Updated: Oct 14, 2021
Author Elaine Harrison-Neukirch
This integration of MITRE's ATT&CK Navigator and the NIST 800-53 security controls gives Blue Teamers the ability to visualize the techniques used by attackers and the security controls that mitigate those attacks.
In this blog, you will learn how to use the online version of MITRE’s ATT&CK Navigator and The Center for Threat Informed Defense’s NIST 800-53 R5 Security Control Framework Mappings. This tool is useful for Blue Teams trying to close gaps in defenses and for anyone who works with NIST risk assessments.
How to get started
At first glance, the GitHub page for the Security Control Framework Mappings to ATT&CK may seem overwhelming, because the repository has several components. The first step is to read the README.md.
The first section of the README.md contains a NIST 800-53 R5 mappings spreadsheet. This document lists the NIST 800-53 controls and maps them to the associated MITRE ATT&CK techniques. The spreadsheet can be a useful tool as a quick reference. The NIST 800-53 R5 spreadsheet can be downloaded here.
The README.md also contains a summary of the repository contents.
When I first came upon this GitHub project, I made it a point to read everything. The information gave me a better understanding of the project and how it can be used. I will not go over every section of the README.md, but I do want to highlight the Use Cases section.
The Use Cases section presents scenarios to facilitate the use of the ATT&CK Navigator and the NIST 800-53 R5 mappings. For my example, I am using use case scenario #4. In an attempt to keep my example simple, I will be selecting a Threat Group for the “contextual grouping”.
Use Case #4 states:
“I want to determine what security controls I can use to defend against a given group or software.
Groups and Software in ATT&CK are mapped to techniques. Therefore, this use case can be achieved in the exact manner as use case 3 (above) — determine the set of security controls that mitigate the techniques mapped to the group or software.
The visualization of such a use case could be implemented the same way as in use case 3, except with Groups or Software as the “contextual grouping” instead of mitigations. Such a visualization could be implemented to give the user choice of what type to use for contextual grouping (mitigation, group, software, even tactic) and therefore achieve several use cases with a single implementation.”
NIST 800-53 R5 ATT&CK Navigator Layers
The first step in mapping is to navigate to the frameworks folder. This folder contains JSON files for all of the control families and their individual controls. Each family contains multiple controls, so it is possible to select a variety of controls from each family and layer each of the JSON files in ATT&CK Navigator. This will take some practice and fine tuning.
For my example, I will use the nist800-53-r5 overview layer. Clicking the view link opens the JSON file in ATT&CK Navigator.
The layer displays MITRE ATT&CK’s techniques and the NIST Controls that map to them (blue boxes). Mousing over a technique shows which NIST controls can be used to mitigate the technique.
To set this up for Use Case #4, a couple of changes have to be made.
1. Under Selection Controls, click the Multiselect button.
2. Click the view link to the right of each group to view the group’s MITRE ATT&CK page.
3. Select the desired threat group.
4. Once the threat group has been selected, the techniques used by that group are drawn with a black outline. This is difficult to see, so changing the background color of those techniques makes them easier to spot.
5. To change the background color, go to Technique Controls and click the paint can icon, then select the background color.
6. Select Layer Controls > Filter to drill down to specific platforms.
For my example, I selected the following:
Threat Group: Chimera
Background Color: Green
The techniques with a green background are known to be used by Chimera when attacking Windows devices.
Mouse over a technique to see the NIST controls that can be used in mitigation.
The view can be further customized by manipulating the available controls (selection, layer and technique). Additional layers can also be added and customized.
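The same Use Case #4 workflow can be scripted instead of clicked through. The following is an added example, not code from the blog or from the Center for Threat-Informed Defense project: it takes a constructed miniature of an overview layer (the control-to-technique metadata shape and the technique IDs are assumptions, not copied from the real layer files), collects the controls that mitigate a group's techniques, reports the group techniques with no mapped control, and emits a Navigator layer JSON that colours the group's techniques, matching the paint-can step above.

```python
import json

# Constructed miniature of a Navigator overview layer. The real layer files in
# the mappings repo are far larger; each entry here lists, in its metadata, the
# NIST 800-53 R5 controls mapped to one technique (sample values, not copied).
OVERVIEW_LAYER = {
    "name": "nist800-53-r5 overview (constructed sample)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1078", "metadata": [{"name": "control", "value": "AC-2"},
                                             {"name": "control", "value": "IA-2"}]},
        {"techniqueID": "T1059", "metadata": [{"name": "control", "value": "CM-7"},
                                             {"name": "control", "value": "SI-3"}]},
        {"techniqueID": "T1021", "metadata": [{"name": "control", "value": "AC-17"}]},
        {"techniqueID": "T1566", "metadata": [{"name": "control", "value": "SI-8"}]},
    ],
}
# Constructed technique list for a hypothetical group; the group's ATT&CK page
# is the authoritative source. T1999 is a placeholder with no mapping.
GROUP_TECHNIQUES = ["T1078", "T1059", "T1021", "T1999"]

def controls_for_technique(layer, technique_id):
    """Controls the layer maps to one technique (empty set if unmapped)."""
    for entry in layer["techniques"]:
        if entry["techniqueID"] == technique_id:
            return {m["value"] for m in entry.get("metadata", []) if m["name"] == "control"}
    return set()

def controls_for_group(layer, group_techniques):
    """Use case #4: union of controls over the group's techniques, plus the
    techniques with no mapped control, which are the coverage gaps to review."""
    controls, gaps = set(), []
    for tid in group_techniques:
        mapped = controls_for_technique(layer, tid)
        controls |= mapped
        if not mapped:
            gaps.append(tid)
    return sorted(controls), gaps

def highlight_layer(layer, group_techniques, color="#00ff00"):
    """New layer that colours the group's techniques, the same effect as the
    paint-can step in the Navigator UI; save it as JSON and upload it later."""
    return {"name": layer["name"] + " - group highlight", "domain": layer["domain"],
            "techniques": [{"techniqueID": t, "color": color} for t in group_techniques]}

if __name__ == "__main__":
    print(controls_for_group(OVERVIEW_LAYER, GROUP_TECHNIQUES))
    print(json.dumps(highlight_layer(OVERVIEW_LAYER, GROUP_TECHNIQUES), indent=1))
```

The unmapped list is the part worth a second look: a technique the group uses with no control in the layer is exactly the defensive gap the mappings are meant to surface.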
Saving Your Work
The web-based version of ATT&CK Navigator does not allow you to save your work online. MITRE did include the option to save the layers as a spreadsheet or a JSON file.
The spreadsheet can be used as a reference when working to mitigate the techniques. Download the JSON file as well, so you can reload it later when you want to add more layers or customize the view further.
Continued Efforts of The Center for Threat Informed Defense
Recently, The Center for Threat Informed Defense released Azure Security Stack Mappings to MITRE ATT&CK. The GitHub repository for this project can be found here. For more information about the project and the Center for Threat Informed Defense’s involvement, read this article by Nicholas Amon & Jon Baker, Security Control Mappings: A Starting Point for Threat-Informed Defense.
It is my hope that you have found the information in this two part blog both interesting and useful. If you have any questions, feel free to reach out to me on LinkedIn.
About the Author: Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu.