Written by Tiffany Bergeron and Jon Baker.
Today, the Center for Threat-Informed Defense (Center) is releasing a set of mappings between MITRE ATT&CK® and NIST Special Publication 800–53 with supporting documentation and resources. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base and provide a foundation for integrating ATT&CK-based threat information into the risk management process.
Mapping NIST 800–53, or any security control framework, to ATT&CK is a labor intensive and often subjective undertaking. Furthermore, due to the large number of security controls in any given framework and the evolving nature of cyber adversaries, these mappings are often error prone and difficult to maintain. In collaboration with Center Participants, AttackIQ, the Center for Internet Security, and JPMorgan Chase, we recognized that there was not only a need for mapping NIST 800–53, but an opportunity to work collaboratively and advance threat-informed defense with the global community. With over 6,300 individual mappings between NIST 800–53 and ATT&CK, we believe that this work will greatly reduce the burden on the community — allowing organizations to focus their limited time and resources on understanding how controls map to threats in their specific environment.
Along with our mappings to NIST 800–53, we documented our methodology and the scoping decisions that guided us, and we created a set of tools and resources to enable others to both understand our work and build upon it. Our goal was to establish a home for curated security control framework mappings to ATT&CK techniques and related resources to empower the community. We believe that we have created a scalable model that can be applied to both refine NIST 800–53 mappings to ATT&CK and to expand coverage to include mappings to other security control frameworks.
Mappings to NIST 800–53
The release today provides mappings of the NIST 800–53 Revision 4 and Revision 5 control frameworks to MITRE ATT&CK Techniques. As an example, Figure 1 depicts the NIST 800–53 Rev. 4 mapping coverage of all ATT&CK techniques — the darker the technique is, the more NIST 800–53 controls map to that technique.
We document our scoping decisions for mapping NIST 800–53 controls as included in the ReadMe files for both Rev. 4 and Rev. 5. These scoping decisions are important to understanding security control coverage and the selection process to develop this repository of mappings. Examples of our scoping decisions include:
- ATT&CK Scope: This work is focused on ATT&CK techniques included in the Enterprise domain; Mobile techniques are not covered.
- Controls vs. Control Enhancements: Mappings are done at the security control level and not to specific control enhancements.
- Policy & Procedure Controls: Controls associated solely with policy and procedure are out of scope as the focus is on the technical and operational elements of NIST 800–53.
- Technical in Focus: Mappings are done for system-specific technical safeguards and countermeasures (e.g., block USB devices) and not for non-technical methods of mitigation (e.g., protection of physical space).
This repository includes several ways to visualize the mappings. ATT&CK Navigator layers are provided to display the mappings in the context of the ATT&CK Matrix, as shown above. These navigator layers are based upon a STIX representation of the controls and mappings.
By openly documenting our scoping decisions and providing this foundational set of mappings to NIST 800–53, we aim to accelerate community collaboration. Due to the subjective nature of mapping security framework controls to ATT&CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific techniques to specific controls. We welcome your feedback and perspectives.
ATT&CK’s mitigations are at the core of our methodology and act as a bridge helping us to connect adversary behavior (tactics and techniques) to the security controls that may mitigate those behaviors. The methodology defines an iterative process that consists of four main steps. Each step incrementally builds understanding allowing the analyst to understand ATT&CK techniques and sub-techniques in the context of a mitigation and then select relevant security controls to map. The four steps are:
- ATT&CK Mitigation Review: Reviewing and analyzing each mitigation.
- ATT&CK Technique Review: Understanding adversary objectives and goals a technique or sub-technique is designed to carry out.
- Security Control Review: Examining security controls in the context of the mitigation and specific techniques.
- Create a Mapping: Identifying and creating security control mappings to ATT&CK techniques and sub-techniques.
Much like an ATT&CK mitigation, a mapping between a security control and an ATT&CK technique or sub-technique means that the security control may prevent successful execution of the technique or sub-technique. Controls are either mapped or not mapped to a given technique or sub-technique. This methodology does not define degrees of mapping or control effectiveness. In this way the mappings provide an easily understood foundational resource that is intended to inform risk management decisions.
Supporting Tools & Resources
We took a forward-looking approach and provided a set of tools and resources that will allow us to sustain the mappings to NIST 800–53 over time and expand to other security control frameworks based on Center priorities and community collaboration. We started with a flexible and extensible data model for expressing security control framework mappings to ATT&CK. To help support adoption and usage by the community, we developed a collection of open-source tools and resources to simplify the process of creating and using security control framework mappings to ATT&CK.
Our data model is based on STIX 2.0 JSON. This provides a consistent and machine-readable format for information sharing and allows for easy integration with ATT&CK and its tools and resources. Basing our data model off of STIX allows for that flexibility and extensibility to other security control frameworks.
A set of Python tools support data manipulation, including the creation of new mappings and the customization of existing mappings. Users can easily refine and extend the mappings for their needs and locally rebuild the full set of supporting artifacts.
Our STIX 2.0 representation allows us to easily generate different mappings visualizations and representations. Our build process creates ATT&CK Navigator layers to help users easily understand a given security control framework’s coverage of ATT&CK. Excel spreadsheets are also generated, listing all of the mappings for each framework in a tabular format.
We are committed to advancing threat-informed defense and see the integration of ATT&CK-based threat intelligence into the risk management process as an important step to bring security operations teams and risk management teams together. The mappings between ATT&CK and NIST 800–53 should establish a foundation for future innovation. We anticipate refining what we have published based on your review and feedback and expanding our mappings to include other frameworks. As an example, we are working with the Center for Internet Security to apply this methodology to the CIS Controls.
We are also interested in exploring new ways to visualize and help users understand how their risk management decisions impact adversary behaviors. While we have provided ATT&CK Navigator views of our mappings, we recognize that there is also an opportunity to do more. We are interested in researching and developing more robust visualization capabilities to help risk management programs better understand how their decisions impact adversary behaviors and empower them to make threat-informed decisions.
There are several ways that you can get involved with this project and help advance threat-informed defense.
First, review the mappings, use them, and tell us what you think. We welcome your review and feedback on the NIST 800–53 mappings, our methodology, and resources.
Second, we are interested in applying our methodology to other security control frameworks. Let us know what frameworks you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
Finally, we are interested in developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. Share your ideas and we will consider them as we explore additional research projects.
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Currently comprised of 24 Participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0011.