# MITRE ATT&CK Mapping — Enterprise v14

Classification: CONFIDENTIAL — Internal Use Only
Document: security/mitre-attack.md · v1.0 · 2026-03-16 · GPUS-IT
## Coverage summary

| Status | Count | Description |
|---|---|---|
| ✅ Covered | 7 | Active controls + monitoring in place |
| ◐ Partial | 3 | Controls present but gaps remain |
| ✗ Gap | 2 | Limited or no coverage |

Overall coverage: 62% (19/31 sub-techniques across 12 tactics)
## Tactic coverage

### TA0001 — Initial Access ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Phishing | T1566 | Email filtering, staff awareness training |
| Valid Accounts | T1078 | SSH key-only auth, Fail2ban, auditd |
| Supply Chain Compromise | T1195 | Vendor review, Artifact Registry |
### TA0002 — Execution ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Command and Scripting Interpreter | T1059 | SELinux enforcing, auditd syscall logging |
| User Execution | T1204 | SELinux, restricted sudo |
### TA0003 — Persistence ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Boot or Logon Autostart | T1547 | AIDE monitors /etc/rc.d, systemd units |
| SSH Authorized Keys | T1098.004 | AIDE monitors /root/.ssh, auditd |
### TA0004 — Privilege Escalation ◐ Partial

| Technique | ID | Control | Gap |
|---|---|---|---|
| Sudo and Sudo Caching | T1548.003 | Scoped sudo rules per service account | No PAM hardening yet |
| Valid Accounts | T1078 | Key-only SSH | No MFA |
### TA0005 — Defense Evasion ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Indicator Removal | T1070 | auditd immutable mode — log tampering prevented |
| Impair Defenses | T1562 | auditd locked with `auditctl -e 2` — cannot be disabled at runtime (reboot required) |
| Modify Authentication Process | T1556 | AIDE monitors PAM config files |
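The two auditd rows above rest on one setting: the audit subsystem must report `enabled 2` at runtime and the persistent rules must end with `-e 2`, otherwise the "cannot be disabled" claim does not hold after the next reboot. The following check script is an added example for this document, not GPUS-IT tooling; it assumes a RHEL/Fedora-style layout where persistent rules live in `/etc/audit/rules.d/*.rules` and `auditctl -s` prints an `enabled N` line. The sample status and rules text at the bottom are constructed so the parsing functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not part of the GPUS-IT mapping): verify that the auditd
# immutable-mode control claimed under TA0005 is both active and persisted.
# Assumptions: rules in /etc/audit/rules.d/*.rules, `auditctl -s` output
# containing an "enabled N" line (RHEL/Fedora-family auditd).

# Return 0 when the given `auditctl -s` output reports enabled 2 (immutable).
# enabled 1 means auditing is on but still unlockable; 0 means off.
audit_is_immutable() {
    printf '%s\n' "$1" | grep -Eq '^enabled[[:space:]]+2$'
}

# Return 0 when the last non-comment, non-blank directive in the rules text is
# "-e 2". Order matters: auditctl rejects rules loaded after -e 2, so the
# immutable flag must be the final line of the persistent rule set.
rules_set_immutable() {
    printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]*(#|$)' \
        | tail -n 1 \
        | grep -Eq '^-e[[:space:]]+2$'
}

# Live check against the host: passes only if both conditions hold.
# Exit 2 when auditctl is unavailable so monitoring can tell "not installed"
# apart from "installed but not locked".
check_host_auditd() {
    status=$(auditctl -s 2>/dev/null) || { echo "auditctl not available"; return 2; }
    rules=$(cat /etc/audit/rules.d/*.rules 2>/dev/null)
    audit_is_immutable "$status" \
        || { echo "FAIL: auditd is not in immutable mode (expected 'enabled 2')"; return 1; }
    rules_set_immutable "$rules" \
        || { echo "FAIL: persistent rules do not end with '-e 2'; lock is lost on reboot"; return 1; }
    echo "OK: auditd immutable mode is active and persisted"
}

# Constructed sample inputs (not captured from a real host) for offline use.
SAMPLE_STATUS_OK='enabled 2
failure 1
pid 812
rate_limit 0'
SAMPLE_STATUS_BAD='enabled 1
failure 1'
SAMPLE_RULES_OK='-D
-b 8192
-w /etc/pam.d/ -p wa -k pam
# lock the configuration until reboot
-e 2'
SAMPLE_RULES_BAD='-D
-w /etc/pam.d/ -p wa -k pam
-e 1'
```

Run `check_host_auditd` from a root cron job or a Lynis custom test and alert on any non-zero exit; a host that passes the first function but fails the second is the common drift case, where someone locked auditd by hand but never wrote `-e 2` into the rules directory.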
### TA0006 — Credential Access ◐ Partial

| Technique | ID | Control | Gap |
|---|---|---|---|
| Brute Force | T1110 | Fail2ban — 5 attempts → ban | No account lockout policy |
| OS Credential Dumping | T1003 | SELinux, auditd | No memory protection beyond SELinux |
### TA0007 — Discovery ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Network Service Discovery | T1046 | firewalld default-deny, VPN-only exposure |
| System Information Discovery | T1082 | auditd logs all discovery commands |
### TA0008 — Lateral Movement ◐ Partial

| Technique | ID | Control | Gap |
|---|---|---|---|
| Remote Services (SSH) | T1021.004 | Key-only auth, Fail2ban | No network segmentation |
| Lateral Tool Transfer | T1570 | auditd, AIDE | No egress filtering between servers |
### TA0009 — Collection ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Data from Local System | T1005 | auditd monitors reads of sensitive paths |
| Data Staged | T1074 | AIDE monitors /tmp, staging directories |
### TA0010 — Exfiltration ✗ Gap

| Technique | ID | Gap | Planned control |
|---|---|---|---|
| Exfiltration Over C2 Channel | T1041 | No DLP, no egress inspection | Network segmentation Q3 2026 |
| Transfer Data to Cloud Account | T1537 | GCS access not restricted by IP | Workload Identity + VPC SC Q2 2026 |
### TA0011 — Command & Control ✅ Covered

| Technique | ID | Control |
|---|---|---|
| Application Layer Protocol | T1071 | Firewall blocks outbound on non-standard ports |
| Proxy | T1090 | VPN tunnel enforces routing |
### TA0040 — Impact ✗ Gap

| Technique | ID | Gap | Planned control |
|---|---|---|---|
| Data Encrypted for Impact | T1486 | No ransomware detection | Lynis + auditd alerting Q2 2026 |
| Service Stop | T1489 | No automated service restart detection | Prometheus alerting rules Q2 2026 |
## Control mapping summary

| MITRE Tactic | Primary Controls | Secondary Controls |
|---|---|---|
| Initial Access | Fail2ban, SSH key auth | Email filtering, vendor review |
| Execution | SELinux, auditd | Restricted sudo |
| Persistence | AIDE, auditd | systemd unit monitoring |
| Privilege Escalation | Scoped sudo | (MFA planned) |
| Defense Evasion | auditd immutable | AIDE baselines |
| Credential Access | Fail2ban | SELinux |
| Discovery | firewalld, VPN | auditd |
| Lateral Movement | SSH key auth | (Segmentation planned) |
| Collection | auditd | AIDE |
| Exfiltration | (Gap) | (Segmentation planned) |
| Command & Control | firewalld | VPN routing |
| Impact | (Gap) | (Prometheus alerting planned) |