Control Validation Compass is brought to you by a security practitioner and former consultant to enterprise security & intelligence teams. The Knowledge Center provides general resources to help teams get started with - or mature - their threat modeling, cyber threat intelligence, and control validation capabilities (many of which directly inspired & informed development of this tool!)
Tutorials
How to Use Control Validation Compass (Series)
Use Case Walkthroughs
Developing Red Team Tests with MITRE ATT&CK, Intelligence, and a Compass
Cyber Risk Modeling (Lite), Made Easy
CISA's "Top Malware" Report: Technique Overlap & Operational Resources
General Knowledge
Threat Modeling
Resistance Isn't Futile: A Practical Approach to Prioritizing Defenses
Using Threat Intelligence to Focus ATT&CK Activities
MITRE ATT&CK®
Getting Started with ATT&CK (Series)
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
Cyber Threat Intelligence (CTI)
Getting Started with ATT&CK: Threat Intelligence
Sourcing TTP-Focused Intelligence
Control Validation
Intelligence-Led Security Validation
Frequently Asked Questions (FAQ)
What is Control Validation Compass?
Control Validation Compass ("CVC") is an open source tool and dataset designed to speed the process of a) identifying security control gaps and b) closing those gaps by pointing teams to relevant detections. CVC promotes a control validation or "purple team" approach and mindset by also pointing teams to relevant offensive security tests, so they can immediately validate the effectiveness of new (or existing) controls.
Anticipated Uses
Intelligence Teams: CVC was built with intelligence teams in mind. These teams identify threats to the organizations they support, but often have less immediate visibility into their internal controls landscape (or may have little/no visibility into detection capabilities if using a managed service). CVC puts more resources and potential context directly into these teams' hands.
Defenders / Blue Teams: The Threat Alignment page provides a quick & easy way for any team to instantly identify potential gaps in control coverage that should be filled with new detections and then tested. If new detections must be created, each page of CVC points teams to many resources with potentially relevant logic.
Offensive Security / Red Teams: Red teams can use CVC to identify where control coverage may be lighter, and build simulation/emulation exercises around this knowledge. CVC's author used the tool to identify many cases where detection logic exists around a given technique but no offensive tests yet existed (publicly) - this led to quick development of new tests that were published in the resources below!
The CVC dataset could be analyzed at a higher level to see if commonalities or trends exist among techniques with the highest or lowest volumes of detections or tests, within certain ATT&CK Tactic categories, or for techniques visible through certain types of data sources.
Limitations
CVC simply points teams to relevant detections and tests - it does not centrally compile or host the detections/tests. The structure of the source repositories, and the ATT&CK-mapping formats they contain, differ widely. The details below offer guidance on how to surface detections/tests within each repository. Teams seeking faster navigation are highly encouraged to download the repositories locally and update them over time where relevant. Internal or non-public data/mappings/etc. could also be added for internal use.
Resources included in CVC provide "out-of-the-box" detection capabilities for the tools they cover. The detections activated by default will vary depending on the tool, and many teams may have added supplemental capabilities. CVC should not be considered a replacement for a more comprehensive, validated internal control "mapping" exercise, although it may serve as a great starting point.
The Lowest Level checkbox on the Controls Lookup and Threat Alignment / Risk pages refers to ATT&CK sub-techniques, and to ATT&CK techniques for which no sub-techniques exist. In contrast, T1001 is not considered a "lowest level" technique since it contains sub-techniques. This label was created to describe techniques that the author generally finds to have the highest amount of detail or granularity in their description. The label is not formalized within MITRE ATT&CK (or, to the author's knowledge, within the wider community).
Policy & Process Control Resources
This section was last updated in April 2022
MITRE ATT&CK Mitigations
URL: https://attack.mitre.org/mitigations/enterprise/
Repository last updated: November 2021
Last accessed by CVC: March 11, 2022
Overview: Per the link above, "Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed."
How to navigate: ATT&CK technique/sub-technique mappings can be surfaced by navigating into a particular mitigation's dedicated page.
NIST 800-53 Revision 5 Control Mappings
Repository last updated: January 2022
Last accessed by CVC: September 26, 2021
Overview: A comprehensive, community-sourced set of mappings of the NIST Special Publication (SP) 800-53 Revision 5 security and policy controls to MITRE ATT&CK v9.0.
How to navigate: Mappings between NIST controls and ATT&CK can be found in the linked json file or spreadsheet format here.
CIS Controls v8 ATT&CK Mappings
URL: https://www.cisecurity.org/controls/cis-controls-navigator/
Repository last updated: April 2021
Last accessed by CVC: September 25, 2021
Overview: Per the CIS site, "CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks".
How to navigate: Mappings to ATT&CK v8.2 can be surfaced by adding/checking the appropriate box in the linked Navigator tool (Add > Select MITRE Enterprise ATT&CK v8.2 > Apply Mappings).
MITRE D3FEND
URL: https://d3fend.mitre.org/tools/attack-mapper
Repository last updated: June 2021
Last accessed by CVC: April 1, 2022
Overview: MITRE D3FEND is a framework/knowledge base of encoded cybersecurity countermeasure components and capabilities.
How to navigate: Surface ATT&CK mappings by adding techniques/sub-techniques in the linked tool and running it.
MITRE Engage
URL: https://github.com/mitre/engage/blob/main/Data/json/attack_mapping.json
Repository last updated: February 2022
Last accessed by CVC: April 1, 2022
Overview: Per its website, MITRE Engage "is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals." The framework is organized into "Adversary Vulnerabilities" and defender "Engagement Activities", which are mapped to MITRE ATT&CK.
How to navigate: Mappings to Adversary Vulnerabilities (eav) and Engagement Activities (eac) are contained in the linked json file.
Technical Control / Detection Resources
This section was last updated in April 2022
Splunk
URL: https://github.com/splunk/security_content/tree/develop/detections
Repository last updated: March 2022
Last accessed by CVC: January 10, 2022
Overview: Splunk's "Security Content" repository containing a library of publicly accessible detection searches for Splunk SIEM. New detection searches are added regularly.
How to navigate: Navigate into each folder contained within the detections folder linked above to access Splunk searches saved individually in YAML format. ATT&CK technique mappings are contained in each YAML file's mitre_attack_id tag. A map of all the detections' ATT&CK technique tags can be found here.
ThreatHunting Splunk app
URL: https://github.com/olafhartong/ThreatHunting/blob/master/default/savedsearches.conf
Repository last updated: May 2019
Last accessed by CVC: January 10, 2022
Description: A Splunk app containing ATT&CK-focused dashboards and a series of Splunk searches mapped to ATT&CK. A map of the full set of searches can be found here.
Navigation: Each block of search query language within the page linked above begins with a header containing its ATT&CK mapping.
Elastic Stack
URL: https://github.com/elastic/detection-rules/tree/main/rules
Repository last updated: March 2022
Last accessed by CVC: January 16, 2022
Description: A repository of out-of-the-box detection rules for the Elastic Security capability. New rules are added regularly.
Navigation: The linked rules folder contains .toml files, each containing logic for an Elastic search. The searches are organized into sub-folders per platform (e.g. Windows, Linux). Rules mapped to ATT&CK techniques will contain ATT&CK identifiers under the rule.threat.technique and rule.threat.subtechnique tags.
EQL Analytics Library
URL: https://eqllib.readthedocs.io/en/latest/analytics.html
Repository last updated: February 2020
Last accessed by CVC: January 12, 2022
Description: A repository of event-based analytics written in Elastic Event Query Language (EQL).
Navigation: Surface rules by searching for ATT&CK techniques in the far-right column of the table on the page linked above.
Azure full stack mappings
URL: https://center-for-threat-informed-defense.github.io/security-stack-mappings/Azure/README.html
Repository last updated: June 2021
Last accessed by CVC: January 16, 2021
Description: A comprehensive, community-sourced set of mappings of the Microsoft Azure Infrastructure as a Service (IaaS) security controls to ATT&CK.
Navigation: Surface the mapped controls by searching on the linked page for MITRE ATT&CK identifiers of interest.
Sentinel detection mappings
URL: https://github.com/BlueTeamLabs/sentinel-attack/tree/master/detections
Repository last updated: November 2020
Last accessed by CVC: January 12, 2022
Description: A repository of Kusto detection rules provided by the third-party BlueTeamLabs.
Navigation: Surface mapped detections by searching the linked detections repository folder by MITRE ATT&CK identifier.
LogPoint
URL: https://docs.logpoint.com/docs/alert-rules/en/latest/MITRE.html
Repository last updated: February 2022
Last accessed by CVC: February 17, 2022
Description: A repository of analytics integrated into LogPoint SIEM.
Navigation: Surface mapped detection rule logic by searching the linked Analytics page by MITRE ATT&CK identifier.
Network Security Monitoring rule mappings
URL: https://github.com/0xtf/nsm-attack
Repository last updated: April 2020
Last accessed by CVC: January 16, 2022
Description: A repository of third-party mappings of the Proofpoint Emerging Threats library, a feed of Suricata/network security monitoring rules/signatures.
Navigation: Each folder in the linked nsm-attack repository is organized by and labeled with a relevant ATT&CK navigator.
Tanium Threat Response
URL: https://content.tanium.com/files/misc/ThreatResponse/ThreatResponse.html
Repository last updated: February 2022
Last accessed by CVC: January 16, 2022
Description: A repository of detection "signals" for the Tanium Threat Response endpoint security solution.
Navigation: The full library of detection signals can be downloaded at the link above. Each rule within the downloaded signals file contains mappings to MITRE ATT&CK identifiers.
AWS security control mappings
URL: https://center-for-threat-informed-defense.github.io/security-stack-mappings/AWS/README.html
Repository last updated: September 2021
Last accessed by CVC: January 16, 2022
Description: A comprehensive, community-sourced set of mappings of the Amazon Web Services (AWS) security controls to ATT&CK.
Navigation: Surface the mapped controls by searching on the linked page for MITRE ATT&CK identifiers of interest.
GCP Community Security Analytics
URL: https://github.com/GoogleCloudPlatform/security-analytics/tree/main/src
Repository last updated: March 2022
Last accessed by CVC: March 26, 2022
Description: A community-driven list of sample security analytics for detecting threats to data in Google Cloud Platform ("GCP").
Navigation: Analytics are stored in the linked src folder. ATT&CK mappings for the analytics can be found in the table here.
Cyber Analytics Repository
URL: https://github.com/mitre-attack/car/tree/master/analytics
Repository last updated: February 2022
Last accessed by CVC: January 17, 2022
Description: The Cyber Analytics Repository ("CAR") is a knowledge base of analytics published by MITRE. All analytics provide a generic "pseudocode"-format example, and many also have examples formatted for specific security tools and "unit test(s)" to test the detection logic.
Navigation: Each analytic in the linked analytics folder contains ATT&CK technique and/or subtechnique mappings under the coverage field.
Atomic Threat Coverage
Repository last updated: November 2020
Last accessed by CVC: January 17, 2022
Description: Atomic Threat Coverage ("ATC") is a framework/tool with a goal of enabling users to automatically generate knowledge bases of detection rules, tests, and supporting information, all mapped to MITRE ATT&CK. ATC's Github repository also provides a sizable library of actual detection rules.
Navigation: Files within the linked Detection_Rules folder contain mappings to relevant ATT&CK techniques. One quick way to surface relevant detections is by searching the analytics.csv file for ATT&CK identifiers of interest, then searching the linked Detection_Rules folder for the name of the relevant rule(s).
Sigma rules public repository
URL: https://github.com/SigmaHQ/sigma/tree/master/rules
Repository last updated: March 2022
Last accessed by CVC: January 17, 2022
Description: Sigma is a generic, open signature format for describing relevant log events. The rule format is designed to be applicable to any type of log file and can be automatically converted into specific query language formats used by a number of commercial security tools. The linked Github repository contains a large library of publicly accessible Sigma rules. It is updated frequently.
Navigation: Sigma rules in the linked rules folder that are mapped to ATT&CK will contain the relevant identifiers within the tags field. The sigma2attack Python script is a utility that can process all ATT&CK-mapped Sigma rules in the repository and produce an aggregated ATT&CK Navigator heatmap layer file.
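Teams that clone these repositories locally, as the Limitations section recommends, can surface the mappings without opening each file by hand. The Python script below is an added example; it is not part of CVC or of the Splunk, Sigma or Elastic projects. It reads the fields named in the entries above (the mitre_attack_id list in Splunk YAML, the attack.tXXXX entries in a Sigma tags list, and the id values under the rule.threat.technique and rule.threat.technique.subtechnique tables in Elastic TOML) with a line-oriented parser that needs no third-party library, builds a technique-to-rule index, and then applies the "Lowest Level" definition from the FAQ above to list uncovered techniques. The three rule files, the file paths and the technique catalogue are constructed samples; real files are handled by passing their text to the same functions.

```python
import re
from collections import defaultdict

# Constructed sample rule files in the layouts the three repositories use
# (sample content only, not rules from the projects themselves).
SPLUNK_RULE = """\
name: Example PowerShell Encoded Command (constructed)
tags:
  mitre_attack_id:
    - T1059.001
    - T1027
  product:
    - Splunk Enterprise Security
"""
SIGMA_RULE = """\
title: Example Suspicious Encoded Command (constructed)
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1027
detection:
    condition: selection
"""
ELASTIC_RULE = """\
[rule]
name = "Example Windows Service Creation (constructed)"
[[rule.threat]]
[rule.threat.tactic]
id = "TA0003"
[[rule.threat.technique]]
id = "T1543"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
"""
SAMPLE_RULES = [  # (path, format, text); paths are constructed
    ("sigma/proc_creation_win_example.yml", "sigma", SIGMA_RULE),
    ("splunk/example_encoded_command.yml", "splunk", SPLUNK_RULE),
    ("elastic/windows/persistence_example_service.toml", "elastic", ELASTIC_RULE),
]
# Constructed subset of ATT&CK ids standing in for the full technique catalogue.
SAMPLE_CATALOGUE = ["T1001", "T1001.001", "T1001.002", "T1059", "T1059.001",
                    "T1059.003", "T1190", "T1203", "T1543", "T1543.003"]

TECH = r"T\d{4}(?:\.\d{3})?"   # technique or sub-technique id


def ids_from_sigma(text):
    """Sigma: ids appear in the tags list as 'attack.t1059.001' (lower case)."""
    found = []
    for line in text.splitlines():
        m = re.match(rf"^\s*-\s*attack\.({TECH})\s*$", line, re.IGNORECASE)
        if m:
            found.append(m.group(1).upper())
    return found


def ids_from_splunk(text):
    """Splunk security_content: ids are the list items under the mitre_attack_id key."""
    found, capturing = [], False
    for line in text.splitlines():
        if line.strip() == "mitre_attack_id:":
            capturing = True
            continue
        item = re.match(rf"^\s*-\s*({TECH})\s*$", line) if capturing else None
        if item:
            found.append(item.group(1))
        else:
            capturing = False        # a different key was reached: the list ended
    return found


def ids_from_elastic(text):
    """Elastic detection-rules TOML: 'id' inside the [[rule.threat.technique]] and
    [[rule.threat.technique.subtechnique]] tables. Line-oriented on purpose so no
    TOML library is needed; tomllib (Python 3.11+) is the robust alternative."""
    wanted = {"[[rule.threat.technique]]", "[[rule.threat.technique.subtechnique]]"}
    found, in_technique = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):             # any table header changes the context
            in_technique = s in wanted
            continue
        m = re.match(rf'^id\s*=\s*"({TECH})"$', s)
        if in_technique and m:            # TA0003 under [rule.threat.tactic] is skipped
            found.append(m.group(1))
    return found


PARSERS = {"sigma": ids_from_sigma, "splunk": ids_from_splunk, "elastic": ids_from_elastic}


def build_index(rules):
    """rules: iterable of (path, format, text) -> {technique_id: [path, ...]}."""
    index = defaultdict(set)
    for path, fmt, text in rules:
        for tid in PARSERS[fmt](text):
            index[tid].add(path)
    return {tid: sorted(paths) for tid, paths in index.items()}


def lowest_level(catalogue):
    """CVC's 'Lowest Level': every sub-technique, plus every technique with no
    sub-technique in the catalogue (T1001 is excluded, T1001.001 is included)."""
    ids = set(catalogue)
    parents_with_subs = {t.split(".")[0] for t in ids if "." in t}
    return sorted(t for t in ids if "." in t or t not in parents_with_subs)


def coverage_gaps(catalogue, index):
    """Lowest-level techniques with no rule mapped to them exactly. A rule mapped
    only to a parent (e.g. T1543) is not counted as covering its sub-techniques."""
    return [t for t in lowest_level(catalogue) if t not in index]


if __name__ == "__main__":
    idx = build_index(SAMPLE_RULES)
    for tid, paths in sorted(idx.items()):
        print(tid, "->", ", ".join(paths))
    print("uncovered lowest-level techniques:", coverage_gaps(SAMPLE_CATALOGUE, idx))
```

Against a local clone, the same index is produced by walking the three rules folders and feeding each file's text to build_index with the matching format label; the coverage_gaps result is the list of lowest-level techniques that still need a detection, which is the starting point the Threat Alignment page description above asks for.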
ThreatHunter Playbook
URL: https://github.com/OTRF/ThreatHunter-Playbook/tree/master/docs/notebooks/windows
Repository last updated: February 2022
Last accessed by CVC: January 18, 2022
Description: Threat Hunter Playbook is a community-driven, open source project with a goal of making detection development more efficient. It contains a repository of detection logic aligned with MITRE ATT&CK.
Navigation: Files containing detection logic are arranged according to MITRE ATT&CK Tactic in the linked windows folder. Mappings of the files to ATT&CK techniques can be found in the embedded ATT&CK Navigator here.
Offensive Security / Red Team Testing Resources
This section was last updated in April 2022
Atomic Red Team
URL: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
Repository last updated: March 2022
Last accessed by CVC: January 18, 2022
Description: Atomic Red Team is an open source and community-developed library of tests mapped to MITRE ATT&CK. The repository of tests is updated frequently.
Navigation: All tests are organized according to ATT&CK techniques and subtechniques in the linked atomics folder.
Cyber Analytics Repository
URL: https://github.com/mitre-attack/car/tree/master/analytics
Repository last updated: February 2022
Last accessed by CVC: January 17, 2022
Description: The Cyber Analytics Repository ("CAR") is a knowledge base of analytics published by MITRE. All analytics provide a generic "pseudocode"-format example, and many also have examples formatted for specific security tools and "unit test(s)" to test the detection logic.
Navigation: Each item in the linked analytics folder, which contains detection logic as well as unit test(s), contains ATT&CK technique and/or subtechnique mappings under the coverage field.
Red Team Automation
URL: https://github.com/endgameinc/RTA/tree/master/red_ttp
Repository last updated: August 2018
Last accessed by CVC: January 18, 2022
Description: Red Team Automation provides a series of Python scripts designed to simulate actual adversary TTPs.
Navigation: Scripts contained in the linked red_ttp folder contain mappings to ATT&CK. A mapping of the overall repository can be found in the attack-navigator-coverage.json file.
Prelude Community TTPs
URL: https://github.com/preludeorg/community/tree/master/ttps
Repository last updated: March 2022
Last accessed by CVC: January 18, 2022
Description: This repository contains files for publicly-accessible, open source "Community" TTPs intended for use with the Prelude Operator automated offensive security and training platform. The repository is updated regularly.
Navigation: TTP files in the linked ttps folder are organized by MITRE ATT&CK Tactic. Each TTP contains an ATT&CK technique or subtechnique mapping within the technique field of the YAML file.
CALDERA Stockpile
URL: https://github.com/mitre/stockpile/tree/master/data/abilities
Repository last updated: March 2022
Last accessed by CVC: January 18, 2022
Description: This repository contains TTPs, as well as adversary profiles, intended for use with the Stockpile plugin for the MITRE CALDERA automated adversary emulation platform.
Navigation: TTP files in the linked abilities folder are organized by MITRE ATT&CK Tactic. Each TTP contains an ATT&CK technique or subtechnique mapping within the technique field of the YAML file.
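The Anticipated Uses section describes the author using CVC to find techniques that have detection logic but no public test. The Python script below is an added example of that cross-check; it is not code from CVC, Atomic Red Team, Prelude or CALDERA. It pulls technique identifiers from the attack_technique key of an Atomic Red Team test file and from the technique field of ability YAML, handling both the nested technique/attack_id layout used by CALDERA Stockpile and a scalar technique value (the scalar layout is assumed here for Prelude community TTPs), then compares the resulting test index against a detection index. All file contents, file paths and the detection index are constructed samples; a detection index built from real rule repositories would be passed in the same shape.

```python
import re

TECH = r"T\d{4}(?:\.\d{3})?"   # technique or sub-technique id

# Constructed sample test files (not files from the projects themselves).
# Atomic Red Team: atomics/<technique>/<technique>.yaml carries an attack_technique key.
ATOMIC_FILE = """\
attack_technique: T1059.001
display_name: 'Command and Scripting Interpreter: PowerShell'
atomic_tests:
- name: Example encoded command (constructed)
  executor:
    name: powershell
"""
# CALDERA Stockpile ability: technique is a mapping holding attack_id and name.
CALDERA_FILE = """\
- id: 00000000-0000-4000-8000-000000000001
  name: Example system information discovery (constructed)
  tactic: discovery
  technique:
    attack_id: T1082
    name: System Information Discovery
"""
# Prelude community TTP: assumed here to carry the id as a scalar technique value.
PRELUDE_FILE = """\
id: 00000000-0000-4000-8000-000000000002
name: Example network configuration discovery (constructed)
tactic: discovery
technique: T1016
"""
SAMPLE_TESTS = [  # (path, format, text); paths are constructed
    ("atomics/T1059.001/T1059.001.yaml", "atomic", ATOMIC_FILE),
    ("data/abilities/discovery/example.yml", "ability", CALDERA_FILE),
    ("ttps/discovery/example.yml", "ability", PRELUDE_FILE),
]
# Constructed detection index: technique id -> number of detection rules mapped to it.
DETECTIONS = {"T1059.001": 2, "T1543.003": 1, "T1082": 1}


def ids_from_atomic(text):
    """Atomic Red Team: the top-level attack_technique key names the (sub-)technique."""
    return re.findall(rf"^attack_technique:\s*({TECH})\s*$", text, re.MULTILINE)


def ids_from_ability(text):
    """Prelude / CALDERA YAML: either 'technique: T1082' as a scalar, or a nested
    'technique:' mapping whose attack_id holds the id (Stockpile layout)."""
    found, in_technique = [], False
    for line in text.splitlines():
        scalar = re.match(rf"^\s*-?\s*technique:\s*({TECH})\s*$", line)
        if scalar:
            found.append(scalar.group(1))
            continue
        if re.match(r"^\s*-?\s*technique:\s*$", line):
            in_technique = True          # nested layout: the id is on a following line
            continue
        nested = re.match(rf"^\s*attack_id:\s*({TECH})\s*$", line)
        if in_technique and nested:
            found.append(nested.group(1))
            in_technique = False
    return found


def index_tests(files):
    """files: iterable of (path, format, text) -> {technique_id: [path, ...]}."""
    parsers = {"atomic": ids_from_atomic, "ability": ids_from_ability}
    index = {}
    for path, fmt, text in files:
        for tid in parsers[fmt](text):
            index.setdefault(tid, []).append(path)
    return {tid: sorted(paths) for tid, paths in index.items()}


def purple_gaps(detections, tests):
    """Techniques with detections but no test are candidates for new tests;
    techniques with tests but no detection are control gaps to close first."""
    return {
        "detected_untested": sorted(t for t in detections if t not in tests),
        "tested_undetected": sorted(t for t in tests if t not in detections),
    }


if __name__ == "__main__":
    tests = index_tests(SAMPLE_TESTS)
    for tid, paths in sorted(tests.items()):
        print(tid, "->", ", ".join(paths))
    print(purple_gaps(DETECTIONS, tests))
```

Both lists are computed on exact identifiers: a test mapped to a parent technique and a detection mapped to one of its sub-techniques will show up in both lists rather than being matched, which is the conservative reading for a purple team deciding what to validate next.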
Scythe
URL: https://github.com/scythe-io/community-threats
Repository last updated: March 2022
Last accessed by CVC: February 16, 2022
Description: The Community Threats Library contains publicly-accessible, open source files outlining "attack chains", each of which contains multiple discrete simulations of adversary TTPs. The chains are intended for use in the SCYTHE adversary emulation platform. The repository is updated regularly.
Navigation: Attack chains are organized by adversary in the linked community-threats repository. Where relevant, ATT&CK mappings are provided in the rtags field of the attack chain's json file (usually in the format [ADVERSARY]_scythe_threat.json).