Industry insights

How to map MITRE ATT&CK against security controls 

Danny Bradbury
September 27, 2021 by
Danny Bradbury

Created in 2013, the MITRE ATT&CK® framework gave us a clear picture of online attack techniques and tactics. Perhaps for the first time, it shone a light on the behaviors of shadowy attack groups and described them using a framework that is easy to navigate and understand. Now, we have a playbook that shows us how attackers work, from high-level tactics to specific procedures.

That's great, but how can we map that attack information to our defenses?

Security teams deal with vast, complex infrastructures that need sophisticated security controls. The ATT&CK playbook of common techniques, tactics and procedures (TTPs) can help them protect those systems with the most appropriate security controls. When an attack occurs, the TTPs in the ATT&CK matrices can help them to better understand the incident and use that knowledge to improve their security.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

MITRE ATT&CK mapping against security controls

To make these comparisons, security professionals must map the ATT&CK matrices to specific defense frameworks, infrastructure security controls or real-world attack incidents.

As Jon Baker says, that's a daunting prospect. The director of R&D at MITRE's Center for Threat-Informed Defense (CTID) Challenges points out that security control frameworks are complex and adversaries evolve quickly. That makes mappings "often error prone and difficult to maintain," he warns.

The CTID is the research and development arm of MITRE's Engenuity foundation for public good. It has been promoting the adoption of ATT&CK by working with government and private sector organizations to map it against other assets.

Some of the CTID’s work shows just how complex mapping can be. In December, it released mappings between ATT&CK and the National Institute of Standards and Technology (NIST) Special Publication 800-53, a set of general security and privacy controls. There are over 6,300 mappings between ATT&CK's TTPs and the NIST framework.

The NIST document is technology-neutral, but specific products and product categories have their own security controls. Containers — the small-footprint kernel-sharing virtualized environments typically managed by Kubernetes — are a case in point, bringing their own security challenges. The CTID worked with Microsoft and others to launch the MITRE ATT&CK for Containers matrix in April.

Similarly, cloud computing platforms have specific security controls that require their own attack mappings. The CTID worked with partners to create a set of attack mappings relating to security controls in Microsoft's Azure cloud platform in June.

MITRE ATT&CK mapping against security incident reports

Security professionals can also improve their security controls by learning from attackers' actions after real-world security incidents. Mapping ATT&CK against security incident reports is a useful way to extract valuable intelligence that you can use to improve your security.

In June, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a set of best practices for mapping the ATT&CK framework against incident reports. Its advice is helpful whether mapping ATT&CK against incident reports or security control frameworks. It highlights the need for peer review. Mapping is such a complex and subjective process that it pays to have a second set of eyes to verify your findings and catch any relationships you might have missed.

Documenting MITRE ATT&CK mapping with ATT&CK Navigator

Beginning your mapping journey involves using the right tools. One indispensable piece of software is ATT&CK Navigator. This open-source MITRE utility enables you to document correlations between ATT&CK TTPs and other data, including security controls.

The Azure ATT&CK mappings include security control mappings specified in the popular YAML format. An accompanying tool uses the appropriate YAML files for an organization's cloud deployment to create tailored ATT&CK Navigator files.

DIY MITRE ATT&CK mapping

While mapping MITRE ATT&CK to security controls might be a complex undertaking, MITRE offers tooling to help organizations do it themselves. It has published its methodology, which walks organizations through four steps:

  1. Reviewing ATT&CK mitigations
  2. Reviewing ATT&CK techniques the mitigation prevents
  3. Identifying candidate security controls to see how well they match to the mitigation
  4. Creating a mapping between the control and the ATT&CK technique

The Python-based software tools supporting the methodology use the Structured Threat Information Expression (STIX) language to represent both the controls and the mappings. This is an industry-standard format for sharing threat intelligence information. Security professionals can use it to build ATT&CK Navigator layers and exchange their mapping information directly.

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

The industry has accomplished a lot in mapping the ATT&CK framework against security controls, but there is much work yet to do. The mappings so far seem to concentrate on the ATT&CK Enterprise matrix. There's plenty of opportunity to fill out not only this area, but also the Mobile and ICS matrices.

The tooling and methodology to create custom mappings are available for free. Hopefully, organizations will continue to collaborate on a corpus of off-the-shelf mappings that will make MITRE ATT&CK even more useful for defenders and help to encourage widespread adoption.

Sources

Danny Bradbury
Danny Bradbury

Danny Bradbury is a print journalist, editor, documentary filmmaker and podcast presenter. He has edited several magazines on a freelance basis covering software development and IT security. His freelance clients include the National Post (Canada), TechRepublic, the Australian Fairfax media syndicate (including the Sydney Morning Herald), The Independent Newspaper, The Guardian (London), SC Magazine, Computer Weekly, Investment Executive, the Financial Times, specialist cryptocurrency web site Coindesk.com, IT Pro, The Economist Intelligence Unit and Microscope.

For the past few years, he has been a winner at BT's Infosecurity Journalism awards. His documentary film Epicentre, about the cultural history of the nuclear arms race, was entirely self-funded, researched, filmed and produced. It has been successful on the festival circuit.