The Center for Threat-Informed Defense, operated by MITRE Engenuity™, has released a set of mappings between the security controls native to the Azure Infrastructure as a Service (IaaS) platform and MITRE ATT&CK®. This release represents the first in a collection of mappings of native product security controls to ATT&CK based on a common methodology, scoring rubric, data model, and tool set. With these resources, the Center has established the foundation for systematically mapping security controls to ATT&CK and provided a critical resource for organizations to assess their Azure security control coverage against real-world threats as described in the ATT&CK knowledge base.
Mapping the security stack of the Azure platform, or any set of platform security controls, to ATT&CK is a labor-intensive and often subjective undertaking. Furthermore, due to the large number of security controls in any given security stack and the evolving nature of cyber adversaries, these mappings are often error-prone and difficult to maintain. In collaboration with Center Participants (AttackIQ, Ernst & Young U.S., HCA Healthcare, JPMorgan Chase, Microsoft, US National Bank Association, Verizon and one other participant), the Center recognized that there was not only a need for these mappings, but also an opportunity to work collaboratively and advance threat-informed defense with the global community. With over 45 Azure native security controls mapped, the Center believes that this work will greatly reduce the burden on the community, empowering defenders with independent data on which Azure controls are most useful in defending against the adversary TTPs they care about.
A new blog post by Nicholas Amon and Jon Baker describes the work in detail.