Microsoft currently leverages the MITRE ATT&CK framework within Microsoft Sentinel. This capability helps you view threats that have already been detected and understand how your environment maps to the tactics and techniques of the MITRE ATT&CK framework. Whereas those activities are primarily aligned to the Operational Security Assurance side of the house, threat modeling is part of the Security Development Lifecycle (SDL) practices of Secure DevOps. This article describes how to create a Microsoft Threat Modeling Tool template that aligns to the tactics and techniques of the MITRE ATT&CK framework. In the past I have created threat models that leaned on the techniques of the ATT&CK framework but were aligned to the STRIDE model; this template will be aligned to the MITRE ATT&CK framework itself.
I will work forward, making decisions and testing the expected results, and go back and adjust as needed. The primary goal is to leverage the Microsoft Threat Modeling Tool during the SDL process to drive design and engineering decisions, and then to test those decisions against the simulation outputs from Microsoft Sentinel.
The first step is to create a model that represents how the ATT&CK framework will be aligned to the features of the Microsoft Threat Modeling tool.
The ATT&CK Object Model has the following relationships:
ATT&CK Mitigations will be a property of the threat as shown below. These and other threat properties are defined in the Microsoft Threat Modeling Tool's template editor.
We will define the data sources as stencils, and derived stencils will be the actual implementations of each data source. For example, the data source Cloud Storage will be the stencil and Azure Storage will be the derived stencil, as shown below.
This gives us a good foundation for laying out the MITRE Tactics and Techniques.
Now that we have the MITRE ATT&CK knowledge base aligned to the features of the Microsoft Threat Modeling Tool, we can start mapping Techniques and Sub-Techniques to Threat Types. There are currently 576 Techniques and Sub-Techniques with 11,449 defined relationships to targets (data sources) in version 11.3 of the ENTERPRISE MITRE ATT&CK knowledge base. The first template I am working on is for Azure hybrid cloud scenarios. The goal is to start slowly by creating some samples aligned to simple designs, to ensure that the tool provides the expected results. We will then expand the model and continue to add to the template as we verify and validate the results.
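As an added illustration (not code from the original post, and not Microsoft's or MITRE's own tooling), the following Python builds the object-model view described above from an ATT&CK Enterprise STIX bundle: each technique or sub-technique carries its tactics, its parent technique, its mitigations (the threat property) and its data sources with their data components (the stencil, and the information a derived stencil such as Azure Storage implements). The bundle below is a constructed, abbreviated stand-in for the real enterprise-attack.json published at https://github.com/mitre-attack/attack-stix-data; the object ids and the particular set of relationships are constructed, and the field names (x_mitre_is_subtechnique, x_mitre_data_source_ref, the detects / mitigates / subtechnique-of relationship types) are assumed from that format and should be checked against the bundle version you use. Run over a full bundle, summarize() gives that version's counts of techniques, sub-techniques and data-source (detects) relationships, which is how a number like "576 techniques and sub-techniques" is checked before the template is trusted.

```python
"""Build technique -> {tactics, parent, mitigations, data sources} from an ATT&CK STIX bundle."""
import json
from collections import defaultdict

# Constructed, abbreviated stand-in for enterprise-attack.json (assumed field names).
# One parent technique, one sub-technique, one stand-alone technique, one revoked technique.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--t1078", "name": "Valid Accounts",
     "x_mitre_is_subtechnique": False,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1078-004", "name": "Cloud Accounts",
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078.004"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1530", "name": "Data from Cloud Storage",
     "x_mitre_is_subtechnique": False,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1530"}]},
    {"type": "attack-pattern", "id": "attack-pattern--old", "name": "Revoked Technique",
     "revoked": True, "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "course-of-action", "id": "course-of-action--m1032", "name": "Multi-factor Authentication",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
    {"type": "course-of-action", "id": "course-of-action--m1041", "name": "Encrypt Sensitive Information",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1041"}]},
    # Data source = stencil; data component = what a derived stencil must actually emit.
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--cs", "name": "Cloud Storage"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--csa", "name": "Cloud Storage Access",
     "x_mitre_data_source_ref": "x-mitre-data-source--cs"},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ls", "name": "Logon Session"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--lsc", "name": "Logon Session Creation",
     "x_mitre_data_source_ref": "x-mitre-data-source--ls"},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1078-004", "target_ref": "attack-pattern--t1078"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1032", "target_ref": "attack-pattern--t1078-004"},
    {"type": "relationship", "id": "relationship--3", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1041", "target_ref": "attack-pattern--t1530"},
    {"type": "relationship", "id": "relationship--4", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--csa", "target_ref": "attack-pattern--t1530"},
    {"type": "relationship", "id": "relationship--5", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--lsc", "target_ref": "attack-pattern--t1078-004"},
    # Edge to a revoked technique: must be dropped, or the template inherits dead threats.
    {"type": "relationship", "id": "relationship--6", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--lsc", "target_ref": "attack-pattern--old"},
]}


def attack_id(obj):
    """Return the ATT&CK external ID (T1078.004, M1032, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_live(obj):
    """Revoked or deprecated objects must not become threat types in the template."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def build_model(bundle):
    """Return {ATT&CK id: technique record} with tactics, parent, mitigations and data sources."""
    live = {o["id"]: o for o in bundle["objects"] if is_live(o)}
    techniques = {}
    for o in live.values():
        if o["type"] == "attack-pattern":
            techniques[o["id"]] = {
                "id": attack_id(o), "name": o["name"],
                "is_subtechnique": o.get("x_mitre_is_subtechnique", False),
                "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                            if p.get("kill_chain_name") == "mitre-attack"],
                "parent": None, "mitigations": [], "data_sources": defaultdict(list)}
    for r in live.values():
        if r["type"] != "relationship":
            continue
        src, tgt = live.get(r["source_ref"]), live.get(r["target_ref"])
        if src is None or tgt is None:  # dangling or revoked endpoint: skip the edge
            continue
        kind = r["relationship_type"]
        if kind == "subtechnique-of" and src["id"] in techniques and tgt["id"] in techniques:
            techniques[src["id"]]["parent"] = attack_id(tgt)
        elif kind == "mitigates" and tgt["id"] in techniques:
            techniques[tgt["id"]]["mitigations"].append(attack_id(src))
        elif kind == "detects" and tgt["id"] in techniques:
            source_name = live[src["x_mitre_data_source_ref"]]["name"]  # component -> data source
            techniques[tgt["id"]]["data_sources"][source_name].append(src["name"])
    for t in techniques.values():
        t["data_sources"] = dict(t["data_sources"])
    return {t["id"]: t for t in techniques.values()}


def summarize(model):
    """(techniques, sub-techniques, data-source 'detects' relationships) for a built model."""
    n_tech = sum(1 for t in model.values() if not t["is_subtechnique"])
    n_sub = sum(1 for t in model.values() if t["is_subtechnique"])
    n_detects = sum(len(c) for t in model.values() for c in t["data_sources"].values())
    return n_tech, n_sub, n_detects


if __name__ == "__main__":
    model = build_model(SAMPLE_BUNDLE)
    print(json.dumps(model, indent=2))
    print("techniques, sub-techniques, detects relationships:", summarize(model))
```

To use this on the real knowledge base, replace SAMPLE_BUNDLE with json.load() of enterprise-attack.json for the version you are targeting; the per-technique records are then the raw material for threat types (technique), threat properties (mitigations) and stencils (data sources) in the template editor. The revoked-object filter matters in practice: ATT&CK keeps revoked and deprecated techniques in the bundle, and relationships still point at them, so a template built without the filter would carry threats that no longer exist in the framework.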
In the next part of this blog series, we will outline the initial scenarios and provide the samples and outcomes. Stay tuned!