Add MITRE ATT&CK Mappings to current SCBs #1106

Merged

Conversation

@ahuynhMITRE ahuynhMITRE commented May 18, 2024

🗣 Description

Added MITRE's ATT&CK TTP mappings and links to applicable security control baseline (SCB) policies, matching the format seen in the GWS SCBs.

💭 Motivation and context

This update to the SCBs is required because it provides additional context into the tactics, techniques, and protocols the policies are attempting to harden against. This will also align the M365 SCBs with the GWS SCBs that currently have the mappings.

Closes #937

🧪 Testing

  • check if the formatting is consistent across all of the added TTP mappings
  • check if the correct TTP mappings are aligned to each policy. Spreadsheet has been sent to @mitchelbaker-cisa for dissemination.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@ahuynhMITRE ahuynhMITRE added the baseline-document Issues relating to the text in the baseline documents themselves label May 18, 2024
@ahuynhMITRE ahuynhMITRE added this to the Halibut milestone May 18, 2024
@ahuynhMITRE ahuynhMITRE self-assigned this May 18, 2024
@ahuynhMITRE ahuynhMITRE linked an issue May 18, 2024 that may be closed by this pull request
@rgbrow1949 rgbrow1949 self-requested a review May 23, 2024 17:04
@rmoffitt-m rmoffitt-m self-requested a review May 23, 2024 17:05
@mitchelbaker-cisa mitchelbaker-cisa left a comment

Main formatting considerations:

Bullets should start with the parent technique. If there are sub-techniques then list these as sub bullets for each baseline.

The techniques are formatted as [T1566:Phishing]. Let's add a space after the colon for all, [T1566: Phishing].

For consistency with GWS let's be sure to reference the parent technique for any sub-techniques.

Review threads left on (all resolved):

  • PowerShell/ScubaGear/baselines/defender.md (6 threads, 4 marked outdated)
  • PowerShell/ScubaGear/baselines/aad.md (1 thread, outdated)
  • PowerShell/ScubaGear/baselines/exo.md (2 threads, outdated)
  • PowerShell/ScubaGear/baselines/teams.md (1 thread, outdated)
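The three conventions in the review above (parent technique listed first, sub-techniques as sub-bullets under it, exactly one space after the colon in `[T1566: Phishing]`) are the kind of thing the "check if the formatting is consistent" item in the Testing section can verify mechanically. The script below is an added example, not ScubaGear project code. It assumes the baselines list techniques as markdown bullets of the form `[TNNNN: Name](url)` as the review describes; the sample document, its `MS.EXAMPLE` policy IDs and the script name are constructed for illustration.

```python
"""Lint ATT&CK technique mappings in a ScubaGear-style baseline markdown file.

Added example, not ScubaGear project code. It enforces the three conventions
from the review: a technique is written as [TNNNN: Name] with exactly one
space after the colon, a sub-technique [TNNNN.NNN: Name] sits as a sub-bullet
under its parent technique, and that parent technique is listed explicitly.
"""
import re
import sys

# Matches [T1566: Phishing] or [T1566.001: Spearphishing Attachment]; the
# markdown link in parentheses that follows the bracket is not part of the match.
TECH_RE = re.compile(r"\[(T\d{4}(?:\.\d{3})?):(\s*)([^\]]+)\]")
BULLET_RE = re.compile(r"^(\s*)[-*]\s+(.*)$")


def check_mappings(markdown: str) -> list[str]:
    """Return one finding per violation, each prefixed with its 1-based line number."""
    findings = []
    parent_id = None      # most recent top-level technique in the current list
    parent_indent = 0     # its bullet indentation, in characters

    for lineno, line in enumerate(markdown.splitlines(), 1):
        bullet = BULLET_RE.match(line)
        if not bullet:
            # A heading or paragraph ends the list: a new policy block must
            # name the parent technique again before any sub-technique.
            if line.strip():
                parent_id = None
            continue

        indent, body = bullet.group(1), bullet.group(2)
        tech = TECH_RE.search(body)
        if not tech:
            continue  # a bullet that is not a technique mapping
        tech_id, gap, name = tech.groups()

        if gap != " ":
            findings.append(
                f"line {lineno}: '[{tech_id}:{gap}{name}]' must have exactly one "
                f"space after the colon, i.e. '[{tech_id}: {name}]'"
            )

        if "." in tech_id:
            expected_parent = tech_id.split(".")[0]
            if parent_id != expected_parent:
                findings.append(
                    f"line {lineno}: sub-technique {tech_id} is not preceded by its "
                    f"parent technique [{expected_parent}: ...] in this list"
                )
            elif len(indent) <= parent_indent:
                findings.append(
                    f"line {lineno}: sub-technique {tech_id} must be a sub-bullet "
                    f"indented under [{expected_parent}: ...]"
                )
        else:
            parent_id, parent_indent = tech_id, len(indent)

    return findings


# Constructed sample: one compliant mapping, one missing the space after the
# colon, and one sub-technique listed without its parent. The MS.EXAMPLE policy
# IDs are placeholders, not identifiers from a ScubaGear baseline.
SAMPLE = """\
#### MS.EXAMPLE.1.1v1
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
  - [T1566.001: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1078:Valid Accounts](https://attack.mitre.org/techniques/T1078/)

#### MS.EXAMPLE.1.2v1
- [T1078.004: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/)
"""

if __name__ == "__main__":
    # Usage: python check_ttp_mappings.py baselines/*.md  (no arguments: lint SAMPLE)
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, text in sources:
        for finding in check_mappings(text):
            print(f"{name}: {finding}")
```

Run against the four baseline files from the review, the script reports two findings for the constructed sample: the missing space on the `T1078` line and the orphaned `T1078.004` sub-technique in the second policy block. Resetting the parent at every heading is what enforces the "reference the parent technique for any sub-techniques" rule per policy rather than once per file.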
@schrolla schrolla modified the milestones: Halibut, Iceberg May 30, 2024
updated the mappings to do the following:

- add in reference parent ttp mapping
- format sub ttp mappings as sub bullets to these parent ttps
- added a space after the ":" for each policy
@ahuynhMITRE

thanks @mitchelbaker-cisa updated the mappings to do the following:

  • add in reference parent ttp mapping
  • format sub ttp mappings as sub bullets to these parent ttps
  • added a space after the ":" for each policy

@mitchelbaker-cisa mitchelbaker-cisa left a comment

Thanks Andrew, looks good!

@ahuynhMITRE

@nanda-katikaneni good to merge!

@nanda-katikaneni nanda-katikaneni merged commit af1741f into main Jul 9, 2024
15 checks passed
@nanda-katikaneni nanda-katikaneni deleted the 937-add-mitre-attck-ttp-mappings-to-current-baselines branch July 9, 2024 17:39
Labels: baseline-document (Issues relating to the text in the baseline documents themselves)

Linked issue this pull request may close: Add MITRE ATT&CK TTP Mappings to M365 SCBs

5 participants