Google Cloud Platform Capabilities Mapped to MITRE ATT&CK®

Ingrid Skoog
MITRE-Engenuity
7 min read · Jun 27, 2022

Written by Jon Baker, James Ross, and Tiffany Bergeron.

A cloud with an overlay of interconnected dots meant as an abstract representation of the GCP mapping project

At the Center for Threat-Informed Defense, we have taken another important step towards helping cyber defenders understand how cloud security capabilities can be used to prevent, detect, and respond to prevalent cloud threats by mapping the native security capabilities of the Google Cloud Platform (GCP) to MITRE ATT&CK®. With the addition of GCP, we have now provided a comprehensive set of cloud security capability mappings to ATT&CK for three leading cloud providers, furthering our mission to advance threat-informed defense for the entire community.

Partnering with Center Participants including AttackIQ, Inc., Citigroup Technology, Inc., Google, LLC, HCA-Information Technology & Services, Inc., JPMorgan Chase Bank N.A., and US National Bank Association, we identified and mapped 49 GCP native security controls to ATT&CK. This new set of mappings uses the same methodology, scoring rubric, data model, and tool set that we created and applied to Microsoft Azure and Amazon Web Services in 2021. These mappings give GCP users a comprehensive view of how native GCP security controls can be used to prevent, detect, and respond to prevalent cloud threats. As a result, GCP users can now evaluate the effectiveness of native security controls against specific ATT&CK techniques.

GCP Security Stack Mappings

This release provides mappings of GCP’s native security controls to ATT&CK techniques. Figures 1 & 2 depict the ATT&CK coverage of all the GCP security controls mapped along with the scoring legend that denotes the category and effectiveness of the coverage provided.

An attack navigator view of the mapping work with techniques colored based on their coverage.
Figure 1: GCP Security Stack Mappings Coverage Overview
The legend for the previous navigator image explaining the categories of colors and how they represent protect, detect, respond, and mixed technique coverage.
Figure 2: GCP Mappings Coverage Scoring Legend

The following scoping decisions influenced the GCP mappings:

  • ATT&CK Scope: This work is focused on ATT&CK (sub-) techniques included in the Enterprise domain v10; Mobile techniques are not covered.
  • Native Security Controls: This work focused on mapping the security controls produced by Google or offered as Google products. The selected controls are considered native to the platform, i.e., produced by the vendor themselves or third-party controls branded or acquired by the vendor. Third-party security controls offered in cloud marketplaces are considered out of scope and were excluded from analysis.
  • Google Cloud Security: Most of the controls included in scope were derived from Google Cloud Security Solutions and our review of GCP security documentation.

We created ATT&CK Navigator layers for each mapped control, enabling the display of the mappings in the context of the ATT&CK Matrix, as shown above. In addition, a Markdown view is provided that enumerates all controls mapped along with the list of ATT&CK techniques mitigated by each control.

By openly documenting our scoping decisions and providing this foundational set of mappings of GCP security controls to ATT&CK, we aim to accelerate community collaboration. Due to the subjective nature of mapping security controls to ATT&CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific controls to specific techniques. We welcome your feedback and perspectives.

Our Methodology

We used the scoring methodology and artifacts created through our previous work on the Azure and AWS Security Control Mappings, establishing consistency across platforms and forcing us to critically examine the methodology we used before. We are encouraged that the methodology continues to hold up to scrutiny.

The mapping methodology consists of five main steps, each of which incrementally builds understanding and lets an analyst relate the security control under analysis to the ATT&CK (sub-)techniques it mitigates. The five steps are:

1. Identify Platform Security Controls: Research publicly available platform security documentation to identify the set of security controls within scope of analysis.

2. Review Security Controls: For each control, collect and analyze its documentation, identifying key information on its functionality that will enable the selection of the set of ATT&CK (sub-)techniques that it mitigates. Our methodology does not include operational validation of security controls; this trade-off allows broad coverage of a platform, but it means that scores reflect documented functionality rather than tested behavior, and users should verify a control's configuration and effect in their own environment.

3. Identify Mappable ATT&CK (sub-)techniques: Use the information gathered in the previous step to map the control to the set of ATT&CK (sub-)techniques it mitigates.

4. Produce Score Assessments: For each mapped ATT&CK (sub-)technique, utilize the scoring rubric to assess the category and effectiveness of the mitigation provided by the control.

5. Create Mapping Files: Record the data gathered in the previous steps in the mapping file as specified in the mapping format.

A graphic representing the methodology used for the GCP mappings
Figure 3: Mapping Methodology

Our Data Model & Rubric

We maintain a simple YAML data format to record the mapping information for each control.

A diagram of the YAML data format showing how the scoring, mappings, and techniques are related.
Figure 4: YAML Data Format

The following are salient characteristics of the mapping format:

  • Mapping file per control: Each mapping file records ATT&CK coverage information for a single security control, resulting in a mapping file per platform security control.
  • Self-contained: The format supports the production of mapping files that provide sufficient information (via their description and references fields) to enable their reader to understand, at a high-level, the functionality provided by the control being mapped along with references for additional information.
  • Scoring assessment: The format provides support for recording a score of the effectiveness of a security control’s mitigation of an ATT&CK (sub-)technique as well as an optional comment to support the scoring assessment.

In addition to the data format, we employ a scoring rubric that enables the recording of the category of ATT&CK coverage provided by a control (protect, detect, or respond) along with an assessment of its effectiveness (minimal, partial, or significant). Guidance on the scoring factors considered when assigning a score and additional related documentation is available in the project repository.

Mapping Command-Line Interface (CLI) Tool

We use a CLI tool to facilitate the mapping process itself and maintenance of the GCP platform mappings over time. This tool also enables continued expansion of the mapping of security stacks to other platforms based on the Center’s priorities and community collaboration. This Python-based tool provides the following functionality:

  • Syntax Validation: Supports the validation of mapping file syntax, ensuring their conformity to the data format specification and accurate references of the (sub-)techniques from the ATT&CK Enterprise matrix.
  • Visualization: Supports the production of the ATT&CK Navigator layers and Markdown Summary visualizations from mapping files.
  • Querying: Supports the querying of mapping data by various fields such as ATT&CK tactic or (sub-)technique, score category (protect, detect, respond), and score value (Minimal, Partial, Significant). An example is shown in the figure below:
Command Line Interface example output from the GCP mapping tool used by the project.
Figure 5: GCP mapping CLI tool output
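To make the data model, rubric, and CLI functions concrete, here is an added example (written for this page, not the project's own tool or a file from its repository) that performs the three CLI operations described above against one mapping: syntax validation, querying by category, value, or technique, and generation of an ATT&CK Navigator layer colored by coverage category. The mapping is a constructed dict in the shape that yaml.safe_load() returns for a per-control mapping file; its field names follow the project's format as I understand it, and the control, scores, technique subset, and legend colors are assumptions for illustration only.

```python
"""Added example: validate, query and visualise one security-stack mapping.

Mirrors the three CLI functions the post describes (syntax validation,
querying, Navigator layer output) against a constructed mapping. Field
names follow the project's YAML format as understood by the editor; the
control, its scores, the technique subset and the colours are invented.
"""
import re
from collections import defaultdict

# Constructed sample mapping for one (fictional) GCP control, as the dict
# yaml.safe_load() would return for a mapping file of this shape.
SAMPLE_MAPPING = {
    "version": "1.0",
    "ATT&CK version": "10",
    "name": "Example Perimeter Control (constructed)",
    "platform": "GCP",
    "description": "Constructed sample; not an assessment of a real product.",
    "references": ["https://example.invalid/docs"],
    "techniques": [
        {"id": "T1190", "name": "Exploit Public-Facing Application",
         "technique-scores": [
             {"category": "Protect", "value": "Partial",
              "comments": "Constructed rationale for the score."}]},
        {"id": "T1078.004", "name": "Valid Accounts: Cloud Accounts",
         "technique-scores": [
             {"category": "Detect", "value": "Minimal"},
             {"category": "Respond", "value": "Minimal"}]},
    ],
}

REQUIRED_FIELDS = ("name", "platform", "description", "references", "techniques")
CATEGORIES = ("Protect", "Detect", "Respond")
VALUES = ("Minimal", "Partial", "Significant")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Constructed stand-in for the ATT&CK Enterprise v10 technique list that the
# real tool loads; only IDs in this set count as valid references here.
KNOWN_TECHNIQUES = {"T1190", "T1078", "T1078.004", "T1552", "T1552.001"}
# Assumed legend colours; the post's Figure 2 defines the real ones.
COLORS = {"Protect": "#4caf50", "Detect": "#2196f3",
          "Respond": "#ff9800", "Mixed": "#9c27b0"}


def validate(mapping, known=KNOWN_TECHNIQUES):
    """Return a list of problems; an empty list means the mapping conforms."""
    problems = [f"missing required field {f!r}"
                for f in REQUIRED_FIELDS if f not in mapping]
    for tech in mapping.get("techniques", []):
        tid = tech.get("id", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed technique id {tid!r}")
        elif tid not in known:
            problems.append(f"technique {tid} is not in the ATT&CK Enterprise matrix")
        scores = tech.get("technique-scores", [])
        if not scores:
            problems.append(f"{tid}: no technique-scores recorded")
        for score in scores:
            if score.get("category") not in CATEGORIES:
                problems.append(f"{tid}: bad category {score.get('category')!r}")
            if score.get("value") not in VALUES:
                problems.append(f"{tid}: bad value {score.get('value')!r}")
    return problems


def query(mapping, category=None, value=None, technique=None):
    """Return (technique id, category, value) rows matching every given filter."""
    rows = []
    for tech in mapping["techniques"]:
        tid = tech["id"]
        # A filter on a parent technique ("T1078") also matches its sub-techniques.
        if technique and not (tid == technique or tid.startswith(technique + ".")):
            continue
        for score in tech["technique-scores"]:
            if category and score["category"] != category:
                continue
            if value and score["value"] != value:
                continue
            rows.append((tid, score["category"], score["value"]))
    return rows


def navigator_layer(mapping):
    """Build an ATT&CK Navigator layer, colouring each technique by coverage category."""
    categories = defaultdict(set)
    for tech in mapping["techniques"]:
        for score in tech["technique-scores"]:
            categories[tech["id"]].add(score["category"])
    techniques = []
    for tid in sorted(categories):
        cats = categories[tid]
        key = "Mixed" if len(cats) > 1 else next(iter(cats))
        techniques.append({"techniqueID": tid, "color": COLORS[key],
                           "comment": ", ".join(sorted(cats))})
    return {
        "name": mapping["name"],
        "domain": "enterprise-attack",
        "versions": {"attack": mapping.get("ATT&CK version", "10"), "layer": "4.3"},
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_MAPPING) or "none")
    print("Detect coverage:", query(SAMPLE_MAPPING, category="Detect"))
    print(navigator_layer(SAMPLE_MAPPING))
```

The validator reports every problem rather than stopping at the first, which is what you want when reviewing a batch of contributed mapping files; the layer builder collapses a technique that carries more than one category into the "mixed" colour, matching the legend in Figure 2. Swap the constructed KNOWN_TECHNIQUES set for the technique IDs loaded from the ATT&CK STIX bundle to validate references against the real Enterprise matrix.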

What’s Next?

We will continue to empower defenders with consistent, independently developed collections of security capability mappings to ATT&CK. The mappings between the Azure security stack and ATT&CK established a foundation for future innovation, which was expanded to include AWS and has now been expanded to include GCP. We are looking ahead to other platforms such as Windows, Linux, macOS, and more in future projects.

We are also interested in exploring new ways to visualize and help users understand how their local security capabilities stack up against adversary behaviors. While we have provided ATT&CK Navigator views of our mappings, we recognize that there is an opportunity to do more. We are interested in researching and developing more robust visualization capabilities to help empower defenders to understand their impact on adversary behaviors and make threat-informed decisions.

Getting Involved

There are several ways that you can get involved with this project and help advance threat-informed defense:

  • Review the mappings, use them, and tell us what you think. We welcome your review and feedback on the mappings, our methodology, and resources.
  • Analyze and map your security capabilities. We encourage organizations to apply our methodology to map the security capabilities of their products and we welcome mapping contributions.
  • Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
  • Share your ideas. We are interested in developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. If you have ideas or suggestions, we will consider them as we explore additional research projects.

You can always contact us at ctid@mitre-engenuity.org or simply file issues on our GitHub repository.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0049.


Ingrid Skoog
MITRE-Engenuity

Director of Research & Development, The Center for Threat-Informed Defense