Security Frameworks Mapping

Overview

Ascend's risk scoring system is designed to align with industry-standard security frameworks including CVSS (Common Vulnerability Scoring System), NIST (National Institute of Standards and Technology), and MITRE ATT&CK. This alignment ensures that risk scores are meaningful to security professionals and support compliance requirements.

Key Capabilities

• CVSS Alignment: Risk scores correlate with CVSS severity levels
• NIST Mapping: Scores map to NIST 800-53 controls and impact levels
• MITRE ATT&CK Integration: Techniques and tactics inform risk calculation
• Framework-Specific Reports: Generate compliance reports per framework
• Custom Mappings: Define organization-specific framework mappings

CVSS Alignment

CVSS Severity Mapping

Ascend risk scores align with CVSS 3.1 severity ratings:

CVSS Score	CVSS Severity	Ascend Score	Ascend Level
9.0 - 10.0	Critical	90 - 100	CRITICAL
7.0 - 8.9	High	70 - 89	HIGH
4.0 - 6.9	Medium	50 - 69	MEDIUM
0.1 - 3.9	Low	25 - 49	LOW
0.0	None	0 - 24	MINIMAL

CVSS Vector Components

Ascend incorporates CVSS vector components in risk calculation:

┌─────────────────────────────────────────────────────────────────────────────┐
│                    CVSS VECTOR COMPONENT MAPPING                             │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  CVSS Base Metrics → Ascend Risk Factors                                    │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │  Attack Vector (AV)                                                  │   │
│  │    Network (N)      → external_access (+20)                         │   │
│  │    Adjacent (A)     → network_access (+15)                          │   │
│  │    Local (L)        → local_access (+10)                            │   │
│  │    Physical (P)     → physical_access (+5)                          │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │  Privileges Required (PR)                                            │   │
│  │    None (N)         → no_auth_required (+25)                        │   │
│  │    Low (L)          → basic_auth (+10)                              │   │
│  │    High (H)         → admin_required (+5)                           │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │  Impact Metrics                                                      │   │
│  │    Confidentiality  → data_category_score                           │   │
│  │    Integrity        → write_operation_score                         │   │
│  │    Availability     → delete_operation_score                        │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

CVSS-Enhanced Risk Calculation

# CVSS-aligned risk calculation
def calculate_cvss_aligned_score(action, context):
    base_score = 0

    # Attack Vector
    if context.source == "external":
        base_score += 20  # Network vector
    elif context.source == "vpn":
        base_score += 15  # Adjacent vector
    else:
        base_score += 10  # Local vector

    # Privileges Required
    if action.requires_no_auth:
        base_score += 25
    elif action.requires_basic_auth:
        base_score += 10
    else:
        base_score += 5

    # Impact: Confidentiality
    if action.accesses_sensitive_data:
        base_score += 20

    # Impact: Integrity
    if action.modifies_data:
        base_score += 20

    # Impact: Availability
    if action.deletes_data:
        base_score += 25

    return min(100, base_score)

NIST Framework Mapping

NIST 800-53 Control Mapping

Ascend risk categories map to NIST 800-53 control families:

Ascend Category	NIST Control Family	Key Controls
Security	Access Control (AC)	AC-2, AC-3, AC-6
Security	Identification & Auth (IA)	IA-2, IA-4, IA-5
Data	System & Communications (SC)	SC-8, SC-12, SC-28
Compliance	Audit & Accountability (AU)	AU-2, AU-3, AU-6
Financial	Configuration Mgmt (CM)	CM-2, CM-3, CM-5

NIST Impact Levels

┌─────────────────────────────────────────────────────────────────────────────┐
│                    NIST IMPACT LEVEL MAPPING                                 │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  NIST FIPS 199 Impact Levels → Ascend Risk Scores                          │
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │                                                                      │   │
│  │  HIGH IMPACT (significant adverse effect)                           │   │
│  │  ├─ Severe degradation or loss of mission capability                │   │
│  │  ├─ Major financial loss                                            │   │
│  │  └─ Severe harm to individuals                                      │   │
│  │  → Ascend Score: 70-100 (HIGH/CRITICAL)                            │   │
│  │                                                                      │   │
│  │  MODERATE IMPACT (serious adverse effect)                           │   │
│  │  ├─ Significant degradation of mission capability                   │   │
│  │  ├─ Significant financial loss                                      │   │
│  │  └─ Significant harm to individuals                                 │   │
│  │  → Ascend Score: 40-69 (LOW/MEDIUM)                                │   │
│  │                                                                      │   │
│  │  LOW IMPACT (limited adverse effect)                                │   │
│  │  ├─ Degradation of mission capability                               │   │
│  │  ├─ Minor financial loss                                            │   │
│  │  └─ Minor harm to individuals                                       │   │
│  │  → Ascend Score: 0-39 (MINIMAL/LOW)                                │   │
│  │                                                                      │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

