
center-for-threat-informed-defense / attack-control-framework-mappings

477.0 109.0 87.0 54.6 MB

🚨ATTENTION🚨 The NIST 800-53 mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.

Home Page: https://center-for-threat-informed-defense.github.io/mappings-explorer/external/nist/

License: Apache License 2.0

Python 100.00%
cti cyber-threat-intelligence mitre-attack cybersecurity nist800-53 security-controls ctid threat-informed-defense risk-management

attack-control-framework-mappings's People

Contributors

dependabot[bot], emmanvg, iandavila, isaisabel, jonathanbaker, kgreenemitre, m3mike, markdavidson, mehaase, nickamon, stevenhardey, tiffb, unkempthenry

attack-control-framework-mappings's Issues

PL-8 is mapped?

The readme files for rev 4 and rev 5 say that the PL family is not in scope. However, PL-8 is mapped to T1078 via M1013 and T1482 via M1047.

unannotated selection not working

When right-clicking on a technique and selecting "unannotated", it doesn't apply to all unannotated techniques. How do I resolve this issue?

README clarity

As a visitor to the control mappings project repository, I want to be able to find out:

  • What the high level objective of this project is/was?
  • What STIX is and where I can read more about it?
  • Why the python scripts exist if the data is also on the repository (e.g., why I might want to extend the mappings)?

Error when running listMappings.py

I am seeing the error below. I ran make.py first and know the documents are there.

  1. Ran make.py
  2. Ran listMappings.py

  (venv) josebarajas@Joses-MacBook-Pro attack-control-framework-mappings-master % python util/listMappings.py
  downloading ATT&CK data...
  /Users/josebarajas/git/aiqlabs/attack-control-framework-mappings-master/venv/lib/python3.8/site-packages/urllib3/connectionpool.py:979: InsecureRequestWarning: Unverified HTTPS request is being made to host 'raw.githubusercontent.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
    warnings.warn(
  done
  loading controls framework... done
  loading mappings...
  Traceback (most recent call last):
    File "util/listMappings.py", line 81, in <module>
      df = mappingsToDF(attackdata, controls, mappings)
    File "util/listMappings.py", line 18, in mappingsToDF
      technique = attackbundle.get(mapping.target_ref)[0]
  TypeError: 'NoneType' object is not subscriptable

security baseline information is missing in NIST SP800-53 Rev 5 mappings

I noticed that the Rev 5 mappings are missing the extended properties that indicate what baseline the particular control is used in. These are available in the Rev 4 mappings. Upon closer examination, I noticed that the nist800-53-r5-controls.tsv document doesn't contain the column that lists the security baselines of which the controls are part.

While I know that the security & privacy controls were moved from the NIST 800-53 Rev 5 document to the new NIST 800-53B document, they are still part of the spec. So, it seems they are not produced because the source document doesn't contain them (and the code to handle them has been removed).

Is there any plan to incorporate them back into this mapping?

subcontrol-of relationship between a control and a control enhancement appears to be missing in Rev 5

In searching the frameworks/nist800-53-r5/stix/nist800-53-r5-mappings.json I don't see any relationships defined between the control and the control's enhancements. For example, there is no subcontrol-of relationship between the course-of-action object representing the AC-2 "Account Management" control and its control enhancement AC-2(1) "Account Management | Automated System Account Management".

Is this a known limitation?
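One way to check the question above against a bundle, as an added example that is not the repository's own code: scan the course-of-action objects for enhancement IDs, look for a matching subcontrol-of relationship, and emit the relationships that are absent. It assumes the layout described on this page (each control is a course-of-action whose external_references carry the framework's source_name and the control ID in external_id); the sample objects and the source_name value are constructed here, so substitute the source_name actually used in nist800-53-r5-mappings.json when running it on the real file.

```python
import re
import uuid

# Control ID notation used in the spreadsheets and issues on this page:
# base control "AC-2", enhancements "AC-2(1)" or "AC-2 (1)".
ENHANCEMENT_RE = re.compile(r"^([A-Z]{2}-\d+)\s*\((\d+)\)$")


def parent_control(external_id):
    """'AC-2(1)' or 'AC-2 (1)' -> 'AC-2'; a base control such as 'AC-2' -> None."""
    m = ENHANCEMENT_RE.match(external_id.strip())
    return m.group(1) if m else None


def control_index(objects, source_name):
    """Map control ID -> STIX id of its course-of-action object.

    Assumption (from this page's description, not verified against the repo):
    each control is a course-of-action with an external reference whose
    source_name is the framework identifier and whose external_id is the control ID.
    """
    index = {}
    for obj in objects:
        if obj.get("type") != "course-of-action":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == source_name and "external_id" in ref:
                index[ref["external_id"].replace(" ", "")] = obj["id"]
    return index


def subcontrol_of_pairs(objects):
    """(source_ref, target_ref) of every existing subcontrol-of relationship."""
    return {(o["source_ref"], o["target_ref"]) for o in objects
            if o.get("type") == "relationship"
            and o.get("relationship_type") == "subcontrol-of"}


def missing_subcontrol_of(objects, source_name):
    """Sorted (enhancement, parent) pairs with no enhancement -> parent subcontrol-of link."""
    index = control_index(objects, source_name)
    present = subcontrol_of_pairs(objects)
    missing = []
    for control_id, stix_id in index.items():
        parent = parent_control(control_id)
        if parent is None:
            continue
        # index.get(parent) is None when the parent control itself is absent,
        # which also counts as missing.
        if (stix_id, index.get(parent)) not in present:
            missing.append((control_id, parent))
    return sorted(missing)


def build_subcontrol_of(objects, source_name):
    """Relationship objects (STIX 2.0 shape, as the project pins stix2 v2.0) closing the gaps."""
    index = control_index(objects, source_name)
    relationships = []
    for control_id, parent in missing_subcontrol_of(objects, source_name):
        if parent not in index:
            continue  # parent control not in bundle: report only, nothing to link to
        relationships.append({
            "type": "relationship",
            "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": "subcontrol-of",
            "source_ref": index[control_id],
            "target_ref": index[parent],
        })
    return relationships


# Constructed sample bundle contents (not the repository's data).
SAMPLE_SOURCE = "NIST 800-53 Revision 5"  # constructed; use the bundle's real source_name


def _course_of_action(control_id):
    return {"type": "course-of-action",
            "id": f"course-of-action--{uuid.uuid4()}",
            "name": control_id,
            "external_references": [{"source_name": SAMPLE_SOURCE,
                                     "external_id": control_id}]}


SAMPLE_OBJECTS = [_course_of_action(c)
                  for c in ("AC-2", "AC-2(1)", "AC-2 (2)", "AC-3", "AC-3(1)")]
_index = control_index(SAMPLE_OBJECTS, SAMPLE_SOURCE)
SAMPLE_OBJECTS.append({  # AC-3(1) is already linked; AC-2's enhancements are not
    "type": "relationship", "id": f"relationship--{uuid.uuid4()}",
    "relationship_type": "subcontrol-of",
    "source_ref": _index["AC-3(1)"], "target_ref": _index["AC-3"],
})

if __name__ == "__main__":
    for enhancement, parent in missing_subcontrol_of(SAMPLE_OBJECTS, SAMPLE_SOURCE):
        print(f"missing: {enhancement} subcontrol-of {parent}")
```

To run it on the repository's file, `json.load` the bundle and pass `bundle["objects"]` together with the source_name string the bundle actually uses; the generated relationships can then be appended to the bundle's object list.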

Create script to expand the regex mappings

As a developer of controls mappings, I want to be able to execute QA/QC processes on the full list of mappings — the regex-ified mappings, while useful for quick addition of new mappings, are not easy to read or comment on during QA/QC processes.

Build a script which will expand the regex-ified mappings into a full mapping spreadsheet. E.g:

controlID    techniqueID
AC-(1|2|3)    T1024

would expand into:

controlID    techniqueID
AC-1    T1024
AC-2    T1024
AC-3    T1024

Enable SSL certificate verification for requests

Currently, SSL verification is disabled for python requests.get() invocations to avoid firewall problems. SSL cert verification should be enabled before the public release of this repository.

Mapping Description Column

Hello,
First, thank you for this work, which is both needed and significant. I have two questions regarding the Mapping Description column in the spreadsheets (r4 and r5):

  • What does it mean when it is empty?
  • The content otherwise seems to be the concatenation of the applicable SP 800-53 control descriptions. However, in r5 I find "security assessment", which does not correspond to any control description. Is this a typo?

Thank you
Slim Bentami

Create layer directory

As a user of the control mappings repository, I want to be able to click a link to open any of the generated layer files in the navigator.


Generate a markdown list of generated layer files, where each item in the list is a link to the layer in the Navigator using the Navigator's Layer Link functionality.

MA-5 mapping

MA-5 Maintenance Personnel is mapped to T1606 Forge Web Credentials in the ATT&CK v10.1 mapping to 800-53 v5. MA controls are out of scope.

Broken download links

Regex causing unintended mappings of control enhancements

Some of the regex mappings for both Revision 4 and Revision 5 are formatted such that they accidentally map to control enhancements when they should not.

For instance, AC-6|CM-7 will map to all control enhancements of AC-6 because the parser will match the AC-6 side to AC-6 (1), AC-6 (2), and so on. The parser usually avoids this by automatically putting start and end-of-string markers (^ and $ respectively) around the expression. However, in cases where an OR is specified such as the example above it will still match on substrings, causing bugs such as the mapping of enhancements.

The fix in this case is to surround all ORs like the one above in parentheses so that the start and end-of-string markers apply as intended to the whole expression.

The following are the affected lines for Revision 4 and Revision 5:

attack-control-framework-mappings/frameworks/nist800-53-r4/input/nist800-53-r4-mappings.tsv

| LINE# | REGEX 
|-------|--------------
| 1205  | CM-2|AC-4
| 1206  | CM-2|AC-4
| 1217  | IA-9|SC-20|CM-10
| 1221  | AC-17|CM-7
| 1222  | AC-17|CM-7
| 1223  | AC-6|CM-7
| 1224  | AC-6|SI-7
| 1225  | AC-6|CM-5
| 1227  | AC-6|SI-7
| 1233  | AC-6|CM-5
| 1234  | AC-6|CM-5

attack-control-framework-mappings/frameworks/nist800-53-r5/input/nist800-53-r5-mappings.tsv

| LINE# | REGEX 
|-------|--------------
| 296   | AC-17|CM-7
| 297   | AC-17|CM-7
| 298   | AC-6|CM-7
| 299   | AC-6|SI-7
| 300   | AC-6|CM-5
| 302   | AC-6|SI-7
| 308   | AC-6|CM-5
| 309   | AC-6|CM-5
| 1188  | CM-2|AC-4
| 1189  | CM-2|AC-4
| 1220  | IA-9|SC-20|CM-10
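The expansion script requested in "Create script to expand the regex mappings" and the anchoring bug described in this issue are two sides of the same operation, so here is one added example covering both; it is not the project's own parser. It wraps each spreadsheet regex in ^ and $ as the issue says the parser does, can reproduce the leak for a top-level OR or apply the parenthesis fix, flags the rows that need the fix, and expands regex-ified rows into the flat controlID/techniqueID table wanted for QA/QC. The control list and rows are constructed here; a real run would read them from the framework's controls and mappings TSV files.

```python
import re

# Constructed sample of control IDs in the spreadsheet's own notation (a real
# run reads them from frameworks/nist800-53-r5/input/nist800-53-r5-controls.tsv).
SAMPLE_CONTROLS = [
    "AC-1", "AC-2", "AC-3", "AC-4", "AC-6", "AC-6 (1)", "AC-6 (2)", "AC-17",
    "CM-2", "CM-5", "CM-7", "CM-7 (1)", "SI-7", "SI-7 (1)",
]


def normalize_id(control_id):
    """Drop the optional space before an enhancement number: 'AC-6 (1)' -> 'AC-6(1)'."""
    return re.sub(r"\s+\(", "(", control_id.strip())


def anchor(pattern, group=True):
    """Wrap a spreadsheet regex in ^ and $ as the issue says the parser does.

    group=True adds the proposed fix (outer parentheses); group=False reproduces
    the bug, where '^AC-6|CM-7$' parses as '(^AC-6)|(CM-7$)'.
    """
    body = f"({pattern})" if group else pattern
    return f"^{body}$"


def has_top_level_alternation(pattern):
    """True when a '|' sits outside every parenthesis, so ^ and $ bind to only
    the first and last alternative. Assumption: no escaped parentheses in the TSV."""
    depth = 0
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return True
    return False


def expand(pattern, controls, group=True):
    """Concrete control IDs a regex-ified mapping selects from the control list."""
    rx = re.compile(anchor(pattern, group))
    return [c for c in map(normalize_id, controls) if rx.match(c)]


def expand_mappings(rows, controls, group=True):
    """(controlRegex, techniqueID) rows -> flat (controlID, techniqueID) rows for QA/QC."""
    return [(control, technique)
            for pattern, technique in rows
            for control in expand(pattern, controls, group)]


def unsafe_rows(rows):
    """1-based row numbers whose regex would leak enhancements under the buggy anchoring."""
    return [i for i, (pattern, _) in enumerate(rows, start=1)
            if has_top_level_alternation(pattern)]


if __name__ == "__main__":
    # Constructed rows; the technique IDs are placeholders, not real mappings.
    rows = [("AC-(1|2|3)", "T1024"), ("AC-6|CM-7", "T1078")]
    print("rows needing parentheses:", unsafe_rows(rows))
    print("buggy  :", expand("AC-6|CM-7", SAMPLE_CONTROLS, group=False))
    print("fixed  :", expand("AC-6|CM-7", SAMPLE_CONTROLS))
    for control, technique in expand_mappings(rows, SAMPLE_CONTROLS):
        print(f"{control}\t{technique}")
```

Running `unsafe_rows` over the regex column of a mappings TSV reproduces the two affected-line tables above; a regex such as `AC-(1|2|3)` is reported as safe because its alternation is already inside parentheses.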

Equivalency with MITRE mitigations

Hello,

Is the set of NIST controls mitigating a given technique/sub technique to be understood as equivalent to the set of MITRE mitigations mitigating the same technique/sub technique?

I have so far assumed that the set of MITRE mitigations mitigating a given technique/sub technique when implemented will effectively mitigate it as best possible. So my question is really about figuring out if the same is true if one implements the set of NIST controls instead.

Have you considered mapping control to control instead which would help somewhat with this question?

Many thanks in advance,

Slim

Lock stix2 to use v2.0

Instead of specifying stix2.Bundle(relationships, spec_version="2.0"), import the entire stix2 library as from stix2.v20 import Bundle. This will allow us to upgrade to STIX2.1 by simply changing v20 to v21.

Allow for mixed domains and versions

Currently, make.py builds everything using the default arguments, which therefore requires that all control framework mappings apply to the same domain and ATT&CK version. We should add a file to each framework (required by make.py) called config.json which defines the following:

  • The control framework identifier (for the source_name field of external references)
  • The ATT&CK domain
  • The ATT&CK version

This will also increase the machine-readability and organization of the contents of this repository, and help fulfill #14.

Add status information to the readme for each framework

The readme for each framework needs to include basic status information like:

  • version / last updated info
  • scope of the mappings: is this a complete mapping or partial? If partial, why is it partial? Details of this can be explained in the methodology as it is applied to the framework.

Problems Installing things

I am trying to install whatever I need to run listMappings.py on my Mac. I seem to be stuck (please keep in mind I don't do this much, so I could be messing something up). I followed the install instructions as best I could, but when I run python3 make.py I get the following (it seems to be complaining about something called "pandas" and "stix2"; where do I get these?):

Traceback (most recent call last):
  File "parse.py", line 4, in <module>
    from parse_controls import parse_controls
  File "/Users/admin/0-Files/CTID/frameworks/nist800-53-r4/parse_controls.py", line 1, in <module>
    import pandas as pd
ModuleNotFoundError: No module named 'pandas'
Traceback (most recent call last):
  File "mappingsToHeatmaps.py", line 3, in <module>
    from stix2 import Filter, MemoryStore
ModuleNotFoundError: No module named 'stix2'
Traceback (most recent call last):
  File "substitute.py", line 1, in <module>
    from stix2.v20 import Bundle
ModuleNotFoundError: No module named 'stix2'
Traceback (most recent call last):
  File "parse.py", line 4, in <module>
    from parse_controls import parse_controls
  File "/Users/admin/0-Files/CTID/frameworks/nist800-53-r5/parse_controls.py", line 1, in <module>
    import pandas as pd
ModuleNotFoundError: No module named 'pandas'
Traceback (most recent call last):
  File "mappingsToHeatmaps.py", line 3, in <module>
    from stix2 import Filter, MemoryStore
ModuleNotFoundError: No module named 'stix2'
Traceback (most recent call last):
  File "substitute.py", line 1, in <module>
    from stix2.v20 import Bundle
ModuleNotFoundError: No module named 'stix2'
