SECURITY STACK MAPPING METHODOLOGY

Cyber security has emerged as an essential component of technology platforms, and consequently vendors tend to offer a variety of documentation on the security capabilities of their platform. Examine the platform documentation (e.g., security reference architectures, security benchmarks, security documentation of various services) to identify the security capabilities offered by the platform for protecting workloads on the platform. Keep the following in mind while selecting capabilities:

• The scope of the capabilities mapped by this project are technical in nature and do not include administrative or physical control types.
• The selected capabilities should be native to the platform, i.e., produced by the vendor themselves or third-party capabilities branded by the vendor. For example, thirty-party security capabilities offered in cloud marketplaces are considered out of scope.
• Note: The Intel vPro mappings portray defensive capabilities available within enterprise hardware that are integrated with operating system and security software features.
• The security capabilities selected to be mapped tend to be capabilities that are marketed as standalone security products available on the platform. The intent is not to provide a mapping for all settings/features of individual platform services that are security related. This is a non-trivial undertaking that may be explored at a later time.

For each identified security capability, consult the available documentation to understand the mitigation abilities it provides. Gather the following facts about the security capability that will later help in mapping it to the set of ATT&CK techniques and sub-techniques it is able to mitigate:

• Category of security function provided by the control:
  • Protect: reduces the likelihood of the occurrence of a cybersecurity event.
  • Detect: identifies the occurrence of a cybersecurity event.
  • Respond: reduces or remediates the impact of a cybersecurity event.
• The resource type(s) protected by the capability (e.g., identity, storage, network).
• If applicable, the list of operating systems supported by the capability.
• Temporal nature of the capability's operation:
  • Does the capability operate in real-time?
  • Does the capability operate periodically (e.g., hourly, daily, weekly)?
  • Is the capability event triggered? How often do these events occur?
• Specific threats cited in documentation that the capability mitigates.

After understanding the types of mitigation provided by the security capability and gathering the basic facts about its operation, as identified in the previous step, review the ATT&CK matrix and identify the techniques and sub-techniques the capability is able to mitigate.

The following may help with this process:

Identify ATT&CK Tactics in Scope

• The resource type(s) protected by the capability, as identified in the previous step, can help narrow down the ATT&CK tactics which are in scope for this capability.
  • Example: A capability that protects identity related resources can help you focus your attention on ATT&CK tactics relevant to identity, such as: Privilege Escalation and Credential Access.
• ATT&CK's mitigations which describe the configurations, tools or process that can prevent the successful execution of a set of (sub-)techniques, can also be used to identify the ATT&CK tactics that should be reviewed.
  • Identify the ATT&CK mitigations that provide similar capabilities as the security capability. Each mitigation comes with the list of ATT&CK (sub-)techniques that it is able to prevent its successful execution. The ATT&CK tactics associated with these (sub-)techniques should be reviewed.
• Use any examples of threats cited in the capability documentation to also narrow down the ATT&CK tactics to review.

Identify ATT&CK Techniques & Sub-techniques in Scope

• Review the description of each ATT&CK technique to determine if the capability is able to mitigate the adversary behavior described in the technique.
• If the technique contains sub-techniques:
  • For each sub-technique, review its description and procedure examples to determine if the capability is able to mitigate the behavior described.
  • Ensure the capability supports the sub-technique platforms.
  • If this capability is a protective capability, the sub-technique Mitigations section can be especially useful in determining if this sub-technique would be prevented by this capability.
  • If this capability is a detective capability, the sub-technique Detections section can be especially useful in determining if this sub-technique would be detected by this capability.
• ATT&CK currently does not provide guidance on how to respond to (sub-)techniques. Utilize the (sub-)technique description and procedure examples to determine if it should be in scope.

After identifying the techniques and sub-techniques that are mappable to the capability, use the scoring rubricto score the effectiveness of the security function (protect, detect, respond) provided by the capability in mitigating the behavior described by the ATT&CK entity.

The previous steps enabled you to gather the information required to create a mapping for a capability. Use the following guidelines to help you in the process of creating a mapping:

• The mapping format promotes producing mappings that are self-contained, enabling a reader of the mapping file to understand the basic functionality provided by the capability and also the rational for selecting the ATT&CK techniques and sub-techniques it maps. Use the various comment and description fields to communicate this information to readers.
• Populate the comments field with information that will enable understanding of the mapping. The comments field can designate what features of the capability are used, describe how the capability addresses the adversary behavior, and provide justification for the scoring assessment.
• Do not include ATT&CK information in the comments field or as references. This information is already present in the techniques field of the mapping and the website provides grouping of mapped capabilities by ATT&CK (sub-)techniques and links to view the (sub-)techniques in ATT&CK.