NIST CSF Function Mapping

NIST CSF Function	Ascend Feature	Risk Factor
Identify	Agent Registry, Asset Discovery	Resource classification
Protect	Policy Engine, Access Control	Permission validation
Detect	Risk Scoring, Anomaly Detection	Threat indicators
Respond	Approval Workflows, Alerts	Incident response
Recover	Audit Logs, Rollback	Recovery procedures

MITRE ATT&CK Integration

Tactic Mapping

Ascend detects and scores actions that align with MITRE ATT&CK tactics:

ATT&CK Tactic	ID	Ascend Detection	Risk Increase
Initial Access	TA0001	External access patterns	+20
Execution	TA0002	Code execution attempts	+30
Persistence	TA0003	Configuration changes	+25
Privilege Escalation	TA0004	Permission modifications	+35
Defense Evasion	TA0005	Audit log manipulation	+40
Credential Access	TA0006	Credential operations	+45
Discovery	TA0007	Enumeration patterns	+15
Lateral Movement	TA0008	Cross-system access	+30
Collection	TA0009	Bulk data access	+25
Exfiltration	TA0010	Data export operations	+35
Impact	TA0040	Destructive operations	+50

Technique Detection

┌─────────────────────────────────────────────────────────────────────────────┐
│                    MITRE ATT&CK TECHNIQUE DETECTION                          │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  High-Risk Techniques (automatically flagged):                              │
│                                                                              │
│  T1078 - Valid Accounts                                                     │
│    Detection: Service account usage in unusual context                      │
│    Risk Increase: +25                                                       │
│                                                                              │
│  T1098 - Account Manipulation                                               │
│    Detection: Permission/role modification operations                       │
│    Risk Increase: +35                                                       │
│                                                                              │
│  T1136 - Create Account                                                     │
│    Detection: New account/credential creation                               │
│    Risk Increase: +30                                                       │
│                                                                              │
│  T1552 - Unsecured Credentials                                              │
│    Detection: Credential file access                                        │
│    Risk Increase: +45                                                       │
│                                                                              │
│  T1485 - Data Destruction                                                   │
│    Detection: Delete/truncate operations                                    │
│    Risk Increase: +50                                                       │
│                                                                              │
│  T1530 - Data from Cloud Storage                                            │
│    Detection: Bulk cloud data access                                        │
│    Risk Increase: +30                                                       │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

ATT&CK-Enhanced Scoring

# ATT&CK-informed risk scoring
ATTACK_TECHNIQUE_RISK = {
    # Credential Access techniques
    "credential_dumping": 45,
    "brute_force": 40,
    "credential_in_files": 45,

    # Privilege Escalation techniques
    "sudo_abuse": 40,
    "setuid_setgid": 35,
    "access_token_manipulation": 40,

    # Defense Evasion techniques
    "clear_command_history": 35,
    "disable_logging": 50,
    "file_deletion": 30,

    # Impact techniques
    "data_encrypted": 60,
    "data_destruction": 50,
    "service_stop": 40
}

def detect_attack_techniques(action, context):
    detected_techniques = []
    risk_increase = 0

    if action.accesses("credentials"):
        detected_techniques.append("credential_access")
        risk_increase += ATTACK_TECHNIQUE_RISK["credential_in_files"]

    if action.modifies("permissions"):
        detected_techniques.append("privilege_escalation")
        risk_increase += ATTACK_TECHNIQUE_RISK["access_token_manipulation"]

    if action.deletes("audit_logs"):
        detected_techniques.append("defense_evasion")
        risk_increase += ATTACK_TECHNIQUE_RISK["disable_logging"]

    return detected_techniques, risk_increase

Configuration

Framework-Specific Settings

{
  "framework_settings": {
    "cvss": {
      "enabled": true,
      "version": "3.1",
      "temporal_scoring": true,
      "environmental_scoring": true
    },
    "nist": {
      "enabled": true,
      "framework": "800-53",
      "revision": "5",
      "baseline": "moderate"
    },
    "mitre_attack": {
      "enabled": true,
      "version": "13.1",
      "auto_detect_techniques": true,
      "alert_on_detection": true
    }
  }
}

