
Fun with MITRE ATT&CK

Navigator & NIST 800-53


ELAINE HARRISON-NEUKIRCH
About Me

► I lead the Customer Support Program at SCYTHE


► Blue Team
► Network Security Engineer in the healthcare sector
► Network Administrator in finance
► Education Lead at CSNP.org (Cyber Security Non Profit).
► Mom of 3 awesome young women and a bearded dragon

@rubysgeekymom
Today’s Topics
• How I stumbled upon these tools.
• What are MITRE ATT&CK, ATT&CK Navigator and NIST 800-53?
• How can Defenders use these tools to their advantage?
Not another boring slideshow
How I stumbled upon this tool

► SCYTHE’s reporting capabilities include NIST SP 800-53 summaries that can be used
in ATT&CK Navigator
► I was not familiar with these tools = RESEARCH
► Research led me to testing the SCYTHE summaries in the Navigator
► I thought they were cool and wrote a two-part blog for CSNP
MITRE ATT&CK

► Open source collaboration - information collected by Red & Blue teams


► Free and available to all
► Knowledge base containing adversary groups, their tactics and the techniques they use
► Interactive
► Focus is on Enterprise, Mobile devices and Industrial Control Systems (ICS)

https://attack.mitre.org/
MITRE ATT&CK & The Blue Team

► Gather Cyber Threat Intelligence


► Research Adversary groups most likely to attack their
sector
► Visualize how an attacker will gain entry & execute their
attack.

“The more moves we can predict, the more chances we have to win.”

https://www.scythe.io/library/simplifying-the-mitre-att-ck-framework
ATT&CK Navigator

► ATT&CK Navigator is a GitHub project created by MITRE ATT&CK


► Enables users to manipulate MITRE ATT&CK matrices in a visual format
► Customizable
ATT&CK Navigator Layers

► Create your own layer or use files created by others.


► This is a layer created by Matt Graeber to help Blue Teams with application security.
NIST Special Publication 800-53

► NIST SP 800-53, Security and Privacy Controls for Information Systems and
Organizations
► Describes families of security controls
► Created as a guide for Federal and Critical Infrastructure Information Systems
► Used by many other sectors for risk assessments and creating defense in depth
► NIST SP 800-53 Revision 5
Center for Threat-Informed Defense

► December 2020 the Center for Threat-Informed Defense released a set of mappings
between MITRE ATT&CK and the NIST SP 800-53
► Focus is to enable users to easily map threats, that are specific to their organization, to
NIST controls
► Contributes to more effective security and closing gaps.

https://medium.com/mitre-engenuity/security-control-mappings-a-bridge-to-threat-informed-defense-2e42a074f64a
ATT&CK Navigator & NIST SP 800-53

► The Attack-Control-Framework-Mappings README.md file contains the following:


• NIST 800-53 Revision 5 Control Mappings
• Extended Fields
• Mapping NIST 800-53 revision 5 to ATT&CK
• General Scoping Decisions
• Control Family Scoping Decisions

https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings
Getting Started

► A LOT of information – read the README.md first


► The README.md contains a summary of the repository contents:
• Frameworks
• Mapping Methodology
• Tooling
• Use Cases
• STIX Format
• Visualizations
• Contributing
• Changelog
Export NIST SP 800-53 Mappings

► The README.md contains links to download the NIST to MITRE mappings in Excel
format.
► Useful for quick lookup when reviewing the ATT&CK Navigator layer.
Using the Navigator Tool

For my demo, I am using Use Case #4


I want to determine what security controls I can use to defend against a given group or
software.
Groups and Software in ATT&CK are mapped to techniques. Therefore, this use case can be
achieved in the exact manner as use case 3 (above) — determine the set of security controls
that mitigate the techniques mapped to the group or software.
In an attempt to keep my example simple, I will be selecting a Threat Group for the
“contextual grouping”.
Step 1 – Open the Overview Layer

► Frameworks Folder – ATT&CK Version 9


► I will use the NIST800-53-r5 Overview layer
► Each family contains multiple overview & mapping layers
► Download the JSON file for the layer you are using
► Go to the ATT&CK Navigator & upload the file
Step 2 - Customize Layer For Threat Group

► In order to set this up for Use Case #4, there are a couple of changes that have to be
made.
► 1. Under Selection Controls, click the Multi Select button.
► 2. Click the view link to the right of each group to view the group’s MITRE ATT&CK
page.
► 3. Select the desired threat group.
Step 3 -Background Color and Filters

► 4. Techniques used by that group are outlined in black. Change the background to a
color for better visualization.
► 5. To change the background color, go to technique controls and click the paint can icon.
Select the background color.
► 6. Select Layer Controls> Filter to drill down to specific platforms.
Use Case 4

► I selected the following:


• Threat Group: Chimera
• Background Color: Purple
• Filter: Windows
► Purple techniques are used by Chimera when
attacking Windows devices.
NIST 800-53 r5 Controls

► Hover over each technique:


► MITRE ATT&CK ID
► NIST controls that mitigate the technique.
► Score = number of mitigation controls that apply
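Steps 1 to 3 and the score/gap review above, expressed as code. This is an added example, not the Navigator's or the mappings project's own code: the overview layer, the technique-to-platform map, the group's technique list and the control lists are all constructed stand-ins, and the layout (controls listed in each technique's "comment", counted in "score") is an assumption about the project's real layer.

```python
import json
from typing import List

# Constructed stand-in for a NIST800-53-r5 overview layer in Navigator layer JSON.
# Assumption: mitigating controls sit in "comment" and "score" counts them.
OVERVIEW_LAYER_JSON = json.dumps({
    "name": "NIST 800-53 R5 overview (constructed sample)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1003", "score": 5, "comment": "AC-3, AC-6, CM-6, IA-2, SI-4"},
        {"techniqueID": "T1059", "score": 3, "comment": "CM-7, SI-3, SI-4"},
        {"techniqueID": "T1021", "score": 4, "comment": "AC-3, AC-17, IA-2, SC-7"},
        {"techniqueID": "T1078", "score": 2, "comment": "AC-2, IA-5"},
        {"techniqueID": "T1547.006", "score": 2, "comment": "CM-6, CM-7"},
        {"techniqueID": "T1566", "score": 3, "comment": "AT-2, SI-3, SI-8"},
    ],
})

# Constructed: platforms per technique (Navigator takes these from ATT&CK itself).
TECHNIQUE_PLATFORMS = {
    "T1003": {"Windows", "Linux", "macOS"}, "T1059": {"Windows", "Linux", "macOS"},
    "T1021": {"Windows", "Linux", "macOS"}, "T1078": {"Windows", "Linux", "macOS", "SaaS"},
    "T1547.006": {"Linux", "macOS"}, "T1566": {"Windows", "Linux", "macOS", "Office 365"},
}

# Constructed: techniques attributed to the selected group (stand-in for multi-select).
GROUP_TECHNIQUES = {"T1003", "T1059", "T1021", "T1078", "T1547.006"}


def build_group_layer(overview_json: str, group: set, platform: str, color: str) -> dict:
    """Steps 2-3: keep the group's techniques, apply the platform filter, paint them."""
    overview = json.loads(overview_json)
    kept = [{**t, "color": color, "enabled": True}
            for t in overview["techniques"]
            if t["techniqueID"] in group
            and platform in TECHNIQUE_PLATFORMS.get(t["techniqueID"], set())]
    return {"name": overview["name"] + " - group view", "domain": overview["domain"],
            "filters": {"platforms": [platform]}, "techniques": kept}


def control_gaps(layer: dict, implemented: set) -> List[dict]:
    """Per painted technique, list mapped controls not yet implemented; fewest covered first."""
    rows = []
    for t in layer["techniques"]:
        controls = [c.strip() for c in t["comment"].split(",")]
        missing = sorted(c for c in controls if c not in implemented)
        rows.append({"techniqueID": t["techniqueID"], "score": t["score"],
                     "covered": len(controls) - len(missing), "missing": missing})
    return sorted(rows, key=lambda r: (r["covered"], r["techniqueID"]))
```

Running `control_gaps` over the layer with the set of controls you already have in place yields the per-technique list of NIST controls still to review, which is the "identify gaps" step on the next slide.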
Blue Team Defenders For the Win

► Scores can be added to prioritize the higher risk gaps


► Blue Teams can use the information to review the NIST Controls for each technique
identified.
► Identify gaps and tools available for mitigation
► Security controls can be added or tweaked to detect/alert/block
► As gaps are removed, the layer can be updated to show progress.
► Technical information can be reported to non-technical groups using visualization (colors
and layering tools)
CSNP Blogs
Two part blog series
Fun with MITRE ATT&CK Navigator and NIST SP 800-53
More Fun with MITRE ATT&CK Navigator and NIST SP 800-53
Questions?
