GitHub: cyberzeshan/mitre-attack-grc-mapping
A reference knowledge base that systematically maps MITRE ATT&CK techniques to mainstream GRC frameworks (NIST 800-53, ISO 27001, CIS v8, SOC 2), bridging threat intelligence and compliance governance.
Stars: 0 | Forks: 0
# 🗺️ MITRE ATT&CK → GRC Control Mapping

**A complete mapping of MITRE ATT&CK Enterprise v15 techniques to NIST SP 800-53 Rev 5, ISO 27001:2022 Annex A, CIS Controls v8 and SOC 2 TSC, with detection guidance, data sources and GRC control recommendations.**
## 📖 Overview
The gap between **threat intelligence** and **governance frameworks** is exactly where security programs fail. GRC practitioners know their controls; threat intelligence teams know the adversary. This mapping project bridges the two.
For each major ATT&CK technique, this repository provides:
- The **GRC controls** (NIST, ISO, CIS, SOC 2) that cover the technique
- The **data sources and detection methods** that need to be implemented
- ATT&CK-recommended **mitigations**, mapped to concrete control implementations
- **Risk-scoring guidance** for each technique, based on prevalence and impact
## 📂 Repository Structure
```
mitre-attack-grc-mapping/
│
├── mappings/
│   ├── initial-access-mapping.md          # TA0001 — Phishing, supply chain, external services
│   ├── persistence-mapping.md             # TA0003 — Scheduled tasks, registry, boot persistence
│   ├── privilege-escalation-mapping.md    # TA0004 — Token manipulation, abuse elevation
│   ├── defense-evasion-mapping.md         # TA0005 — Log clearing, masquerading, obfuscation
│   ├── credential-access-mapping.md       # TA0006 — Credential dumping, brute force, keylogging
│   ├── lateral-movement-mapping.md        # TA0008 — Pass the hash, RDP, internal spearphishing
│   ├── exfiltration-mapping.md            # TA0010 — Exfil over C2, web service, physical medium
│   └── impact-mapping.md                  # TA0040 — Ransomware, data destruction, defacement
│
├── by-framework/
│   ├── nist-800-53-to-attck.md            # NIST control → ATT&CK techniques it mitigates
│   ├── iso27001-annex-a-to-attck.md       # ISO Annex A control → ATT&CK coverage
│   ├── cis-v8-to-attck.md                 # CIS Control → ATT&CK coverage gaps
│   └── soc2-tsc-to-attck.md               # SOC 2 TSC → ATT&CK technique coverage
│
├── risk-scoring/
│   ├── technique-risk-ratings.md          # Prevalence + impact scoring for top techniques
│   └── control-gap-analysis.md            # Where your controls leave ATT&CK coverage gaps
│
└── use-cases/
    ├── purple-team-grc-alignment.md       # How to use this for purple team exercises
    ├── soc-detection-coverage.md          # Mapping SOC detections to GRC controls
    └── ransomware-defense-mapping.md      # Full ransomware kill-chain → control mapping
```
## 🗺️ Master Mapping Table — Key ATT&CK Techniques (ordered by prevalence)
| ATT&CK ID | Technique | Tactic | Prevalence | NIST SP 800-53 Controls | ISO 27001 Annex A | CIS Controls v8 | SOC 2 TSC | Detection Sources |
|:---|:---|:---|:---:|:---|:---|:---|:---|:---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | 🔴 Critical | SI-8, AT-2, SC-7 | A.6.3, A.8.23 | CIS 9, 14 | CC6.1, CC2.2 | Email gateway logs, sandbox detonation |
| T1078 | Valid Accounts | Initial Access / Persistence | 🔴 Critical | AC-2, AC-3, IA-5 | A.5.15–5.18 | CIS 5, 6 | CC6.1, CC6.2 | Authentication logs, UEBA |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Execution | 🔴 Critical | CM-7, SI-3, AU-12 | A.8.19, A.8.15 | CIS 4, 8 | CC7.2 | PowerShell logs (4103/4104), EDR |
| T1055 | Process Injection | Defense Evasion / Privilege Escalation | 🟠 High | SI-3, CM-7, SC-39 | A.8.8, A.8.19 | CIS 10, 13 | CC7.2 | EDR process telemetry, memory analysis |
| T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access | 🔴 Critical | IA-5, SC-28, AC-6 | A.5.17, A.8.5 | CIS 5.4, 13 | CC6.1 | EDR, Windows events 4656/4663 |
| T1021.001 | Remote Desktop Protocol | Lateral Movement | 🟠 High | AC-17, SC-7, CM-7 | A.6.7, A.8.20 | CIS 4.5, 12 | CC6.6 | Network traffic, RDP authentication logs |
| T1486 | Data Encrypted for Impact (ransomware) | Impact | 🔴 Critical | CP-9, SC-28, IR-4 | A.5.29, A.8.13 | CIS 11, 17 | CC7.5, A1.2 | File system monitoring, EDR, backup integrity |
| T1190 | Exploit Public-Facing Application | Initial Access | 🟠 High | RA-5, SI-2, CM-7 | A.8.8, A.8.25 | CIS 7 | CC7.1 | WAF logs, vulnerability scanners, IDS |
| T1110 | Brute Force | Credential Access | 🟡 Medium | AC-7, IA-5, AU-6 | A.5.17, A.8.5 | CIS 5.2, 6 | CC6.1 | Authentication failure logs, SIEM alerts |
| T1071.001 | Application Layer Protocol: Web Protocols (C2) | Command and Control | 🟠 High | SC-7, SC-44, SI-4 | A.8.20, A.8.22 | CIS 12, 13 | CC7.2 | Proxy logs, DNS logs, NTA/NDR |
| T1027 | Obfuscated Files or Information | Defense Evasion | 🟡 Medium | SI-3, CM-7, AU-12 | A.8.19, A.8.15 | CIS 10 | CC7.2 | EDR, script block logging |
| T1053.005 | Scheduled Task/Job | Persistence | 🟡 Medium | CM-7, AU-12, SI-7 | A.8.19, A.8.15 | CIS 4, 8 | CC6.1, CC7.2 | Windows events 4698/4702, EDR |
| T1136 | Create Account | Persistence | 🟡 Medium | AC-2, AU-9, IA-2 | A.5.16, A.5.18 | CIS 5, 6 | CC6.2 | Directory change logs, SIEM |
| T1562.001 | Impair Defenses: Disable Security Tools | Defense Evasion | 🟠 High | AU-9, CM-7, SI-3 | A.8.19, A.8.15 | CIS 10 | CC7.2 | Security tool health monitoring, EDR |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | 🟠 High | SC-7, SC-44, DM policy | A.5.14, A.8.20 | CIS 12, 13 | CC6.7, CC7.2 | NDR, DLP, proxy/firewall logs |
**Prevalence rating:** 🔴 Critical (seen in >50% of incidents) | 🟠 High (>25%) | 🟡 Medium (>10%) | 🔵 Low
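As an added example (not code from this repository), the Python below encodes a subset of the rows from the table above as data and derives two of the views the repository describes elsewhere: the control → technique inversion that the `by-framework/` pages present, and a prevalence-weighted control-gap report of the kind `risk-scoring/control-gap-analysis.md` is meant to support. The numeric prevalence weights, the `Technique` dataclass and the helper names are assumptions; the control IDs are the ones the table lists, with the ISO range A.5.15–5.18 expanded and CIS safeguards such as "CIS 5.4" kept as written.

```python
"""Technique-to-control coverage helpers (added example, not the repo's code).

MAPPING is a constructed subset of the README's main mapping table.
"""
from collections import defaultdict
from dataclasses import dataclass

# Weights for the README's prevalence ratings (assumed values, not from the page).
PREVALENCE_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Technique:
    attack_id: str
    name: str
    tactic: str
    prevalence: str
    controls: dict  # framework name -> tuple of control IDs


MAPPING = [
    Technique("T1566.001", "Spearphishing Attachment", "Initial Access", "critical",
              {"NIST": ("SI-8", "AT-2", "SC-7"), "ISO": ("A.6.3", "A.8.23"),
               "CIS": ("CIS 9", "CIS 14"), "SOC2": ("CC6.1", "CC2.2")}),
    Technique("T1078", "Valid Accounts", "Initial Access / Persistence", "critical",
              {"NIST": ("AC-2", "AC-3", "IA-5"),
               "ISO": ("A.5.15", "A.5.16", "A.5.17", "A.5.18"),
               "CIS": ("CIS 5", "CIS 6"), "SOC2": ("CC6.1", "CC6.2")}),
    Technique("T1059.001", "PowerShell", "Execution", "critical",
              {"NIST": ("CM-7", "SI-3", "AU-12"), "ISO": ("A.8.19", "A.8.15"),
               "CIS": ("CIS 4", "CIS 8"), "SOC2": ("CC7.2",)}),
    Technique("T1003.001", "LSASS Memory", "Credential Access", "critical",
              {"NIST": ("IA-5", "SC-28", "AC-6"), "ISO": ("A.5.17", "A.8.5"),
               "CIS": ("CIS 5.4", "CIS 13"), "SOC2": ("CC6.1",)}),
    Technique("T1486", "Data Encrypted for Impact", "Impact", "critical",
              {"NIST": ("CP-9", "SC-28", "IR-4"), "ISO": ("A.5.29", "A.8.13"),
               "CIS": ("CIS 11", "CIS 17"), "SOC2": ("CC7.5", "A1.2")}),
    Technique("T1110", "Brute Force", "Credential Access", "medium",
              {"NIST": ("AC-7", "IA-5", "AU-6"), "ISO": ("A.5.17", "A.8.5"),
               "CIS": ("CIS 5.2", "CIS 6"), "SOC2": ("CC6.1",)}),
]


def by_framework(mapping, framework):
    """Invert the table: control ID -> sorted technique IDs mapped to it
    (the view the by-framework/ documents present)."""
    index = defaultdict(set)
    for tech in mapping:
        for control in tech.controls.get(framework, ()):
            index[control].add(tech.attack_id)
    return {control: sorted(ids) for control, ids in sorted(index.items())}


def coverage_status(mapping, framework, implemented):
    """Classify each technique against the controls actually in place:
    'full' if every mapped control is implemented, 'partial' if some are,
    'none' if none are. Returns technique ID -> (status, missing controls)."""
    report = {}
    for tech in mapping:
        mapped = tech.controls.get(framework, ())
        missing = tuple(c for c in mapped if c not in implemented)
        if not missing:
            status = "full"
        elif len(missing) == len(mapped):
            status = "none"
        else:
            status = "partial"
        report[tech.attack_id] = (status, missing)
    return report


def residual_exposure(mapping, framework, implemented):
    """Prevalence-weighted gap score: each technique contributes its weight
    scaled by the fraction of its mapped controls that are still missing,
    so gaps against the most common techniques dominate the score."""
    score = 0.0
    for tech in mapping:
        mapped = tech.controls.get(framework, ())
        if not mapped:
            continue
        missing = sum(1 for c in mapped if c not in implemented)
        score += PREVALENCE_WEIGHT[tech.prevalence] * missing / len(mapped)
    return round(score, 3)


if __name__ == "__main__":
    # Constructed control inventory: identity controls (AC-2, AC-3, IA-5)
    # and email filtering (SI-8) are implemented, nothing else yet.
    have = {"AC-2", "AC-3", "IA-5", "SI-8"}
    for tid, (status, missing) in coverage_status(MAPPING, "NIST", have).items():
        print(f"{tid:10} {status:8} missing={', '.join(missing) or '-'}")
    print("residual exposure:", residual_exposure(MAPPING, "NIST", have))
    print("IA-5 covers:", by_framework(MAPPING, "NIST")["IA-5"])
```

The status model is deliberately strict: a technique counts as fully covered only when every control the table maps to it is in place, which is the conservative reading an auditor would take. Swapping `"NIST"` for `"ISO"`, `"CIS"` or `"SOC2"` in the calls produces the same report against the other frameworks, and the inversion in `by_framework` is what lets a single control such as IA-5 be traced back to every technique it helps mitigate.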
## 🛡️ Ransomware Kill Chain — Complete Control Mapping
```
RANSOMWARE ATTACK CHAIN                        GRC CONTROLS THAT BREAK EACH STAGE
═══════════════════════════════════════════════════════════════════════════════
STAGE 1: INITIAL ACCESS
  T1566 — Phishing Email                    →  Email filtering (CIS 9), Security Awareness (CIS 14)
  T1190 — Exploit Public App                →  Vulnerability Management (CIS 7), WAF (SC-7)
  T1078 — Stolen Credentials                →  MFA (CIS 5.3), PAM (CIS 5.4), UEBA

STAGE 2: EXECUTION & PERSISTENCE
  T1059 — Script Execution                  →  PowerShell constrained mode, script block logging
  T1053 — Scheduled Tasks                   →  Endpoint hardening (CIS 4), EDR detection
  T1547 — Boot/Logon Autostart              →  Application allowlisting (CIS 2.7)

STAGE 3: PRIVILEGE ESCALATION
  T1055 — Process Injection                 →  EDR with behavioral detection, least privilege
  T1068 — Exploit Privilege Escalation      →  Patch management SLA (CIS 7.4)
  T1003 — Credential Dumping                →  LSASS protection, Credential Guard, PAM

STAGE 4: LATERAL MOVEMENT
  T1021 — Remote Services                   →  Network segmentation (CIS 12), RDP restriction
  T1550 — Pass the Hash                     →  Disable NTLM, implement Kerberos, tier model
  T1563 — RDP Session Hijacking             →  Just-in-time access, privileged workstations

STAGE 5: DATA STAGING & EXFILTRATION
  T1041 — Exfil over C2                     →  DLP (CIS 3.14), Proxy inspection, NDR
  T1048 — Exfil Alternative Protocol        →  Egress filtering, DNS monitoring
  T1567 — Exfil to Cloud                    →  CASB, cloud app control, data classification

STAGE 6: IMPACT — ENCRYPTION
  T1486 — Data Encrypted for Impact         →  Immutable backups (CIS 11), tested recovery,
                                               File integrity monitoring, rapid IR plan
═══════════════════════════════════════════════════════════════════════════════
DEFENSE SUMMARY:
Controls with highest kill-chain coverage:
  1. MFA + PAM                  → Blocks Stages 1, 3, 4
  2. EDR with behavioral rules  → Blocks Stages 2, 3, 4, 6
  3. Network Segmentation       → Degrades Stages 4, 5
  4. Immutable Backups          → Defeats Stage 6 (eliminates leverage)
  5. Patch Management SLA       → Reduces Stage 1, 3 attack surface
```
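The chain above carries an implicit rule that is worth making explicit: an attacker needs at least one open technique at every stage, so the defender breaks the chain by fully covering any single stage, while leaving one technique uncovered at a stage leaves that stage open. The Python below, added here as an example rather than code from the repository, condenses the stage table into short control labels (assumed names such as "EDR", "PAM" and "immutable backups", not an authoritative catalogue) and reports, for a given control inventory, which techniques remain open at each stage, which stages are fully broken, and which controls recur across the most stages.

```python
"""Ransomware kill-chain breakage check (added example, not the repo's code).

KILL_CHAIN condenses the README's stage table; control labels are assumed
short names chosen for this example.
"""
from collections import Counter

KILL_CHAIN = {
    "1 Initial Access": {
        "T1566": {"email filtering", "security awareness"},
        "T1190": {"vulnerability management", "WAF"},
        "T1078": {"MFA", "PAM", "UEBA"},
    },
    "2 Execution & Persistence": {
        "T1059": {"PowerShell constrained mode", "script block logging"},
        "T1053": {"endpoint hardening", "EDR"},
        "T1547": {"application allowlisting"},
    },
    "3 Privilege Escalation": {
        "T1055": {"EDR", "least privilege"},
        "T1068": {"patch management SLA"},
        "T1003": {"LSASS protection", "Credential Guard", "PAM"},
    },
    "4 Lateral Movement": {
        "T1021": {"network segmentation", "RDP restriction"},
        "T1550": {"disable NTLM", "Kerberos", "tier model"},
        "T1563": {"just-in-time access", "privileged workstations"},
    },
    "5 Exfiltration": {
        "T1041": {"DLP", "proxy inspection", "NDR"},
        "T1048": {"egress filtering", "DNS monitoring"},
        "T1567": {"CASB", "cloud app control", "data classification"},
    },
    "6 Impact": {
        "T1486": {"immutable backups", "tested recovery",
                  "file integrity monitoring", "IR plan"},
    },
}


def residual_techniques(implemented, chain=KILL_CHAIN):
    """Per stage, the techniques with no implemented control at all,
    i.e. the options still open to the attacker at that stage."""
    implemented = set(implemented)
    return {
        stage: sorted(t for t, ctrls in techs.items() if not ctrls & implemented)
        for stage, techs in chain.items()
    }


def broken_stages(implemented, chain=KILL_CHAIN):
    """Stages where every technique has at least one implemented control.
    One such stage is enough to break the chain, because the attacker
    needs an open technique at every stage to reach impact."""
    return [s for s, open_ in residual_techniques(implemented, chain).items() if not open_]


def control_stage_counts(chain=KILL_CHAIN):
    """How many stages each control label appears in, most reusable first;
    the basis for a 'highest kill-chain coverage' ranking."""
    counts = Counter()
    for techs in chain.values():
        for control in set().union(*techs.values()):
            counts[control] += 1
    return counts.most_common()


if __name__ == "__main__":
    have = {"MFA", "PAM", "EDR", "immutable backups"}  # constructed inventory
    for stage, open_ in residual_techniques(have).items():
        print(f"{stage:28} open: {', '.join(open_) or 'BROKEN'}")
    print("chain broken at:", broken_stages(have) or "nowhere")
    print("most reusable controls:", control_stage_counts()[:3])
```

With the constructed inventory, MFA, PAM and EDR close individual techniques at stages 1 through 3 but leave every one of those stages open, while immutable backups alone break stage 6 because it has a single technique; that asymmetry is why the defense summary ranks backups as defeating the stage outright.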
## 📊 Control Coverage Heatmap — Top 5 GRC Frameworks
| ATT&CK Tactic | NIST 800-53 | ISO 27001 | CIS v8 | SOC 2 TSC | Coverage Gap |
|:---|:---:|:---:|:---:|:---:|:---|
| Initial Access | ●●●●○ | ●●●○○ | ●●●●○ | ●●○○○ | SOC 2 lacks technical controls |
| Execution | ●●●●● | ●●●○○ | ●●●●○ | ●●●○○ | ISO 27001 stays at a high level |
| Persistence | ●●●●○ | ●●●○○ | ●●●●● | ●●○○○ | SOC 2 detection coverage is weak |
| Privilege Escalation | ●●●●○ | ●●●○○ | ●●●●● | ●●●○○ | ISO 27001 lacks technical depth |
| Defense Evasion | ●●●○○ | ●●○○○ | ●●●●○ | ●●○○○ | All frameworks have gaps here |
| Credential Access | ●●●●● | ●●●○○ | ●●●●● | ●●●●○ | ISO 27001 is weakly prescriptive |
| Lateral Movement | ●●●●○ | ●●●○○ | ●●●●○ | ●●●○○ | Needs a focus on network segmentation |
| Exfiltration | ●●●○○ | ●●●○○ | ●●●●○ | ●●●○○ | DLP coverage is inconsistent |
| Impact | ●●●●● | ●●●●○ | ●●●●● | ●●●●○ | All frameworks have strong coverage |
**Legend:** ● = coverage strength (scale of 1–5)
## 📚 References
- [MITRE ATT&CK Enterprise v15](https://attack.mitre.org/)
- [NIST SP 800-53 Rev 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [NIST SP 800-53B Control Baselines](https://csrc.nist.gov/publications/detail/sp/800-53b/final)
- [Center for Threat-Informed Defense — ATT&CK to 800-53 Mappings](https://ctid.mitre-engenuity.org/)
- [CIS Controls v8](https://www.cisecurity.org/controls/v8)
## 📄 License
MIT License: free to use, adapt and distribute, with attribution.
Built by Zeshan Ahmad · GRC Engineer and Cybersecurity Subject Matter Expert (SME)
Tags: CIS Controls, Cloudflare, GRC, ISO 27001, IT governance, MITRE ATT&CK, NIST 800-53, SOC 2, enterprise security, initial access, protocol analysis, compliance automation, threat intelligence, security compliance, security baselines, security framework mapping, developer tools, controls, teaching environment, data sources, privilege escalation, self-hosted deployment, mitigations, network proxy, cybersecurity, network asset management, defense hardening, defense evasion, privacy protection, risk scoring