For AWS, Azure, GCP, and M365 mapping frameworks.

Mapping Methodology

This document describes the methodology used to map security controls native to a technology platform to ATT&CK; and aims to provide the community a reusable method of using ATT&CK to determine the capabilities of a platform's security offerings.

ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base represents adversary goals as tactics and the specific behaviors employed by adversaries to achieve those goals (how) as techniques and sub-techniques. The methodology described below, utilizes the information in the ATT&CK knowledge base and its underlying data model to understand, assess and record the real-world threats that security controls native to a technology platform are able to mitigate.

The methodology consists of the following steps:

  1. Identify Platform Security Controls
  2. - Identify the native security controls available on the platform.
  3. Security Control Review
  4. - For each identified control, understand the security capabilities it provides.
  5. Identify Mappable ATT&CK Techniques & Sub-techniques
  6. - Identify the ATT&CK techniques and sub-techniques mappable to the control.
  7. Score Assessment
  8. - Assess the effectiveness of the type of protection the control provides for the identified ATT&CK techniques and sub-techniques.
  9. Create a Mapping
  10. - Creating a mapping based on the information gathered from the previous steps.

Step 1: Identify Platform Security Controls

Cyber security has emerged as an essential component of technology platforms, and consequently vendors tend to offer a variety of documentation on the security capabilities of their platform. Peruse the platform documentation (e.g. security reference architectures, security benchmarks, security documentation of various services, etc.) to identify the security controls offered by the platform for protecting workloads on the platform. Keep the following in mind while selecting controls:

Step 2: Security Control Review

TFor each identified security control, consult the available documentation to understand its capabilities. Gather the following facts about the security control that will later help in mapping the control to the set of ATT&CK techniques and sub-techniques it is able to mitigate:

Step 3: Identify Mappable ATT&CK Techniques & Sub-techniques

After understanding the capabilities of the security control and gathering the basic facts about its operation, as identified in the previous step, review the ATT&CK matrix and identify the techniques and sub-techniques the control is able to mitigate.

The following may help with this process:

Identify ATT&CK Tactics in Scope

Identify ATT&CK Techniques & Sub-techniques in Scope

Step 4: Score Assessments

After identifying the techniques and sub-techniques that are mappable to the control, use the scoring rubric to score the effectiveness of the security function (protect, detect, respond) provided by the control in mitigating the behavior described by the ATT&CK entity.

Step 5: Create a Mapping

The previous steps enabled you to gather the information required to create a mapping for a control. Use the following guidelines to help you in the process of creating a mapping: