Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
Security control framework mapping is essential when you are dealing with complicated threats, which is why the alignment of NIST 853 and MITRE ATT&CK into a single framework is so important: it is a step toward simplifying the threat and response profiles needed for both sets of data and how they relate to cyber threats. For this reason, the Center for Threat-Informed Defense's recent alignment of MITRE ATT&CK with NIST 800-53 controls is a crucial step that requires deeper study.
This alignment creates a set of mappings that offers resources and supporting documentation for threat analysts to reference easily. With NIST 800-53 mapping, NIST 800-53 security controls mapping and other consolidations. It is far easier for organizations to quickly and easily identify issues and integrate this information into the threat assessment and risk management models.
This helps your team prepare for worst-case scenarios and approach each new threat with facts and useful information about the situation and the impact that it may have on the services and management models being used.
What should you learn next?
Why use mappings?
Perhaps the most valuable part of this mapping is the labor-intensive nature of any comparative framework mapping. Understanding each threat, its scope of impact, and its repercussions is hard enough without having to map these details manually onto an existing framework.
The existence of this mapping eases the burden that your teams would need to shoulder to remain compliant while dealing with a cybersecurity event. There are over 6300 mappings between the two frameworks, making any MITRE ATT&CK vs. NIST-styled comparisons obsolete because they now operate together.
Mappings and benefits
These mappings all use the ATT&CK methods to link the threat actions of a bad actor to the security controls that were designed to deal with each individual threat activity.
The mappings use the step-by-step process outlined below. The basic idea is that each step builds on previous cyber threats and creates a better picture for your team members as they learn more about the ATT&CK methods being carried out and how to neutralize them.
The basic steps are:
- ATT&CK mitigation review — Analyze each mitigation to understand why it was implemented.
- ATT&CK technique review — Look at what the attacker was trying to achieve and what the attack's goal was. This relates to the first step and how the mitigations were implemented.
- Security control review — Look at the mitigations and methods that were deployed and understand how they worked in concert with the security controls that they are mapped to.
- Create a mapping — Once the analyst understands the entire picture, they can create a mapping can be created. This might be done when there was insufficient coverage for existing mappings dealing with new threats.
These steps create a streamlined process that greatly speeds up the threat and control mapping cycle and gives your team a solid foundation to build upon for future threats.
The mapping framework was designed to be customized to each organization’s requirements, making it quite versatile for industries where some technical considerations are weighted above others.
More about mappings to NIST 800-53
Now that we understand the basic steps that analysts use in the framework, we can look at the features that make this a desirable system to implement.
The mapping structure makes it very easy for your teams to quickly assess and rate each threat as it is identified. This is done with a color-coded table that displays the mapping density of the ATT&CK methods.
Each field’s darkness is determined by the number of NIST 800-53 control mappings associated with each method.
For your teams to understand the scope of each scenario properly, we should cover some fundamental principles. The framework has been designed for technical safeguards and counter-measures at a system level relating only to systems and not non-technical methods of mitigation.
Non-technical controls will need to be handled separately because they do not fall within the scope of the framework mapping.
FREE role-guided training plans
Conclusion: Summarizing the project and its objectives
This framework takes the complex and complicated problem of a large data set with complicated threat information and maps it onto a robust framework that is easy to define.
This was done to create an actionable framework that combines NIST 800-53 mapping, NIST 800-53 security controls mapping and your team's response playbooks.
Once implemented, you have an effective process that takes the guesswork out of threat assessments as they relate to the reality of today’s cybersecurity requirements while simultaneously measuring them against the NIST 800-53.
Perhaps the best feature of this mapping implementation is that it was designed to be customizable so that other frameworks and mitigations can be stitched together, giving you more options if you wish to fuse other components together systematically.
Sources:
- https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings/blob/main/docs/mapping_methodology.md, the Center for Threat Informed Defense
- https://www.missioncriticalmagazine.com/articles/93451-attackiq-validates-nist-800-53-security-controls-against-mitre-attck, Mission Critical
- https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/ MITRE
Get unlimited and self-paced training for you or teams in your organization with Infosec Skills.
- 190+ role-guided learning paths
- 100s of hands-on labs & cyber ranges
- Custom certification practice exams
In this Series
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
- I failed my CREST Certified Infrastructure Tester exam: Here’s my story
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity