ATT&CK Security Coverage

Within the ThreatConnect^® ATT&CK^® Visualizer, Organization Administrators can assign security coverage to specific techniques and sub-techniques in the MITRE ATT&CK^® Enterprise Matrix for their Organization. Doing so enables you to evaluate the strengths and weaknesses for specific techniques, identify gaps in security coverage, and enhance defense strategies with precision. In addition, other users in your Organization can overlay the security coverage map onto any ATT&CK view, allowing them to identify which techniques are covered and which ones may need attention.

Assigning Security Coverage for Your Organization

1. Log into ThreatConnect with an Organization Administrator account.
2. On the top navigation bar, click ATT&CK. The ATT&CK screen will be displayed.
3. Click the Assign Coverage button at the top right of the ATT&CK screen. The Assign Coverage view will open in the ATT&CK Visualizer (Figure 1).
   

    

4. Select the techniques and sub-techniques to which you want to assign coverage. For more information on how to select techniques and sub-techniques in the Assign Coverage view, see the “Selecting Techniques and Sub-Techniques” section.
   
   Note

   If the Selection Details drawer is displayed on the screen after selecting techniques and sub-techniques, click Closeat the top right of the drawer to close it before proceeding to Step 5.
5. Click the Selection Actions dropdown at the top right of the ATT&CK Visualizer, select Assign Coverage, and select one of the following options:
   • No Coverage: Select this option if your organization’s security defenses are not addressing or detecting the techniques.
   • Weak Coverage: Select this option if your organization is equipped to provide only limited coverage for the techniques.
   • Moderate Coverage: Select this option if your organization has a reasonable amount of coverage for the techniques.
   • Strong Coverage: Select this option if your organization’s security defenses are well equipped to detect, mitigate, and respond effectively to the techniques.
   • Clear Coverage: Select this option to remove coverage assigned to the techniques.
6. To assign coverage to additional techniques and sub-techniques, click the Clear Selections button at the top right of the ATT&CK Visualizer and then repeat Steps 4–5.
7. After all coverage has been assigned to the desired techniques and sub-techniques, click the Save Coverage button at the top right of the ATT&CK Visualizer.

Figure 2 shows security coverage assigned to techniques and sub-techniques for the Organization named Demo Organization.

Selecting Techniques and Sub-Techniques

While the Assign Coverage view is open in the ATT&CK Visualizer, you can select techniques and sub-techniques to assign coverage to using the methods described in the following subsections. As you select techniques and sub-techniques, you can view the total number of selected items in the Selection Actions dropdown at the top right of the ATT&CK Visualizer.

Selecting Techniques and Sub-Techniques Individually

Click on a technique or sub-technique to select it. When a technique or sub-technique is selected, clicking on it again will clear its selection. You can also clear the selection of individual techniques and sub-techniques from the Selections card of the Selection Details drawer when multiple items are selected.

Selecting All Visible Techniques and Sub-Techniques in a Tactic

Click on a tactic column header to select all visible (i.e., not collapsed) techniques and sub-techniques in the tactic column, including items that are scrolled off to the bottom. If a technique has sub-techniques and the technique is not expanded when you click the tactic column header, none of its sub-techniques will be selected.

If all visible techniques and sub-techniques in a tactic column are selected, clicking on the tactic column header again will clear the selections.

Selecting Multiple Techniques and Sub-Techniques at Once

The Selection Actions dropdown at the top right of the ATT&CK Visualizer provides the following options for selecting, and clearing the selections of, multiple techniques and sub-techniques at once:

• Select All Visible: Select this option to select all techniques and sub-techniques visible (i.e., not collapsed) on the screen, including items that are scrolled off to the side, top, or bottom. If a technique has sub-techniques and the technique is not expanded when you select the Select All Visible option, none of its sub-techniques will be selected.
• Deselect All Visible: Select this option to clear the selections of all techniques and sub-techniques visible on the screen, including items that are scrolled off to the side, top, or bottom.
• Deselect All: Select this option to clear the selections of all techniques and sub-techniques, regardless of whether they are visible on the screen.

In addition to the Deselect All option in the Selections Actions dropdown, you can click the Clear Selections button at the top right of the ATT&CK Visualizer to clear the selections of all techniques and sub-techniques, regardless of whether they are visible on the screen. You can also clear all selections from the Selections card of the Selection Details drawer when multiple items are selected.

Viewing Selection Details

The Selection Details drawer provides information about the techniques and sub-techniques currently selected in the ATT&CK Visualizer. When you select an individual technique or sub-technique, the Selection Details drawer is displayed automatically; however, you can click View selection detailsat the top right of the ATT&CK Visualizer, or select View Selection Details from the Selection Actions dropdown, to access this drawer at any time.

Filtering Techniques and Sub-Techniques

While the Assign Coverage view is open in the ATT&CK Visualizer, you can use the search bar at the top left of the screen to filter techniques and sub-techniques by name.

Assign Coverage View Options

When you click Optionsat the top right of the ATT&CK Visualizer while the Assign Coverage view is open, a menu with the following options will be displayed:

• Export as JSON…: Select this option to export the Assign Coverage view as it is currently displayed in your browser as a JSON file.
• Export as PNG…: Select this option to export the Assign Coverage view as it is currently displayed in your browser as a PNG file.
  
  Note

  Using the ATT&CK Visualizer’s Export as PNG… feature in Firefox^® is not recommended at this time.
• Clear All Coverage…: Select this option to remove all assigned security coverage for your Organization.
  
  Warning

  Removing all assigned security coverage for your Organization cannot be undone.

Closing the Assign Coverage View

While the Assign Coverage view is open in the ATT&CK Visualizer, a Close Viewbutton is displayed at the top right of the screen. Click this button to close the Assign Coverage view and return to the ATT&CK screen.

Viewing Security Coverage in ATT&CK Views

When an ATT&CK view is open in the ATT&CK Visualizer, users can select the Security Coverage view to overlay the security coverage map onto the ATT&CK view. See the “Security Coverage” section of Standard ATT&CK Views and Imported ATT&CK Views for more information on using this view option for standard and imported ATT&CK views, respectively.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.
Firefox^® is a registered trademark of The Mozilla Foundation.

20151-07 v.01.B