More Fun with MITRE ATT&CK Navigator and NIST SP 800-53
Updated: Oct 14, 2021
Author Elaine Harrison-Neukirch
In part 1 of Fun with MITRE ATT&CK Navigator and NIST SP 800-53, I introduced MITRE ATT&CK, ATT&CK Navigator, NIST SP 800-53 R5 and the Attack-Control-Framework-Mappings GitHub project.
This integration of MITRE's ATT&CK Navigator and the NIST 800-53 security controls gives Blue Teamers the ability to visualize the techniques used by attackers and the security controls that mitigate those attacks.
In this blog, you will learn how to use the online version of MITRE’s ATT&CK Navigator and The Center for Threat Informed Defense’s NIST 800-53 R5 Security Control Framework Mappings. This tool is useful for Blue Teams trying to close gaps in defenses and for anyone who works with NIST risk assessments.
How to get started
At first glance, the GitHub page for the Security Control Framework Mappings to ATT&CK may seem overwhelming. There are several components to this page. The first step is to read the README.md.
The first section of the README.md contains a NIST 800-53 R5 mappings spreadsheet. This document lists the NIST 800-53 controls and maps them to the associated MITRE ATT&CK techniques. The spreadsheet can be a useful tool as a quick reference. The NIST 800-53 R5 spreadsheet can be downloaded here.
The README.md contains a summary of the repository contents:
When I first came upon this GitHub project, I made it a point to read everything. The information gave me a better understanding of the project and how it can be used. I will not go over every section of the README.md, but I do want to highlight the Use Cases section.
The Use Cases section presents scenarios to facilitate the use of the ATT&CK Navigator and the NIST 800-53 R5 mappings. For my example, I am using use case scenario #4. In an attempt to keep my example simple, I will be selecting a Threat Group for the “contextual grouping”.
Use Case #4 states:
“I want to determine what security controls I can use to defend against a given group or software.
Groups and Software in ATT&CK are mapped to techniques. Therefore, this use case can be achieved in the exact manner as use case 3 (above) — determine the set of security controls that mitigate the techniques mapped to the group or software.
The visualization of such a use case could be implemented the same way as in use case 3, except with Groups or Software as the “contextual grouping” instead of mitigations. Such a visualization could be implemented to give the user choice of what type to use for contextual grouping (mitigation, group, software, even tactic) and therefore achieve several use cases with a single implementation.”
NIST 800-53 R5 ATT&CK Navigator Layers
The first step in mapping is to navigate to the frameworks folder. This folder contains JSON files for all of the families and controls. Each family contains multiple controls. It is possible to select a variety of controls from each family, layering each of the JSON files in ATT&CK Navigator. This will take some practice and fine-tuning.
For my example, I will use the nist800-53-r5 overview layer. Clicking the view link opens the JSON file in ATT&CK Navigator.
The layer displays MITRE ATT&CK’s techniques and the NIST Controls that map to them (blue boxes). Mousing over a technique shows which NIST controls can be used to mitigate the technique.
In order to set this up for Use Case #4, there are a couple of changes that have to be made.
1. Under Selection Controls, click the Multiselect button.
2. Click the view link to the right of each group to view the group’s MITRE ATT&CK page.
3. Select the desired threat group.
4. Once the Threat Group has been selected, the techniques used by that group will have a black outline around them. This is difficult to see. Changing the background color of those techniques will help with better visualization.
5. To change the background color, go to technique controls and click the paint can icon. Select the background color.
6. Select Layer Controls > Filter to drill down to specific platforms.
For my example, I selected the following:
Threat Group: Chimera
Background Color: Green
The techniques with a green background are known to be used by Chimera when attacking Windows devices.
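The same Use Case #4 workflow can be scripted instead of clicked through: take the techniques attributed to a group, look up which NIST 800-53 controls the mappings tie to each one, and emit a Navigator layer that colours covered techniques green and uncovered ones red. This is an added example, not code from the blog or from the Center for Threat-Informed Defense project; the control-to-technique table and the group's technique list are constructed samples, and the layer keys are the minimal subset of the Navigator layer format.

```python
import json

# Constructed sample: NIST 800-53 R5 control -> ATT&CK technique IDs.
# Not the project's real mapping data; shaped like it for illustration.
CONTROL_TO_TECHNIQUES = {
    "AC-2": ["T1078", "T1136"],
    "AC-6": ["T1078", "T1068"],
    "IA-2": ["T1078"],
    "SI-4": ["T1068", "T1059"],
    "CM-7": ["T1059"],
}

# Constructed sample: techniques attributed to a hypothetical threat group.
GROUP_TECHNIQUES = ["T1078", "T1059", "T1566"]


def mitigating_controls(group_techniques, control_map):
    """Use Case #4: for each technique the group uses, return the sorted list
    of controls mapped to it. An empty list flags a technique with no mapped
    control, i.e. a potential defensive gap worth reviewing."""
    coverage = {}
    for tid in group_techniques:
        coverage[tid] = sorted(c for c, techs in control_map.items() if tid in techs)
    return coverage


def build_layer(name, coverage, covered="#00ff00", uncovered="#ff0000"):
    """Build a minimal ATT&CK Navigator layer dict (assumed key names:
    name, versions, domain, techniques[techniqueID, color, comment]).
    The comment lists the mitigating controls so they show on mouse-over."""
    techniques = []
    for tid, controls in coverage.items():
        techniques.append({
            "techniqueID": tid,
            "color": covered if controls else uncovered,
            "comment": ", ".join(controls) if controls else "no mapped control",
        })
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


if __name__ == "__main__":
    cov = mitigating_controls(GROUP_TECHNIQUES, CONTROL_TO_TECHNIQUES)
    # Save the output as a .json file and load it via Navigator's "Open Existing Layer".
    print(json.dumps(build_layer("Group coverage (sample)", cov), indent=2))
```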