feat: implement initial mappings conversion CLI

make/python.mk

@@ -3,7 +3,7 @@
 lint: ## Run ruff, black, and mypy
 	poetry run ruff check src/
 	poetry run black --check src/
-	poetry run mypy --check src/
+	# poetry run mypy --check src/mappings_explorer/
 
 test: ## Run Python tests
 	poetry run pytest --cov=src/ --cov-report=term-missing

mappings/SecurityStack/AWS/AWSArtifact.yaml

@@ -0,0 +1,24 @@
+version: 1
+ATT&CK version: 9
+creation date: 07/15/2021
+name: AWS Artifact
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+  - Not Mappable
+description: >-
+  AWS Artifact is a central resource that provides on-demand access to AWS's security and compliance
+  reports and online agreements. Available reports include Service Organization Control (SOC)
+  reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across
+  geographies and compliance verticals that validate the implementation and operating effectiveness
+  of AWS security controls. Agreements available include the Business Associate Addendum (BAA) and
+  the Nondisclosure Agreement (NDA).
+techniques: []
+comments: >-
+  This control was not mapped because AWS Artifact provides access to reports and information but
+  does not protect against any ATT&CK techniques. All protections against ATT&CK techniques are
+  provided by the lower-level services evaluated by and referenced in those reports.
+references:
+  - 'https://aws.amazon.com/artifact'
+  - 'https://docs.aws.amazon.com/artifact'

mappings/SecurityStack/AWS/AWSAuditManager.yaml

@@ -0,0 +1,24 @@
+version: 1
+ATT&CK version: 9
+creation date: 07/15/2021
+name: AWS Audit Manager
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+  - Auditing
+  - Reports
+  - Not Mappable
+description: >-
+  AWS Audit Manager automates evidence collection from other services (notably AWS Config, AWS
+  Security Hub, AWS API calls, and AWS CloudTrail) for evaluation against compliance
+  frameworks/regulations and transformation into audit-friendly reports.
+techniques: []
+comments: >-
+  This control was not mapped because AWS Audit Manager is used to aggregate evidence from other
+  services in order to produce audit-ready reports, not provide protection against any ATT&CK
+  techniques or adversary behaviors. All protections against ATT&CK techniques are provided by the
+  lower-level services used for the evidence collection, which are assessed in different mappings.
+references:
+  - 'https://aws.amazon.com/audit-manager'
+  - 'https://docs.aws.amazon.com/audit-manager'

mappings/SecurityStack/AWS/AWSCertificateManager.yaml

@@ -0,0 +1,23 @@
+version: 1
+ATT&CK version: 9
+creation date: 07/15/2021
+name: AWS Certificate Manager
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+  - Credentials
+  - Not Mappable
+description: >-
+  AWS Certificate Manager is an Amazon service that supports the creation, storage, and renewal of
+  public and private SSL/TLS X.509 certificates and keys that protect AWS websites and applications.
+techniques: []
+comments: >-
+  This control was not mapped because AWS Certificate Manager simply issues certificates for use in
+  other AWS services such as Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk,
+  Amazon API Gateway, AWS Nitro Enclaves, and AWS CloudFormation. It does not inherently protect
+  against any ATT&CK techniques as it cannot be used to deploy certificates to other AWS services.
+  That must be done either manually or with services integrated into AWS Certificate Manager.
+references:
+  - https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
+  - https://aws.amazon.com/certificate-manager/faqs/?nc=sn&loc=5

