Control Validation Compass

Pointing cybersecurity teams to 9,000+ publicly-accessible technical and policy controls and 2,100+ offensive security tests, aligned with over 500 common attacker techniques


Big updates have landed for the Resources section! Select resources now point directly to the latest detection rules, tests, or control mappings, and more updates are coming soon. Jump directly into the new content by browsing the new Resources folder.

This page was last updated in April 2022

What is Control Validation Compass?

Control Validation Compass ("CVC") is an open source tool and dataset designed to speed the process of a) identifying security control gaps and b) closing those gaps by pointing teams to relevant detections. CVC promotes a control validation or "purple team" approach and mindset by also pointing teams to relevant offensive security tests, so they can immediately validate the effectiveness of new (or existing) controls.

Anticipated Uses

Intelligence Teams: CVC was built with intelligence teams in mind. These teams identify threats to the organizations they support, but often have less immediate visibility into their internal controls landscape (or may have little/no visibility into detection capabilities if using a managed service). CVC puts more resources and potential context directly into these teams' hands.

Defenders / Blue Teams: The Threat Alignment page provides a quick & easy way for any team to instantly identify potential gaps in control coverage that should be filled with new detections and then tested. If new detections must be created, each page of CVC points teams to many resources with potentially relevant logic.

Offensive Security / Red Teams: Red teams can use CVC to identify where control coverage may be lighter, and build simulation/emulation exercises around this knowledge. CVC's author used the tool to identify many cases where detection logic exists around a given technique, yet no offensive tests exist yet (publicly) - this led to quick new development of tests that were published in the resources below!

The CVC dataset could be analyzed at a higher level to see if commonalities or trends exist among techniques with the highest or lowest volumes of detections or tests, within certain ATT&CK Tactic categories, or for techniques visible through certain types of data sources.

Limitations

CVC simply points teams to relevant detections and tests - it does not centrally compile or host the detections/tests. The structure of and ATT&CK-mapping formats contained within the source repositories differ widely. The details below offer guidance on how to surface detections/tests within each repository. Teams seeking faster navigation are highly encouraged to download the repositories locally and update them over time where relevant. Internal- or non-public data/mappings/etc could also be added for internal use.

Resources included in CVC provide "out-of-the-box" detection capabilities for the tools they cover. The detections activated by default will vary depending on the tool, and many teams may have added supplemental capabilities. CVC should not be considered a replacement for a more comprehensive, validated internal control "mapping" exercise, although it may serve as a great starting point.


The Lowest Level checkbox on the Lookup by Controls and Threat Alignment pages refers to ATT&CK sub-techniques, and to ATT&CK techniques for which no sub-techniques exist. In contrast, T1001 is not considered a "lowest level" technique since it contains sub-techniques. This label was created to describe techniques that the author generally finds to have the highest amount of detail or granularity in their description. The label is not formalized within MITRE ATT&CK (or, to the author's knowledge, within the wider community).

Policy & Process Control Resources

MITRE ATT&CK Mitigations

URL: https://attack.mitre.org/mitigations/enterprise/

Repository last updated: November 2021

Last accessed by CVC: March 11, 2022

Overview: Per the link above, "Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed."

How to navigate: ATT&CK technique/sub-technique mappings can be surfaced by navigating into a particular mitigation's dedicated page.

NIST 800-53 Revision 5 Control Mappings

URL: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings/blob/main/frameworks/attack_9_0/nist800_53_r5/layers/nist800-53-r5-overview.json

Repository last updated: January 2022

Last accessed by CVC: September 26, 2021

Overview: A comprehensive, community-sourced set of mappings of the NIST Special Publication (SP) 800-53 Revision 5 security and policy controls to MITRE ATT&CK v9.0.

How to navigate: Mappings between NIST controls and ATT&CK can be found in the linked json file or spreadsheet format here.

CIS Controls v8 ATT&CK Mappings

URL: https://www.cisecurity.org/controls/cis-controls-navigator/

Repository last updated: April 2021

Last accessed by CVC: September 25, 2021

Overview: Per the CIS site, "CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks".

How to navigate: Mappings to ATT&CK v8.2 can be surfaced by adding/checking the appropriate box in the linked Navigator tool (Add > Select MITRE Enterprise ATT&CK v8.2 > Apply Mappings).

MITRE D3FEND

URL: https://d3fend.mitre.org/tools/attack-mapper

Repository last updated: June 2021

Last accessed by CVC: April 1, 2022

Overview: MITRE D3FEND is a framework/knowledge base of encoded cybersecurity countermeasure components and capabilities.

How to navigate: Surface ATT&CK mappings by adding techniques/sub-techniques in the linked tool and running it.

MITRE Engage

URL: https://github.com/mitre/engage/blob/main/Data/json/attack_mapping.json

Repository last updated: February 2022

Last accessed by CVC: April 1, 2022

Overview: Per its website, MITRE Engage "is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals." The framework is organized into "Adversary Vulnerabilities" and defender "Engagement Activities", which are mapped to MITRE ATT&CK.

How to navigate: Mappings to Adversary Vulnerabilities (eav) and Engagement Activities (eac) are contained in the linked json file.

