creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/mapping-mitre-attack-techniques/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

158 lines
7.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
name: mapping-mitre-attack-techniques
description: 'Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques
to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging
SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives.
Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
'
domain: cybersecurity
subdomain: threat-intelligence
tags:
- MITRE-ATT&CK
- ATT&CK-Navigator
- Sigma
- D3FEND
- TTP
- detection-engineering
- NIST-CSF
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Mapping MITRE ATT&CK Techniques
## When to Use
Use this skill when:
- Generating an ATT&CK coverage heatmap to show which techniques your detection stack addresses
- Tagging existing SIEM use cases or Sigma rules with ATT&CK technique IDs for structured reporting
- Aligning your security program roadmap to specific adversary groups known to target your sector
**Do not use** this skill for real-time incident triage — ATT&CK mapping is an analytical activity best performed post-detection or during threat hunting planning.
## Prerequisites
- Access to MITRE ATT&CK knowledge base (https://attack.mitre.org) or local ATT&CK STIX data bundle
- ATT&CK Navigator web app or local installation (https://mitre-attack.github.io/attack-navigator/)
- Inventory of existing detection rules (Sigma, Splunk, Sentinel KQL) to assess current coverage
- ATT&CK Python library: `pip install mitreattack-python`
## Workflow
### Step 1: Obtain Current ATT&CK Data
Download the latest ATT&CK STIX bundle for the relevant matrix (Enterprise, Mobile, ICS):
```bash
curl -o enterprise-attack.json \
https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
```
Use the mitreattack-python library to query techniques programmatically:
```python
from mitreattack.stix20 import MitreAttackData
mitre = MitreAttackData("enterprise-attack.json")
techniques = mitre.get_techniques(remove_revoked_deprecated=True)
for t in techniques[:5]:
print(t["external_references"][0]["external_id"], t["name"])
```
### Step 2: Map Existing Detections to Techniques
For each SIEM rule or Sigma file, assign ATT&CK technique IDs. Sigma rules support native ATT&CK tagging:
```yaml
tags:
- attack.execution
- attack.t1059.001 # PowerShell
- attack.t1059.003 # Windows Command Shell
```
Create a coverage matrix: list each technique ID and mark as: Detected (alert fires), Logged (data present but no alert), Blind (no data source).
### Step 3: Prioritize Coverage Gaps Using Threat Intelligence
Cross-reference coverage gaps with adversary groups targeting your sector. Use ATT&CK Groups data:
```python
groups = mitre.get_groups()
apt29 = mitre.get_object_by_attack_id("G0016", "groups")
apt29_techniques = mitre.get_techniques_used_by_group(apt29)
for t in apt29_techniques:
print(t["object"]["external_references"][0]["external_id"])
```
Prioritize adding detection for techniques used by high-priority threat groups where your coverage is blind.
### Step 4: Build Navigator Heatmap
Export coverage scores as ATT&CK Navigator JSON layer:
```python
import json
layer = {
"name": "SOC Detection Coverage Q1 2025",
"versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
"domain": "enterprise-attack",
"techniques": [
{"techniqueID": "T1059.001", "score": 100, "comment": "Splunk rule: PS_Encoded_Command"},
{"techniqueID": "T1071.001", "score": 50, "comment": "Logged only, no alert"},
{"techniqueID": "T1055", "score": 0, "comment": "No coverage — blind spot"}
],
"gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}
}
with open("coverage_layer.json", "w") as f:
json.dump(layer, f)
```
Import layer into ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) for visualization.
### Step 5: Generate Executive Coverage Report
Summarize coverage by tactic category (Initial Access, Execution, Persistence, etc.) with counts and percentages. Provide a risk-ranked list of top 10 blind-spot techniques based on adversary group usage frequency. Recommend data source additions (e.g., "Enable PowerShell Script Block Logging to address 12 Execution sub-technique gaps").
## Key Concepts
| Term | Definition |
|------|-----------|
| **ATT&CK Technique** | Specific adversary method identified by T-number (e.g., T1059 = Command and Scripting Interpreter) |
| **Sub-technique** | More granular variant of a technique (e.g., T1059.001 = PowerShell, T1059.003 = Windows Command Shell) |
| **Tactic** | Adversary goal category in ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C&C, Exfiltration, Impact |
| **Data Source** | ATT&CK v10+ component identifying telemetry required to detect a technique (e.g., Process Creation, Network Traffic) |
| **Coverage Score** | Numeric (0100) representing detection completeness for a technique: 0=blind, 50=logged only, 100=alerted |
| **MITRE D3FEND** | Defensive countermeasure ontology complementing ATT&CK — maps defensive techniques to attack techniques they mitigate |
## Tools & Systems
- **ATT&CK Navigator**: Browser-based heatmap visualization tool for layering coverage scores and annotations on the ATT&CK matrix
- **mitreattack-python**: Official MITRE Python library for programmatic access to ATT&CK STIX data (techniques, groups, software, mitigations)
- **Atomic Red Team**: MITRE-aligned test library providing atomic test cases to validate detection for each technique
- **Sigma**: Detection rule format with ATT&CK tagging support; translatable to Splunk, Sentinel, QRadar, Elastic
- **ATT&CK Workbench**: Self-hosted ATT&CK knowledge base for organizations maintaining custom technique extensions
## Common Pitfalls
- **Over-claiming coverage**: Logging a data source (e.g., process creation events) does not mean the associated technique is detected — a rule must actually fire on malicious patterns.
- **Mapping at tactic level only**: Tagging a rule as "attack.execution" without a specific technique ID prevents granular gap analysis.
- **Ignoring sub-techniques**: Many adversaries use specific sub-techniques. Coverage of T1059 (parent) doesn't imply coverage of T1059.005 (Visual Basic).
- **Static mapping without updates**: ATT&CK releases major versions annually. Coverage maps go stale as techniques are added, revised, or deprecated.
- **Not mapping to adversary groups**: Generic coverage maps don't distinguish between techniques used by APTs targeting your sector vs. commodity malware.
Reference in New Issue View Git Blame Copy Permalink