Methodology Overview

This page describes the methodology used to map security controls native to a technology platform to MITRE ATT&CK® and aims to provide the community a reusable method of using ATT&CK to determine the capabilities of a platform's security offerings.

ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base represents adversary goals as tactics and the specific behaviors employed by adversaries to achieve those goals (how) as techniques and sub-techniques. The methodology described below uses the information in the ATT&CK knowledge base and its underlying data model to understand, assess, and record the real-world threats that security controls native to a technology platform are able to mitigate.

The methodology consists of the following steps:

1. Identify Platform Security Controls
   - Identify the native security controls available on the platform.
2. Security Control Review
   - For each identified control, understand the security capabilities it provides.
3. Identify Mappable ATT&CK Techniques & Sub-techniques
   - Identify the ATT&CK techniques and sub-techniques mappable to the control.
4. Score Assessment
   - Assess the effectiveness of the type of protection the control provides for the identified ATT&CK techniques and sub-techniques.*
5. Create a Mapping
   - Create a mapping based on the information gathered from the previous steps.

* Scoring assessments have been performed for cloud security capability mappings to record the category of ATT&CK coverage provided by a control (protect, detect, or respond) along with an assessment of its effectiveness (minimal, partial, or significant).

Step 1: Identify Platform Security Controls

Cybersecurity has emerged as an essential component of technology platforms, and consequently vendors tend to offer a variety of documentation on the security capabilities of their platform. Review the platform documentation (e.g. security reference architectures, security benchmarks, security documentation of various services, etc.) to identify the security controls the platform offers for protecting workloads running on it. Keep the following in mind while selecting controls:

Step 2: Security Control Review

For each identified security control, consult the available documentation to understand its capabilities. Gather the following facts about the security control that will later help in mapping the control to the set of ATT&CK techniques and sub-techniques it is able to mitigate:

Step 3: Identify Mappable ATT&CK Techniques & Sub-techniques

After understanding the capabilities of the security control and gathering the basic facts about its operation, as identified in the previous step, review the ATT&CK matrix and identify the techniques and sub-techniques the control is able to mitigate.

The following may help with this process:

Identify ATT&CK Tactics in Scope

Identify ATT&CK Techniques & Sub-techniques in Scope

Step 4: Score Assessments

After identifying the techniques and sub-techniques that are mappable to the control, use the scoring rubric to score the effectiveness of the security function (protect, detect, respond) provided by the control in relation to the behavior described by the ATT&CK technique or sub-technique. The scoring rubric provides score values of Minimal, Partial, and Significant, based on careful consideration of scoring factors including the control's ability to mitigate the behavior described, how frequently the control operates, and the fidelity of the capability.

Currently, the cloud security capability mappings provide these scoring assessments.

Step 5: Create A Mapping

The previous steps gathered the information required to create a mapping file for a control according to the mapping data format. Use the following guidelines to help in the process of creating a mapping:
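The following is an added example, not code from the original page or from the mapping project, that ties Step 4 (score assessment) and Step 5 (create a mapping) together. It builds mapping records for one control, rejects records whose score category or score value is outside the rubric vocabulary (protect/detect/respond; minimal/partial/significant), and summarizes the strongest score recorded per technique and security function so gaps (for example, a technique mapped for detect but never for protect) are visible before the file is published. The field names `capability_id`, `attack_object_id`, `score_category`, `score_value` and `comments` are an assumed, simplified schema rather than the project's published data format; the control id `EXAMPLE-CTRL-01` and all scores are constructed sample data.

```python
"""Build, validate and summarize ATT&CK control mappings (added example)."""
# Assumed simplified schema; not the project's published mapping data format.
import re
from collections import defaultdict

SCORE_CATEGORIES = ("protect", "detect", "respond")       # security functions (Step 4)
SCORE_VALUES = ("minimal", "partial", "significant")      # rubric scores (Step 4)
_RANK = {v: i for i, v in enumerate(SCORE_VALUES)}        # minimal < partial < significant
_ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")             # Tnnnn or Tnnnn.nnn (sub-technique)


def make_mapping(capability_id, attack_object_id, score_category, score_value, comments=""):
    """Return one mapping record, checked against the rubric vocabulary.

    Raises ValueError for an unknown category, an unknown score value or an id
    that does not look like an ATT&CK technique or sub-technique id.
    """
    category = score_category.strip().lower()
    value = score_value.strip().lower()
    if category not in SCORE_CATEGORIES:
        raise ValueError(f"unknown score category {score_category!r}; expected one of {SCORE_CATEGORIES}")
    if value not in SCORE_VALUES:
        raise ValueError(f"unknown score value {score_value!r}; expected one of {SCORE_VALUES}")
    if not _ATTACK_ID.match(attack_object_id):
        raise ValueError(f"{attack_object_id!r} is not of the form Tnnnn or Tnnnn.nnn")
    return {
        "capability_id": capability_id,
        "attack_object_id": attack_object_id,
        "score_category": category,
        "score_value": value,
        "comments": comments,
    }


def coverage_summary(mappings):
    """Per technique, the strongest score recorded for each security function.

    Assumption: when several records cover the same technique and function
    (e.g. two reviewers scored the same pair), the higher rubric score wins.
    """
    summary = defaultdict(dict)
    for m in mappings:
        tid, cat, val = m["attack_object_id"], m["score_category"], m["score_value"]
        current = summary[tid].get(cat)
        if current is None or _RANK[val] > _RANK[current]:
            summary[tid][cat] = val
    return dict(summary)


def techniques_without_function(mappings, score_category):
    """Mapped techniques that have no record at all for the given function."""
    summary = coverage_summary(mappings)
    return sorted(t for t, cats in summary.items() if score_category not in cats)


# Constructed sample mapping for a hypothetical control "EXAMPLE-CTRL-01".
# T1110 (Brute Force) and T1078.004 (Cloud Accounts) are real ATT&CK ids;
# the scores and comments below are invented for the example.
SAMPLE_MAPPINGS = [
    make_mapping("EXAMPLE-CTRL-01", "T1110", "Detect", "Significant",
                 "Alerts on repeated authentication failures (constructed)."),
    make_mapping("EXAMPLE-CTRL-01", "T1110", "Protect", "Partial",
                 "Lockout slows but does not stop credential guessing (constructed)."),
    make_mapping("EXAMPLE-CTRL-01", "T1078.004", "Detect", "Minimal",
                 "Only flags sign-ins from previously unseen locations (constructed)."),
    make_mapping("EXAMPLE-CTRL-01", "T1078.004", "Detect", "Partial",
                 "Second reviewer scored the same pair one step higher (constructed)."),
]

if __name__ == "__main__":
    for tid, cats in sorted(coverage_summary(SAMPLE_MAPPINGS).items()):
        print(tid, cats)
    for cat in SCORE_CATEGORIES:
        print(f"no {cat} coverage:", techniques_without_function(SAMPLE_MAPPINGS, cat))
```

Running the module prints the strongest score per technique and function, then lists, for each function, the mapped techniques that have no record for it. Rejecting non-rubric values at record-creation time keeps the scoring vocabulary consistent across a mapping file, and the "highest score wins" aggregation is a documented assumption that a team may replace with a review step when reviewers disagree.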

Additional Resources