---
id: pattern:cross-mapping-in-practice
type: pattern
title: Cross-Mapping in Practice — one skill, five frameworks
status: active
confidence: 0.8
sources:
  - 2026-05-09-cybersec-mapping-mitre-attack.md
  - 2026-05-09-cybersec-skill-acquire-disk-image.md
  - 2026-05-09-cybersec-skill-threat-actor-ttps.md
  - 2026-05-09-cybersec-skill-cloud-siem.md
  - 2026-05-09-cybersec-library-overview.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: procedural
half_life_days: 180
tags: [cross-mapping, walkthrough, procedure]
---

# Cross-Mapping in Practice

## Summary

This is the procedure for taking one skill and reading it across all five frameworks, making the value proposition of [[concept:cross-mapping]] concrete. Step 1: read the skill's frontmatter for explicit framework field declarations. Step 2: read the body's `Workflow` and `Tools & Systems` sections to find implicit ATT&CK technique IDs. Step 3: cross-walk the OWASP→ATT&CK→CSF tables for any web/app skill. The result: one skill becomes evidence for compliance auditors, fuel for purple-team exercises, and a node in a threat-informed-defense map. Most skills do not fill all five fields: coverage tracks relevance and is not a scoreboard.

## Claims

- The library README's worked example shows `analyzing-network-traffic-of-malware` mapping to T1071 (ATT&CK), DE.CM (NIST CSF), AML.T0047 (ATLAS), D3-NTA (D3FEND), and MEASURE-2.6 (AI RMF) — the canonical "one skill, five frameworks" demonstration. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
- A real sample skill — `acquiring-disk-image-with-dd-and-dcfldd` — declares `nist_csf: [RS.AN-01, RS.AN-03, DE.AE-02, RS.MA-01]` in frontmatter (4 NIST CSF subcategories spanning Respond and Detect functions) and *no* atlas/d3fend/ai_rmf/mitre_attack fields. Cross-mapping isn't always 5-of-5. `[src: raw/2026-05-09-cybersec-skill-acquire-disk-image.md] {conf: 0.9}`
- The threat-actor-TTPs skill explicitly uses MITRE Navigator and lists its `d3fend_techniques` as friendly names ("Executable Denylisting", "Execution Isolation", "File Metadata Consistency Validation", "Content Format Conversion", "File Content Analysis") + 4 NIST CSF subcategories — but no atlas/ai_rmf/mitre_attack fields, even though its core domain is mapping ATT&CK techniques. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.85}`
- A cloud skill — `building-cloud-siem-with-sentinel` — declares all three of `nist_ai_rmf`, `atlas_techniques`, and `nist_csf` in frontmatter (covering 3 ATLAS techniques: AML.T0070 RAG poisoning, AML.T0066, AML.T0082) — illustrating that cloud + AI/ML skills get the most cross-framework coverage. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.85}`
- The walkthrough procedure, distilled from the mapping README: (1) read SKILL.md to understand what the skill teaches, (2) find the ATT&CK technique on attack.mitre.org, (3) classify offensive vs. defensive intent, (4) update the mapping table, (5) update skill tags with `mitre-attack` and technique-specific tags, (6) submit a PR with the ATT&CK technique URL as justification. `[src: raw/2026-05-09-cybersec-mapping-mitre-attack.md] {conf: 0.85}`
- Sub-technique mapping is encouraged for precision — e.g. T1566.001 (Spearphishing Attachment) for `analyzing-email-headers-for-phishing-investigation`, T1003.001 (LSASS Memory) for `analyzing-memory-dumps-with-volatility`. `[src: raw/2026-05-09-cybersec-mapping-mitre-attack.md] {conf: 0.85}`
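
Steps 1 and 2 of the Summary, as an added example (not code from the library): it reads the declared framework fields from a skill's frontmatter, lists the fields left empty, and pulls implicit ATT&CK IDs from the body without mistaking ATLAS IDs such as AML.T0047 for ATT&CK techniques. The `mitre_attack` key name, the inline-list frontmatter form, and the sample skill text are assumptions constructed for illustration.

```python
import re

# Frontmatter keys for the five frameworks. nist_csf, atlas_techniques,
# d3fend_techniques and nist_ai_rmf appear in the claims above; the
# mitre_attack key name is an assumption.
FRAMEWORK_FIELDS = ("mitre_attack", "nist_csf", "atlas_techniques",
                    "d3fend_techniques", "nist_ai_rmf")

# ATT&CK IDs: T + 4 digits, optional .NNN sub-technique. The lookbehind
# rejects a leading "." so the ATLAS ID "AML.T0047" is not counted.
ATTACK_ID = re.compile(r"(?<![\w.])T\d{4}(?:\.\d{3})?(?!\w)")

def split_skill(text):
    """Return (frontmatter lists, body). Only inline `key: [a, b]` lists are parsed."""
    m = re.match(r"---\n(.*?)\n---\n(.*)", text, re.S)
    if not m:
        return {}, text
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value.startswith("[") and value.endswith("]"):
            fields[key.strip()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
    return fields, m.group(2)

def cross_map(text):
    """Step 1: declared fields. Step 2: ATT&CK IDs found only in the body."""
    fields, body = split_skill(text)
    declared = {f: fields[f] for f in FRAMEWORK_FIELDS if fields.get(f)}
    in_body = set(ATTACK_ID.findall(body))
    implicit = sorted(in_body - set(declared.get("mitre_attack", [])))
    missing = [f for f in FRAMEWORK_FIELDS if f not in declared]
    return {"declared": declared, "missing": missing, "implicit_attack": implicit}

# Constructed sample: the nist_csf values match the disk-image claim above,
# the name and body text are invented for this example.
SAMPLE = """---
name: example-skill
nist_csf: [RS.AN-01, RS.AN-03, DE.AE-02, RS.MA-01]
---
## Workflow
Review C2 traffic (T1071) and LSASS dumps (T1003.001).
## Tools & Systems
ATLAS reference AML.T0047 is not an ATT&CK ID.
"""

if __name__ == "__main__":
    print(cross_map(SAMPLE))
```

A non-empty `implicit_attack` list alongside `mitre_attack` in `missing` is the partial-mapping case raised under Open questions: the body references techniques that the frontmatter never declares.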

## Relationships

- composes → [[concept:cross-mapping]] `{conf: 0.85}`
- uses → [[skill:acquire-disk-image]] `{conf: 0.85}`
- uses → [[skill:threat-actor-ttps]] `{conf: 0.85}`
- uses → [[skill:cloud-siem]] `{conf: 0.85}`
- uses → [[tool:mitre-attack-navigator]] `{conf: 0.7}`
- complements → [[pattern:skill-anatomy]] `{conf: 0.8}`

## Open questions

- [ ] How do you reconcile partial mappings during compliance audit? If a skill ships with only NIST CSF tags, can the auditor infer ATT&CK coverage from the body, or is missing-field a hard miss?

## Changelog

- 2026-05-09 — created
