This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 90
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #78 from center-for-threat-informed-defense/attack…
…_v10 ATT&CK v10 update
- Loading branch information
Showing
287 changed files
with
965,641 additions
and
25,646 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| ## How to Update the NIST 800-53 Mappings | ||
| This document is intended for developers who wish to update the mappings | ||
|
|
||
| Instructions to do a release with new NIST 800-53 mappings | ||
|
|
||
| ### Preconditions | ||
| 1. Mapping team has created two spreadsheets; one for NIST 800-53 r4 and r5 | ||
|
|
||
|
|
||
| ### Steps: | ||
| 1. Set up a new folder (e.g., ATT&CK-v400.0). Its contents should look like this: | ||
| ``` | ||
| frameworks/ | ||
| ├── ATT&CK-v10.1/ <--- Existing folder (not expanded) | ||
| └── ATT&CK-vX.Y/ <--- New Folder Structure | ||
| ├── nist800-53-r4/ | ||
| │ ├── input/ | ||
| │ ├── layers/ | ||
| │ └── stix/ | ||
| └── nist800-53-r5/ | ||
| ├── input/ | ||
| ├── layers/ | ||
| └── stix/ | ||
| ``` | ||
| 2. Populate the NIST 800-53 r4 folder: | ||
| 1. Copy the 800-53-r4 spreadsheet to `frameworks/ATT&CK-vX.Y/nist800-53-r4/nist800-53-r4-mappings.xlsx` | ||
| 2. Copy a prior version readme file to `frameworks/ATT&CK-vX.Y/nist800-53-r4/README.md` and perform the following edits: | ||
| 1. Line 3: Change the ATT&CK version to the correct one | ||
| 2. Line 7: Change mappings version to 1.0 | ||
| 3. Line 7: Change last updated to today's date (e.g., 22 December 2021) | ||
| 4. Line 7: Change the ATT&CK version to the correct one | ||
| 3. Copy a prior version parse.py file to `frameworks/ATT&CK-vX.Y/nist800-53-r4/parse.py` and do not make any edits | ||
| 4. Copy a prior version parse_controls.py file to `frameworks/ATT&CK-vX.Y/nist800-53-r4/parse_controls.py` and do not make any edits | ||
| 5. Copy a prior version parse_mappings.py file to `frameworks/ATT&CK-vX.Y/nist800-53-r4/parse_mappings.py` and do not make any edits | ||
| 6. Copy a prior version nist800-53-r4-controls.tsv to `frameworks/ATT&CK-vX.Y/nist800-53-r4/input/nist800-53-r4-controls.tsv` and do not make any edits | ||
| 7. Save a copy of `frameworks/ATT&CK-vX.Y/nist800-53-r4/nist800-53-r4-mappings.xlsx` as a tab separated format in `frameworks/ATT&CK-vX.Y/nist800-53-r4/input/nist800-53-r4-mappings.tsv` | ||
| 1. Depending on your setup, you may have to save the file as .txt and then rename to .tsv | ||
| 8. Copy a prior version `input/README.md` to `frameworks/ATT&CK-vX.Y/nist800-53-r4/input/README.md` and do not make any edits | ||
| 9. Copy a prior version `input/config.json` to `frameworks/ATT&CK-vX.Y/nist800-53-r4/input/config.json` and make the following changes: | ||
| 1. Line 4: Change the ATT&CK version to be correct | ||
| 2. Line 5: Change the mappings_version to be `1.0` | ||
| 3. Repeat the prior steps for NIST 800-53 r5 | ||
| 4. Set up and activate the project’s virtual environment | ||
| ``` | ||
| virtualenv venv | ||
| source venv/bin/activate | ||
| pip install -r requirements/requirements.txt | ||
| ``` | ||
| 5. Edit src/make.py: | ||
| 1. Append "vX.Y" to the ATT&CK version list on line 18 | ||
| 6. Run python src/make.py | ||
| 1. Error Q&A: | ||
| 1. NOTE WELL: Any changes to the spreadsheet will require re-creating the .tsv file | ||
| 2. ERROR: cannot find techniqueID T1547(.\011) | ||
| - Answer: A regex in the spreadsheet did not match an ATT&CK technique. In the above case, the regex was incorrect (should have been "\.011") and the spreadsheet needed to be corrected |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # NIST Special Publication 800-53 Revision 4 Control Mappings | ||
|
|
||
| This folder contains mappings of NIST Special Publication (SP) 800-53 Revision 4 to MITRE ATT&CK v10.1 along with parsers and supporting data. | ||
|
|
||
| | Mappings Version | Last Updated | ATT&CK Version | ATT&CK Domain | | ||
| |---|---|---|---| | ||
| | 1.0 | 03 January 2022 | [ATT&CK-v10.1](https://attack.mitre.org/versions/v10/) | Enterprise | | ||
|
|
||
| | Data || | ||
| |---|---| | ||
| | [spreadsheet](nist800-53-r4-mappings.xlsx) | Lists all of the mappings for this control framework. | ||
| | [layers](layers) | [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator) layers showing the mappings in the context of the ATT&CK Matrix. | | ||
| | [stix](stix) | Output STIX 2.0 json data. See the README in that folder for more information. | | ||
| | [input](input) | Input spreadsheets from which the STIX is built. To rebuild the STIX data from the input spreadsheets, run `python3 parse.py`.See the README in that folder for more information. | | ||
