Add MITRE ATT&CK Mappings to current SCBs (#1106)
* AAD TTP Mappings

* Defender TTP

* exo ttp

* Update powerbi.md with ttp

* Update powerplatform.md with ttp

* Update sharepoint.md with ttp

* Update teams.md with ttp

* Update aad.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update defender.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update exo.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update powerbi.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update powerplatform.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update sharepoint.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update teams.md

updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/aad.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/defender.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/defender.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/defender.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/defender.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/exo.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/powerbi.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/powerbi.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/powerbi.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/powerbi.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/powerbi.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/teams.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update PowerShell/ScubaGear/baselines/teams.md

Co-authored-by: mitchelbaker-cisa <[email protected]>

* Update exo.md with new decoupled policies

---------

Co-authored-by: mitchelbaker-cisa <[email protected]>
ahuynhMITRE and mitchelbaker-cisa authored Jul 9, 2024
1 parent 4da9c22 commit af1741f
Showing 7 changed files with 505 additions and 3 deletions.
113 changes: 112 additions & 1 deletion PowerShell/ScubaGear/baselines/aad.md

Large diffs are not rendered by default.

84 changes: 84 additions & 0 deletions PowerShell/ScubaGear/baselines/defender.md
Expand Up @@ -78,6 +78,12 @@ The standard and strict preset security policies SHALL be enabled.
<!--Policy: MS.DEFENDER.1.1v1; Criticality: SHALL -->
- _Rationale:_ Defender includes a large number of features and settings to protect users against threats. Using the preset security policies, administrators can help ensure all new and existing users automatically have secure defaults applied.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/)


#### MS.DEFENDER.1.2v1
All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy.
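Review bot: the mapping block added under MS.DEFENDER.1.1v1 is followed by two consecutive blank lines before the `#### MS.DEFENDER.1.2v1` heading (the hunk grows the section by six lines for five list items). Every other policy in this file separates its mapping from the next heading with a single blank line, so drop one of them.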
Expand All @@ -89,6 +95,11 @@ All users SHALL be added to Exchange Online Protection in either the standard or
- The standard and strict preset security policies must be enabled as directed
by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied.
- Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming, as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/)

#### MS.DEFENDER.1.3v1
All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.
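Review bot: MS.DEFENDER.1.2v1 is specifically about Exchange Online Protection, i.e. email, yet it carries the same four T1566 entries as 1.1v1, including T1566.003 (Spearphishing via Service), which covers phishing delivered through third-party services rather than the organization's mail. Either confirm that EOP is meant to be credited against that sub-technique or trim this policy's list to T1566.001 and T1566.002, as is done for 1.4v1 and 1.5v1 further down.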
Expand All @@ -100,6 +111,11 @@ All users SHALL be added to Defender for Office 365 protection in either the sta
- The standard and strict preset security policies must be enabled as directed
by [MS.DEFENDER.1.1v1](#msdefender11v1) for protections to be applied.
- Specific user accounts, except for sensitive accounts, MAY be exempt from the preset policies, provided they are added to one or more custom policies offering comparable protection. These users might need flexibility not offered by the preset policies. Their accounts should be added to a custom policy conforming as closely as possible to the settings used by the preset policies. See the **Resources** section for more details on configuring policies.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1566.003: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/)

#### MS.DEFENDER.1.4v1
Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.
Expand All @@ -109,6 +125,10 @@ Sensitive accounts SHALL be added to Exchange Online Protection in the strict pr
- _Last modified:_ June 2023
- _Note:_ The strict preset security policy must be enabled to protect
sensitive accounts.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)

#### MS.DEFENDER.1.5v1
Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.
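Review bot: the sensitive-account policy 1.4v1 (and 1.5v1 in the next hunk) lists only T1566.001 and T1566.002, while 1.1v1 through 1.3v1 also list T1566.003 for the same preset policies. Since 1.4v1 applies the same EOP protections to a subset of accounts, the two lists should either match or the difference should be explained in the policy note.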
Expand All @@ -118,6 +138,10 @@ Sensitive accounts SHALL be added to Defender for Office 365 protection in the s
- _Last modified:_ June 2023
- _Note:_ The strict preset security policy must be enabled to protect
sensitive accounts.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)

### Resources

Expand Down Expand Up @@ -226,6 +250,11 @@ User impersonation protection SHOULD be enabled for sensitive accounts in both t
- _Last modified:_ June 2023
- _Note:_ The standard and strict preset security policies must be enabled to
protect accounts.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/)

#### MS.DEFENDER.2.2v1
Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.
Expand All @@ -235,6 +264,11 @@ Domain impersonation protection SHOULD be enabled for domains owned by the agenc
- _Last modified:_ June 2023
- _Note:_ The standard and strict preset security policies must be enabled to
protect agency domains.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/)

#### MS.DEFENDER.2.3v1
Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.
Expand All @@ -244,6 +278,11 @@ Domain impersonation protection SHOULD be added for important partners in both t
- _Last modified:_ June 2023
- _Note:_ The standard and strict preset security policies must be enabled to
protect partner domains.
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566.002: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/)

### Resources

Expand Down Expand Up @@ -331,6 +370,12 @@ Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams
<!--Policy: MS.DEFENDER.3.1v1; Criticality: SHOULD -->
- _Rationale:_ Clicking malicious links makes users vulnerable to attacks, and this danger is not limited to links in emails. Other Microsoft products, such as Microsoft Teams, can be used to present users with malicious links. As such, it is important to protect users on these other Microsoft products as well.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1204.001: User Execution](https://attack.mitre.org/techniques/T1204/)
- [T1204.001: Malicious Link](https://attack.mitre.org/techniques/T1204/001/)
- [T1204.002: Malicious File](https://attack.mitre.org/techniques/T1204/002/)

### Resources

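Review bot: the label on the third entry is wrong: it reads `[T1204.001: User Execution](https://attack.mitre.org/techniques/T1204/)`, but the name and the URL belong to the parent technique T1204, and T1204.001 is Malicious Link, which is already the next line. Change the label to `T1204: User Execution` so the parent/sub-technique structure matches the convention described in the commit message.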
Expand Down Expand Up @@ -391,6 +436,10 @@ A custom policy SHALL be configured to protect PII and sensitive information, as
provide a way for agencies to detect and prevent
unauthorized disclosures.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/)

#### MS.DEFENDER.4.2v1
The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.
Expand All @@ -402,6 +451,12 @@ The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams cha
- _Last modified:_ June 2023
- _Note:_ The custom policy referenced here is the same policy
configured in [MS.DEFENDER.4.1v1](#msdefender41v1).
- _MITRE ATT&CK TTP Mapping:_
- [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/)
- [T1213.002: Sharepoint](https://attack.mitre.org/techniques/T1213.002/)

#### MS.DEFENDER.4.3v1
The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.

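Review bot: the URL for the last entry, `https://attack.mitre.org/techniques/T1213.002/`, uses a dot between technique and sub-technique, while every other sub-technique link in this diff uses the `/T1566/001/` form, which is the path ATT&CK serves. Change it to `https://attack.mitre.org/techniques/T1213/002/`. This is also the only policy in the 4.x group that lists T1213.002; if SharePoint collection is the reason, 4.1v1 and 4.3v1 protect the same custom policy's data and likely want it as well.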
Expand All @@ -412,6 +467,10 @@ The action for the custom policy SHOULD be set to block sharing sensitive inform
- _Last modified:_ June 2023
- _Note:_ The custom policy referenced here is the same policy
configured in [MS.DEFENDER.4.1v1](#msdefender41v1).
- _MITRE ATT&CK TTP Mapping:_
- [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/)

#### MS.DEFENDER.4.4v1
Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.
Expand All @@ -425,6 +484,7 @@ Notifications to inform users and help educate them on the proper use of sensiti
- _Note:_ The custom policy referenced here is the same policy
configured in [MS.DEFENDER.4.1v1](#msdefender41v1).


#### MS.DEFENDER.4.5v1
A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined.

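Review bot: this hunk only inserts a blank line, which leaves two consecutive blank lines before the `#### MS.DEFENDER.4.5v1` heading, and MS.DEFENDER.4.4v1 ends up as the one policy in this file with no `_MITRE ATT&CK TTP Mapping:_` entry. If user notifications are intentionally unmapped, say so in the policy note; otherwise the 4.1v1 set (T1567, T1530, T1213) fits, since the note states this is the same custom policy configured in 4.1v1. Remove the extra blank line either way.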
Expand All @@ -435,6 +495,10 @@ A list of apps that are restricted from accessing files protected by DLP policy
possible to use DLP policies to restrict those apps' access
to sensitive information on endpoints using Defender.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/)
- [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)

#### MS.DEFENDER.4.6v1
The custom policy SHOULD include an action to block access to sensitive
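Review bot: T1565 (Data Manipulation) and T1485 (Data Destruction) are Impact techniques, but the rationale for 4.5v1 in the context lines is about restricting apps' access to sensitive information on endpoints, which is a collection/exfiltration concern like the T1530 entry. Either drop the Impact pair or add a sentence to the rationale explaining how restricting app access to DLP-protected files prevents destruction or manipulation of that data.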
Expand All @@ -454,6 +518,11 @@ information by restricted apps and unwanted Bluetooth applications.
- This action can only be included if at least one device is onboarded
to the agency tenant. Otherwise, the option to block restricted apps will
not be available.
- _MITRE ATT&CK TTP Mapping:_
- [T1565: Data Manipulation](https://attack.mitre.org/techniques/T1565/)
- [T1485: Data Destruction](https://attack.mitre.org/techniques/T1485/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1486: Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/)

### Resources

Expand Down Expand Up @@ -644,13 +713,19 @@ At a minimum, the alerts required by the CISA M365 Security Configuration Baseli
<!--Policy: MS.DEFENDER.5.1v1; Criticality: SHALL -->
- _Rationale:_ Potentially malicious or service-impacting events may go undetected without a means of detecting these events. Setting up a mechanism to alert administrators to the list of events linked above draws attention to them to minimize any impact to users and the agency.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/)
- [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/)

#### MS.DEFENDER.5.2v1
The alerts SHOULD be sent to a monitored address or incorporated into a SIEM.

<!--Policy: MS.DEFENDER.5.2v1; Criticality: SHOULD -->
- _Rationale:_ Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. Sending alerts to a monitored email address or Security Information and Event Management (SIEM) system helps ensure events are acted upon in a timely manner to limit overall impact.
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/)
- [T1562.006: Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/)

### Resources

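Review bot: both alert policies map only to T1562.006 (Indicator Blocking), which describes an adversary preventing telemetry or indicators from reaching defenders. The policy text is broader: 5.1v1 requires the full list of alerts from the baseline and 5.2v1 routes them to a monitored address or SIEM, so the mapping covers only tampering with the alerting mechanism, not the events the alerts are meant to detect. Either state that the mapping is intentionally limited to protecting alerting, or map 5.1v1 to the techniques the required alerts surface.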
Expand Down Expand Up @@ -730,6 +805,10 @@ Microsoft Purview Audit (Standard) logging SHALL be enabled.
<!--Policy: MS.DEFENDER.6.1v1; Criticality: SHALL -->
- _Rationale:_ Responding to incidents without detailed information about activities that took place slows response actions. Enabling Microsoft Purview Audit (Standard) helps ensure agencies have visibility into user actions. Furthermore, enabling the unified audit log is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs).
- _Last modified:_ June 2023
- _MITRE ATT&CK TTP Mapping:_
- [T1562: Impair Defenses](https://attack.mitre.org/techniques/T1562/)
- [T1562.008: Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008/)


#### MS.DEFENDER.6.2v1
Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users.
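Review bot: the new mapping for 6.1v1 is followed by two blank lines before the `#### MS.DEFENDER.6.2v1` heading (the hunk adds four lines for three list items); keep a single blank line to match the rest of the file.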
Expand All @@ -743,6 +822,8 @@ Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users.
Audit (Standard) subscribers. After rollout of changes are complete,
Purview (Standard) may be sufficient for agencies to meet basic
logging requirements.
- _MITRE ATT&CK TTP Mapping:_
- [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/)

#### MS.DEFENDER.6.3v1
Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.
Expand All @@ -756,6 +837,9 @@ Audit logs SHALL be maintained for at least the minimum duration dictated by OMB
Additional record types require custom audit retention policies.
Agencies may also consider alternate storage locations and services
to meet audit log retention needs.
- _MITRE ATT&CK TTP Mapping:_
- [T1070: Indicator Removal](https://attack.mitre.org/techniques/T1070/)


### Resources

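Review bot: the third added line is blank, giving two blank lines before `### Resources`; one is enough and matches the other Resources sections. Separately, 6.3v1 (and 6.2v1 in the previous hunk) map only to the parent T1070 Indicator Removal, whereas 6.1v1 uses T1562.008 (Disable or Modify Cloud Logs). Tampering with cloud audit logs is the T1562.008 case, so consider listing it here alongside T1070 for consistency across the 6.x logging policies.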

0 comments on commit af1741f