Detection & Test Resources

Splunk

URL: https://github.com/splunk/security_content/tree/develop/detections

Repository last updated: March 2022

Last accessed by CVC: January 10, 2022

Overview: Splunk's "Security Content" repository containing a library of publicly accessible detection searches for Splunk SIEM. New detection searches are added regularly.

How to navigate: Navigate into each folder contained within the detections folder linked above to access Splunk searches saved individually in YAML format. ATT&CK technique mappings are contained in each YAML file's mitre_attack_id tag. A map of all the detections' ATT&CK technique tags can be found here.

ThreatHunting Splunk app

URL: https://github.com/olafhartong/ThreatHunting/blob/master/default/savedsearches.conf

Repository last updated: May 2019

Last accessed by CVC: January 10, 2022

Description: A Splunk app containing ATT&CK-focused dashboards and a series of Splunk searches mapped to ATT&CK. A map of the full set of searches can be found here.

Navigation: Each block of search query language within the page linked above begins with a header containing its ATT&CK mapping.

Elastic Stack

URL: https://github.com/elastic/detection-rules/tree/main/rules

Repository last updated: March 2022

Last accessed by CVC: January 16, 2022

Description: A repository of out-of-the-box detection rules for the Elastic Security capability. New rules are added regularly.

Navigation: The linked rules folder contains .toml files, each containing logic for an Elastic search. The searches are organized into sub-folders per platform (e.g. Windows, Linux, etc). Rules mapped to ATT&CK techniques will contain ATT&CK identifiers under the rule.threat.technique and rule.threat.subtechnique tags.

EQL Analytics Library

URL: https://eqllib.readthedocs.io/en/latest/analytics.html

Repository last updated: February 2020

Last accessed by CVC: January 12, 2022

Description: A repository of event-based analytics written in Elastic Event Query Language (EQL).

Navigation: Surface rules by searching for ATT&CK techniques in the far-right column of the table on the page linked above.

Azure full stack mappings

URL: https://center-for-threat-informed-defense.github.io/security-stack-mappings/Azure/README.html

Repository last updated: June 2021

Last accessed by CVC: January 16, 2021

Description: A comprehensive, community-sourced set of mappings of the Microsoft Azure Infrastructure as a Services security controls to ATT&CK.

Navigation: Surface the mapped controls by searching on the linked page for MITRE ATT&CK identifiers of interest.

Sentinel detection mappings

URL: https://github.com/BlueTeamLabs/sentinel-attack/tree/master/detections

Repository last updated: November 2020

Last accessed by CVC: January 12, 2022

Description: A repository of Kusto detection rules provided by the third-party BlueTeamLabs.

Navigation: Surface mapped detections by searching the linked detections repository folder by MITRE ATT&CK identifier.

LogPoint

URL: https://docs.logpoint.com/docs/alert-rules/en/latest/MITRE.html

Repository last updated: February 2022

Last accessed by CVC: February 17, 2022

Description: A repository of analytics integrated into LogPoint SIEM.

Navigation: Surface mapped detection rule logic by searching the linked Analytics page by MITRE ATT&CK identifier.

Network Security Monitoring rule mappings

URL: https://github.com/0xtf/nsm-attack

Repository last updated: April 2020

Last accessed by CVC: January 16, 2022

Description: A repository of third-party mappings of the Proofpoint Emerging Threats library, a feed of Suricata/network security monitoring rules/signatures.

Navigation: Each folder in the linked nsm-attack respository is organized by and labeled with a relevant ATT&CK navigator.

Tanium Threat Response

URL: https://content.tanium.com/files/misc/ThreatResponse/ThreatResponse.html

Repository last updated: February 2022

Last accessed by CVC: January 16, 2022

Description: A repository of detection "signals" for the Tanium Threat Response endpoint security solution.

Navigation: The full library of detection signals can be downloaded at the link above. Each rule within the downloaded signals file contains mappings to MITRE ATT&CK identifiers.

AWS security control mappings

URL: https://center-for-threat-informed-defense.github.io/security-stack-mappings/AWS/README.html

Repository last updated: September 2021

Last accessed by CVC: January 16, 2022

Description: A comprehensive, community-sourced set of mappings of the Amazon Web Services (AWS) security controls to ATT&CK.

Navigation: Surface the mapped controls by searching on the linked page for MITRE ATT&CK identifiers of interest.

GCP Community Security Analytics

URL: https://github.com/GoogleCloudPlatform/security-analytics/tree/main/src

Repository last updated: March 2022

Last accessed by CVC: March 26, 2022

Description: A community-driven list of sample security analytics for detecting threats to data in Google Cloud Platform ("GCP").

Navigation: Analytics are stored in the linked src folder. ATT&CK mappings for the analytics can be found in the table here.

Cyber Analytics Repository

URL: https://github.com/mitre-attack/car/tree/master/analytics

Repository last updated: February 2022

Last accessed by CVC: January 17, 2022

Description: The Cyber Analytics Repository ("CAR") is a knowledge base of analytics published by MITRE. All analytics provide a generic "pseudocode"-format example, and many also have examples formatted for specific security tools and "unit test(s)" to test the detection logic.

