diff --git a/docs/use-cases.md b/docs/use-cases.md index 9b388fa0..8c252085 100644 --- a/docs/use-cases.md +++ b/docs/use-cases.md @@ -18,7 +18,7 @@ Because techniques can map to multiple controls, it is likely that there will be ### 3. I want to determine what security controls I should use to implement a given ATT&CK mitigation -Mitigations in ATT&CK are mapped to techniques, and this proejct maps techniques to security controls. One possible interpretation of “implementing” a mitigation may be finding the set of security controls that mitigates the techniques that are mapped to the mitigation. This then resolves to an extension of [use case 2](#2-i-want-to-know-what-security-controls-to-selectimplement-in-order-to-mitigate-a-specific-set-of-techniques), where the set of techniques is those associated with the ATT&CK Mitigation. +Mitigations in ATT&CK are mapped to techniques, and this project maps techniques to security controls. One possible interpretation of “implementing” a mitigation may be finding the set of security controls that mitigates the techniques that are mapped to the mitigation. This then resolves to an extension of [use case 2](#2-i-want-to-know-what-security-controls-to-selectimplement-in-order-to-mitigate-a-specific-set-of-techniques), where the set of techniques is those associated with the ATT&CK Mitigation. Visualization of this indirect mapping should be undertaken with care. It should not be implied that a security control maps directly to a mitigation or vice versa, since that is firstly inaccurate to the data model and some of those derived “mappings” could be confusing in certain cases. The intermediate step of the technique must therefore always be shown in visualizations of these two-step mappings. ATT&CK Mitigations should be interpreted as a “contextual grouping” of techniques, and the visualization should convey that the actual mappings happen with the contextually-grouped techniques, not the mitigation or other grouping object.
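Review bot: the trailing context paragraph of this hunk ("Visualization of this indirect mapping should be undertaken with care...") has a wording problem that could be fixed in the same pass as the "proejct" typo: "since that is firstly inaccurate to the data model and some of those derived “mappings” could be confusing" opens an enumeration with "firstly" that is never completed. Suggest something like "since that is inaccurate to the data model, and some of those derived “mappings” could be confusing in certain cases". On the changed line itself, "mitigation" appears in lower case three times and then as "ATT&CK Mitigation" at the end of the sentence, and the context paragraph uses "ATT&CK Mitigations" again; pick one capitalization for the ATT&CK object so readers can tell it apart from the generic verb sense of "mitigates" used in the same sentence. The typo correction itself is fine as is.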