MITRE ATT&CK with the Microsoft Threat Modeling Tool Part 1

Microsoft is currently leveraging the MITRE ATT&CK framework within Microsoft Sentinel. This capability is provided to help you view threats already detected and to help you understand how your environment maps to the tactics and techniques of the MITRE ATT&CK framework. Whereas these activities are primarily aligned to the Operational Security Assurance side of the house, threat modeling is part of the Security Development Lifecycle practices of Secure DevOps. This article will describe how to create a template that aligns to the tactics and techniques of the MITRE ATT&CK framework. In the past I have created threat models that lean on the techniques of the ATT&CK framework, but were aligned to the STRIDE model. This template will be aligned to the MITRE ATT&CK framework. 
I will work forward, making decisions and testing the expected results, and go back and adjust as needed. The primary goal is that during the SDL process, to leverage the Microsoft Threat Modeling tool to drive design and engineering decisions, and to test these results with the simulation outputs from Microsoft Sentinel.
The first step is to create a model that represents how the ATT&CK framework will be aligned to the features of the Microsoft Threat Modeling tool. 

The ATT&CK Object Model has the following relationships:

For our template, we will use the Threat Model Category to align to MITRE ATT&CK Tactic and we will align the Threat Type to the MITRE ATT&CK Technique.

ATT&CK Mitigations will be a property of the threat as shown below. These and other threat properties are defined in the Microsoft Threat Modeling Tool's template editor.

We will define the data sources as stencils and derive stencils will be the actual implementation of the data source. For example, the data source Cloud Storage will be the Stencil and Azure Storage will be the derived stencil as shown below.

This gives us a good foundation for laying out the MITRE Tactics and Techniques. 

Now that we have the MITRE ATT&CK knowledge base aligned to the features of the Microsoft Threat Modeling Tool, we can start the mapping of Techniques and Sub-Techniques to Threat Types. There are currently 576 Techniques and Sub-Techniques with 11,449 defined relationships to targets (data sources) in the 11.3 version of the ENTERPRISE MITRE ATT&CK knowledge base. The first template that I am working on is for Azure hybrid cloud scenarios. The goal is to start out slow by creating some samples that are aligned to simple designs to ensure that the tool is providing the expected results. We will expand that model and then continue to add to the template as we verify and validate the results. 

The template and samples will be provided on Github @ Security-Threat-Models

In the next part of this blog series, we will outline the initial scenarios and provide the samples and outcomes. Stay Tuned!

Decomposing an Architecture Description

I am often involved in Architecture Design Sessions (ADS) with the primary outcome of having a clear vision for a problem we are trying to solve. We spend time primarily on whiteboarding and discussions over what is the right approach and technology that can or should be leveraged to meet our objectives. The Architecture Description is our communication vehicle for describing what is going to be delivered, what components and or services comprise the solution as well as what dependencies the architecture has on external assets. Over the next several months, I am going to decompose an Architecture Description and provide details on my approach, related artifacts and describe why it is we even do this. Because my focus is primarily around data services (it's all about the data anyway) I will leverage most of my examples around Information Architectures and Modern Data Platforms that I spend most of my time on these days. As this series of blog posts evolve, we will also explore artifacts such as the briefing master document that provides an easy way for non-technical individuals to stay apprised of what is detailed in the architecture description. The briefing master is the presentation vehicle for the architecture description. Other artifacts that are leveraged during the ADS and then by the architecture description are listed below. Over time I will decompose these artifacts as well. I fully expect this list to change and evolve as I get more into the details.

• Strategic Vision & Plan
• Information/Data Strategy
• Security Threat Model
• Services Strategy
• Information Assurance Policy
• Information Sharing Strategy
• NetOps Strategic Vision
• Capabilities Description
• Capability Taxonomy
• Services Context Description
• Services Functionality Description
• Service Mapping
• Capability to Services Mapping
• Capability to Operational Activities Mapping
• Standards Profile
• Use Cases

In my next post I will describe the purpose of the Architecture Design session and walk through the various sections of the Architecture Description.