MITRE’s Centre for Threat-Informed Defence (CTID) and Microsoft have jointly rolled out Security Stack Mappings for Azure, aimed at bringing the former’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework into the latter’s cloud platform – with rival platforms to follow.
Launched in 2015, MITRE’s ATT&CK framework was created to provide businesses with “a globally accessible knowledge base of adversary tactics and techniques based on real-world observations” in the hopes of building a foundation for threat-model development.
While access to ATT&CK is provided for all at no charge, MITRE is looking to boost its usage, hence the Microsoft partnership. The deal made Azure the first cloud platform to actively link to ATT&CK by mapping in-built security controls to the framework.
“The project aims to fill an information gap for organisations seeking proactive security awareness about the scope of coverage available natively in Azure,” said Madeline Carmichael, senior threat intel librarian at Microsoft’s Threat Intelligence Centre (MSTIC).
“The project does this by creating independent data showing how built-in security controls for a given technology platform, in this case Azure, secure their assets against the adversary tactics, techniques, and procedures (TTPs) most likely to target them.”
“This release represents our first in a collection of mappings of native product security controls to ATT&CK based on a common methodology, scoring rubric, data model, and tool set,” added MITRE’s lead security engineer Nicholas Amon, and MSTIC director of research and development Jon Baker.
“With these resources we have established the foundation for systematically mapping security controls to ATT&CK and provided a critical resource for organisations to assess their Azure security control coverage against real-world threats as described in the ATT&CK knowledge base.”
The project, dubbed Security Stack Mappings, maps each security control provided by Microsoft’s Azure platform to the ATT&CK techniques it addresses, often more than one, and scores for each technique how well the control protects against, detects, or responds to it.
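The practical value of a control-to-technique mapping is the inverse view: given the techniques an organisation expects to face, which native controls cover them and where are the gaps. The script below is an added example of that coverage check, not the CTID project's own tooling, and the mapping records it uses are constructed sample data: they follow the shape of the published YAML (a control, the techniques it maps to, and a Protect/Detect/Respond score of Minimal, Partial or Significant for each) but the control names and score values are invented for illustration, and sub-technique scores are omitted. The field names `techniques`, `technique-scores`, `category` and `value` are an assumption about the repository's data model; check the real files before reusing them.

```python
"""Turn control -> technique mappings into per-technique coverage and gaps.

Added example, not code from the Security Stack Mappings project. The mapping
records in SAMPLE_MAPPINGS are constructed: same shape as the project's YAML
(assumed field names), but invented controls and scores, not the published
Azure values. Real mappings would be loaded from YAML instead.
"""
from collections import defaultdict

# Scoring rubric used by the project: Minimal < Partial < Significant.
SCORE_RANK = {"Minimal": 1, "Partial": 2, "Significant": 3}
CATEGORIES = ("Protect", "Detect", "Respond")

# Constructed sample mappings (two controls, one technique mapped by both).
SAMPLE_MAPPINGS = [
    {
        "name": "Sample control 1 (constructed)",
        "techniques": [
            {"id": "T1078", "name": "Valid Accounts",
             "technique-scores": [{"category": "Protect", "value": "Significant"},
                                  {"category": "Detect", "value": "Minimal"}]},
            {"id": "T1110", "name": "Brute Force",
             "technique-scores": [{"category": "Protect", "value": "Partial"}]},
        ],
    },
    {
        "name": "Sample control 2 (constructed)",
        "techniques": [
            {"id": "T1078", "name": "Valid Accounts",
             "technique-scores": [{"category": "Detect", "value": "Partial"},
                                  {"category": "Respond", "value": "Minimal"}]},
        ],
    },
]


def best_scores(mappings):
    """Return {technique_id: {category: (value, control_name)}}, keeping the
    strongest score per category across every control that maps to it."""
    best = defaultdict(dict)
    for control in mappings:
        for tech in control["techniques"]:
            for score in tech["technique-scores"]:
                cat, val = score["category"], score["value"]
                if cat not in CATEGORIES or val not in SCORE_RANK:
                    raise ValueError(f"unknown score {cat}/{val} in {control['name']}")
                current = best[tech["id"]].get(cat)
                if current is None or SCORE_RANK[val] > SCORE_RANK[current[0]]:
                    best[tech["id"]][cat] = (val, control["name"])
    return dict(best)


def controls_for(mappings, technique_id):
    """Every control mapped to a technique: the 'more than one' case."""
    return sorted({c["name"] for c in mappings
                   for t in c["techniques"] if t["id"] == technique_id})


def coverage_gaps(mappings, techniques_of_interest, minimum="Partial"):
    """For each technique the organisation cares about, list the categories
    where no native control reaches `minimum`. A technique absent from the
    mappings entirely is reported as a gap in all three categories."""
    best = best_scores(mappings)
    floor = SCORE_RANK[minimum]
    gaps = {}
    for tid in techniques_of_interest:
        missing = [cat for cat in CATEGORIES
                   if cat not in best.get(tid, {})
                   or SCORE_RANK[best[tid][cat][0]] < floor]
        if missing:
            gaps[tid] = missing
    return gaps


if __name__ == "__main__":
    for tid, scores in sorted(best_scores(SAMPLE_MAPPINGS).items()):
        print(tid, scores)
    # Constructed "techniques of interest"; T1566 is deliberately unmapped.
    print("gaps:", coverage_gaps(SAMPLE_MAPPINGS, ["T1078", "T1110", "T1566"]))
```

Keeping the strongest score per category, rather than summing or averaging, matches how the rubric is meant to be read: two Minimal detections do not add up to Partial coverage. The `minimum` threshold lets a team decide that only Partial or better counts, which is the kind of judgement the mappings are meant to inform rather than replace.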
It’s already slightly outdated, however: the mappings use the older ATT&CK v8 data set, with a plan in place to update to April’s ATT&CK v9 release.
Microsoft’s Azure may be the first cloud platform targeted by MITRE’s project, but it won’t be the last. “The mappings between the Azure security stack and ATT&CK establish a foundation for future innovation,” Amon and Baker confirmed.
“We anticipate refining these resources based on your review and feedback, and the expansion of our mappings to include other platforms, such as Amazon Web Services (AWS), which we are working on now.”
“This is an excellent example of how a collaborative approach pays dividends,” ESET UK cybersecurity expert Jake Moore told The Register.
“The information gap is widely noted when organisations limit the amount of sharing they offer, but as we can see it clearly helps when working together.
“Combining the framework with Azure serves up an extra layer of protection for organisations. As Microsoft and the rest of the industry now have a reliable way of repeatedly adding on the mapping of built-in security controls, it will inevitably help against ATT&CK techniques.”
MITRE’s CTID has asked for feedback on the project, including suggestions on additional platforms to map and other ideas for expanding the effort, with interested parties asked to collaborate via the project’s GitHub repository, where the mappings are published under the permissive Apache License 2.0. ®