Microsoft hooks up with MITRE to map Azure's ATT&CK surface for 'proactive security'

Amazon's AWS next cloud platform in line for adversarial tactics framework

MITRE's Centre for Threat-Informed Defence (CTID) and Microsoft have jointly rolled out Security Stack Mappings for Azure, aimed at bringing the former's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework into the latter's cloud platform – with rival platforms to follow.

Launched in 2015, MITRE's ATT&CK framework was created to provide businesses with "a globally accessible knowledge base of adversary tactics and techniques based on real-world observations" in the hopes of building a foundation for threat-model development.

While access to ATT&CK is provided for all at no charge, MITRE is looking to boost its usage, hence the Microsoft partnership. The deal made Azure the first cloud platform to actively link to ATT&CK by mapping in-built security controls to the framework.

"The project aims to fill an information gap for organisations seeking proactive security awareness about the scope of coverage available natively in Azure," said Madeline Carmichael, senior threat intel librarian at Microsoft's Threat Intelligence Centre (MSTIC).

"The project does this by creating independent data showing how built-in security controls for a given technology platform, in this case Azure, secure their assets against the adversary tactics, techniques, and procedures (TTPs) most likely to target them."

"This release represents our first in a collection of mappings of native product security controls to ATT&CK based on a common methodology, scoring rubric, data model, and tool set," added MITRE's lead security engineer Nicholas Amon, and MSTIC director of research and development Jon Baker.

"With these resources we have established the foundation for systematically mapping security controls to ATT&CK and provided a critical resource for organisations to assess their Azure security control coverage against real-world threats as described in the ATT&CK knowledge base."

The project, dubbed Security Stack Mappings, sees each of the security controls provided by Microsoft's Azure platform mapped to ATT&CK threat techniques – in some cases, more than one.
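To show what a control-to-technique mapping of this kind lets a defender compute, here is an added example (not code or data from the MITRE/Microsoft project): a small, constructed set of mappings from named Azure controls to ATT&CK technique IDs, scored with the Minimal/Partial/Significant labels assumed here, and a function that reports the best available coverage for each technique of concern and flags gaps.

```python
from dataclasses import dataclass

# Assumed scoring rubric: each control gets one label per technique it mitigates.
SCORE_RANK = {"Minimal": 1, "Partial": 2, "Significant": 3}

@dataclass
class ControlMapping:
    control: str
    techniques: dict[str, str]  # ATT&CK technique ID -> score label

# Constructed sample mappings; control names and scores are illustrative only,
# not the project's published data.
MAPPINGS = [
    ControlMapping("Azure AD Multi-Factor Authentication",
                   {"T1078": "Significant", "T1110": "Significant"}),
    ControlMapping("Azure AD Identity Protection",
                   {"T1078": "Partial", "T1098": "Minimal"}),
    ControlMapping("Microsoft Defender for Storage",
                   {"T1530": "Partial"}),
]

def coverage(mappings, techniques_of_concern):
    """Return {technique: (best score label, [controls])} for each technique
    of concern. A technique no control maps to is reported as ("None", [])."""
    result = {t: ("None", []) for t in techniques_of_concern}
    for m in mappings:
        for tech, score in m.techniques.items():
            if tech not in result:
                continue
            best, controls = result[tech]
            if SCORE_RANK.get(score, 0) > SCORE_RANK.get(best, 0):
                best = score
            result[tech] = (best, controls + [m.control])
    return result

def gaps(cov, minimum="Partial"):
    """Techniques whose best coverage falls below the required level."""
    return sorted(t for t, (best, _) in cov.items()
                  if SCORE_RANK.get(best, 0) < SCORE_RANK[minimum])

if __name__ == "__main__":
    # Techniques of concern: valid accounts, account manipulation, brute force,
    # data from cloud storage, phishing (standard ATT&CK IDs).
    cov = coverage(MAPPINGS, ["T1078", "T1098", "T1110", "T1530", "T1566"])
    for tech, (best, controls) in sorted(cov.items()):
        print(f"{tech}: {best:<12} {', '.join(controls) or '-'}")
    print("gaps below Partial:", gaps(cov))
```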

It's already slightly outdated, however: the mappings use the older ATT&CK v8 data set, with a plan in place to update to April's ATT&CK v9 release.

Microsoft's Azure may be the first cloud platform targeted by MITRE's project, but it won't be the last. "The mappings between the Azure security stack and ATT&CK establish a foundation for future innovation," Amon and Baker confirmed.

"We anticipate refining these resources based on your review and feedback, and the expansion of our mappings to include other platforms, such as the Amazon Web Services (AWS), which we are working on now."

"This is an excellent example of how a collaborative approach pays dividends," ESET UK cybersecurity expert Jake Moore told The Register.

"The information gap is widely noted when organisations limit the amount of sharing they offer, but as we can see it clearly helps when working together.

"Combining the framework with Azure serves up an extra layer of protection for organisations. As Microsoft and the rest of the industry now have a reliable way of repeatedly adding on the mapping of built-in security controls, it will inevitably help against ATT&CK techniques."

MITRE's CTID has asked for feedback on the project, including suggestions on additional platforms to map and other ideas for expanding the effort, with interested parties asked to collaborate via the project's GitHub repository, where the mappings are published under the permissive Apache Licence 2.0. ®