Navigation: Each analytic in the linked analytics folder contains ATT&CK technique and/or subtechnique mappings under the coverage field.

Atomic Threat Coverage

URL: https://github.com/atc-project/atomic-threat-coverage/tree/master/Atomic_Threat_Coverage/Detection_Rules

Repository last updated: November 2020

Last accessed by CVC: January 17, 2022

Description: Atomic Threat Coverage ("ATC") is a framework/tool with a goal of enabling users to automatically generate knowledge bases of detection rules, tests, and supporting information, all mapped to MITRE ATT&CK. ATC's Github repository also provides a sizable library of actual detection rules.

Navigation: Files within the linked Detection_Rules folder contain mappings to relevant ATT&CK techniques. One quick way to surface relevant detections is by searching the analytics.csv file for ATT&CK identifiers of interest, then searching the linked Detection_Rules folder for the name of the relevant rule(s).

Sigma rules public repository

URL: https://github.com/SigmaHQ/sigma/tree/master/rules

Repository last updated: March 2022

Last accessed by CVC: January 17, 2022

Description: Sigma is a generic, open signature format for describing relevant log events. The rule format is designed to be applicable to any type of log file and can be automatically converted into specific query language formats used by a number of commercial security tools. The linked Github repository contains a large library of publicly accessible Sigma rules. It is updated frequently.

Navigation: Sigma rules in the linked rules folder that are mapped to ATT&CK will contain the relevant identifiers within the tags field. The sigma2attack python script is a utility that can process all ATT&CK-mapped Sigma rules in the repository and produce an aggregated ATT&CK Navigator heatmap layer file.

ThreatHunter Playbook

URL: https://github.com/OTRF/ThreatHunter-Playbook/tree/master/docs/notebooks/windows

Repository last updated: February 2022

Last accessed by CVC: January 18, 2022

Description: Threat Hunter Playbook is a community-driven, open source project with a goal of making detection development more efficient. It contains a repository of detection logic aligned with MITRE ATT&CK.

Navigation: Files containing detection logic are arranged according to MITRE ATT&CK Tactic in the linked windows folder. Mappings of the files to ATT&CK techniques can be found in the embedded ATT&CK Navigator here.

Atomic Red Team

URL: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics

Repository last updated: March 2022

Last accessed by CVC: January 18, 2022

Description: Atomic Red Team is an open source and community-developed library of tests mapped to MITRE ATT&CK. The repository of tests is updated frequently.

Navigation: All tests are organized according to ATT&CK techniques and subtechniques in the linked atomics folder.

Cyber Analytics Repository

URL: https://github.com/mitre-attack/car/tree/master/analytics

Repository last updated: February 2022

Last accessed by CVC: January 17, 2022

Description: The Cyber Analytics Repository ("CAR") is a knowledge base of analytics published by MITRE. All analytics provide a generic "pseudocode"-format example, and many also have examples formatted for specific security tools and "unit test(s)" to test the detection logic.

Navigation: Each item in the linked analytics folder, which contain detection logic as well as unit test(s), contains ATT&CK technique and/or subtechnique mappings under the coverage field.

Red Team Automation

URL: https://github.com/endgameinc/RTA/tree/master/red_ttp

Repository last updated: August 2018

Last accessed by CVC: January 18, 2022

Description: Red Team Automation provides a series of Python scripts designed to simulate actual adversary TTPs.

Navigation: Scripts contained in the linked red_ttp folder contain mappings to ATT&CK. A mapping of the overall repository can be found in the attack-navigator-coverage.json file.

Prelude Community TTPs

URL: https://github.com/preludeorg/community/tree/master/ttps

Repository last updated: March 2022

Last accessed by CVC: January 18, 2022

Description: This repository contains files for publicly-accessible, open source "Community" TTPs intended for use with the Prelude Operator automated offensive security and training platform. The repository is updated regularly.

Navigation: TTP files in the linked ttps folder are organized by MITRE ATT&CK Tactic. Each TTP contains an ATT&CK technique or subtechnique mapping within the technique field of the YAML file.

CALDERA Stockpile

URL: https://github.com/mitre/stockpile/tree/master/data/abilities

Repository last updated: March 2022

Last accessed by CVC: January 18, 2022

Description: This repository contains TTPs, as well as adversary profiles, intended for use with the Stockpile plugin for the MITRE CALDERA automated adversary emulation platform.

Navigation: TTP files in the linked abilities folder are organized by MITRE ATT&CK Tactic. Each TTP contains an ATT&CK technique or subtechnique mapping within the technique field of the YAML file.

Scythe

URL: https://github.com/scythe-io/community-threats

Repository last updated: March 2022

Last accessed by CVC: February 16, 2022

Description: The Community Threats Library contains publicly-accessible, open source files outlining "attack chains", each of which contain multiple discrete simulations of adversary TTPs. The chains are intended for use in the SCYTHE adversary emulation platform. The repository is updated regularly.

Navigation: Attack chains are organized by adversary in the linked community-threats repository. Where relevant, ATT&CK mappings are provided in the rtags field of the attack chain's json file (usually in the format [ADVERSARY]_scythe_threat.json.