New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft Proposal for Threat Catalog and Control Catalog Taxonomy #153
base: main
Are you sure you want to change the base?
Conversation
|
e7a9700
to
7c5f2f1
Compare
Committer: Damien Burks <damien.burks@citi.com> Author: Damien Burks <damien.burks@citi.com>
@eddie-knight @rowan-baker @jonmuk @AdrianHammond @iMichaela - can you please add yourself as reviewers so we can keep the momentum on feedback. Please add anyone else that makes sense. The overview of the PR at the last all-hands call was well received with good positive feedback, but would like to keep momentum on the PR review so that we can start iterating on the respective threat and control catalogs and keep overall momentum in parallel to more formalisation on the WGs via the steerco Thanks! |
This may need to be captured elsewhere instead of blocking the PR... @robmoffat and I were brainstorming previously regarding the scope of work and the need to reuse existing material. With the values proposed here, how much do we anticipate we will be able to reuse tools from folks such as MITRE Engenuity? Relatedly, is there a way we can confirm that our structure is best suited to harness work that's already been done by the greater cybersecurity community? |
@@ -0,0 +1,5 @@ | |||
| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CF | MITRE ATT&CK Mitigations | Threats | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding the Test
column:
In our taxonomy work, @smendis-scottlogic and I proposed keeping taxonomy tests in a parallel gherkin file for each service.
I like the idea of keeping things simple in one place, but I'm not sure how well it reads in this format. Curious to hear feedback on whether Test
should be included here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding the NIST CF
column:
Do we anticipate that any controls will fall outside of the Protect
category?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an interesting question. On Detect
, I can see benefit in assessing the CSP's native threat detection capabilities (as well as basic audit logging of specific APIs) for a given service - e.g. data stores exposed outside of given data perimeters - here we'd also have the option of mapping to MITRE ATT&CK Data Sources
e.g. for Cloud Storage: https://attack.mitre.org/datasources/DS0010/
However...this would naturally be a lot more work...It feels like our priority should be on maturing our thinking on Protect
with more Protect
examples within and across the services and continuing to think/experiment on Detect
? Feels like an early decision for steerco too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Totally agree that the Test
values in Gherkin don't read well in that format. We can shift to a separate gherkin file as you suggest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @mlysaght2017 thanks for picking this up and driving
I like the idea of having top level info to help users navigate into CCC as I see the most common user entry point is going to be the cloud service taxonomy that is being consumed.
I just have a couple of comments / questions:
- Do we need all of this information here (objective, description and test) as this could become a maintenance overhead in the future? I think having just the Objective would be sufficient.
- Is Control id and Service Taxonomy always going to have a 1-2-1 relationship? If so should we use Service Taxonomy id as top level id?
- Should we take this opportunity to update the format of the Service taxonomy id to CCC-xx-nnnn where xx is 2 characters representing the service, like you have used in control id
Thanks @AdrianHammond
ML:
ML: I can see the Service Taxonomy having a 1-2-Many relationship with the Threats
ML: I think there's been a new issue created to standardize on this - will check, but either way will align asap. |
Thanks @eddie-knight - all great points!
Realise we've had a couple of discussions on the mappings MITRE Engenuity have done between ATT&CK and NIST 800-53 Rev 4... |
This PR is draft and is an initial proposal from Damien and myself on structure to a basic threat catalog and control catalog taxonomy in basic md format, with example mappings to the generic CCC object storage service as a starting point
The PR addresses some of the questions posed in #139 as well as #11 within #126