Custom Framework Mappings

from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Define custom framework mapping
client.risk.add_custom_mapping(
    name="PCI-DSS-v4",
    mappings={
        "cardholder_data_access": {
            "controls": ["3.4", "3.5", "7.1"],
            "risk_increase": 30,
            "required_approval_level": 3
        },
        "payment_processing": {
            "controls": ["4.1", "6.5", "8.3"],
            "risk_increase": 40,
            "required_approval_level": 4
        }
    }
)

Usage Examples

Get Framework-Aligned Report

from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Generate CVSS-aligned risk report
report = client.risk.generate_report(
    framework="cvss",
    time_range_days=30
)

print(f"CVSS Risk Report (30 days)")
print(f"Total Evaluations: {report.total_evaluations}")
print(f"\nSeverity Distribution:")
print(f"  Critical (9.0-10.0): {report.severity_counts['critical']}")
print(f"  High (7.0-8.9): {report.severity_counts['high']}")
print(f"  Medium (4.0-6.9): {report.severity_counts['medium']}")
print(f"  Low (0.1-3.9): {report.severity_counts['low']}")

Detect ATT&CK Techniques

from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Analyze action for ATT&CK techniques
analysis = client.risk.analyze_attack_techniques(
    action_type="permission_change",
    resource="iam.roles",
    context={
        "user_role": "service_account",
        "environment": "production"
    }
)

print(f"ATT&CK Analysis:")
for technique in analysis.detected_techniques:
    print(f"\n  Technique: {technique.id} - {technique.name}")
    print(f"  Tactic: {technique.tactic}")
    print(f"  Confidence: {technique.confidence}%")
    print(f"  Risk Increase: +{technique.risk_increase}")

Generate NIST Compliance Report

curl -X GET "https://api.ascend.security/api/risk/reports/nist?baseline=moderate" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response:
# {
#   "framework": "NIST 800-53 Rev 5",
#   "baseline": "moderate",
#   "report_date": "2026-01-20",
#   "control_coverage": {
#     "AC": {"implemented": 18, "total": 25, "percentage": 72},
#     "AU": {"implemented": 14, "total": 16, "percentage": 87.5},
#     "IA": {"implemented": 11, "total": 13, "percentage": 84.6}
#   },
#   "risk_by_impact": {
#     "high": {"count": 145, "average_score": 82.3},
#     "moderate": {"count": 523, "average_score": 55.7},
#     "low": {"count": 1234, "average_score": 28.4}
#   }
# }

Best Practices

Framework Selection

Organization Type	Primary Framework	Secondary
Financial Services	PCI-DSS, SOX	NIST, CVSS
Healthcare	HIPAA	NIST, MITRE
Government	NIST	MITRE ATT&CK
General Enterprise	SOC 2	CVSS, NIST
Security Operations	MITRE ATT&CK	CVSS

Implementation Recommendations

1. Enable All Frameworks: Use multiple frameworks for comprehensive coverage
2. Customize Mappings: Adjust mappings for your specific compliance needs
3. Regular Reviews: Review framework reports monthly
4. Alert Integration: Connect ATT&CK detections to SIEM
5. Baseline Calibration: Calibrate NIST baseline to your risk tolerance

Reporting Best Practices

1. Executive Reports: Use CVSS severity for board presentations
2. Compliance Reports: Use NIST mappings for auditors
3. Security Operations: Use MITRE ATT&CK for SOC teams
4. Trend Analysis: Track framework scores over time
5. Gap Analysis: Identify missing controls via framework reports

Related

• Risk Scoring Overview - Scoring fundamentals
• Score Calculation - Calculation details
• Threshold Configuration - Configuring thresholds
• Compliance Overview - Compliance reporting

Compliance

Framework mappings support compliance with:

• SOC 2 CC3.1: Risk assessment using industry frameworks
• PCI-DSS 6.5: Security vulnerability identification
• PCI-DSS 12.2: Risk assessment processes
• HIPAA 164.308(a)(1): Risk analysis
• NIST 800-53 RA-3: Risk assessment
• ISO 27001 A.12.6: Technical vulnerability management
• FedRAMP: NIST 800-53 control implementation