique or sub-technique.
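The distinction above (scored platform capability mappings versus mapped-or-not framework mappings) is easy to get wrong when mapping records are produced by hand. The following is an added example, not code from this page or from the Center's own tooling: a minimal record model that enforces that rule and rolls platform records up into the strongest score per technique and security function. The `Mapping` class, its field names and the `kind` values are assumptions; the control names in the sample are constructed, while the technique IDs are real ATT&CK IDs.

```python
import re
from dataclasses import dataclass
from typing import Optional
CATEGORIES = ("protect", "detect", "respond")       # security function of a control
SCORES = ("minimal", "partial", "significant")      # effectiveness, ascending
TECHNIQUE_ID = re.compile(r"T\d{4}(\.\d{3})?")      # T1078 or T1078.004

@dataclass(frozen=True)
class Mapping:
    control: str            # control name (constructed in the samples below)
    technique: str          # ATT&CK technique or sub-technique ID
    kind: str               # "platform" (scored) or "framework" (mapped or not)
    category: Optional[str] = None
    score: Optional[str] = None

def validation_errors(m: Mapping) -> list:
    """Rule violations for one record; an empty list means the record is valid."""
    errs = []
    if not TECHNIQUE_ID.fullmatch(m.technique):
        errs.append(f"bad technique id {m.technique!r}")
    if m.kind == "platform":   # capability mappings record category and score
        if m.category not in CATEGORIES:
            errs.append(f"category must be one of {CATEGORIES}")
        if m.score not in SCORES:
            errs.append(f"score must be one of {SCORES}")
    elif m.kind == "framework":  # framework mappings (e.g. NIST 800-53) are unscored
        if m.category is not None or m.score is not None:
            errs.append("framework mappings carry no category or score")
    else:
        errs.append(f"unknown mapping kind {m.kind!r}")
    return errs
def coverage(mappings) -> dict:
    """Per technique and category, the strongest score any valid platform control achieves."""
    best = {}
    for m in mappings:
        if m.kind != "platform" or validation_errors(m): continue  # skip unscored/invalid
        per_tech = best.setdefault(m.technique, {})
        if m.category not in per_tech or SCORES.index(m.score) > SCORES.index(per_tech[m.category]):
            per_tech[m.category] = m.score
    return best

# Constructed sample records; the technique IDs are real ATT&CK IDs.
SAMPLE = [
    Mapping("Example MFA control", "T1078", "platform", "protect", "partial"),
    Mapping("Example sign-in risk policy", "T1078", "platform", "detect", "significant"),
    Mapping("Example MFA control", "T1110", "platform", "protect", "significant"),
    Mapping("Example lockout policy", "T1110", "platform", "protect", "partial"),
    Mapping("Example framework control", "T1078", "framework"),
]
```

Running `coverage(SAMPLE)` on the constructed records yields protect: partial and detect: significant for T1078 and protect: significant for T1110; the framework record is validated but contributes no score.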

Step 1: Identify Platform Security Controls

Cybersecurity has emerged as an essential component of technology platforms, and consequently vendors tend to offer a variety of documentation on the security capabilities of their platform. Review the platform documentation (e.g., security reference architectures, security benchmarks, security documentation of various services, etc.) to identify the security controls offered by the platform for protecting workloads on the platform. Keep the following in mind while selecting controls:

Step 2: Security Control Review

For each identified security control, consult the available documentation to understand its capabilities. It is necessary to understand and identify the security concepts and technologies that the control uses to prevent a given action from being successfully executed. Examine the context of the mitigation provided by the control.

Gathering the following facts about the security control will later help in mapping the control to the set of ATT&CK techniques and sub-techniques it is able to mitigate:

Step 3: Identify Mappable ATT&CK Techniques & Sub-techniques

After understanding the capabilities of the security control and gathering the basic facts about its operation, as identified in the previous step, review the ATT&CK matrix and identify the techniques and sub-techniques the control is able to mitigate.

The following may help with this process:

Identify ATT&CK Tactics and Mitigations

Identify ATT&CK Techniques & Sub-techniques

Step 4: Score Assessments

After identifying the techniques and sub-techniques that are mappable to the control, use the scoring rubric to score the effectiveness of the security function (protect, detect, respond) provided by the control in relation to the behavior described by the ATT&CK technique or sub-technique. The scoring rubric provides score values of Minimal, Partial, and Significant based on careful consideration of scoring factors, including the control's ability to mitigate the behavior described, how frequently the control operates, and the fidelity of the capability.

Currently, AWS, Azure, GCP, Intel vPro, and M365 security capability mappings provide these scoring assessments. Scoring assessments for security control framework mappings (e.g., NIST 800-53, The CRI Profile) are not defined.

Step 5: Create A Mapping

The previous steps gather the information required to create a mapping file for a control according to the mapping data format. Use the following guidelines to help in the process of creating a mapping:

Additional Resources