🚨ATTENTION🚨 The VERIS mappings have migrated to CTID’s new Mappings Explorer project. You can find the latest mappings on the Mappings Explorer website. This website presents threat and mitigation data in easily accessible and customizable ways, enabling cyber defenders to understand how security controls and capabilities map onto adversary behaviors catalogued in the MITRE ATT&CK® knowledge base. The source code and raw data for the Mappings Explorer project can be found in the mappings-explorer repository.
Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing cybersecurity incidents–including the demographics, metadata, and technical details–in a repeatable manner. As a standard representation, it allows for the analysis of data across a variety of incidents and is used, among other things, to generate the Verizon Data Breach Investigation Report (DBIR). While VERIS is comprehensive in describing most aspects of cybersecurity incidents, it is focused on a high-level description of an incident as a whole, and as such does not provide the level of fidelity that MITRE ATT&CK® provides in describing the adversary behaviors that were used to carry out an attack at the system level.
Table Of Contents:
The project provides a mapping and translation layer between VERIS v1.3.7 and ATT&CK v12.1 that allows for describing adversary behaviors that are observed in an incident coded in VERIS. This draws upon the strengths of VERIS (incident demographics and metadata) and the strengths of ATT&CK (the behaviors adversaries use to attack systems) to provide a fuller and more detailed picture of cyber incidents, including the threat actor, technical behavior, assets targeted, and impact.
While VERIS allows for the expression of all these aspects, ATT&CK provides a significant improvement in level of detail, consistency of detail, and comprehensiveness in describing technical behaviors. These improvements can be used to develop better predictions and insights about how we might be attacked in the future by understanding better how and why we were attacked in the past.
This project includes mappings from VERIS to:
- Enterprise ATT&CK
- Mobile ATT&CK
- ICS ATT&CK
- ATT&CK Groups
The example below shows the bidirectional mapping of the VERIS Action Hacking Vector's Desktop sharing software to a more granular set of ATT&CK techniques. This granular description of an adversary's behavior allows users to better understand how to detect and mitigate the threat.
The mapping structure, use cases, and scenarios are fully described on the project website.
Resource | Description |
---|---|
Project Website | Documentation, scenarios, and use cases for VERIS mappings. |
VERIS to ATT&CK Mappings | VERIS framework mappings to ATT&CK. |
ATT&CK Navigator Layers – Enterprise | ATT&CK Navigator layers for the mappings from Enterprise ATT&CK to VERIS. |
ATT&CK Navigator Layers – Mobile | ATT&CK Navigator layers for the mappings from Mobile ATT&CK to VERIS. |
ATT&CK Navigator Layers – ICS | ATT&CK Navigator layers for the mappings from ICS ATT&CK to VERIS. |
ATT&CK Navigator Layers – Groups | ATT&CK Navigator layers for the mappings from ATT&CK Groups to VERIS. |
There are several ways that you can get involved with this project and help advance threat-informed defense.
Please review the mappings, use them, and tell us what you think. We welcome your review and feedback on the VERIS mappings, our methodology, and resources.
We are interested developing additional tools and resources to help the community understand and make threat-informed decisions in their risk management programs. Share your ideas and we will consider them as we explore additional research projects.
Please submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.
Also see the guidance for contributors if are you interested in contributing or simply reporting issues.
Copyright 2021-2023 MITRE Engenuity. Approved for public release. Document number CT0064
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of MITRE ATT&CK®