MAPPING METHODOLOGY

Cyber security has emerged as an essential component of technology platforms, and consequently vendors tend to offer a variety of documentation on the security capabilities of their platform. Peruse the platform documentation (e.g. security reference architectures, security benchmarks, security documentation of various services, etc.) to identify the security controls offered by the platform for protecting workloads on the platform. Keep the following in mind while selecting controls:

• The scope of the controls mapped by this project are the technical control types and do not include administrative or physical control types.
• The selected controls should be native to the platform, i.e. produced by the vendor themselves or third-party controls branded by the vendor. For example, thirty-party security controls offered in cloud marketplaces are considered out of scope.
• The security controls selected to be mapped as part of this project tend to be controls that are marketed as standalone security products available on the platform. The intent is not to provide a mapping for all settings/features of individual platform services that are security related. This is a non-trivial undertaking that may be explored at a later time.

For each identified security control, consult the available documentation to understand its capabilities. Gather the following facts about the security control that will later help in mapping the control to the set of ATT&CK techniques and sub-techniques it is able to mitigate:

• Category of security function provided by the control:
• Protect: reduces the likelihood of the occurrence of a cybersecurity event.
• Detect: identifies the occurrence of a cybersecurity event.
• Respond: reduces or remediates the impact of a cybersecurity event.
• The resource type(s) protected by the control (e.g. identity, storage, network, etc.).
• If applicable, the list of operating systems supported by the control.
• Temporal nature of the control's operation:
• Does the control operate in real-time?
• Does the control operate periodically (hourly, daily, weekly, etc.)?
• Is the control event triggered? How often do these events occur?
• Specific threats cited in documentation that the control mitigates.

After understanding the capabilities of the security control and gathering the basic facts about its operation, as identified in the previous step, review the ATT&CK matrix and identify the techniques and sub-techniques the control is able to mitigate.

The following may help with this process:

Identify ATT&CK Tactics in Scope

• The resource type(s) protected by the control, as identified in the previous step, can help narrow down the ATT&CK tactics which are in scope for this control.
• Example: A control that protects identity related resources can help you focus your attention on ATT&CK tactics relevant to identity, such as: Privilege Escalation and Credential Access.
• ATT&CK's mitigations which describe the configurations, tools or process that can prevent the successful execution of a set of (sub-)techniques, can also be used to identify the ATT&CK tactics that should be reviewed.
• Identify the ATT&CK mitigations that provide similar capabilities as the security control. Each mitigation comes with the list of ATT&CK (sub-)techniques that it is able to prevent its successful execution. The ATT&CK tactics associated with these (sub-)techniques should be reviewed.
• Use any examples of threats cited in the control documentation to also narrow down the ATT&CK tactics to review.

Identify ATT&CK Techniques & Sub-techniques in Scope

• Review the description of each ATT&CK technique to determine if the control is able to mitigate the adversary behavior described in the technique.
• If the technique contains sub-techniques:
• For each sub-technique, review its description and procedure examples to determine if the control is able to mitigate the behavior described.
• Ensure the control supports the sub-technique platforms.
• If this control is a protective control, the sub-technique Mitigations section can be especially useful in determining if this sub-technique would be prevented by this control.
• If this control is a detective control, the sub-technique Detections section can be especially useful in determining if this sub-technique would be detected by this control.
• ATT&CK currently does not provide guidance on how to respond to (sub-)techniques. Utilize the (sub-)technique description and procedure examples to determine if it should be in scope.

After identifying the techniques and sub-techniques that are mappable to the control, use the scoring rubric to score the effectiveness of the security function (protect, detect, respond) provided by the control in relation to the behavior described by the ATT&CK technique or sub-technique. The scoring rubric provides score values of Minimal, Partial, and Significant based on careful consideration of scoring factors, including the control's ability to mitigate the behavior described, how frequently the control operates, and the fidelity of the capability.

Currently, the cloud security capability mappings provide these scoring assessments.

The previous steps enabled the gathering of information required to create a mapping file for a control according to the mapping data format. Use the following guidelines to help in the process of creating a mapping:

• The mapping format promotes producing mappings that are self-contained, enabling a reader of the mapping file to understand the basic functionality provided by the control and also the rational for selecting the ATT&CK techniques and sub-techniques to which it maps.
• When scoring a control's effectiveness at mitigating a technique or sub-technique, use the comment field to provide an explanation of the assessment.

• CVE: Methodology
• NIST 800-53: Methodology | Scope
• Security Stack Mappings: Methodology
• VERIS: Methodology