MAPPINGS USE CASES

Mappings Explorer is valuable to a broad range of cyber professionals because it gives a customizable view of how security controls and capabilities map onto the adversary behaviors catalogued in the MITRE ATT&CK® knowledge base. These users hold many roles and responsibilities associated with organizational cyber defense, risk management, threat prevention and detection, and incident response. These roles and responsibilities include:

INCIDENT RESPONDER (IR)

Responsible for the response, management, coordination, and remediation activities for cyber incidents such as malware infections, data theft, ransomware encryption, denial of service, and control systems intrusions.

CHIEF INFORMATION SECURITY OFFICER (CISO)

Responsible for carrying out information security policies, procedures, and controls, and for providing the primary interface between senior managers and information system owners.

INFORMATION SYSTEM SECURITY OFFICER (ISSO)

Responsibilities include ensuring the appropriate operational security posture is maintained for information systems or programs.

SECURITY OPERATIONS CENTER ANALYST (SOC)

Responsibilities include monitoring an organization’s networks and systems to detect threats and investigating potential security incidents.

SECURITY ENGINEER (SE)

Responsibilities include developing and implementing security controls and solutions to protect networks and systems from unauthorized access and attacks.

VULNERABILITY RESEARCHER (VR)

Responsibilities include identifying and studying security vulnerabilities in systems or software to identify weaknesses and improve security.

CYBER THREAT INTEL ANALYST (CTI)

Responsibilities include collecting data and information from various sources across the threat landscape to identify, assess, and recommend countermeasures for cyber threats.

Usage

The Mappings Explorer website enables the following essential abilities:

  1. Understand and visualize security control and capability coverage for techniques of interest (SE, ISSO).
  2. Assess how applying security controls and security capabilities can protect against, detect, and respond to specific adversary behaviors of interest (SE, ISSO).
  3. Expand the vocabulary for describing adversary behaviors in an incident, leveraging ATT&CK’s full range of TTPs when describing adversary activities during a security event (IR, ISSO).
  4. Enhance analysis of adversary behaviors through customized control selection for the protection from, detection of, and response to adversary activities and historical incident information (CISO, ISSO, SOC, SE).
  5. Align policies, controls, and governance with defenses against adversary behaviors, leveraging incident information and adversary behavior to provide a holistic view built from the detailed descriptions in ATT&CK (CISO, SOC).
  6. Streamline integration of threat-informed defense and incident reports into security operations. Use the ATT&CK framework to describe adversary behaviors that are known to be occurring or related to a specific incident, easily leveraging incident information to inform operations (SOC).
  7. Use the ATT&CK framework to describe the impact of unmitigated vulnerabilities when exploited and convey that information to others (VR).
  8. Determine the set of security controls that mitigate the techniques mapped to a given group or software (CISO, SOC).

User Stories

This section describes user stories for the Mappings Explorer website based on the roles identified above. These user stories are expressed as the who, what, and why, with a short exploration of how a user story may be achieved. This is not meant to be a comprehensive list, but rather examples to demonstrate how Mappings Explorer could be used.

Use Mappings Explorer as a joint framework to comprehensively describe security events at a flexible level. At a very low level, the ATT&CK mappings allow incident response professionals to understand the details of adversary activities, thus creating a fingerprint of the event. This fingerprint can provide an analysis of the attacker’s tactics, techniques, and procedures (TTPs), which can assist in real-time decision making and activating responsive functionality in existing tools. Additionally, such an analysis can assist responders in looking for additional TTP artifacts that may typically coexist with currently observed activity.

Use the mapped security controls and capabilities to determine which mitigation strategies are most effective against techniques associated with adversarial activities, and which protective security controls or cyber solutions are needed to improve cyber defense. While individual mappings can assist in preventing the recurrence of attacks that use similar TTPs, the collection of mappings as a whole can be used to guide strategic direction. The mappings repository serves as a guide that an organization’s security program can use to remain effective in the current threat landscape. Gaps in process or governance can then be addressed, and continuous monitoring activities can be implemented or improved commensurate with the gaps and risks in security control coverage.

The ATT&CK Navigator visualization of security capability mapping resources can be customized to give the user a choice of contextual grouping (group, software, or tactic) and then used to identify security controls that provide protection from adversarial techniques associated with specific real-world threats and adversary behaviors. Determine which mitigation strategies are most effective, identify residual risks, and develop and implement compensating controls to improve cyber defense and protect against the most damaging attacks.

With control mappings implemented at the technique level, a mapping from a security control or capability to a technique conveys at least partial protection from, detection of, or response to the given technique. Alongside organizational controls, the mappings provide an understanding of which security controls to consider selecting to protect systems against specific threats; in turn, they support the SE, system developers, and information system owners in selecting and implementing security controls that secure systems and mitigate cyber attacks.

Following the mappings to the associated techniques can provide context for which security controls and capabilities provide mitigation or protection from those techniques. In the context of this website, mapped “coverage” of a set of techniques does not mean complete protection, but rather that the given controls provide some mitigation against the successful execution of the mapped techniques. The mappings support the CISO/ISSM in reviewing the adequacy of, and gaps in, overall threat defense, and in identifying which additional security controls are needed to mitigate cyber attacks.

The mappings provide an overview of existing cyber defensive coverage, categorized against adversarial behaviors. Gaps in security capability coverage and entry points can then be measured and assessed to determine what additional coverage is needed to mitigate threats. This in turn informs the design, build, and implementation of appropriate cyber defenses for the organization’s systems and networks.

Gaps in cyber defense coverage and entry points can be visualized through the ATT&CK Navigator. View the set(s) of security capabilities mapped to techniques and then use “contextual grouping” to filter for the Groups or Software of interest. Analysts and defenders can better identify and understand protections available for common software usage or behaviors across multiple groups to map defenses more effectively. In addition, understanding how multiple groups use the same technique behavior allows analysts to focus on developing impactful defenses that span many types of threats and address adversaries’ evolving capabilities.
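The gap assessment and Navigator visualization described in the two preceding paragraphs can be carried out programmatically once the mappings are available as data. The following is an added example, not code from Mappings Explorer or the Center for Threat-Informed Defense: it indexes a constructed set of control-to-technique mapping records, lists the techniques of a hypothetical contextual grouping that have no mapped control (or no mapped detection), ranks the controls that touch the most techniques of interest, and emits an ATT&CK Navigator layer that scores each technique by its control count. The record field names (`capability_id`, `attack_object_id`, `mapping_type`), the control-to-technique pairings, the group's technique set, and the layer structure are all assumptions made for the example; only the ATT&CK technique IDs and NIST SP 800-53 control IDs are real identifiers.

```python
"""Coverage-gap analysis over control-to-technique mappings (added example).

The mapping records below are constructed for illustration. Their field names
follow the general shape of a mapping export but are an assumption, as is the
Navigator layer structure produced by to_navigator_layer().
"""
import json
from collections import defaultdict

# Constructed mapping records: which control touches which ATT&CK technique,
# and in what way. Control IDs are NIST SP 800-53 style and technique IDs are
# real ATT&CK enterprise IDs, but the pairings are illustrative only.
MAPPINGS = [
    {"capability_id": "AC-2", "attack_object_id": "T1078", "mapping_type": "mitigates"},
    {"capability_id": "IA-2", "attack_object_id": "T1078", "mapping_type": "mitigates"},
    {"capability_id": "SI-4", "attack_object_id": "T1078", "mapping_type": "detects"},
    {"capability_id": "AT-2", "attack_object_id": "T1566", "mapping_type": "mitigates"},
    {"capability_id": "SI-3", "attack_object_id": "T1566", "mapping_type": "mitigates"},
    {"capability_id": "CM-7", "attack_object_id": "T1059", "mapping_type": "mitigates"},
    {"capability_id": "SI-4", "attack_object_id": "T1059", "mapping_type": "detects"},
    {"capability_id": "AC-17", "attack_object_id": "T1021", "mapping_type": "mitigates"},
]

# Constructed "contextual grouping": the techniques a hypothetical group is
# assumed to use. In practice this set would come from ATT&CK group/software data.
GROUP_TECHNIQUES = {"T1078", "T1566", "T1059", "T1021", "T1486", "T1003"}


def index_by_technique(mappings):
    """Return technique -> {control -> set of mapping types}."""
    idx = defaultdict(lambda: defaultdict(set))
    for m in mappings:
        idx[m["attack_object_id"]][m["capability_id"]].add(m["mapping_type"])
    return idx


def coverage_gaps(mappings, techniques):
    """Techniques of interest with no mapped control at all (sorted)."""
    idx = index_by_technique(mappings)
    return sorted(t for t in techniques if t not in idx)


def gaps_by_type(mappings, techniques, mapping_type):
    """Techniques of interest lacking any control of the given mapping type,
    e.g. techniques that are mitigated but not detected."""
    idx = index_by_technique(mappings)
    return sorted(
        t for t in techniques
        if not any(mapping_type in types for types in idx.get(t, {}).values())
    )


def rank_controls(mappings, techniques):
    """Controls ordered by how many techniques of interest they touch (ties
    broken alphabetically), so the most broadly useful controls come first."""
    hits = defaultdict(set)
    for m in mappings:
        if m["attack_object_id"] in techniques:
            hits[m["capability_id"]].add(m["attack_object_id"])
    return sorted(((c, len(ts)) for c, ts in hits.items()), key=lambda x: (-x[1], x[0]))


def to_navigator_layer(mappings, techniques, name="coverage"):
    """Build an ATT&CK Navigator layer dict that scores each technique of
    interest by its number of distinct mapped controls (0 marks a gap).
    The exact layer fields Navigator expects are an assumption here."""
    idx = index_by_technique(mappings)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {
                "techniqueID": t,
                "score": len(idx.get(t, {})),
                "comment": ", ".join(sorted(idx.get(t, {}))) or "no mapped control",
            }
            for t in sorted(techniques)
        ],
    }


if __name__ == "__main__":
    print("no control at all:", coverage_gaps(MAPPINGS, GROUP_TECHNIQUES))
    print("no detection:", gaps_by_type(MAPPINGS, GROUP_TECHNIQUES, "detects"))
    print("controls by reach:", rank_controls(MAPPINGS, GROUP_TECHNIQUES))
    print(json.dumps(to_navigator_layer(MAPPINGS, GROUP_TECHNIQUES), indent=2))
```

Scoring by control count keeps the "coverage is partial, not complete" caveat from the page visible: a score of 1 means one control offers some mitigation, not that the technique is closed off, and a score of 0 is the gap to prioritize. Splitting gaps by mapping type is what surfaces the common case where a technique is mitigated on paper but nothing is positioned to detect it.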

Mappings define a relationship between a security control or capability and a technique, and describe how the control offers protection from, detection of, or response to a given adversary behavior. Use the customizable searches to identify security controls and capabilities mapped to threats of interest, and to learn which adversary behaviors can be mitigated by implementing those controls. Apply that information and work with the ISSO to understand residual risk in security control coverage, so that cyber defense is better aligned against adversary behaviors through the selection and tailoring of suitable controls for a given information system.

Compare the collection of security control and capability mappings with an organization’s vulnerability reports tied to adversary behaviors to identify unmitigated TTP artifacts and establish an understanding of the current threat landscape. Analyze and convey detailed threat and vulnerability information to develop playbooks for adversary emulation and defensive cyber operations teams. Use the common taxonomy of the ATT&CK framework and mapped security information as a tool to describe the effects of unmitigated vulnerabilities in terms of risks to the organization to inform risk mitigation decisions.

Customizing control mappings to align with organizational security posture exposes gaps in protection, detection, or response to adversary behaviors, and yields an overall understanding of that posture. Use the ATT&CK framework to understand which indicators and behaviors correspond to threat actors and groups, in order to visualize and track changes in the threat landscape. Understand which adversary behaviors (ATT&CK techniques) are mitigated by reviewing the mapped security capabilities, and share those findings and recommendations with security teams, toward implementing a customized set of security controls to counteract specific threats and address gaps in defensive coverage.