Imported ATT&CK Views

Overview

You can use the ATT&CK^® Visualizer to import ATT&CK views built in the MITRE ATT&CK^® Navigator into ThreatConnect^®. By using ThreatConnect as a repository for all your ATT&CK views, your security teams can collaborate more effectively when evaluating and optimizing your organization’s cybersecurity strategy. After you import an ATT&CK view, you can save it so that you and other users in your Organization can open it from the ATT&CK screen, or you can export it as a PNG or JSON file.

The ATT&CK Visualizer includes three view overlays for imported ATT&CK views: Threat Group Comparison, Technique Prevalence, and Security Coverage. Together, these overlays empower you to make more informed decisions regarding your organization’s security strategies, ensuring effective defense prioritization and keeping you ahead of evolving threats.

Before You Start

User Roles

• To import ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To save imported ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To open saved imported ATT&CK views, your user account can have any Organization role.
• To edit and delete saved imported ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To export saved imported ATT&CK views, your user account can have any Organization role.
• To export unsaved imported ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.

Prerequisites

• To use the Security Coverage overlay, assign security coverage for your Organization in the ATT&CK Visualizer (must be an Organization Administrator to perform this action).

Importing ATT&CK Views

Follow these steps to import an ATT&CK view built in the MITRE ATT&CK Navigator into the ThreatConnect ATT&CK Visualizer:

1. Export an ATT&CK view built in the MITRE ATT&CK Navigator as a JSON file.
   Important

   Only single-layer ATT&CK views built in the MITRE ATT&CK Navigator may be imported into the ThreatConnect ATT&CK Visualizer. When exporting an ATT&CK view from the MITRE ATT&CK Navigator, select the download single layer as json export option.
2. In ThreatConnect, select ATT&CK from the Tools dropdown on the top navigation bar.
3. Click the + Create ATT&CK View button at the upper right of the ATT&CK screen and select Imported View….
4. Locate and select the JSON file downloaded from the MITRE ATT&CK Navigator. After the ATT&CK view is imported, the ATT&CK Visualizer will open and display the ATT&CK view.

ATT&CK Visualizer Overlays for Imported Views

The ATT&CK Visualizer includes the following overlays for imported ATT&CK views:

• Imported Color Assignments (default)
• Imported Score Prevalence
• Security Coverage

You can change overlays in the ATT&CK Visualizer using the dropdown at the upper left of the ATT&CK Visualizer, next to the search bar.

Imported Color Assignments

The Imported Color Assignments overlay displays the colors and scores assigned to techniques and sub-techniques that were annotated in the MITRE ATT&CK Navigator (Figure 1).

When using the Imported Color Assignments overlay, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:

• Each tactic displays the number of its techniques that are annotated out of the total number of its techniques.
• Annotated techniques and sub-techniques are outlined in the same color that was used when they were annotated in the MITRE ATT&CK Navigator. If a score has been assigned to a technique or sub-technique, it also displays the assigned score out of the maximum score possible.
• Each annotated technique displays the number of its sub-techniques that are annotated out of the total number of its sub-techniques. If a technique has sub-techniques, but only the technique is annotated, the technique will display 0 of <#>, where <#> is the total number of the technique’s sub-techniques.

Imported Score Prevalence

The Imported Score Prevalence overlay displays a color-coded heat map that shows the score range corresponding to techniques and sub-techniques that were assigned scores in the MITRE ATT&CK Navigator (Figure 2).

When using the Imported Score Prevalence overlay, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:

• Each tactic displays the number of its techniques that are annotated out of the total number of its techniques.
• Annotated techniques and sub-techniques with scores are outlined in a color representing the score range (Highest, High, Moderate, and Lowest) in which their score falls. They also display a label with the corresponding score range and their assigned score out of the maximum score possible [e.g., ◼Highest (75 of 100)].
  Note

  The values associated with each score range used in the Imported Score Prevalence overlay are based on how scoring was configured when the ATT&CK view was built in the MITRE ATT&CK Navigator.
• Annotated techniques and sub-techniques without scores are outlined in the same color that was used when they were annotated in the MITRE ATT&CK Navigator.
• Each annotated technique displays the number of its sub-techniques that are annotated out of the total number of its sub-techniques. If a technique has sub-techniques, but only the technique is annotated, the technique will display 0 of <#>, where <#> is the total number of the technique’s sub-techniques.

Security Coverage

The Security Coverage overlay displays your Organization’s security coverage for techniques and sub-techniques that were annotated in the MITRE ATT&CK Navigator. For more information, see ATT&CK Security Coverage.

Viewing Technique and Sub-technique Details

Click a technique or sub-technique to open its Selection Details drawer and view more details about the selected item and any Groups with a corresponding ATT&CK Tag applied to them.

Saving Imported ATT&CK Views

Saving an imported ATT&CK view allows you and other users in your Organization to open it from the ATT&CK screen. To save a new (i.e., unsaved) imported ATT&CK view, click Save View at the upper right of the ATT&CK Visualizer.

Imported ATT&CK View Options

Use the ⋯ menu at the upper right of the ATT&CK Visualizer to do the following while an imported ATT&CK view is open in the ATT&CK Visualizer:

• Switch to a different ATT&CK view (either a saved standard ATT&CK view or a saved imported ATT&CK view).
• Import a new JSON file downloaded from the MITRE ATT&CK Navigator.
  Warning

  Performing this operation will overwrite the contents of the imported ATT&CK view that is currently open in the ATT&CK Visualizer.
• Export the imported ATT&CK view as a JSON or PNG file.
  Note

  Using the ATT&CK Visualizer’s Export as PNG… feature in Firefox^® is not recommended at this time.
• (Saved imported ATT&CK views only) Delete the imported ATT&CK view.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.
Firefox^® is a registered trademark of The Mozilla Foundation.

20151-08 v.02.A