search

center-for-threat-informed-defense / security-stack-mappings

🚨ATTENTION🚨 The Security Stack Mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
https://center-for-threat-informed-defense.github.io/mappings-explorer/
Apache License 2.0
379 stars 64 forks source link

Not all of the finding types in AWS GuardDuty are currently mapped. #177

Open pengfei093 opened 1 year ago

pengfei093 commented 1 year ago

While AWS GuardDuty has 116 finding types, the current Mitre TTP mapping only covers 68 of them. To address this gap, I have created a spreadsheet for further analysis and welcome others to join and contribute. You can access the spreadsheet here: https://docs.google.com/spreadsheets/d/1zUkAopFpIEngz_u9qFfNy457vYPiVj73CMb_KRn81kA/edit#gid=0.

For reference, you can find the complete list of AWS GuardDuty finding types here: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html

tiffb commented 1 year ago

Hi pengfei093, Thank you for sharing your input and mappings with the Center towards expanding the current AWS to ATT&CK mapping repository. We’re always interested in providing additional resources to help the community make threat-informed decisions and appreciate your submission. We plan to review your contributions in relation to the project methodology and scoping decisions, in consideration for inclusion in the Center’s mapping repository.

pengfei093 commented 1 year ago

Hi Tiffany,

Thank you for taking the time to review my mappings. I have a question: Does Mitre have any open-source projects that can assist with this task? For instance, are there any existing tools or libraries that can automate this mapping process using NLP methods? If not, do you have plans to develop one in the future? I believe such an initiative would be valuable for the security field.

Thank you, Best regards, Peng Fei

On Wed, Mar 1, 2023 at 2:51 PM Tiffany Bergeron @.***> wrote:

Hi pengfei093, Thank you for sharing your input and mappings with the Center towards expanding the current AWS to ATT&CK mapping repository. We’re always interested in providing additional resources to help the community make threat-informed decisions and appreciate your submission. We plan to review your contributions in relation to the project methodology and scoping decisions, in consideration for inclusion in the Center’s mapping repository.

— Reply to this email directly, view it on GitHub https://github.com/center-for-threat-informed-defense/security-stack-mappings/issues/177#issuecomment-1450972977, or unsubscribe https://github.com/notifications/unsubscribe-auth/AUZKZNWICPWSBMHO3EMOZ5LWZ7HI3ANCNFSM6AAAAAAVLMWRQY . You are receiving this because you authored the thread.Message ID: <center-for-threat-informed-defense/security-stack-mappings/issues/177/1450972977 @github.com>

tiffb commented 1 year ago

While we certainly see the value in NLP, that is not in scope at this time. On the surface the Center's security capability mapping work may seem like a simple effort, but in reality the investment is not insignificant. The mapping work involves carefully analyzing the details of the each capability or control to determine the associated ATT&CK techniques in order to provide a curated knowledge base of mappings between them.