|
|
||
|
|
||
| ## Extended Fields | ||
|
|
||
| The NIST SP 800-53 Rev. 4 STIX data extends the [general controls format](/docs/stix_format.md) with the following properties: | ||
|
|
||
| | STIX field | type | description | | ||
| |:---|:---|:---| | ||
| | `x_mitre_impact` | list of strings | the baseline-impact of the control or enhancement. Values include `"LOW"`, `"MODERATE"`, `"HIGH"`. | | ||
| | `x_mitre_family` | string | The family to which the control belongs. | | ||
| | `x_mitre_priority` | string | The priority of the control. Control enhancements inherit this value from their parent control. | | ||
|
|
||
| ## Mapping NIST 800-53 Revision 4 to ATT&CK | ||
|
|
||
| Scoping decisions and mapping methodology for NIST 800-53 Rev. 4 controls are documented below. The mapping methodology for NIST 800-53 Rev. 4 controls builds upon and refines the overall [security control framework mapping methodology](/docs/mapping_methodology.md). | ||
|
|
||
| ### General Scoping Decisions | ||
| | Item | Scoping Decision | | ||
| |---|---| | ||
| | Operational vs. Policy and Procedural Controls | This effort is focused on the technical and operational elements of NIST 800-53 and did not take into account the management elements that are often focused on organization specific policies and procedures. This decision was made because management specific controls are policy-based, and the intent of this effort was focusing on technical and operation controls that correlate to ATT&CK mitigations, techniques, and sub-techniques. | | ||
| | Mitigation vs. Monitoring | Controls that may only monitor adversary behaviors are out of scope. The focus of this effort is on technical controls that mitigate adversary techniques and sub-techniques. For example, IR-5 Incident Monitoring would be out-of-scope as this does not serve as a mitigation, but rather detection of security incident occurrence. However, RA-4 Vulnerability Scanning is in scope as it can lead to findings which allow for remediation prior to exploitation (e.g., apply patches, remove vulnerable software) thereby mitigating attacks. Consideration is not given for the potential that an adversary might be dissuaded or change their tactics to try and avoid detection if they thought activity was being monitored. | | ||
| | Controls vs. Control Enhancements | This effort maps at the control level and does not map to specific control enhancements. | | ||
| | Implicit vs. Explicit Mitigation | This effort focuses on system-specific technical mitigations (e.g., block USB devices, perform data backups) and controls that support those mitigations rather than other, non-technical methods of mitigation (e.g., put system in a locked room, write a backup policy).| | ||
| | Network Infrastructure Devices | [ATT&CK v8](https://attack.mitre.org/resources/versions/) released on October 27, 2020, introduces techniques for adversary behavior on Network Infrastructure Devices, such as switches and routers. These have not been included in the control mappings. | | ||
| | [Pre-compromise Mitigation](https://attack.mitre.org/mitigations/M1056/) | Those techniques only associated with the Pre-compromise Mitigation are excluded. These apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques, and are considered out of scope. | | ||
|
|
||
| ### Control Family Scoping Decisions | ||
| NIST 800-53 revision 4 control families are listed below with links to the control family on the NIST web site and our rational for a given control family being in or out of scope: | ||
|
|
||
| | Control Family | In Scope | Rationale | | ||
| |---|---|---| | ||
| | AC - [Access Control](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=AC)| Yes | Access Control family is in scope as it provides technical and operational controls for the control and enforcement of system access, accounts, and information. | | ||
| | AT - [Awareness and Training](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=AT) | No | Awareness and Training controls are not applicable as they are for general security awareness training and not specific threat mitigations.| | ||
| | AU - [Audit and Accountability](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=AU) | No | Audit and Accountability controls are not applicable as they do not provide mitigations of specific threats, but instead detect successful attacks. | | ||
| | CA - [Security Assessment and Authorization](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=CA) | Yes | Security Assessment and Authorization controls are in scope as they provide technical and operational controls and techniques for monitoring and assessing security at the system level. | | ||
