ATT&CK Security Coverage
  • 02 Oct 2025


Overview

Organization Administrators can use the ThreatConnect® ATT&CK® Visualizer to assign security coverage to MITRE ATT&CK® Enterprise techniques and sub-techniques for their Organization. This information can help you evaluate the strengths and weaknesses of your security posture for specific techniques, identify gaps in security coverage, and enhance defense strategies with precision. After an Organization Administrator has assigned security coverage in the ATT&CK Visualizer, users in the Organization can use the Security Coverage overlay for standard and imported ATT&CK views to identify which techniques have coverage and which ones may require attention.

Warning
Security coverage assigned in the ATT&CK Visualizer applies to the entire Organization. Before making changes to security coverage, coordinate with other Organization Administrators in your Organization, as any changes you make will overwrite the existing security coverage.

Before You Start

User Roles

  • To assign security coverage for an Organization in the ATT&CK Visualizer, your user account must have an Organization role of Organization Administrator.
  • To use the Security Coverage overlay for standard and imported ATT&CK views, your user account can have any Organization role.

Assigning Security Coverage for Your Organization

Follow these steps to assign security coverage to techniques and sub-techniques in the ATT&CK Visualizer:

  1. From the Tools dropdown on the top navigation bar, select ATT&CK.
  2. Click Settings at the upper right of the ATT&CK screen.
  3. On the ATT&CK Settings drawer, click Assign Coverage to open the security coverage assignment view in the ATT&CK Visualizer (Figure 1).
    Figure 1_ATT&CK Security Coverage_7.4.0

     

  4. Select the techniques and sub-techniques that you want to assign security coverage to.
    Note
    If the Selection Details drawer is open, close it before proceeding to Step 5.
  5. Click the Selection Actions dropdown at the upper right and select Assign Coverage. Then select one of the following options:
    • No Coverage: Your organization’s security defenses do not address or detect the techniques.
    • Weak Coverage: Your organization is equipped to provide only limited coverage for the techniques.
    • Moderate Coverage: Your organization has a reasonable amount of coverage for the techniques.
    • Strong Coverage: Your organization’s security defenses are well equipped to detect, mitigate, and respond effectively to the techniques.
    • Clear Coverage: Remove the assigned coverage from the techniques.
  6. To assign security coverage to additional techniques and sub-techniques, click Clear Selections at the upper right, and then repeat Steps 4–5.
  7. After all security coverage is assigned, click Save Coverage at the upper right.

Figure 2 shows security coverage assigned to techniques and sub-techniques for the Organization named Demo Organization.

Figure 2_ATT&CK Security Coverage_7.4.0

 

Important
Your Organization’s saved security coverage is factored into the ATT&CK RQ Financial Impact calculation. After you update your security coverage, there will be a brief recalculation period during which the ATT&CK RQ Financial Impact configuration and data are unavailable. It is recommended that you keep your Organization’s security coverage up to date to allow for the highest level of accuracy in the ATT&CK RQ Financial Impact calculation.

Selecting Techniques and Sub-techniques

When assigning security coverage in the ATT&CK Visualizer, you can use the following methods to select techniques and sub-techniques:

  • Select items individually: Click a technique or sub-technique to select it. When a technique or sub-technique is selected, click it again to deselect it.
  • Select all visible items under a tactic: Click a tactic to select all visible (i.e., not collapsed) techniques and sub-techniques in the tactic’s column, including items that are scrolled off to the bottom. If a technique has sub-techniques, but the technique is not expanded when you click the tactic, none of the technique’s sub-techniques will be selected. If all visible techniques and sub-techniques in a tactic column are selected, clicking the tactic again will deselect those items.
  • Select all visible items: Select Select All Visible from the Selection Actions dropdown at the upper right to select all techniques and sub-techniques that are visible (i.e., not collapsed) on the screen, including items that are scrolled off to the side, top, or bottom. If a technique has sub-techniques, but the technique is not expanded when you select the Select All Visible option, none of its sub-techniques will be selected.
  • Deselect all visible items: Select Deselect All Visible from the Selection Actions dropdown at the upper right to deselect all techniques and sub-techniques that are visible on the screen, including items that are scrolled off to the side, top, or bottom.
  • Deselect all items:
    • Select Deselect All from the Selection Actions dropdown at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen.
    • Click Clear Selections at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen.

As you select techniques and sub-techniques, the Selection Actions dropdown displays the current number of selected items.

Note
You can continue selecting techniques and sub-techniques while the Selection Details drawer is open. Also, you can deselect techniques and sub-techniques from the Selections card on the Selection Details drawer when multiple items are selected.

Viewing Technique and Sub-technique Details

Selecting techniques and sub-techniques in the ATT&CK Visualizer opens the Selection Details drawer. When only one technique or sub-technique is selected, the Selection Details drawer displays details about the selected item. When multiple techniques or sub-techniques are selected, the Selection Details drawer displays the current selections in a tabular format. To view more details about a specific technique or sub-technique, click its table row.

When you select an individual technique or sub-technique, the Selection Details drawer opens automatically. You can also open the Selection Details drawer manually by clicking View selection details at the upper right or by selecting View Selection Details from the Selection Actions dropdown at the upper right.

Assign Coverage View Options

Use the ⋯ menu at the upper right to do the following while assigning security coverage in the ATT&CK Visualizer:

  • Export the security coverage assignment as a JSON or PNG file.
    Note
    Using the ATT&CK Visualizer’s Export as PNG… feature in Firefox® is not recommended at this time.
  • Remove all assigned security coverage for your Organization.
    Warning
    Removing all assigned security coverage for your Organization cannot be undone.

Security Coverage Overlay in ATT&CK Views

When a standard or imported ATT&CK view is open in the ATT&CK Visualizer, users in your Organization can select the Security Coverage overlay to display the security coverage assigned to techniques and sub-techniques in the ATT&CK view.

Security Coverage for Standard ATT&CK Views

The Security Coverage overlay for standard ATT&CK views displays your Organization’s security coverage for each technique and sub-technique used by the Groups added to a standard ATT&CK view (Figure 3).

Figure 3_ATT&CK Security Coverage_7.10.2

 

When using the Security Coverage overlay for standard ATT&CK views, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:

  • Each tactic displays the number of its techniques used by the Groups out of the total number of its techniques.
  • Techniques and sub-techniques that have security coverage and are used by the Groups are outlined in a color corresponding to the assigned security coverage level (None, Weak, Moderate, and Strong) and display a label with the assigned security coverage level and the number of Groups using the technique or sub-technique (e.g., Weak - 2 Groups). Expand the label to view the Groups.
  • Techniques and sub-techniques that do not have security coverage and are used by the Groups are outlined in light gray and display a label with the number of Groups using the technique or sub-technique (e.g., 2 Groups). Expand the label to view the Groups.
  • Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. If a technique has sub-techniques, but the Groups use only the technique, the technique will display 0 of <#>, where <#> is the total number of the technique’s sub-techniques.
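
The display rules above for a standard ATT&CK view can be modelled in a short script. This is an added example, not ThreatConnect code: the data structures, the sample Groups, and the coverage values are constructed assumptions, and the final "needs attention" list goes beyond what the overlay itself displays.

```python
# Constructed sample data; these structures are assumptions for illustration,
# not ThreatConnect's export format or API.
MATRIX = {  # tactic -> technique -> sub-techniques (small subset, not the full matrix)
    "Initial Access": {"T1566": ["T1566.001", "T1566.002"], "T1190": []},
    "Execution": {"T1059": ["T1059.001", "T1059.003"], "T1204": ["T1204.002"]},
}
COVERAGE = {"T1566": "Moderate", "T1566.001": "Weak", "T1190": "None"}
GROUP_USAGE = {  # Groups added to the view -> techniques they use
    "Group A": {"T1566", "T1566.001", "T1059"},
    "Group B": {"T1566.001", "T1190"},
}

def users_of(tid):
    """Sorted names of the Groups that use a technique or sub-technique."""
    return sorted(g for g, used in GROUP_USAGE.items() if tid in used)

def label(tid):
    """Overlay label for an item used by the Groups, or None if no Group uses it."""
    n = len(users_of(tid))
    if n == 0:
        return None
    groups = f"{n} Group" + ("s" if n != 1 else "")  # singular form is an assumption
    # "None" is an assigned level; an unassigned item shows only the Group count.
    return f"{COVERAGE[tid]} - {groups}" if tid in COVERAGE else groups

def used_of_total(ids):
    """'<used> of <total>' counter shown on a tactic or a technique."""
    return f"{sum(1 for i in ids if users_of(i))} of {len(ids)}"

def overlay():
    """Per-tactic counters plus per-technique labels and sub-technique counters."""
    view = {}
    for tactic, techniques in MATRIX.items():
        rows = {}
        for tid, subs in techniques.items():
            rows[tid] = {"label": label(tid),
                         "subs": used_of_total(subs) if subs else None,
                         "sub_labels": {s: label(s) for s in subs if users_of(s)}}
        view[tactic] = {"techniques": used_of_total(techniques), "rows": rows}
    return view

def needs_attention():
    """Used items that are unassigned, None or Weak, most-used first."""
    ids = [i for t in MATRIX.values() for tid, subs in t.items() for i in [tid, *subs]]
    weak = [i for i in ids if users_of(i) and COVERAGE.get(i, "None") in ("None", "Weak")]
    return sorted(weak, key=lambda i: (-len(users_of(i)), i))

if __name__ == "__main__":
    for tactic, data in overlay().items():
        print(tactic, data["techniques"], data["rows"])
    print("Needs attention:", needs_attention())
```
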

Security Coverage for Imported ATT&CK Views

The Security Coverage overlay for imported ATT&CK views displays your Organization’s security coverage for techniques and sub-techniques that were annotated in the MITRE ATT&CK® Navigator (Figure 4).

Figure 4_ATT&CK Security Coverage_7.10.0

 

When using the Security Coverage overlay for imported ATT&CK views, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:

  • Each tactic displays the number of its techniques that are annotated out of the total number of its techniques.
  • Annotated techniques and sub-techniques with security coverage are outlined in a color corresponding to the assigned security coverage level (None, Weak, Moderate, and Strong) and display a label with the assigned security coverage level.
  • Annotated techniques and sub-techniques without security coverage are outlined in light gray.
  • Each annotated technique displays the number of its sub-techniques that are annotated out of the total number of its sub-techniques. If a technique has sub-techniques, but only the technique is annotated, the technique will display 0 of <#>, where <#> is the total number of the technique’s sub-techniques.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
Firefox® is a registered trademark of The Mozilla Foundation.

20151-07 v.02.A

