Google Cloud Platform (GCP) recently announced MITRE ATT&CK mappings for its security controls, intended to improve the security posture of Google Cloud workloads. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The mappings let Google Cloud users assess GCP controls against adversary tactics, techniques and procedures (TTPs).
Ivan Ninichuck, solutions architect and Iman Ghanizada, global head of autonomic security operations at Google elaborated on the announcement in a blog post. MITRE is a non-profit organization that manages federally funded research & development centers. ATT&CK is an acronym for Adversarial Tactics, Techniques and Common Knowledge.
The mappings cover 49 Google Cloud security controls, each scored with a systematic scoring rubric. They are the outcome of GCP's research partnership with the MITRE Engenuity Center for Threat-Informed Defense (CTID).
GCP follows the MITRE Engenuity Center's mapping methodology, scoring rubric, data model and tool-set, consistent with the earlier mappings for Microsoft Azure and Amazon Web Services. The diagram below outlines the mapping methodology, which lets a security analyst see the security control being analyzed and the ATT&CK technique it mitigates.
Source: Announcing MITRE ATT&CK mappings for Google Cloud security capabilities
The scoring rubric categorizes the effectiveness of a security control into three categories: protect, detect and respond. Ninichuck and Ghanizada highlighted the similarity between the scoring rubric and Google ASO's continuous detection and continuous response (CD/CR) workflow.
In the diagram below, we can see the ATT&CK Navigation Layer, which visualizes Google Cloud native security controls mapping to ATT&CK techniques.
Source: Announcing MITRE ATT&CK mappings for Google Cloud security capabilities
Each color corresponds to one of the scoring rubric's categories and the respective level of coverage; purple marks techniques where more than one category overlaps. A Python-based CLI tool produces the visualization above, in addition to facilitating the mapping process and its maintenance for the GCP platform. The tool also validates mapping file syntax and supports querying the mapping data by different fields. A related announcement from the Center for Threat-Informed Defense discusses the tool and the data model in more detail.
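To make the three tool capabilities named above concrete (syntax validation, querying by field, and rendering a Navigator layer with one color per rubric category and purple for overlap), here is an added example that is not the CTID tool's code and not from the original article. The record schema (`control`, `technique_id`, `category`, `score`), the control and technique values in the sample data, and the color choices are all constructed assumptions for illustration; the real mapping files use CTID's own YAML schema. The Navigator layer fields (`techniqueID`, `color`, `score`, `comment`) follow the ATT&CK Navigator layer format.

```python
import json
from collections import defaultdict

# Constructed sample data. Field names and values are illustrative assumptions,
# not the CTID mapping schema and not an actual assessment of any GCP control.
SAMPLE_MAPPINGS = [
    {"control": "Control-A", "technique_id": "T1498", "category": "protect", "score": "significant"},
    {"control": "Control-A", "technique_id": "T1190", "category": "protect", "score": "partial"},
    {"control": "Control-B", "technique_id": "T1190", "category": "detect", "score": "partial"},
    {"control": "Control-C", "technique_id": "T1046", "category": "detect", "score": "significant"},
    {"control": "Control-D", "technique_id": "T1190", "category": "respond", "score": "minimal"},
]

# The three rubric categories from the article; score levels are an assumed ordinal scale.
VALID_CATEGORIES = {"protect", "detect", "respond"}
VALID_SCORES = {"minimal": 1, "partial": 2, "significant": 3}
REQUIRED_FIELDS = ("control", "technique_id", "category", "score")

# Assumed color scheme: one color per category, purple where categories overlap.
CATEGORY_COLORS = {"protect": "#1f77b4", "detect": "#2ca02c", "respond": "#ff7f0e"}
OVERLAP_COLOR = "#8e44ad"


def validate(mappings):
    """Return a list of error strings; an empty list means every record is well-formed."""
    errors = []
    for i, rec in enumerate(mappings):
        for field in REQUIRED_FIELDS:
            if field not in rec:
                errors.append(f"record {i}: missing field '{field}'")
        if rec.get("category") not in VALID_CATEGORIES:
            errors.append(f"record {i}: unknown category {rec.get('category')!r}")
        if rec.get("score") not in VALID_SCORES:
            errors.append(f"record {i}: unknown score {rec.get('score')!r}")
        tid = rec.get("technique_id")
        # Accept technique ids like T1190 and sub-technique ids like T1078.004.
        if not (isinstance(tid, str) and tid.startswith("T")
                and tid[1:].replace(".", "", 1).isdigit()):
            errors.append(f"record {i}: malformed technique id {tid!r}")
    return errors


def query(mappings, **criteria):
    """Return records whose fields match every keyword criterion (e.g. category='detect')."""
    return [rec for rec in mappings if all(rec.get(k) == v for k, v in criteria.items())]


def coverage_by_category(mappings):
    """Count distinct techniques covered under each rubric category."""
    techniques = defaultdict(set)
    for rec in mappings:
        techniques[rec["category"]].add(rec["technique_id"])
    return {cat: len(techniques[cat]) for cat in sorted(VALID_CATEGORIES)}


def navigator_layer(mappings, name="Constructed GCP mapping layer"):
    """Build an ATT&CK Navigator layer dict: one entry per technique, colored by rubric category."""
    by_technique = defaultdict(list)
    for rec in mappings:
        by_technique[rec["technique_id"]].append(rec)
    techniques = []
    for tid, recs in sorted(by_technique.items()):
        categories = {r["category"] for r in recs}
        color = OVERLAP_COLOR if len(categories) > 1 else CATEGORY_COLORS[next(iter(categories))]
        # Layer score is the strongest coverage level any control provides for this technique.
        score = max(VALID_SCORES[r["score"]] for r in recs)
        comment = "; ".join(f"{r['control']} ({r['category']}: {r['score']})" for r in recs)
        techniques.append({"techniqueID": tid, "color": color, "score": score, "comment": comment})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4", "navigator": "4.8.0"},
        "techniques": techniques,
    }


if __name__ == "__main__":
    problems = validate(SAMPLE_MAPPINGS)
    print("validation errors:", problems or "none")
    print("detect mappings:", [r["control"] for r in query(SAMPLE_MAPPINGS, category="detect")])
    print("coverage:", coverage_by_category(SAMPLE_MAPPINGS))
    print(json.dumps(navigator_layer(SAMPLE_MAPPINGS), indent=2))
```

Running the script validates the constructed records, lists the controls mapped in the detect category, prints per-category technique counts, and emits a layer JSON that can be loaded into ATT&CK Navigator; T1190 comes out purple because it is covered by protect, detect and respond controls at once.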
Jon Baker, general manager and co-founder at Center for Threat-Informed Defense, said,
Applying threat-informed defense is about using cyber threat intelligence to understand, prioritize, and improve our defensive capabilities. Mapping the native security controls of the Google Cloud to MITRE ATT&CK® is a foundational step that empowers defenders with an independent assessment of how Google Cloud capabilities can defend against ATT&CK® techniques.
Ninichuck and Ghanizada recommended that organizations take time to assess each phase of the CD/CR workflow and identify where they can employ the ATT&CK mappings across their organizations. Readers can get involved by contacting the CTID at ctid@mitre-engenuity.org or by logging issues on the project's GitHub repository.