Enriching Threat Intelligence with Mappings
Written by Maggie MacAlpine.
Collecting and analyzing cyber threat intelligence (CTI) is a key activity within a cybersecurity program. However, the value of CTI is severely diminished if there’s no way to act on it. At the Center for Threat-Informed Defense (Center), we aim to continually advance the community-wide understanding of adversary behaviors and make it much easier for security teams to operationalize that information. CTI often lacks a straightforward way to translate threat information into clear, actionable guidance to inform and advise stakeholders across an organization.
Since its founding, the Center has undertaken a series of mappings projects like NIST 800–53 Control Mappings, Security Stack Mappings — Google Cloud Platform, and Security Stack Mappings — Amazon Web Services to help make CTI actionable. Mappings projects like these were designed with the goal to make it easier for defenders to link adversary behavior to known mitigations and security controls. We hope to enable the community to identify and focus on threats of interest to their organization, with the mappings projects easing the way towards detecting and mitigating those threats.
But how do these mappings projects work? And how can defenders apply these resources to enrich their threat intelligence with actionable guidance?
What Are Mappings?
Our mappings projects systematically link the adversary behaviors described in MITRE ATT&CK® to publicly documented security capabilities and controls. They assist defenders in employing a threat-informed defense by empowering them with independent data on which native security controls are most useful in defending against the adversary TTPs that they care about. The mappings also establish a foundation for systematically associating security controls and frameworks to ATT&CK. Mappings will allow organizations to make threat-informed decisions when selecting which native security capabilities to use.
It’s important to note that these mappings are not a standardization method and are not meant to generate a new standard. Rather, in the broadest sense, they are meant to expedite and facilitate a defender’s efforts to connect a threat to a known mitigation.
How To Apply Mappings
CISA’s AvosLocker ransomware report (discussed below) provides a list of known ATT&CK tactics and techniques used by the adversary, as well as mitigation recommendations. Where Center mappings projects come in handy is in enriching the actionability of those recommendations and expanding defenders’ ability to understand which security controls and capabilities could be applicable or available to them for the TTPs included in the advisory. One can easily take the techniques listed in the advisory and compare them to our mapping repositories.
NIST 800–53
Take NIST 800–53, for example. The NIST 800–53 Controls to ATT&CK Mapping provides an opportunity to connect to risk management, security architects, and other network defenders. In the AvosLocker Ransomware report, the Initial Access Technique is listed as External Remote Services (T1133). When you visit the 800–53 ATT&CK Navigator overview (for NIST 800–53 Rev. 5), you will find mitigations listed for that particular technique for the 800–53 standards, in this case, AC-17, AC-20, AC-23, AC-3, AC-4, AC-6, AC-7, CM-2, CM-6, CM-7, CM-8, IA-2, IA-5, RA-5, SC-46, SC-7, SI-4, SI-7. The mitigation employed depends on the needs of the organization and may require more than one. Which ones they apply would depend on their risk posture and an assessment of the threats/risks to the organization, as well as the systems they are protecting.
Google Cloud Platform (GCP) Security Stack Mappings
Google Cloud Platform users can leverage the Google Cloud Platform (GCP) Security Stack Mappings to enrich CTI. Here too we can address T1133: the mapping recommends the Advanced Protection Program as a mitigation in GCP environments. This mapping shows that the MFA aspects of this particular security capability can be enabled to provide some mitigation against an adversary successfully employing technique T1133. Note that an adversary would need to have access to a Valid Account in order for this capability to provide mitigation for this particular technique.
Amazon Web Services (AWS) Security Stack Mappings
These mappings of the Amazon Web Services (AWS) security controls to ATT&CK empower organizations with independent data on which native AWS security controls are most useful in defending against the adversary TTPs that they care about in AWS environments. In the case of T1133, we find controls to mitigate it through multiple AWS features, in one instance through the AWS Network Firewall, which provides partial protection.
However, we can also find protections against T1133 under the AWS Single Sign-On Service (SSO), applicable only to SSO environments, which provides more robust mitigations.
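The enrichment workflow described above (take the techniques from an advisory, look each one up in the mapping data, and hand the resulting controls to the people who own them) as an added example that is not part of the original post or the Center’s own tooling. The mapping records below are constructed for illustration in a simplified format, not the repositories’ own schema; the T1133 controls are the ones quoted in this post, and T9999 is a placeholder ID used only to show how an unmapped technique is reported.

```python
"""Enrich an advisory's technique list with mapped security controls."""
from collections import defaultdict

# Constructed sample mapping records (simplified format, not the Center
# repositories' own schema). T1133 controls are those quoted in the post.
MAPPINGS = [
    {"technique": "T1133", "framework": "NIST 800-53 Rev. 5", "control": c}
    for c in ["AC-17", "AC-20", "AC-23", "AC-3", "AC-4", "AC-6", "AC-7",
              "CM-2", "CM-6", "CM-7", "CM-8", "IA-2", "IA-5", "RA-5",
              "SC-46", "SC-7", "SI-4", "SI-7"]
] + [
    {"technique": "T1133", "framework": "GCP", "control": "Advanced Protection Program"},
    {"technique": "T1133", "framework": "AWS", "control": "AWS Network Firewall"},
    {"technique": "T1133", "framework": "AWS", "control": "AWS Single Sign-On Service"},
]


def index_by_technique(mappings):
    """Build technique -> framework -> sorted list of mapped controls."""
    idx = defaultdict(lambda: defaultdict(set))
    for m in mappings:
        idx[m["technique"]][m["framework"]].add(m["control"])
    return {t: {f: sorted(c) for f, c in fw.items()} for t, fw in idx.items()}


def enrich_advisory(technique_ids, mappings, framework=None):
    """Return (enriched, unmapped) for an advisory's technique list.

    enriched: technique -> framework -> controls (optionally one framework).
    unmapped: techniques with no mapping, so the analyst knows where the
    mapping data gives no guidance and manual review is still needed.
    """
    idx = index_by_technique(mappings)
    enriched, unmapped = {}, []
    for tid in technique_ids:
        fws = idx.get(tid)
        if not fws or (framework and framework not in fws):
            unmapped.append(tid)
            continue
        enriched[tid] = {framework: fws[framework]} if framework else fws
    return enriched, unmapped


def control_families(controls):
    """Group NIST 800-53 control IDs by family prefix (AC, CM, IA, ...) so
    each family can be routed to the team that owns it."""
    fam = defaultdict(list)
    for c in controls:
        fam[c.split("-")[0]].append(c)
    return dict(fam)


if __name__ == "__main__":
    # Advisory technique list: T1133 from the post, T9999 as a placeholder.
    enriched, unmapped = enrich_advisory(["T1133", "T9999"], MAPPINGS)
    print(control_families(enriched["T1133"]["NIST 800-53 Rev. 5"]))
    print("no mapping for:", unmapped)
```

Passing `framework="AWS"` narrows the output to a single platform’s controls, which is how a cloud team would consume the same advisory.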
How Not To Use Mappings
The Center’s mappings provide a linkage between an ATT&CK technique and a set of known security controls, using an open, well-documented methodology. The mappings are not intended to aid in comparing the capabilities of various cloud platforms to each other, or the effectiveness of any given security framework compared to another framework. The mappings simply allow for an easy association between a specific adversary behavior and a documented control. Understanding control effectiveness and continually validating controls in your environment is critical.
Future Work
Driven by community-wide demand, we are actively expanding the collection of mappings and working to make them significantly easier to apply.
- Mappings Explorer: Mappings Explorer will provide a single web interface for easy access to all security controls — allowing defenders to explore mappings from the perspective of the techniques they mitigate.
- M365 Security Stack Mappings: M365 Security Stack Mappings will map M365 security controls to techniques in ATT&CK. It will help users of M365 better understand which security capabilities are available to them and how those security capabilities defend against the adversary behaviors described in ATT&CK.
Follow the Center for Threat-Informed Defense on LinkedIn to stay up to date with all project releases.
Call to Action
Mappings projects are developed with the community in mind, meant to save defenders time by allowing analysts to focus on their analysis, and to facilitate the sharing of clear, actionable intelligence with decision-makers. However, the list of potential mappings projects is long and those that already exist require regular maintenance to keep them up to date.
The library of Center mappings projects is available on GitHub along with use case and methodology documentation, and Python scripts for manipulating and generating different representations of the mappings. We encourage you to review the mappings, use them, and tell us what you think.
Your usage and feedback will help drive our next mappings projects.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0096