Announcing MITRE ATT&CK mappings for Google Cloud security capabilities
Ivan Ninichuck
Solutions Architect
Iman Ghanizada
Global Head of Security Operations Solutions, Google Cloud
The adoption of Autonomic Security Operations (ASO) requires the ability to use threat informed decision making throughout the continuous detection and continuous response (CD/CR) workflow. We are excited to facilitate this process by mapping native security capabilities of Google Cloud to MITRE ATT&CK® through our research partnership with the MITRE Engenuity Center for Threat-Informed Defense.
As a result, Google Cloud users can now evaluate the effectiveness of native security controls against specific ATT&CK® techniques. These mappings can increase your ability to develop better use cases and response playbooks, and identify how to improve security across your Google Cloud workloads. Application of the findings can enhance your ability to use our cloud native tools such as Chronicle, Siemplify, Security Command Center, and VirusTotal to defend your organization. The mappings include 49 Google Cloud security controls following a methodical scoring rubric.
“Applying threat-informed defense is about using cyber threat intelligence to understand, prioritize, and improve our defensive capabilities. Mapping the native security controls of the Google Cloud to MITRE ATT&CK® is a foundational step that empowers defenders with an independent assessment of how Googler Cloud capabilities can defend against ATT&CK® techniques,” said Jon Baker, General Manager and Co-Founder, Center for Threat-Informed Defense.
Mapping methodology
The scoring methodology used is consistent with the Center’s previous work on similar mappings for other leading cloud provider security controls. The graphic below outlines the five main steps followed by the mapping methodology:
- Identify the security controls that would be used and ensure that they are native to the platform.
- Conduct extensive research on the functionality of the control and how that could be applied in ATT&CK.
- Using the analysis conducted in step 2, map the control to an ATT&CK technique that the control mitigates.
- Score the technique based on effectiveness.
- Produce the mapping files.
Scoring Rubric
The scoring rubric is centered around the continuous cycle of Protect, Detect, and Respond. Each control has been applied to one of these functions and a level of coverage. You will notice a commonality between this rubric and the CD/CR workflow of ASO. This is because at the heart of ASO is the ability to bring Cyber Threat Intelligence (CTI) into decisions and provide measurements that can create a feedback loop of improvement. The scoring produced in this project can improve this process for your security operations team.
Google Cloud security stack mappings
This process mapped Google Cloud native security controls to ATT&CK techniques. The graphic below is the ATT&CK Navigator Layer that visualizes these mappings.
Each color represents one of the areas of the rubric and its corresponding level of coverage. The included legend indicates the specific controls. Note that the purple shading represents areas where overlap among rubrics was observed. The layer shown below only shows the techniques, but the mapping also includes techniques when expanded.
In addition to viewing the data as a Navigator layer, there are also yaml files that can provide the complete data structure for each technique. The flow chart of this data structure is included next to the legend, and the source YAML data format can be found for each control.
Next Steps
The Google Cloud ATT&CK Mappings can be a key foundation for your application of ASO and can empower defenders to understand their impact on adversary behaviors and make threat-informed decisions. It is recommended that organizations take the time to assess each phase of the CD/CR pipeline, establish OKRs across core areas, and identify where they can improve the operationalization of ATT&CK mappings across their organizations.
We look forward to our continued investment in research initiatives to help democratize the journey towards Autonomic Security Operations. We will continue supporting community initiatives and cross-industry collaboration to help foster an improved state of security for the community at large. To learn more about the project and how you can get involved, read the MITRE Engenuity Center for Threat-Informed Defense release announcement.