Standard ATT&CK Views
- Updated on 10 Jan 2024
- 15 Minutes to read
When using the ATT&CK® Visualizer in ThreatConnect®, you can create standard ATT&CK views with one or more Groups in your owners added as analysis layers. This allows you to view the MITRE ATT&CK® Enterprise tactics, techniques, and sub-techniques used by each Group to gain a better understanding of the Groups’ behaviors and strategies; gather insights into other Groups using similar tactics, techniques, and procedures (TTPs); and make informed decisions during an investigation involving the Groups. After you build out an ATT&CK view, you can save it so that you and other users in your Organization can access it on the Standard Views tab of the ATT&CK screen or export it as a PNG or JSON file.
Within the ATT&CK Visualizer, there are three view options available for standard ATT&CK views: Threat Group Comparison, Technique Prevalence, and Security Coverage. Together, these options empower you to make more informed decisions regarding your organization's security strategies, ensuring effective defense prioritization and keeping you ahead of evolving threats.
Creating Standard ATT&CK Views
This section describes how to create a standard ATT&CK view in the ATT&CK Visualizer and add analysis layers (Groups) to it. If you access the ATT&CK Visualizer from a Group’s Details drawer or screen, a new standard ATT&CK view will be created with that Group added as an analysis layer automatically.
- On the top navigation bar, click ATT&CK. The ATT&CK screen will be displayed.
- Click the + Create ATT&CK View button at the top right of the ATT&CK screen and select Standard View. The ATT&CK Visualizer will open and display the default standard ATT&CK view, showing all tactics, techniques, and sub-techniques in the MITRE ATT&CK Enterprise Matrix (Figure 1). When no analysis layers have been added to a standard ATT&CK view, a message stating “No analysis layer selected” will be displayed next to the Analysis Layers dropdown at the top left of the screen, and a count of 0 will be displayed in the dropdown.
  Note: If you are logged in as a Read Only user, the + Create ATT&CK View button will be replaced with an Explore ATT&CK View button that, when clicked, opens the ATT&CK Visualizer and displays the default standard ATT&CK view (Figure 1).
- Click Add analysis layers to the right of the Analysis Layers dropdown to add one or more Groups to the ATT&CK view. The Add an Analysis Layer window will be displayed, showing all Groups in your owners that have not been added to the ATT&CK view (Figure 2).
- Select one or more Groups to add to the ATT&CK view. To open a Group’s Details screen in a new browser tab, click the Group’s summary in the Name/Summary column.
  Note: You can add up to 250 Groups to a single ATT&CK view.
- Filter options: If desired, use one or more of the following options to filter the available Groups:
  - Toggle this option on to display a box where you can enter a query written in ThreatConnect Query Language (TQL) to filter Groups [e.g., hasTag(name = "APT29")]. After entering your query, press the Enter key or click Search to execute it. By default, the box will contain a TQL query based on any filter options configured in the Filters menu.
  - Search bar: Enter text in the box at the top of the window to filter Groups by summary.
  - Filters: Click this button to view a menu with options to filter Groups by owner, type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also use the Only Groups with ATT&CK Tags checkbox in the menu, which is selected by default, to filter Groups based on whether they have ATT&CK Tags applied to them.
  - Clear all filters & search: When one or more filters are applied, click this button to the right of the Filters menu to remove all filters.
- Click the Add Layer button to add the selected Groups to the ATT&CK view.
The ATT&CK Visualizer will now display only the tactics, techniques, and sub-techniques, if any, used by the selected Groups. In addition, labels with the name and, in the Threat Group Comparison view, assigned color for each Group will be displayed next to the Analysis Layers dropdown. If you added multiple Groups to the ATT&CK view, use the arrows on either side of the labels to scroll through them horizontally. To add more Groups to the ATT&CK view, repeat Step 3.
ATT&CK Visualizer View Options for Standard Views
The ATT&CK Visualizer offers three different view options for standard ATT&CK views: Threat Group Comparison, Technique Prevalence, and Security Coverage. You can select which view to display via the dropdown at the top left of the ATT&CK Visualizer. By default, the Threat Group Comparison view option is selected.
Threat Group Comparison
Figure 3 illustrates the Threat Group Comparison view for a standard ATT&CK view with 11 Groups added to it. Use this view when you want to reveal shared techniques and sub-techniques among the selected Groups.
- Each tactic column displays the number of techniques used by the Groups out of the total number of the tactic’s techniques. For example, the 2 of 9 label on the Initial Access column indicates that one or more Groups use 2 of the 9 techniques the Initial Access tactic comprises.
- Techniques and sub-techniques used by only one of the Groups are outlined in the color assigned to that Group and contain a label with the Group’s name (e.g., ◼ Backchannel Diplomac…). If the Group uses a sub-technique, but not the parent technique, then this formatting will be applied only to the sub-technique; if the Group uses a sub-technique and its parent technique, then this formatting will be applied to both the technique and sub-technique cards.
- Techniques and sub-techniques used by multiple Groups are outlined in gray and contain a label with the number of Groups using them (e.g., 6 Groups). If the Groups use a sub-technique, but not the parent technique, then this formatting will be applied only to the sub-technique; if the Groups use a sub-technique and its parent technique, then this formatting will be applied to both the technique and sub-technique. To view a list of all Groups that use a technique or sub-technique, click on the <#> Groups label.
- Each technique displays the number of its sub-techniques used by one or more Groups out of the total number of its sub-techniques. For example, the 2 of 3 label on the Phishing card indicates that one or more Groups use 2 of the 3 sub-techniques the Phishing technique comprises. If a technique has sub-techniques and the Groups use only the technique, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
To view a legend for the Threat Group Comparison view, click the Analysis Layers dropdown at the top left of the ATT&CK Visualizer.
Technique Prevalence
Figure 4 illustrates the Technique Prevalence view for a standard ATT&CK view with 11 Groups added to it. Use this view when you want to generate a color-coded heat map that displays the prevalence of each technique and sub-technique used by the selected Groups.
- Each tactic column displays the number of techniques used by the Groups out of the total number of the tactic’s techniques. For example, the 2 of 9 label on the Initial Access column indicates that one or more Groups use 2 of the 9 techniques the Initial Access tactic comprises.
- Techniques and sub-techniques used by the Groups are outlined in a color representing how prevalent the technique or sub-technique is based on the percentage of Groups using it. There are four possible colors, each of which represents a quartile of prevalence: 75% - 100% (Highest), 50% - 74% (High), 25% - 49% (Moderate), and Less than 1% - 24% (Lowest). In addition, each technique and sub-technique contains a label with its quartile of prevalence and the percentage of Groups using it [e.g., ◼ High (64% of 11)]. Click this label to display a list of all Groups using the technique or sub-technique.
- Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. For example, the 2 of 3 label on the Phishing card indicates that the Groups use 2 of the 3 sub-techniques the Phishing technique comprises. If a technique has sub-techniques and the Groups use only the technique, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
To view a legend for the Technique Prevalence view, click the Analysis Layers dropdown at the top left of the ATT&CK Visualizer.
Security Coverage
Figure 5 illustrates the Security Coverage view for a standard ATT&CK view with 11 Groups added to it. Use this view when you want to see your Organization’s security coverage for each technique and sub-technique used by the selected Groups.
- Each tactic column displays the number of techniques used by the Groups out of the total number of the tactic’s techniques. For example, the 2 of 9 label on the Initial Access column indicates that one or more Groups use 2 of the 9 techniques the Initial Access tactic comprises.
- Techniques and sub-techniques with security coverage that are used by one or more Groups are outlined in a color corresponding to the assigned security coverage level (None, Weak, Moderate, and Strong) and contain a label with the assigned security coverage level and the number of Groups using the technique or sub-technique (e.g., ◼ Moderate - 2 Groups). Click this label to display a list of all Groups using the technique or sub-technique.
- Techniques and sub-techniques without security coverage that are used by one or more Groups are outlined in light gray and contain a label with the number of Groups using the technique or sub-technique (e.g., 2 Groups). Click this label to display a list of all Groups using the technique or sub-technique.
- Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. For example, the 2 of 3 label on the Phishing card indicates that the Groups use 2 of the 3 sub-techniques the Phishing technique comprises. If a technique has sub-techniques and the Groups use only the technique, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
To view a legend for the Security Coverage view, click the Analysis Layers dropdown at the top left of the ATT&CK Visualizer.
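The three view options above all derive from the same two inputs: which ATT&CK Tags each Group carries, and (for Security Coverage) which coverage level your Organization has assigned to each technique. The following script is an added example, not ThreatConnect's own code, that recomputes the labels the Threat Group Comparison, Technique Prevalence and Security Coverage views display from constructed sample data, so you can sanity-check a view against your own tag data or reproduce it outside the Visualizer. Only the ATT&CK technique IDs are real; the MATRIX slice (two tactics, five techniques), the five Groups and their tags, and the COVERAGE map are constructed. One assumption is labelled in the code: a technique counts toward its tactic's "X of Y" when any Group tags either the technique itself or one of its sub-techniques, since the page does not state which rule the column count uses.

```python
"""Recompute the labels shown by the three standard ATT&CK views.

Added example, not ThreatConnect's code. GROUPS, the MATRIX slice and
COVERAGE are constructed sample data; only the technique IDs are real.
"""

# Constructed slice of the Enterprise matrix: tactic -> {technique: [sub-techniques]}.
MATRIX = {
    "Initial Access": {
        "T1566": ["T1566.001", "T1566.002", "T1566.003"],                # Phishing
        "T1190": [],                                                     # Exploit Public-Facing Application
        "T1078": ["T1078.001", "T1078.002", "T1078.003", "T1078.004"],   # Valid Accounts
    },
    "Execution": {
        "T1059": ["T1059.001", "T1059.003"],  # Command and Scripting Interpreter (subset of subs)
        "T1204": ["T1204.001", "T1204.002"],  # User Execution
    },
}

# Constructed analysis layers: Group name -> ATT&CK Tags applied to that Group.
GROUPS = {
    "Group A": {"T1566.001", "T1566.002", "T1059.001", "T1204.002"},
    "Group B": {"T1566.001", "T1059.001"},
    "Group C": {"T1566", "T1059.003"},
    "Group D": {"T1204.002", "T1059", "T1078"},
    "Group E": {"T1566.001", "T1059.001", "T1204.001"},
}

# Constructed coverage levels. An item absent from this map has no coverage
# assigned at all, which the view draws differently from the level "None".
COVERAGE = {"T1566.001": "Strong", "T1059.001": "Moderate", "T1204.002": "Weak", "T1566": "None"}


def subs_of(tech_id):
    """Sub-technique IDs of a technique in the MATRIX slice."""
    return next(techs[tech_id] for techs in MATRIX.values() if tech_id in techs)


def groups_using(item_id):
    """Groups that tag this exact technique or sub-technique, sorted by name."""
    return sorted(g for g, tags in GROUPS.items() if item_id in tags)


def technique_in_use(tech_id):
    """Assumption: a technique counts toward its tactic column if any Group tags
    the technique itself or any of its sub-techniques."""
    return any(groups_using(i) for i in [tech_id, *subs_of(tech_id)])


def tactic_counts():
    """'X of Y' per tactic column: techniques in use out of the tactic's techniques."""
    return {tactic: (sum(technique_in_use(t) for t in techs), len(techs))
            for tactic, techs in MATRIX.items()}


def subtechnique_counts(tech_id):
    """'X of Y' on a technique card; a technique used only directly yields (0, total)."""
    subs = subs_of(tech_id)
    return sum(bool(groups_using(s)) for s in subs), len(subs)


def plural(n):
    return f"{n} Group" if n == 1 else f"{n} Groups"


def comparison_label(item_id):
    """Threat Group Comparison: the Group's name when exactly one uses it, else a count."""
    users = groups_using(item_id)
    if not users:
        return None
    return users[0] if len(users) == 1 else plural(len(users))


def prevalence_label(item_id):
    """Technique Prevalence: quartile name plus the percentage of Groups using the item."""
    n, total = len(groups_using(item_id)), len(GROUPS)
    if n == 0:
        return None
    pct = round(100 * n / total)
    quartile = ("Highest" if pct >= 75 else "High" if pct >= 50
                else "Moderate" if pct >= 25 else "Lowest")
    return f"{quartile} ({pct}% of {total})"


def coverage_label(item_id):
    """Security Coverage: assigned level and Group count, or only the count
    (the light-gray card) when no coverage level has been assigned."""
    n = len(groups_using(item_id))
    if n == 0:
        return None
    level = COVERAGE.get(item_id)
    return f"{level} - {plural(n)}" if level is not None else plural(n)


LABELERS = {"comparison": comparison_label, "prevalence": prevalence_label, "coverage": coverage_label}


def render(view):
    """Text rendering of one view: tactic columns, then the technique and
    sub-technique cards the view would show (unused techniques are hidden)."""
    label = LABELERS[view]
    lines = []
    for tactic, (used, total) in tactic_counts().items():
        lines.append(f"{tactic} [{used} of {total}]")
        for tech in MATRIX[tactic]:
            if not technique_in_use(tech):
                continue
            su, st = subtechnique_counts(tech)
            lines.append(f"  {tech} [{su} of {st}] {label(tech) or ''}".rstrip())
            lines.extend(f"    {s} {label(s)}" for s in subs_of(tech) if groups_using(s))
    return lines


if __name__ == "__main__":
    for view in LABELERS:
        print(f"--- {view} ---")
        print("\n".join(render(view)))
```

Running the script prints all three views for the sample data. Note how T1204 appears with a "2 of 2" sub-technique count but no Group label of its own in the Threat Group Comparison rendering, because only its sub-techniques are tagged, and how T1078 shows "0 of 4" because Group D tags the technique but none of its sub-techniques; both match the card rules described for the three views.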
Analysis Layers
The Analysis Layers dropdown at the top left of the ATT&CK Visualizer displays the total number of Groups added to a standard ATT&CK view. Clicking this dropdown while at least one Group is added to an ATT&CK view will display the following options (Figure 6):
- Search bar: Enter text into the search bar to filter the list of Groups added to the ATT&CK view.
- Select the checkbox for one or more Groups to highlight only the techniques or sub-techniques used by those Groups in the ATT&CK view. To select all Groups, select the Select All checkbox.
- Click Clear layer to the right of a Group to remove it from the ATT&CK view. To remove all Groups from the ATT&CK view and return to the default ATT&CK view, click Clear all analysis layers to the right of the Select All checkbox.
  Note: When you remove one or more Groups from an ATT&CK view, a confirmation message is displayed at the lower-left corner of the ATT&CK Visualizer. If you removed a Group by accident, click UNDO in this message to re-add the Group to the ATT&CK view.
Figure 7 illustrates the Threat Group Comparison view for a standard ATT&CK view with 11 Groups added to it, but only two selected in the Analysis Layers dropdown. Here, the techniques and sub-techniques used by the two selected Groups are highlighted in the ATT&CK view, while all other techniques and sub-techniques in the ATT&CK view are grayed out.
Selecting Techniques and Sub-Techniques
While a standard ATT&CK view is open in the ATT&CK Visualizer, you can select one or more techniques and sub-techniques to display the Selection Details drawer and view more details about the selected items and any Groups using them. As you select techniques and sub-techniques, you can view the total number of selected items in the Selection Actions dropdown at the top right of the ATT&CK Visualizer.
Selecting Techniques and Sub-Techniques Individually
Click on a technique or sub-technique to select it. When a technique or sub-technique is selected, clicking on it again will clear its selection. You can also clear the selection of individual techniques and sub-techniques from the Selections card of the Selection Details drawer when multiple items are selected.
Selecting Multiple Techniques and Sub-Techniques at Once
The Selection Actions dropdown at the top right of the ATT&CK Visualizer provides the following options for selecting, and clearing the selections of, multiple techniques and sub-techniques at once:
- Select All Visible: Select this option to select all techniques and sub-techniques visible (i.e., not collapsed) on the screen, including items that are scrolled off to the side, top, or bottom. If a technique has sub-techniques and the technique is not expanded when you select the Select All Visible option, none of its sub-techniques will be selected.
- Deselect All Visible: Select this option to clear the selections of all techniques and sub-techniques visible on the screen, including items that are scrolled off to the side, top, or bottom.
- Deselect All: Select this option to clear the selections of all techniques and sub-techniques, regardless of whether they are visible on the screen.
In addition to the Deselect All option in the Selections Actions dropdown, you can click the Clear Selections button at the top right of the ATT&CK Visualizer to clear the selections of all techniques and sub-techniques, regardless of whether they are visible on the screen. You can also clear all selections from the Selections card of the Selection Details drawer when multiple items are selected.
Viewing Selection Details
The Selection Details drawer provides information about the techniques and sub-techniques currently selected in the ATT&CK Visualizer. When you select an individual technique or sub-technique, the Selection Details drawer is displayed automatically; however, you can click View selection details at the top right of the ATT&CK Visualizer, or select View Selection Details from the Selection Actions dropdown, to access this drawer at any time.
Filtering Techniques and Sub-Techniques
You can use the following options to filter techniques and sub-techniques while a standard ATT&CK view is open in the ATT&CK Visualizer:
- Search bar: Enter text in the box at the top left of the ATT&CK Visualizer to filter techniques and sub-techniques by name.
- Filters: Click this button to view a menu with options to filter techniques and sub-techniques by platform, prevalence, and security coverage.
To remove all filters when one or more are applied, click Clear all filters & search to the right of the Filters menu.
Saving Standard ATT&CK Views
Saving a standard ATT&CK view allows you and other users in your Organization to access it via the Standard Views tab of the ATT&CK screen. If you are working with an unsaved standard ATT&CK view, as in Figure 1, click the Save View button at the top right of the ATT&CK Visualizer to save it. The New ATT&CK View window will be displayed (Figure 8).
- Name: Enter a unique name for the ATT&CK view.
- Description: If desired, enter a description of the ATT&CK view.
- Click the Save button to save the ATT&CK view.
If you are working with a saved standard ATT&CK view, as in Figure 3 through Figure 5 and in Figure 7, a Save button will be displayed at the top right of the ATT&CK Visualizer that displays the following options when clicked:
- Save Changes: Select this option to save any changes made to the ATT&CK view since it was last saved.
- Save a Copy…: Select this option to save a copy of the ATT&CK view. The Save a Copy window will be displayed with the name of the ATT&CK view and the text “ – COPY” appended to it prepopulated in the Name field. If desired, enter a new, unique name for the ATT&CK view in the Name field, enter a description or update the existing one in the Description field, and click the Save button. The copy of the ATT&CK view will be displayed in the ATT&CK Visualizer.
Editing a Saved ATT&CK View’s Name
When a saved standard ATT&CK view is open in the ATT&CK Visualizer, an Edit button is displayed to the right of its name at the top left of the screen. Click this button to edit the ATT&CK view’s name and then click Confirm to save your changes.
Standard ATT&CK View Options
When you click Options at the top right of the ATT&CK Visualizer while a standard ATT&CK view is open, a menu with some or all of the following options will be displayed, depending on whether the view is saved or unsaved:
- Switch View…: Available for saved and unsaved views.
- Export as JSON…: Available for saved and unsaved views.
- Export as PNG…: Available for saved and unsaved views.
- Delete…: Available for saved views only.
Switching ATT&CK Views
Select Switch View… to open a different saved standard or imported ATT&CK view in the ATT&CK Visualizer. The Switch ATT&CK View window will be displayed (Figure 9).
- Click on the row for the ATT&CK view you want to open in the ATT&CK Visualizer. To toggle between standard and imported ATT&CK views, use the Standard View and Imported View options at the top left of the window.
- Click the Switch View button.
Exporting ATT&CK Views
Select Export as PNG… or Export as JSON… to export the standard ATT&CK view as it is currently displayed in your browser as a PNG or JSON file, respectively.
Deleting Saved ATT&CK Views
When a saved standard ATT&CK view is open in the ATT&CK Visualizer, a Delete… option is displayed in the Options menu. Select this option to delete the saved ATT&CK view.
Closing Standard ATT&CK Views
When a saved standard ATT&CK view is open in the ATT&CK Visualizer, a Close View button is displayed at the top right of the screen. Click this button to close the ATT&CK view and return to the ATT&CK screen.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
Firefox® is a registered trademark of The Mozilla Foundation.
20151-04 v.03.A