Add MITRE ATT&CK TTP mapping (Oct 2025 Update) (#909)

* scuba_constants: change OPA_VERSION from "v1.0.1" to "v1.13.1" (#885)

* branch baseline updates

* needed for branch updates

* deleted extra space after TTP names

* Update .gitignore

Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com>

---------

Co-authored-by: Roy Lane <rlane@mitre.org>
Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com>
This commit is contained in:
pvanderveen110
2026-02-25 13:59:08 -05:00
committed by Hilton
parent 3be613fbf8
commit ecc7809a99
3 changed files with 10 additions and 2 deletions
+1 -1
View File
@@ -27,4 +27,4 @@ scubagoggles.egg-info
opa
opa_windows_amd64.exe
opa_darwin_amd64
opa_linux_amd64_static
opa_linux_amd64_static
+1
View File
@@ -180,6 +180,7 @@ External chat messaging SHALL be restricted to allowlisted domains only.
- _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ AC-3
- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1213.005: Data from Information Repositories: Messaging Applications](https://attack.mitre.org/techniques/T1213/005/)
### Resources
+8 -1
View File
@@ -113,6 +113,7 @@ DKIM SHOULD be enabled for all domains.
- [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1434: Internal Spear Phishing](https://attack.mitre.org/techniques/T1434/)
- [T1672: Email Spoofing](https://attack.mitre.org/techniques/T1672/)
### Resources
@@ -166,6 +167,9 @@ An SPF policy SHALL be published for each domain that fails all non-approved sen
- [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
- [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
- [T1566:003: Phishing: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/)
- [T1672: Email Spoofing](https://attack.mitre.org/techniques/T1672/)
- [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/)
- [T1598.003: Phishing for Information: Spearphishing Link](https://attack.mitre.org/techniques/T1598/003/)
### Resources
@@ -211,7 +215,9 @@ A DMARC policy SHALL be published at the full domain or the second-level domain
- User alias domains provide an alternative email address to send or receive email and therefore must have a DMARC policy in place.
- _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ SI-8
- MITRE ATT&CK TTP Mapping
- None
- [T1672: Email Spoofing](https://attack.mitre.org/techniques/T1672/)
- [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/)
- [T1598.003: Phishing for Information: Spearphishing Link](https://attack.mitre.org/techniques/T1598/003/)
#### GWS.GMAIL.4.2v0.6
The DMARC message rejection option SHALL be p=reject.
@@ -229,6 +235,7 @@ The DMARC message rejection option SHALL be p=reject.
- [T1566:003: Phishing: Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003/)
- [T1586:002: Compromise Accounts](https://attack.mitre.org/techniques/T1586/)
- [T1586:002: Compromise Accounts: Email Accounts](https://attack.mitre.org/techniques/T1586/002/)
- [T1672: Email Spoofing](https://attack.mitre.org/techniques/T1672/)
#### GWS.GMAIL.4.3v0.6
The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`.