Updated: May 11
Part 1 of a 2 part blog
Author Elaine Harrison-Neukirch
I recently left the Security Analyst world and now work in the Adversary Emulation world. With this move, I have been learning about Threat Intelligence and the MITRE ATT&CK Matrices. I wish I had more knowledge about MITRE ATT&CK when I was an analyst. It would have been very useful to me as a Blue team member.
Go Blue Team!
A Blue team is a team of security professionals who work to assure that their organization’s network, information systems, data and assets are safe from threats and attackers. They are the defenders. They must mitigate any gaps in the organization’s defense and continuously assess for new gaps.
While researching MITRE ATT&CK, I came across the ATT&CK Navigator and the NIST ATT&CK Navigator.
MITRE ATT&CK is a knowledge base of built on different adversary groups, their tactics and techniques. It’s goal is to enable cybersecurity professionals to gather information and understand the actions behind different attacks. This will also provide resources when planning mitigation strategies against specific attacks.
MITRE AT&CK has interactive matrices that focus on Enterprise, Mobile and ICS. Each matrice contains TTPs (Tactics, Techniques & Procedures) used by different adversary groups. By selecting a group or tactic, the user can drill down into the many techniques used for a specific threat or by a specific group. Each technique and sub technique is correlated with a mitigation.
For example, if I search Brute Force in MITRE ATT&CK, a summary shows with the Technique ID (T1110) and the Mitigation ID (M1018). I can then drill down into those for more details.
In December 2020, The Center for Threat-Informed Defense (Center) released a set of mappings between MITRE ATT&CK and NIST SP 800-53. The goal of this mapping is to enable people to easily map threats that are specific to their organization, to NIST controls. This ability to visualize threats and the NIST controls associated with them, will contribute to more efficient planning of closing security gaps.
NIST Special Publication 800-53
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a detailed document that describes multiple security and privacy controls. These are controls that should be in place to protect both the Federal Government and Critical Infrastructure Information Systems. Many other sectors also use these guidelines in an effort to protect their systems from threats. Risk Assessments incorporate the NIST SP 800-53 because it is so detailed and covers many of the security domains. The most current version is NIST SP 800-53 Revision 5. These guidelines are used by Blue Teams and those who perform risk assessments.
ATT&CK Navigator and NIST
ATT&CK Navigator is a Github project created by MITRE ATT&CK. The goal of this tool is to enable users to manipulate the MITRE ATT&CK matrices in a visual format. The Blue Team will find this information useful. The team will be able to visualize the gaps in their defenses and design a mitigation plan.
ATT&CK Navigator is customizable. Multiple layers of the ATT&CK knowledge base can be added to build out specific adversary techniques and tactics.
ATT&CK Navigator is hosted on Github. There is also an option to host on premises if that is preferred. Instructions are listed in the README.md
The integration of MITRE’s ATT&CK Navigator and the NIST SP 800-53 is a found as a Github project. The Attack-Control-Framework-Mappings is made up of many files and folders. As with most Github projects, you should review the README.md file first. The README.md usually gives an overview of the project as well as additional details on how to utilize the resources.
The Attack-Control-Framework-Mappings README.md file contains information on the following:
NIST 800-53 Revision 5 Control Mappings
Mapping NIST 800-53 revision 5 to ATT&CK
General Scoping Decisions
Control Family Scoping Decisions
Part 2 of this blog will discuss how to utilize the Attack-Control-Framework-Mappings with the ATT&CK Navigator.
About the Author: Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu.