For the better part of a decade, I have spent a good amount of time analyzing security and compliance frameworks. There is beauty to be found in every one of them. Some are very high level and leave the organization to interpret how to implement the various controls, such as the CIS Critical Security Controls. Others are incredibly prescriptive and provide step-by-step instructions on how to enable or disable various settings, such as the hardening benchmarks from CIS or DISA.
Most fall somewhere in between, dictating what should be done without providing technical implementation steps.
I have talked with a lot of folks who are already implementing a compliance framework, such as PCI or NIST SP 800-53, and are looking for where to start on implementing the Critical Security Controls. When this happens, I often refer to an excellent poster which was made available from CIS. This mapped some of the more popular compliance frameworks to the twenty Critical Controls. (I am hoping that now that version 7 of the Critical Security Controls has been released, we will see an updated poster from CIS in the coming months.)
Beginning last year, the MITRE ATT&CK Framework has gained a lot of recognition around the industry. This framework splits out 10 tactics into hundreds of techniques. What I particularly love about it is that each technique lists out mitigation and detection mechanisms you can put in place.
Additionally, each technique has real-world examples of threat actors or malware campaigns that have used the technique. ATT&CK is an incredible repository of actionable information.
What I wanted to see was a mapping of the Critical Security Controls to ATT&CK. I couldn’t find anything available on the Internet, so I went about it myself.
Last month, I went through and reviewed each individual (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/security-controls/mapping-the-attck-framework-to-cis-controls/