Aligning Microsoft 365 Security to ATT&CK

Mike Cunningham, MITRE-Engenuity
Published Apr 17, 2024

Written by Tiffany Bergeron and Adrian Garcia Gonzalez

Organizations across the globe rely on cloud computing services to securely provide access to sensitive data, yet the risk and the security capabilities to mitigate that risk aren’t well understood. The Center for Threat-Informed Defense (Center) has mapped cloud security capabilities to MITRE ATT&CK® to empower the global security community with independent threat-informed data. We are pleased to announce Microsoft 365 (M365) has now joined this collection.

Partnering with the Center Members including AttackIQ, Inc., Center for Internet Security, Citigroup, JPMorgan Chase Bank N.A., and Verizon Business, we identified four core M365 product areas and mapped 34 native security capabilities to ATT&CK, resulting in 518 mappings of native M365 capabilities to adversary behaviors. M365 users now have a collection of independent assessments and a comprehensive view of how M365 security capabilities can be used to mitigate real-world threats. This information is critical in evaluating the effectiveness of security capabilities, and understanding how security capabilities affect adversary behaviors is foundational to threat-informed defense.

M365 project resources — including the mappings, ATT&CK Navigator layers, and the mapping methodology — are all available in Mappings Explorer. Mappings Explorer allows cyber defenders to easily access and explore the Center’s mapped security capabilities, bridging the gap between the threat-informed approach to cybersecurity and the traditional perspective of security controls.

Project Scope

Setting the project scope involved determining which M365 product areas were within the boundary of M365’s SaaS environment and which product capabilities would be mapped and why. The product areas and security capabilities included in scope were derived from our review of Microsoft 365 Documentation. This review and analysis resulted in scoping this project to cover the following product areas:

  • Microsoft 365 Defender (XDR, Office 365, Cloud, Identity): An enterprise defense suite that natively coordinates detection, prevention, investigation, and response across identities, email, and applications.
  • Microsoft Entra ID (formerly Azure AD): An identity and access management service that enables organizations to manage user access to SaaS resources.
  • Exchange Online Protection (EOP): Security capabilities that further protect organizations against spam, malware, phishing, and other threats.
  • Microsoft Purview (formerly Azure Purview): A data governance tool that helps manage risk and regulatory compliance.

For each M365 product area, the product’s capabilities were considered in scope if they are:

  • technical in nature (versus administrative or physical);
  • included as part of the product’s native security offering;
  • providing protection from, detection of, or response to adversary behaviors described in ATT&CK v14.1; and
  • technically documented, e.g. a list of capabilities for each product and security information for each capability.

Methodology

We applied the methodology and scoring approach developed through our previous work mapping the security capabilities of Azure, Amazon Web Services, and Google Cloud Platform, providing consistency across platforms. The methodology utilizes the information in the ATT&CK knowledge base and its underlying data model to understand, assess, and record the real-world threats that security controls can potentially mitigate.

The methodology consists of the following main steps:

1. Identify M365 security capabilities in scope. Identify the M365 product areas to be mapped and the native security capabilities of each to be mapped.

2. Review M365 security capability documentation. For each in-scope capability, review its documentation to determine what protection, detection, or response it provides against adversary behaviors.

3. Identify mappable ATT&CK v14.1 Techniques & Sub-techniques. Identify the ATT&CK techniques and sub-techniques that the capability can be mapped to.

4. Score the effectiveness of the capability for the adversary behavior. Assess how effectively the capability addresses each identified ATT&CK technique or sub-technique, and record which type of capability it provides:

  • Protect: the capability limits or contains the impact of a (sub-)technique
  • Detect: the capability identifies the potential occurrence of a (sub-)technique
  • Respond: the capability provides actions to take for a detected (sub-)technique

5. Create a mapping of M365 capability to ATT&CK (sub-)technique. Create the mapping from the information gathered in the previous steps.

By openly documenting our scoping decisions and methodology, we aim to accelerate community collaboration. Due to the subjective nature of mapping security controls to ATT&CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific controls to specific techniques. We welcome your feedback and perspectives.

Mapping Outcomes

The four M365 product areas and 34 associated security capabilities in-scope are shown in the image below. These mappings empower the security community with threat-informed data that can be used to understand how M365 security can be used to protect from, detect, or respond to specific adversary (sub-)techniques.

M365 Security Capabilities by Product Area

The mapping for Microsoft Defender’s Secure Score is a notable example. This detection capability assesses the overall security posture in the M365 tenant or instance and provides a score based on the system settings and other security related measurements. This real-time assessment score represents the extent to which security configurations are enabled in the environment. Due to its ability to assess over 60 aspects of the M365 tenant, this control was determined to provide detection for 48 different ATT&CK (sub-)techniques. This is the type of specific information that the cyber community can use to align their defensive measures with real cyber threats and evolve their cybersecurity programs.

M365 Defender’s Secure Score capability mapped to 48 ATT&CK (sub-)techniques

Mappings Explorer Integration

The M365 mapping resources are hosted in Mappings Explorer. The M365 data is now part of this centralized collection of all the Center mappings, providing threat and mitigation data in easily accessible, searchable, and customizable ways. Cyber defenders can use these resources to improve defenses and evolve their security programs by visualizing and assessing security capability coverage of real-world adversary behavior.

M365 Mappings Project Main Page on Mappings Explorer

Downloadable M365 project artifacts include the mappings in JSON, YAML, CSV, and Excel formats. STIX bundles and ATT&CK Navigator layers are also provided for the complete M365 mapping collection. Separate M365 E3 and E5 Navigator layers are available for visualizing the mappings associated with the security features of each of these enterprise plans. In addition, the Center for Internet Security (CIS) Microsoft 365 Benchmark is accessible from the project page, providing prescriptive guidance for establishing a secure configuration posture for M365 cloud offerings.
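The methodology steps above produce records that pair a capability with a (sub-)technique and a protect/detect/respond score, and the project publishes those records as JSON and YAML alongside Navigator layers. The following added example (my code, not the Center's tooling or its published schema) shows how a defender can consume such records: validate them, find the best coverage per (sub-)technique and per capability type, list the types no capability provides, and emit an ATT&CK Navigator layer. The field names, the three-level score scale (minimal/partial/significant), the capability identifiers, and the sample records are all assumptions constructed for this example; they are not the project's 34 capabilities or 518 mappings.

```python
"""Aggregate capability-to-ATT&CK mappings and emit an ATT&CK Navigator layer.

Added example: the record fields and score scale are a simplified stand-in for
the Center's published export, not its exact schema.
"""
import json
import re
from collections import defaultdict

# Capability types from the methodology, and an assumed three-level score scale.
CATEGORIES = ("protect", "detect", "respond")
SCORE_WEIGHT = {"minimal": 1, "partial": 2, "significant": 3}
FIELDS = ("capability_id", "score_category", "score_value", "attack_object_id")

# Constructed sample records. Capability names and technique assignments are
# illustrative only; the last row carries a category the methodology does not define.
_RAW = [
    ("conditional_access",  "protect", "significant", "T1078.004"),
    ("conditional_access",  "protect", "partial",     "T1110"),
    ("identity_protection", "detect",  "partial",     "T1078.004"),
    ("identity_protection", "detect",  "significant", "T1110"),
    ("eop_anti_phishing",   "protect", "significant", "T1566.002"),
    ("eop_anti_phishing",   "detect",  "partial",     "T1566.002"),
    ("automated_response",  "respond", "minimal",     "T1566.002"),
    ("secure_score",        "detect",  "minimal",     "T1078.004"),
    ("secure_score",        "detect",  "minimal",     "T1110"),
    ("cloud_app_security",  "prevent", "partial",     "T1530"),   # invalid category
]
SAMPLE_MAPPINGS = [dict(zip(FIELDS, row)) for row in _RAW]


def validate_mapping(record):
    """Return a list of problems with one record (an empty list means valid)."""
    problems = [f"missing {k}" for k in FIELDS if not record.get(k)]
    if record.get("score_category") not in CATEGORIES:
        problems.append(f"unknown score_category {record.get('score_category')!r}")
    if record.get("score_value") not in SCORE_WEIGHT:
        problems.append(f"unknown score_value {record.get('score_value')!r}")
    tid = record.get("attack_object_id") or ""
    if not re.fullmatch(r"T\d{4}(\.\d{3})?", tid):   # technique or sub-technique ID
        problems.append(f"malformed technique id {tid!r}")
    return problems


def split_valid(mappings):
    """Separate records that pass validation from those that do not."""
    valid, rejected = [], []
    for rec in mappings:
        problems = validate_mapping(rec)
        if problems:
            rejected.append((rec.get("attack_object_id"), problems))
        else:
            valid.append(rec)
    return valid, rejected


def coverage_by_technique(mappings):
    """Best score weight per (sub-)technique and category: {tid: {cat: weight}}."""
    cov = defaultdict(dict)
    for rec in mappings:
        tid, cat = rec["attack_object_id"], rec["score_category"]
        cov[tid][cat] = max(cov[tid].get(cat, 0), SCORE_WEIGHT[rec["score_value"]])
    return dict(cov)


def techniques_by_capability(mappings):
    """Sorted (sub-)technique IDs that each capability maps to."""
    out = defaultdict(set)
    for rec in mappings:
        out[rec["capability_id"]].add(rec["attack_object_id"])
    return {cap: sorted(tids) for cap, tids in out.items()}


def missing_categories(mappings):
    """For every mapped (sub-)technique, the capability types no capability provides."""
    cov = coverage_by_technique(mappings)
    return {tid: [c for c in CATEGORIES if c not in cov[tid]] for tid in sorted(cov)}


def build_navigator_layer(mappings, name, attack_version="14.1"):
    """Build an ATT&CK Navigator layer (layer format 4.5) scoring each technique 0..9.

    Score = best protect weight + best detect weight + best respond weight, so a
    (sub-)technique with strong coverage of all three types scores highest.
    """
    cov = coverage_by_technique(mappings)
    notes = defaultdict(list)
    for rec in mappings:
        notes[rec["attack_object_id"]].append(
            f"{rec['capability_id']} ({rec['score_category']}/{rec['score_value']})")
    techniques = [{
        "techniqueID": tid,
        "score": sum(cov[tid].values()),
        "comment": "; ".join(sorted(notes[tid])),
        "enabled": True,
        "showSubtechniques": False,
    } for tid in sorted(cov)]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "best protect + detect + respond weight per (sub-)technique",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#1f77b4"], "minValue": 0, "maxValue": 9},
        "legendItems": [{"label": f"{k} = {v}", "color": "#cccccc"}
                        for k, v in SCORE_WEIGHT.items()],
    }


if __name__ == "__main__":
    valid, rejected = split_valid(SAMPLE_MAPPINGS)
    for tid, problems in rejected:
        print(f"rejected {tid}: {', '.join(problems)}")
    print(json.dumps(build_navigator_layer(valid, "M365 sample coverage"), indent=2))
```

Running the script prints the rejected record and a layer JSON that can be pasted into the Navigator's "Open Existing Layer" dialog. The composite score is one reasonable choice, not the Center's; a team that cares only about detection, for example, would score on the detect weight alone and use `missing_categories` to find (sub-)techniques with no detect mapping at all.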

Get Involved

We welcome your feedback and contributions to continue to advance the M365 Mapping project. There are several ways that you can get involved with this and other mapping projects to help advance threat-informed defense:

  • Review the mappings, use them, and tell us what you think. We welcome your review and feedback on the M365 mappings, our methodology, and resources.
  • Analyze and map your security capabilities. We encourage use of our methodology to map security capabilities of additional products and we welcome mapping contributions.
  • Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
  • Share your ideas. Share your ideas or suggestions for additional tools and resources for helping the community to understand and make threat-informed decisions.

You are also welcome to submit issues for any technical questions/concerns or contact the Center directly for more general inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0108.

Mike Cunningham is an R&D Program Manager in the Center for Threat-Informed Defense at MITRE Engenuity.