Announcing MITRE ATT&CK mappings for Google Cloud security capabilities

The adoption of Autonomic Security Operations (ASO) requires the ability to use threat informed decision making throughout the continuous detection and continuous response (CD/CR) workflow. We are excited to facilitate this process by mapping native security capabilities of Google Cloud to MITRE ATT&CK® through our research partnership with the MITRE Engenuity Center for Threat-Informed Defense. 

As a result, Google Cloud users can now evaluate the effectiveness of native security controls against specific ATT&CK® techniques. These mappings can increase your ability to develop better use cases and response playbooks, and identify how to improve security across your Google Cloud workloads. Application of the findings can enhance your ability to use our cloud native tools such as Chronicle, Siemplify, Security Command Center, and VirusTotal to defend your organization. The mappings include 49 Google Cloud security controls following a methodical scoring rubric.

“Applying threat-informed defense is about using cyber threat intelligence to understand, prioritize, and improve our defensive capabilities. Mapping the native security controls of the Google Cloud to MITRE ATT&CK® is a foundational step that empowers defenders with an independent assessment of how Googler Cloud capabilities can defend against ATT&CK® techniques,” said Jon Baker, General Manager and Co-Founder, Center for Threat-Informed Defense.

Mapping methodology

The scoring methodology used is consistent with the Center’s previous work on similar mappings for other leading cloud provider security controls. The graphic below outlines the five main steps followed by the mapping methodology: 

1. Identify the security controls that would be used and ensure that they are native to the platform. 
2. Conduct extensive research on the functionality of the control and how that could be applied in ATT&CK. 
3. Using the analysis conducted in step 2, map the control to an ATT&CK technique that the control mitigates. 
4. Score the technique based on effectiveness.
5. Produce the mapping files.

 Scoring Rubric

Google Cloud security stack mappings

This process mapped Google Cloud native security controls to ATT&CK techniques. The graphic below is the ATT&CK Navigator Layer that visualizes these mappings. 

Each color represents one of the areas of the rubric and its corresponding level of coverage. The included legend indicates the specific controls. Note that the purple shading represents areas where overlap among rubrics was observed. The layer shown below only shows the techniques, but the mapping also includes techniques when expanded. 

In addition to viewing the data as a Navigator layer, there are also yaml files that can provide the complete data structure for each technique. The flow chart of this data structure is included next to the legend, and the source YAML data format can be found for each control.

Next Steps

The Google Cloud ATT&CK Mappings can be a key foundation for your application of ASO and can empower defenders to understand their impact on adversary behaviors and make threat-informed decisions. It is recommended that organizations take the time to assess each phase of the CD/CR pipeline, establish OKRs across core areas, and identify where they can improve the operationalization of ATT&CK mappings across their organizations. 

We look forward to our continued investment in research initiatives to help democratize the journey towards Autonomic Security Operations. We will continue supporting community initiatives and cross-industry collaboration to help foster an improved state of security for the community at large. To learn more about the project and how you can get involved, read the MITRE Engenuity Center for Threat-Informed Defense release announcement.