| | CM - [Configuration Management](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=CM) | Yes | Configuration Management controls are in scope as they maintain technical and operational controls for maintaining secure configuration of information systems. | | ||
| | CP - [Contingency Planning](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=CP) | Yes | Contingency Planning controls are in scope as they provide operational and technical controls for information protection at the system level.| | ||
| | IA - [Identification and Authentication](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=IA) | Yes | Identification and Authentication controls are in scope as they provide operational and technical controls for managing and enforcing identification and authentication of network and system users and devices.| | ||
| | IR - [Incident Response](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=IR) | No | Incident Response controls are not applicable as they do not provide mitigations of specific threats but rather provide detection of security incident occurrences. | | ||
| | MA - [Maintenance](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=MA) | No | Maintenance controls are not applicable as they are related to the procedural management of information system maintenance and are not threat-specific. | | ||
| | MP - [Media Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=MP) | Yes | Media Protection family is in scope as it provides technical and operational controls for the control and access of digital system media.| | ||
| | PE - [Physical and Environmental Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=PE) | No | Physical and Environmental Protection controls are not applicable as they are related to the management and protection of physical space. | | ||
| | PL - [Planning](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=PL) | No | Planning controls are not applicable as they focus on high-level system security plans and are not threat-specific.| | ||
| | PM - [Program Management](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=PM) | No | Program Management controls are not applicable as they focus on programmatic, organization-wide information security requirements for managing information security programs.| | ||
| | PS - [Personnel Security](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=PS) | No | Personnel security controls are not applicable as they are related to the procedural management of individuals. | | ||
| | RA - [Risk Assessment](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=RA) | Yes | Risk Assessment controls are in scope as they provide technical and operational controls and techniques for risk and vulnerability management and maintaining security at the system level. | | ||
| | SA - [System and Services Acquisition](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=SA) | Yes | System and Services Acquisition are in scope as they provide technical and operational controls for security testing and evaluation of the system development life cycle and supply chain risk management. | | ||
| | SC - [System and Communications Protection](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=SC) | Yes | System and Communications Protection controls are in scope as they provide technical and operational controls for the separation and protection of systems and information. | | ||
| | SI - [System and Information Integrity](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=4.0&family=SI) | Yes | System and Information Integrity controls are in scope as they provide technical and operational controls and techniques for protecting and analyzing the integrity of software, firmware, and information. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| | file | about | | ||
| |:-----|:------| | ||
| | nist800-53-r4-controls.tsv | NIST 800-53 revision 4 controls expressed in tab separated values, as distributed by NIST. | | ||
| | nist800-53-r4-mappings.tsv | tab separated values expressing relationships between NIST 800-53 revision 4 controls and ATT&CK Techniques. The techniqueID and controlID columns are regular expressions, which allows for easier mapping to control families and sub-techniques. | | ||
| | config.json | Identifies the control framework, ATT&CK domain and version in a machine-readable way. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "framework_id": "NIST 800-53 Revision 4", | ||
| "attack_domain": "enterprise-attack", | ||
| "attack_version": "v10.1", | ||
| "mappings_version": "v1.0" | ||
| } |
Oops, something went wrong.