Security Control Mappings: A Starting Point for Threat-Informed Defense

Jon Baker
Jun 29, 2021

Written by Nicholas Amon and Jon Baker.

Today, the Center for Threat-Informed Defense (Center) is releasing a set of mappings between the security controls native to the Azure Infrastructure as a Service (IaaS) platform and MITRE ATT&CK®, with supporting documentation and resources. This release is the first in a collection of mappings of native product security controls to ATT&CK, all based on a common methodology, scoring rubric, data model, and tool set. With these resources we have established the foundation for systematically mapping security controls to ATT&CK and provided a critical resource for organizations to assess their Azure security control coverage against real-world threats as described in the ATT&CK knowledge base.

Mapping the security stack of the Azure platform, or any set of platform security controls, to ATT&CK is a labor-intensive and often subjective undertaking. Furthermore, due to the large number of security controls in any given security stack and the evolving nature of cyber adversaries, these mappings are often error-prone and difficult to maintain. In collaboration with Center Participants (AttackIQ, Ernst & Young U.S., HCA Healthcare, JPMorgan Chase, Microsoft, US National Bank Association, Verizon and one other participant), we recognized that there was not only a need for these mappings, but an opportunity to work collaboratively and advance threat-informed defense with the global community. With over 45 Azure native security controls mapped, we believe that this work will greatly reduce the burden on the community, empowering defenders with independent data on which Azure controls are most useful in defending against the adversary TTPs they care about.

Azure Security Stack Mappings

Today’s release provides mappings of Azure’s native security controls to ATT&CK techniques. Figures 1 & 2 depict the ATT&CK coverage of all the Azure security controls mapped along with the scoring legend that denotes the category and effectiveness of the coverage provided.

Figure 1: Azure Security Stack Mappings Coverage Overview
Figure 2: Azure Mappings Coverage Legend

The following scoping decisions influenced the Azure mappings:

  • ATT&CK Scope: This work is focused on ATT&CK (sub-)techniques included in the Enterprise domain v8; Mobile techniques are not covered. There is a follow-on project that will update the mappings to ATT&CK v9.
  • Native Security Controls: This work focused on mapping the security controls produced by Microsoft or branded as Microsoft products. Third-party security controls available on the platform were excluded from analysis.
  • Azure Security Benchmark: Most of the controls included in scope were derived from Microsoft’s Azure Security Benchmark v2 and our review of Azure security documentation.
  • Azure Defender for servers: This control was excluded from analysis due to its complexity and its inclusion within recent MITRE ATT&CK Evaluations.

We created ATT&CK Navigator layers for each mapped control, enabling the display of the mappings in the context of the ATT&CK Matrix, as shown above. In addition, a Markdown view is provided that enumerates all controls mapped along with the list of ATT&CK techniques mitigated by each control.

By openly documenting our scoping decisions and providing this foundational set of mappings of Azure security controls to ATT&CK, we aim to accelerate community collaboration. Due to the subjective nature of mapping security controls to ATT&CK, we anticipate differences in perspective on overall approach and possibly even the mapping of specific controls to specific techniques. We welcome your feedback and perspectives.

Our Methodology

Though we considered other existing scoring methodologies, ultimately we created our own in order to meet the specific needs of this project. Our methodology and its related artifacts (e.g., data format, scoring rubric) serve as a foundation for the Azure project, as well as subsequent projects aimed at mapping the security capabilities of additional platforms (e.g., AWS, Windows, macOS, etc.) to ATT&CK. The methodology consists of five main steps, each building on the previous one so that the analyst incrementally understands the security control under analysis and the ATT&CK (sub-)techniques it mitigates. The five steps are:

  1. Identify Platform Security Controls: Research available platform security documentation to identify the set of security controls within scope of analysis.
  2. Security Control Review: For each control, collect and analyze its documentation, identifying key information on its functionality that will enable selecting the set of ATT&CK (sub-)techniques that it mitigates. Our methodology does not include operational validation of security controls in order to allow for broad coverage of a platform.
  3. Identify Mappable ATT&CK (sub-)techniques: Use the information gathered in the previous step to map the control to the set of ATT&CK (sub-)techniques it mitigates.
  4. Produce Score Assessments: For each mapped ATT&CK (sub-)technique, utilize the scoring rubric to assess the category and effectiveness of the mitigation provided by the control.
  5. Create Mapping Files: Record the data gathered in the previous steps in the mapping file as specified in the mapping format.
Figure 3: Mapping Methodology

Our Data Model & Rubric

In order to record the mapping information for a particular control, we developed a YAML data format, modeled below.

Figure 4: YAML Data Format

The following are salient properties of the mapping format:

  • Mapping file per control: Each mapping file records ATT&CK coverage information for a single security control, resulting in a mapping file per platform security control.
  • Self-contained: The format supports producing mapping files that provide sufficient information (via its description and references fields) to enable its reader to understand, at a high-level, the functionality provided by the control being mapped along with references for additional information.
  • Scoring assessment: The format provides support for recording a score of the effectiveness of a security control’s mitigation of an ATT&CK (sub-)technique as well as an optional comment to support the scoring assessment.

In addition to the data format, we created a scoring rubric that enables recording the category of ATT&CK coverage provided by a control (protect, detect and/or respond) along with an assessment of its effectiveness (Minimal, Partial or Significant). Guidance on the scoring factors considered when assigning a score, and additional related documentation, is available in the project repository.

Mapping CLI Tool

Taking a forward-looking approach, we developed a CLI tool that facilitates the mapping process and will allow the Center to sustain the Azure platform mappings over time. It will also enable further expanding the mapping of security stacks to other platforms based on the Center’s priorities and community collaboration. This Python-based tool provides the following functionality:

  • Syntax Validation: supports validating mapping file syntax, ensuring their conformity to the data format specification and accurate references of the (sub-)techniques from the ATT&CK Enterprise matrix.
  • Visualization: supports producing the ATT&CK Navigator layers and Markdown Summary visualizations from mapping files.
  • Querying: supports querying the mapping data by various fields such as ATT&CK tactic or (sub-)technique, score category (protect, detect, respond), score value (Minimal, Partial, Significant), etc. An example is shown in the figure below:
Figure 5: Querying mapping data by category using the CLI tool
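As an added illustration of the data format, the scoring rubric and the three functions of the CLI tool described above (syntax validation, visualization and querying), here is a small Python script. It is written for this post and is not the Center's mapping tool or the published Azure mappings: the mapping field names (name, platform, description, techniques, technique-scores with category/value/comments, references), the sample control, its technique scores, the reference URL and the small technique index it validates against are all assumptions, constructed so the example runs offline.

```python
"""Toy validator, query helper and ATT&CK Navigator layer builder for a
control mapping file (illustrative code, not the Center's CLI tool).

Assumed mapping fields: name, platform, description, techniques[].id,
techniques[].technique-scores[].category / value / comments, references.
"""
import json

# Scoring rubric from the post: coverage category and effectiveness value.
CATEGORIES = ("Protect", "Detect", "Respond")
VALUES = ("Minimal", "Partial", "Significant")
RANK = {value: i + 1 for i, value in enumerate(VALUES)}  # Minimal=1 ... Significant=3

# Constructed sample mapping file. It is written in JSON syntax, which is also
# valid YAML, so the standard library can load it without PyYAML. The control,
# its technique scores and the URL are illustrative, not published mappings.
SAMPLE_MAPPING = r"""
{
  "name": "Example Control",
  "platform": "Azure",
  "description": "Illustrative control that blocks and logs password attacks.",
  "techniques": [
    {"id": "T1110", "name": "Brute Force",
     "technique-scores": [
       {"category": "Protect", "value": "Partial", "comments": "lockout policy"},
       {"category": "Detect", "value": "Significant"}]},
    {"id": "T1110.001", "name": "Password Guessing",
     "technique-scores": [{"category": "Protect", "value": "Significant"}]},
    {"id": "T9999", "name": "Not a real technique",
     "technique-scores": [{"category": "Prevent", "value": "High"}]}
  ],
  "references": ["https://docs.example.invalid/example-control"]
}
"""

# Stand-in for the ATT&CK Enterprise index the real tool resolves IDs against
# (a constructed subset; the real matrix has hundreds of entries).
KNOWN_TECHNIQUES = {"T1078", "T1078.004", "T1110", "T1110.001", "T1110.003"}
REQUIRED_FIELDS = ("name", "platform", "description", "techniques", "references")


def load_mapping(text):
    """Parse a mapping file body into a dict."""
    return json.loads(text)


def validate(mapping):
    """Syntax validation: return a list of problems (empty means it conforms)."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in mapping]
    for tech in mapping.get("techniques", []):
        tid = tech.get("id", "<missing id>")
        if tid not in KNOWN_TECHNIQUES:
            problems.append(f"{tid}: not an ATT&CK Enterprise (sub-)technique")
        for score in tech.get("technique-scores", []):
            if score.get("category") not in CATEGORIES:
                problems.append(f"{tid}: unknown category {score.get('category')!r}")
            if score.get("value") not in VALUES:
                problems.append(f"{tid}: unknown value {score.get('value')!r}")
    return problems


def query(mapping, category=None, value=None):
    """Querying: IDs of techniques with at least one score matching the filters."""
    hits = []
    for tech in mapping["techniques"]:
        for score in tech["technique-scores"]:
            if category and score.get("category") != category:
                continue
            if value and score.get("value") != value:
                continue
            hits.append(tech["id"])
            break
    return hits


def navigator_layer(mapping, attack_version="8"):
    """Visualization: build an ATT&CK Navigator layer that colours each
    technique by its best effectiveness score and lists every score in the
    comment. Scores the rubric does not recognise are dropped here, so run
    validate() first if you want them reported instead."""
    techniques = []
    for tech in mapping["techniques"]:
        scores = [s for s in tech["technique-scores"] if s.get("value") in RANK]
        if not scores:
            continue
        best = max(scores, key=lambda s: RANK[s["value"]])
        techniques.append({
            "techniqueID": tech["id"],
            "score": RANK[best["value"]],
            "comment": "; ".join(f"{s['category']}: {s['value']}" for s in scores),
        })
    return {
        "name": mapping["name"],
        "domain": "enterprise-attack",
        "versions": {"layer": "4.2", "attack": attack_version},
        "gradient": {"colors": ["#ffe766", "#8ec843"], "minValue": 1, "maxValue": 3},
        "techniques": techniques,
    }


if __name__ == "__main__":
    m = load_mapping(SAMPLE_MAPPING)
    print("validation:", validate(m))
    print("Protect/Significant:", query(m, category="Protect", value="Significant"))
    print(json.dumps(navigator_layer(m), indent=2))
```

Run against the sample, validation reports three problems, all on the bogus T9999 entry (unknown technique ID, category and value), while the layer builder silently drops that entry and keeps T1110 at the Significant score of its Detect assessment. Keeping validation and visualization as separate steps, as the post's tool does, is what makes that difference visible rather than hidden in a rendered matrix.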

What’s Next?

We aim to empower defenders with a consistent, independently developed collection of security capability mappings to ATT&CK. The mappings between the Azure security stack and ATT&CK establish a foundation for future innovation. We anticipate refining these resources based on your review and feedback, and expanding our mappings to include other platforms, such as Amazon Web Services (AWS), which we are working on now.

We are also interested in exploring new ways to visualize and help users understand how their local security capabilities stack up against adversary behaviors. While we have provided ATT&CK Navigator views of our mappings, we recognize that there is an opportunity to do more. We are interested in researching and developing more robust visualization capabilities to help empower defenders to understand their impact on adversary behaviors and make threat-informed decisions.

Getting Involved

There are several ways that you can get involved with this project and help advance threat-informed defense:

  • Review the mappings, use them, and tell us what you think. We welcome your review and feedback on the mappings, our methodology, and resources.
  • Apply the methodology and share your security capability mappings. We encourage organizations to apply our methodology to map the security capabilities of their products and we welcome mapping contributions.
  • Help us prioritize additional platforms to map. Let us know what platforms you would like to see mapped to ATT&CK. Your input will help us prioritize how we expand our mappings.
  • Share your ideas. We are interested in developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. If you have ideas or suggestions, we will consider them as we explore additional research projects.

You can always contact us at or simply file issues on our GitHub repository.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2021 MITRE Engenuity. Approved for Public Release. Document number CT0019.



Jon Baker

Director and co-Founder, Center for Threat-Informed Defense