MITRE’s Center for Threat-Informed Defense (CTID) and Microsoft have jointly introduced Security Stack Mappings for Azure, bringing the former’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to the latter’s cloud platform – with competing platforms to follow.
MITRE’s ATT&CK framework, introduced in 2015, was created to provide companies with “a globally accessible knowledge base of adversarial tactics and techniques based on real-world observations” in the hope of providing a basis for developing threat models.
While access to ATT&CK is free for everyone, MITRE wants to increase its usage, hence the Microsoft partnership. The deal makes Azure the first cloud platform to actively link with ATT&CK by mapping its built-in security controls to the framework.
“The project aims to fill an information gap for organizations seeking proactive security awareness of the coverage natively available in Azure,” said Madeline Carmichael, senior threat intelligence librarian at Microsoft’s Threat Intelligence Center (MSTIC).
“The project does this by creating independent data that shows how the built-in security controls of a given technology platform, in this case Azure, protect its resources against the adversary tactics, techniques, and procedures (TTPs) most likely to target it.”
“This release is the first in a collection of native product security control mappings to ATT&CK based on a common methodology, assessment rubric, data model and toolset,” added Nicholas Amon, MITRE senior security engineer, and Jon Baker, head of research and development at MSTIC.
“With these resources, we have laid the foundation for the systematic mapping of security controls to ATT&CK and provided organizations with an important resource for evaluating their Azure security controls against real threats, as described in the ATT&CK knowledge base.”
In the project, called Security Stack Mappings, each security control on the Microsoft Azure platform is mapped to the ATT&CK techniques it addresses – in some cases more than one.
It’s already a bit out of date, however: the mappings use the older ATT&CK v8 dataset, with the plan to upgrade to the April ATT&CK v9 release.
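To show what a defender can do with mappings of this shape, here is an added example (not code or data from the CTID project): it aggregates constructed control-to-technique records, with an assumed schema and an assumed Minimal/Partial/Significant scoring scale, into a per-technique coverage view, lists techniques of interest with no mapped control, and flags mappings built against an older ATT&CK version than the one being assessed.

```python
"""Aggregate control-to-ATT&CK mappings into a per-technique coverage view."""
from collections import defaultdict

TARGET_ATTACK_VERSION = 9  # ATT&CK release you want to assess coverage against

# Constructed sample in the shape this example assumes for a Security Stack
# mapping: one record per Azure control, each listing the techniques it
# addresses and a score (category + strength). Not the project's real data.
SAMPLE_MAPPINGS = [
    {"name": "Azure AD Multi-Factor Authentication", "attack_version": 8,
     "techniques": [
         {"id": "T1078", "scores": [{"category": "Protect", "value": "Significant"}]},
         {"id": "T1110", "scores": [{"category": "Protect", "value": "Significant"}]},
     ]},
    {"name": "Azure Security Center Recommendations", "attack_version": 8,
     "techniques": [
         {"id": "T1078", "scores": [{"category": "Detect", "value": "Partial"}]},
         {"id": "T1190", "scores": [{"category": "Protect", "value": "Minimal"}]},
     ]},
]

STRENGTH = {"Minimal": 1, "Partial": 2, "Significant": 3}  # assumed rubric order

def coverage_by_technique(mappings):
    """Return {technique_id: {category: (best_value, [control names])}}."""
    cov = defaultdict(dict)
    for control in mappings:
        for tech in control["techniques"]:
            for score in tech["scores"]:
                cat = score["category"]
                best, ctrls = cov[tech["id"]].get(cat, (None, []))
                if best is None or STRENGTH[score["value"]] > STRENGTH[best]:
                    best = score["value"]
                cov[tech["id"]][cat] = (best, ctrls + [control["name"]])
    return dict(cov)

def uncovered(technique_ids, mappings):
    """Techniques of interest that no mapped control addresses at all."""
    return sorted(set(technique_ids) - set(coverage_by_technique(mappings)))

def stale_mappings(mappings, target=TARGET_ATTACK_VERSION):
    """Controls whose mapping was built against an older ATT&CK version."""
    return [m["name"] for m in mappings if m["attack_version"] < target]

if __name__ == "__main__":
    for tid, cats in sorted(coverage_by_technique(SAMPLE_MAPPINGS).items()):
        print(tid, cats)
    print("uncovered:", uncovered(["T1078", "T1566"], SAMPLE_MAPPINGS))
    print("stale:", stale_mappings(SAMPLE_MAPPINGS))
```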
Microsoft’s Azure may be the first cloud platform the MITRE project is targeting, but it won’t be the last. “The mappings between the Azure security stack and ATT&CK form a basis for future innovations,” confirmed Amon and Baker.
“We expect to refine these resources based on your reviews and feedback and to expand our mappings to other platforms, such as Amazon Web Services (AWS), which we are currently working on.”
“This is a great example of how a collaborative approach can pay off,” Jake Moore, UK cybersecurity expert for ESET, told The Register.
“The information gap is widely noticed when organizations limit the amount of sharing they offer, but as we can see it clearly helps collaboration.
“Combining the framework with Azure gives organizations an extra layer of protection. With Microsoft and the rest of the industry now having a reliable way to repeatably map built-in security controls, it will inevitably help against ATT&CK techniques.”
MITRE’s CTID has requested feedback on the project, including suggestions for additional platforms to map and other ideas for expanding the effort, with interested parties invited to contribute through the project’s GitHub repository, where the mappings are published under the permissive Apache License 2.0. ®