mappings/SecurityStack/AWS/AWSCloudEndure.yaml

@@ -0,0 +1,131 @@
+version: 1
+ATT&CK version: 9
+creation date: 06/21/2021
+name: AWS CloudEndure Disaster Recovery
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+description: >+
+  AWS CloudEndure Disaster Recovery enables the replication and recovery of physical, virtual, and
+  cloud-based servers into AWS Cloud including public regions, AWS GovCloud, and AWS Outposts. AWS
+  CloudEndure continuously replicates servers and can launch fully provisioned machines within
+  minutes in the event that a disaster such as data center failures, server corruption, or cyber
+  attacks occur.
+
+techniques:
+  - id: T1190
+    name: Exploit Public-Facing Application
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >-
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that a public-facing application or server is compromised, AWS
+          CloudEndure can be used to provision an instance of the server from a previous point in
+          time within minutes. As a result, this mapping is given a score of Significant.
+  - id: T1485
+    name: Data Destruction
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >-
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to
+          provision an instance of the server from a previous point in time within minutes. As a
+          result, this mapping is given a score of Significant.
+  - id: T1486
+    name: Data Encrypted for Impact
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that data on servers is encrypted (e.g., ransomware), AWS CloudEndure can be used to
+          provision an instance of the server from a previous point in time within minutes. As a
+          result, this mapping is given a score of Significant.
+  - id: T1565
+    name: Data Manipulation
+    technique-scores:
+      - category: Respond
+        value: Minimal
+        comments: >
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be used to
+          provision an instance of the server from a previous point in time within minutes. This
+          mapping is given a score of Minimal because it only supports a subset (1 of 3) of the
+          sub-techniques.
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1565.001
+            name: Stored Data Manipulation
+        scores:
+          - category: Respond
+            value: Significant
+            comments: >-
+              AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into
+              AWS Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be
+              used to provision an instance of the server from a previous point in time within
+              minutes. As a result, this mapping is given a score of Significant.
+  - id: T1491
+    name: Defacement
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >-
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an
+          instance of the server from a previous point in time within minutes. This mapping is given
+          a score of Significant because it supports all of the sub-techniques (2 of 2).
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1491.001
+            name: Internal Defacement
+          - id: T1491.002
+            name: External Defacement
+        scores:
+          - category: Respond
+            value: Significant
+            comments: >-
+              AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into
+              AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to
+              provision an instance of the server from a previous point in time within minutes. As a
+              result, this mapping is given a score of Significant.
+  - id: T1561
+    name: Disk Wipe
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >-
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision
+          an instance of the server from a previous point in time within minutes. This mapping is
+          given a score of Significant because it supports all of the sub-techniques (2 of 2).
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1561.001
+            name: Disk Content Wipe
+          - id: T1561.002
+            name: Disk Structure Wipe
+        scores:
+          - category: Respond
+            value: Significant
+            comments: >-
+              AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into
+              AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to
+              provision an instance of the server from a previous point in time within minutes. As a
+              result, this mapping is given a score of Significant.
+  - id: T1490
+    name: Inhibit System Recovery
+    technique-scores:
+      - category: Respond
+        value: Significant
+        comments: >-
+          AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS
+          Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be
+          used to provision an instance of the server from a previous point in time within minutes.
+          As a result, this mapping is given a score of Significant.
+references:
+  - 'https://aws.amazon.com/cloudendure-disaster-recovery/'
+  - >-
+    https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm

mappings/SecurityStack/AWS/AWSCloudHSM.yaml

@@ -0,0 +1,87 @@
+version: 1
+ATT&CK version: 9
+creation date: 07/26/2021
+name: AWS CloudHSM
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+  - Credentials
+description: >-
+  AWS CloudHSM provides hardware security modules (HSM) in the AWS Cloud.  Using this service allows
+  generating, storing, importing, exporting, and managing cryptographic keys, including symmetric keys
+  and asymmetric key pairs.
+techniques:
+  - id: T1552
+    name: Unsecured Credentials
+    technique-scores:
+      - category: Protect
+        value: Minimal
+        comments: >-
+          This control's protection is specific to a minority of this technique's sub-techniques and
+          procedure examples resulting in a Minimal Coverage score and consequently an overall score
+          of Minimal.
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1552.001
+            name: Credentials In Files
+        scores:
+          - category: Protect
+            value: Partial
+            comments: >-
+              This service provides a more secure alternative to storing encryption keys in the file system.
+              As a result of this service only supporting cryptographic keys and not other types of credentials,
+              the coverage score is assessed as Partial resulting in an overall Partial score.
+      - sub-techniques:
+          - id: T1552.004
+            name: Private Keys
+        scores:
+          - category: Protect
+            value: Significant
+            comments: >-
+              This service allows for securely storing encryption keys and enforcing fine-grained access to the keys.
+              The service does not allow anyone access to retrieve plaintext keys from the service.
+  - id: T1588
+    name: Obtain Capabilities
+    technique-scores:
+      - category: Protect
+        value: Partial
+        comments: >-
+          This service provides protection against sub-techniques involved with stealing credentials,
+          certificates, keys from the organization.
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1588.004
+            name: Digital Certificates
+          - id: T1588.003
+            name: Code Signing Certificates
+        scores:
+          - category: Protect
+            value: Partial
+            comments: >-
+              Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and
+              threat from these sub-techniques.
+  - id: T1553
+    name: Subvert Trust Controls
+    technique-scores:
+      - category: Protect
+        value: Partial
+        comments: >-
+          This service provides protection against sub-techniques involved with stealing credentials, certificates,
+          and keys from the organization.
+    sub-techniques-scores:
+      - sub-techniques:
+          - id: T1553.004
+            name: Install Root Certificate
+          - id: T1553.002
+            name: Code Signing
+        scores:
+          - category: Protect
+            value: Partial
+            comments: >-
+              Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces
+              the attack surface and threat from these sub-techniques.
+references:
+  - 'https://aws.amazon.com/cloudhsm/'
+  - 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html'
+  - 'https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html'

mappings/SecurityStack/AWS/AWSCloudTrail.yaml

@@ -0,0 +1,20 @@
+version: 1
+ATT&CK version: 9
+creation date: 08/02/2021
+name: AWS CloudTrail
+contact: [email protected]
+organization: Center for Threat Informed Defense (CTID)
+platform: AWS
+tags:
+  - Not Mappable
+description: >-
+  AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and
+  risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded
+  as events in CloudTrail.
+techniques: []
+comments: >-
+  This control is not mappable because it does not provide any detection of malicious techniques. It
+  primarily provides a way to log and record events within AWS which then can be piped to other
+  security controls to determine if malicious activity has occurred.
+references:
+  - 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html'