The Best Defense is a Security Capability Mapped to ATT&CK

By Tiffany Bergeron • December 13, 2024

Preventing adversary behaviors can seem like an impossible task, particularly when advanced persistent threats (APTs) are again in the news with another high-profile attack. If an adversary can breach a Fortune 500 company, what chance do you have? With the Center for Threat-Informed Defense (Center) security capability mappings, you will improve your odds.

Most organizations already have security controls available to them, either native controls, e.g. Microsoft Windows security features, or vendor-provided controls, e.g. AWS security services. When there is a clear path from a security control to an adversary tactic, technique, or procedure (TTP), the defensive value of that control becomes visible. The Center created a standard for expressing that path, a mapping, from control to TTP.

These mappings are a transparent way for defenders to apply MITRE ATT&CK® in their environments. However, ATT&CK is updated twice a year, which means the techniques advance while the control mappings are left behind. Security control frameworks are also updated, widening the divide. As a result, the capabilities contained in each mappings project at its time of publication do not reflect recent adversary techniques or defensive measures. When the mappings are out of sync with the current version of ATT&CK, they lose value: a version 8 defense may not protect against a version 12 adversary. Keeping an organization's mappings current with recent versions of ATT&CK is a good practice, but ad hoc updates of mappings to ATT&CK are costly. In partnership with Center members Center for Internet Security, Citigroup, HCA Healthcare, JPMorgan Chase Bank N.A., Lloyds Banking Group, Microsoft Corporation, and Verizon Business, we have committed to an enduring effort that will update and share mappings on a regular cadence, keeping in sync with ATT&CK. Organizations will be able to choose the version of mappings that best meets the needs of their own, unique cybersecurity programs.

Three years of defense in under six weeks

We launched this project on November 1 and have completed our first update: AWS to ATT&CK v16! AWS was originally mapped to ATT&CK v9, over 3 years ago. You'll find this update, all our existing mappings, and our upcoming releases in our Mappings Explorer. Since v9 was released, 107 techniques have been added and 480 have been modified (we figured out those numbers using ATT&CK Sync, which shows you all changes in ATT&CK from any version to another).
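The drift described above (techniques added or modified between two ATT&CK releases, and mappings that still point at the older release) is straightforward to check mechanically once you have both releases as STIX bundles. The following is an added example written for this post, not the Center's code and not ATT&CK Sync itself. It relies on the STIX field conventions ATT&CK actually uses (an `attack-pattern` object carries its ATT&CK ID in `external_references` under `source_name` "mitre-attack", bumps `x_mitre_version` on content changes, and is flagged with `revoked` or `x_mitre_deprecated` when retired), but the two bundles, the `T9xxx` technique IDs, the capability names, and the simplified mapping-row shape (`capability_id`, `attack_object_id`, `mapping_type`) are all constructed for the example and are not real ATT&CK or Center data.

```python
"""Added example (not Center code): detect mapping drift between ATT&CK releases.

ATT&CK ships as STIX 2.x bundles; each technique is an "attack-pattern" whose
ATT&CK ID lives in external_references (source_name "mitre-attack"), with
x_mitre_version bumped on content changes and revoked / x_mitre_deprecated set
when a technique is retired.  The bundles and mapping rows below are
constructed for this example; the T9xxx IDs are placeholders, not real techniques.
"""


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059.001) recorded on a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_techniques(bundle):
    """Map ATT&CK ID -> object for every attack-pattern in a bundle."""
    return {
        attack_id(o): o
        for o in bundle["objects"]
        if o.get("type") == "attack-pattern" and attack_id(o)
    }


def diff_versions(old_bundle, new_bundle):
    """Classify technique changes between two releases.

    A technique is 'modified' when x_mitre_version changed, 'retired' when the
    newer release marks it revoked or deprecated, and 'added' when its ID only
    exists in the newer release.  ATT&CK keeps retired objects in the bundle,
    so 'removed' is normally empty but is reported for completeness.
    """
    old, new = index_techniques(old_bundle), index_techniques(new_bundle)
    changes = {"added": sorted(set(new) - set(old)),
               "removed": sorted(set(old) - set(new)),
               "modified": [], "retired": []}
    for tid in sorted(set(old) & set(new)):
        if new[tid].get("revoked") or new[tid].get("x_mitre_deprecated"):
            changes["retired"].append(tid)
        elif old[tid].get("x_mitre_version") != new[tid].get("x_mitre_version"):
            changes["modified"].append(tid)
    return changes


def stale_mappings(mappings, changes):
    """Return (capability_id, attack_object_id, reason) for rows needing review.

    A 'retired' row points at a technique that no longer exists as a live
    object; a 'modified' row may still be valid, but its rationale was written
    against older technique text and should be re-checked.
    """
    flagged = []
    for row in mappings:
        tid = row["attack_object_id"]
        if tid in changes["retired"] or tid in changes["removed"]:
            flagged.append((row["capability_id"], tid, "retired"))
        elif tid in changes["modified"]:
            flagged.append((row["capability_id"], tid, "modified"))
    return flagged


def uncovered_techniques(mappings, changes):
    """Techniques new in this release that no capability is mapped to yet."""
    mapped = {row["attack_object_id"] for row in mappings}
    return [tid for tid in changes["added"] if tid not in mapped]


def technique(tid, version, **flags):
    """Build a minimal STIX-shaped attack-pattern for the constructed bundles."""
    obj = {"type": "attack-pattern",
           "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
           "x_mitre_version": version}
    obj.update(flags)
    return obj


# Constructed release snapshots (not real ATT&CK data).
OLD_BUNDLE = {"objects": [technique("T9001", "1.0"), technique("T9002", "1.0"),
                          technique("T9003", "1.0")]}
NEW_BUNDLE = {"objects": [technique("T9001", "1.2"),                # content changed
                          technique("T9002", "1.0"),                # unchanged
                          technique("T9003", "1.0", revoked=True),  # retired
                          technique("T9004", "1.0")]}               # new technique

# Constructed mapping rows in a simplified, assumed capability -> technique shape.
MAPPINGS = [
    {"capability_id": "log-monitoring", "attack_object_id": "T9001", "mapping_type": "detect"},
    {"capability_id": "mfa",            "attack_object_id": "T9002", "mapping_type": "protect"},
    {"capability_id": "audit-trail",    "attack_object_id": "T9003", "mapping_type": "detect"},
]

if __name__ == "__main__":
    changes = diff_versions(OLD_BUNDLE, NEW_BUNDLE)
    print("changes :", changes)
    print("review  :", stale_mappings(MAPPINGS, changes))
    print("unmapped:", uncovered_techniques(MAPPINGS, changes))
```

Run against real data, `OLD_BUNDLE` and `NEW_BUNDLE` would be the enterprise-attack JSON bundles for the two releases, and `MAPPINGS` the rows of a published mapping file; the three result lists are then the review queue for the upgrade: rows to drop or re-point (retired), rows to re-validate (modified), and new techniques with no mapped capability at all.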

What’s on the horizon?

We are updating all our existing security capability mappings. You can expect a new mapping release every six weeks. The mappings we have scheduled, and the current version to which they are mapped, are the following:

  • AWS (currently mapped to ATT&CK version 9.0) COMPLETED!
  • Azure (currently mapped to ATT&CK version 8.2)
  • Google Cloud Platform (currently mapped to ATT&CK version 10.0)
  • VERIS (currently mapped to ATT&CK versions 12.1, 9.0)
  • NIST 800-53 (currently mapped to ATT&CK versions 14.1, 12.1, 10.1, 9.0, 8.2)
  • M365 (currently mapped to ATT&CK version 14.1)
  • CVE (currently mapped to ATT&CK version 9.0; upcoming mappings to 15.1)

We will also improve the mappings user experience. Mappings Explorer will include new data formats that expand the scope of our mappings. We will bring ATT&CK Sync into the Mappings Editor, providing a one-stop shop for all the mappings work. We are currently researching how Intel vPro processors can be used to enhance software security. This is a new area for our mappings program so we had to rethink our data model and how we present the information in Mappings Explorer.

Along with our Mappings Explorer update, we are updating our Mappings Editor. This freely available tool is what our team uses to perform our mappings. Mappings Editor moves the community from spreadsheets to a polished interface that reduces the time it takes to identify a path from control to technique. Please check out Mappings Editor for your internal use cases, share your successes, and tell us how we can improve it.

Defend Yourself

Through this Center work, each of our mappings will be kept current with the latest ATT&CK release, so the controls you already have are mapped against the latest adversary TTPs. This is a low-cost opportunity to improve your defenses by fully using the features already available to you, so use these resources. We believe that a rising tide lifts all boats, and there is no easier way to raise the tide than to enable native security controls that directly protect against, detect, or respond to adversary behaviors.

We welcome your feedback and contributions to continue to advance our work. If you have any feedback, technical questions, concerns, or contributions you'd like to make to the project, use the Contact Us form or submit an issue on GitHub.

© 2024 MITRE. Approved for Public Release. Document number CT0136.


About the Author

Tiffany Bergeron

As the Chief Mappings Architect, Tiffany oversees all Center projects related to MITRE ATT&CK mappings, including the Mappings Explorer website, security platform mappings, and security control framework mappings.
