Map your mitigation coverage to a technique
- Updated Feb 1, 2024
- 3 minutes to read
- Washington DC
- Threat Intelligence
Map your mitigation coverage to a technique so that you can see how well your organization's overall mitigation strategy covers that technique.
Before you begin
- Role required: sn_ti.admin or sn_si.admin (write and delete access)
- Role required: sn_ti.read (read access)
About this task
Mitigations are the countermeasures that prevent an adversary from successfully executing techniques or sub-techniques against your organization. Each MITRE-ATT&CK technique is associated with mitigations that you can deploy to reduce the chance of that technique succeeding. The mitigation coverage gives you an overview of your organization's overall mitigation strategy. For example, when an adversary attacks your organization, you can see how much coverage you have against the techniques that the attacker uses.
The technique and mitigation information is populated automatically for all the collections and techniques that you have activated. The mitigation coverage definitions that you have defined are available for selection in the technique mitigation coverage.
Identify the mitigations that are relevant to your organization. For each relevant mitigation, record whether the mitigation strategy has been deployed, whether it is applied as part of your organization's SOC policy, whether your organization has preventive tools in place to block the attacker's technique, and which security controls your organization has deployed to minimize the risk. Populate the mitigation coverage (percentage) for each record.
After you map this information for each technique, the mitigation coverage calculator automatically populates the Calculated Technique Mitigation Coverage. Only technique mitigation mapping records that are active and marked as relevant to your organization are included in the calculation; inactive records and records marked as not relevant are ignored. The Overall Technique Mitigation Coverage (Calculated) is then populated by comparing the Calculated Technique Mitigation Coverage with your mitigation coverage definitions.
The customizations that you make to the coverage types, colors, or percentages are used in the mitigation coverage mapping and also in the heat map.
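The following is an added example that models the calculation described above; it is not ServiceNow's own code and does not use the platform API. The aggregation rule (the mean of the coverage percentages over active, relevant mapping records) is an assumption made for illustration, as are the coverage definition bands, the colors, and the sample mapping records. It shows which records the calculator ignores, how the calculated percentage is resolved to an overall coverage type, and how the same definitions drive a heat map cell.

```javascript
// Added example modelling the mitigation coverage calculator. Not ServiceNow
// code: the mean-of-percentages rule, the bands, the colors and the sample
// records below are assumptions constructed for illustration.

// Constructed coverage definitions: type, lower bound (inclusive), color.
const COVERAGE_DEFINITIONS = [
  { type: 'High',   minPercent: 75, color: '#2e7d32' },
  { type: 'Medium', minPercent: 40, color: '#f9a825' },
  { type: 'Low',    minPercent: 1,  color: '#ef6c00' },
  { type: 'None',   minPercent: 0,  color: '#c62828' },
];

// Only mapping records that are both active and relevant to the
// organization take part in the calculation.
function eligibleMappings(mappings) {
  return mappings.filter(m => m.active && m.relevant);
}

// Keep a coverage value inside 0..100; treat missing or non-numeric as 0.
function clampPercent(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;
  return Math.min(100, Math.max(0, n));
}

// Calculated Technique Mitigation Coverage (assumed rule: mean of the
// per-mitigation percentages over eligible records). Returns null when no
// record qualifies, so an unassessed technique is not reported as 0%.
function calculatedCoverage(mappings) {
  const eligible = eligibleMappings(mappings);
  if (eligible.length === 0) return null;
  const total = eligible.reduce((sum, m) => sum + clampPercent(m.coveragePercent), 0);
  return Math.round((total / eligible.length) * 100) / 100;
}

// Overall Technique Mitigation Coverage (Calculated): the coverage
// definition whose band contains the calculated percentage.
function overallCoverage(mappings, definitions = COVERAGE_DEFINITIONS) {
  const percent = calculatedCoverage(mappings);
  if (percent === null) return { percent: null, type: 'Not assessed', color: null };
  const sorted = [...definitions].sort((a, b) => b.minPercent - a.minPercent);
  const band = sorted.find(d => percent >= d.minPercent) || sorted[sorted.length - 1];
  return { percent, type: band.type, color: band.color };
}

// Heat map cell for a technique: the customized types and colors are reused.
function heatMapCell(techniqueId, mappings, definitions = COVERAGE_DEFINITIONS) {
  const result = overallCoverage(mappings, definitions);
  return { techniqueId, label: result.type, color: result.color, percent: result.percent };
}

// Constructed sample: technique mitigation mapping records for one technique.
const SAMPLE_MAPPINGS = [
  { mitigation: 'Multi-factor Authentication', active: true,  relevant: true,  deployed: true,  coveragePercent: 90 },
  { mitigation: 'Password Policies',           active: true,  relevant: true,  deployed: true,  coveragePercent: 60 },
  { mitigation: 'Network Segmentation',        active: true,  relevant: false, deployed: false, coveragePercent: 0 },   // not relevant: ignored
  { mitigation: 'User Account Management',     active: false, relevant: true,  deployed: false, coveragePercent: 100 }, // inactive: ignored
];

// (90 + 60) / 2 = 75, which falls in the 'High' band.
console.log(heatMapCell('T1110', SAMPLE_MAPPINGS));
```

Two records are excluded even though they carry coverage values, so the result reflects only what the organization has marked as applicable. Because the real aggregation rule is not stated on this page, treat the mean as a placeholder and compare against the Calculated Technique Mitigation Coverage on a record you have mapped yourself before relying on it.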
Procedure
Related Content
- Get started with MITRE-ATT&CK framework
Review the following information before you start setting up your MITRE-ATT&CK framework.
- Understand the MITRE to STIX data model
Review the terminology used by MITRE and STIX to efficiently use and understand the MITRE-ATT&CK framework in the ServiceNow AI Platform.
- Domain separation and MITRE-ATT&CK
This domain separation overview pertains to MITRE-ATT&CK. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
- Set up the MITRE-ATT&CK framework
Activate the MITRE-ATT&CK profile and set up a scheduled job that imports the MITRE-ATT&CK collections used for threat detection in your organization.
- Manage matrices
Manage the matrices that have been imported from the MITRE TAXII collections. Matrices are a collection of tactics and techniques. You can view the matrices to review if your collections are available in the MITRE-ATT&CK repository.
- Manage techniques
Manage the techniques that have been imported from the MITRE TAXII collections. Techniques describe the ways that adversaries achieve a given tactic. You can review and deactivate techniques that are not relevant to your organization. In STIX, techniques are known as attack patterns.
- Manage mitigations
Manage the mitigations that have been imported from the MITRE TAXII collections. Mitigations are the countermeasures that prevent an adversary from successfully executing techniques or sub-techniques against your organization. In STIX, mitigations are known as course-of-action objects.
- Manage groups
Manage the groups that have been imported from the MITRE TAXII collections. Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. In STIX, groups are known as intrusion sets.
- Manage malware
Manage the malware information that you imported from the MITRE TAXII collections. Malware is a type of TTP that represents malicious code: a program that is covertly inserted into a system with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS).
- Manage tools
Manage the tools information that you imported from the MITRE TAXII collections. Tools are legitimate software that threat actors use to perform attacks.
- Manage MITRE relationships
Manage the MITRE relationships information that you imported from the MITRE TAXII collections.
- Manage CVE and technique mapping
Manage the CVE and technique information that is mapped after you import the MITRE TAXII collections.
- Extend the MITRE-ATT&CK data
Extend the MITRE-ATT&CK repository data in the ServiceNow AI Platform by enriching it.
- Define the data source and detection tool mapping
Define the data source and detection tool mapping for MITRE-ATT&CK tactics and techniques. The data source mapping provides you with insight into the relevance and availability of the data sources and the detection tools for monitoring the data sources in your environment.
- Define the data source and data component mapping
Use the Data Component Mapping if you are using the latest TAXII collections and want to maintain the relationship between data sources, data components, and techniques. Mapping data components adds a sublayer of context to data sources that helps you understand adversary behaviors in MITRE-ATT&CK better.
- Define the technique detection coverage
Define the technique detection coverage levels that your organization uses to measure its ability to detect specific adversary techniques.
- Map your technique detection coverage to a technique
Map your overall technique detection coverage to a technique so that you can see how well your organization can detect that adversary technique.
- Define the mitigation coverage
Define the mitigation coverage for each mitigation that is associated with a technique so that you gain visibility into how well your organization can prevent the attacks that happen due to a particular technique.
- Create and map detection rules
Create detection rules and map them against the tactics and techniques. With this mapping, you can see the coverage for the detection rules in your organization.
- Auto-extract technique rules for importing MITRE-ATT&CK information
Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.
- Review threat group and MITRE-ATT&CK techniques mapping
Review the object-to-object relationship mapping between threat groups and techniques that is imported from the MITRE TAXII collections. This mapping enables you to view each threat group and the techniques mapped to it.
- Threat group to technique heatmap definition
Define the threat group to technique heatmap definition so that the heatmap shows the attack patterns that threat groups use against your organization. The more threat groups that are known to use a particular technique, the higher the probability of an attack that uses it.
- Review the MITRE-ATT&CK system properties
Review the MITRE-ATT&CK system property values.