- 10 Jan 2024
Imported ATT&CK Views
- Updated on 10 Jan 2024
In ThreatConnect®, you can import JSON files for views built in the MITRE ATT&CK® Navigator into the ATT&CK® Visualizer. By using ThreatConnect as a centralized platform for ATT&CK views, your security teams can collaborate more effectively when evaluating and optimizing your organization’s cybersecurity strategy.
When an imported ATT&CK view is open in the ATT&CK Visualizer, you can view the color scheme and scores used when techniques and sub-techniques were annotated in the MITRE ATT&CK Navigator, the prevalence of annotated techniques and sub-techniques, and security coverage assigned to those items by your Organization Administrator.
Importing ATT&CK Views
Before following the steps in this section, make sure that you have downloaded a JSON file for a view built in the MITRE ATT&CK Navigator.
- On the top navigation bar, click ATT&CK. The ATT&CK screen will be displayed.
- Click the + Create ATT&CK View button at the top right of the ATT&CK screen and select Imported View….
- Locate and select a JSON file downloaded from the MITRE ATT&CK Navigator. The imported ATT&CK view will open in the ATT&CK Visualizer. By default, the Imported Color Assignments view option is selected.
ATT&CK Visualizer View Options for Imported Views
The ATT&CK Visualizer offers three different view options for imported ATT&CK views: Imported Color Assignments, Imported Score Prevalence, and Security Coverage. You can select which view to display via the dropdown at the top left of the ATT&CK Visualizer.
Imported Color Assignments
Figure 1 illustrates the Imported Color Assignments view for an imported ATT&CK view. Use this view when you want to visualize the same color selections and scores for techniques and sub-techniques that were annotated when the view was built in the MITRE ATT&CK Navigator.
- Each tactic column displays the number of annotated techniques out of the total number of the tactic’s techniques. For example, the 6 of 10 label on the Reconnaissance column indicates that 6 of the 10 techniques the Reconnaissance tactic comprises were annotated when the view was built in the MITRE ATT&CK Navigator.
- Annotated techniques and sub-techniques are outlined in a color that matches the color scheme configured in the MITRE ATT&CK Navigator and, if a score has been assigned, contain a label with their score out of the maximum score possible (e.g., Score 2 of 8).
- Each annotated technique displays the number of its sub-techniques that have been annotated out of the total number of its sub-techniques. For example, the 4 of 8 label on the Acquire Infrastructure card indicates that 4 of the 8 sub-techniques the Acquire Infrastructure technique comprises have been annotated. If a technique has sub-techniques and only the technique was annotated, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
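To check a Navigator layer file before importing it and preview the annotated counts and scores described above, the following added example (not ThreatConnect or MITRE code) parses a layer and tallies annotated techniques per tactic and annotated sub-techniques per technique. The field names follow the ATT&CK Navigator layer format; treating an entry as annotated when it has a score, color or comment, and using `gradient.maxValue` as the maximum score, are assumptions, and the sample layer is constructed.

```python
import json
from collections import defaultdict

# Constructed sample layer using field names from the ATT&CK Navigator layer format.
SAMPLE_LAYER = json.dumps({
    "name": "constructed example layer",
    "domain": "enterprise-attack",
    "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 8},
    "techniques": [
        {"techniqueID": "T1583", "tactic": "resource-development", "score": 2},
        {"techniqueID": "T1583.001", "tactic": "resource-development", "color": "#fd8d3c"},
        {"techniqueID": "T1583.003", "tactic": "resource-development", "score": 8},
        {"techniqueID": "T1595", "tactic": "reconnaissance", "comment": "seen in Q4"},
        {"techniqueID": "T1592", "tactic": "reconnaissance"},  # listed but not annotated
    ],
})

def is_annotated(entry):
    """Assumption: an entry counts as annotated if it carries a score, color or comment."""
    return entry.get("score") is not None or bool(entry.get("color")) or bool(entry.get("comment"))

def summarize_layer(text):
    layer = json.loads(text)
    techniques = layer.get("techniques")
    if not isinstance(techniques, list):
        raise ValueError("not a Navigator layer: missing 'techniques' list")
    max_score = layer.get("gradient", {}).get("maxValue")  # assumed "maximum score"
    per_tactic = defaultdict(set)  # tactic -> annotated technique IDs
    subs = defaultdict(set)        # parent technique ID -> annotated sub-technique IDs
    scores = {}                    # technique ID -> "score of max"
    for entry in techniques:
        tid = entry.get("techniqueID")
        if not isinstance(tid, str) or not tid.startswith("T"):
            raise ValueError(f"bad techniqueID: {tid!r}")
        if not is_annotated(entry):
            continue
        parent, _, sub = tid.partition(".")
        if sub:
            subs[parent].add(tid)
        else:
            per_tactic[entry.get("tactic", "(all tactics)")].add(tid)
        if entry.get("score") is not None:
            scores[tid] = f"{entry['score']} of {max_score}"
    return {
        "techniques_per_tactic": {t: len(ids) for t, ids in per_tactic.items()},
        "subtechniques_per_technique": {p: len(ids) for p, ids in subs.items()},
        "scores": scores,
    }
```

The totals in the "N of M" labels (for example, the 10 techniques in Reconnaissance) come from the ATT&CK matrix itself and are not stored in the layer file, so this sketch reports only the annotated side of each count.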
Imported Score Prevalence
Figure 2 illustrates the Imported Score Prevalence view for an imported ATT&CK view. Use this view when you want to generate a color-coded heat map that displays the score range corresponding to techniques and sub-techniques that were annotated and assigned scores when the view was built in the MITRE ATT&CK Navigator.
- Each tactic column displays the number of annotated techniques out of the total number of the tactic’s techniques. For example, the 6 of 10 label on the Reconnaissance column indicates that 6 of the 10 techniques the Reconnaissance tactic comprises were annotated when the view was built in the MITRE ATT&CK Navigator.
- Annotated techniques and sub-techniques with scores are outlined in a color representing the score range (Highest, High, Moderate, and Lowest) in which their score falls. They also contain a label with the corresponding score range followed by their score out of the maximum score possible [e.g., ◼ Highest (8 of 8)]. Note: The score values associated with each score range used in Imported Score Prevalence view are based on how scoring was configured when the imported view was built in the MITRE ATT&CK Navigator.
- Annotated techniques and sub-techniques without scores are outlined in a color that matches the color used when they were annotated in the MITRE ATT&CK Navigator.
- Each annotated technique displays the number of its sub-techniques that have been annotated out of the total number of its sub-techniques. For example, the 4 of 8 label on the Acquire Infrastructure card indicates that 4 of the 8 sub-techniques the Acquire Infrastructure technique comprises have been annotated. If a technique has sub-techniques and only the technique was annotated, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
Security Coverage
Figure 3 illustrates the Security Coverage view for an imported ATT&CK view. Use this view when you want to see your Organization’s security coverage for techniques and sub-techniques that were annotated when the view was built in the MITRE ATT&CK Navigator.
- Each tactic column displays the number of annotated techniques out of the total number of the tactic’s techniques. For example, the 6 of 10 label on the Reconnaissance column indicates that 6 of the 10 techniques the Reconnaissance tactic comprises were annotated when the view was built in the MITRE ATT&CK Navigator.
- Annotated techniques and sub-techniques with security coverage are outlined in a color corresponding to the assigned security coverage level (None, Weak, Moderate, and Strong) and contain a label with the assigned security coverage level (e.g., ◼ Moderate).
- Annotated techniques and sub-techniques without security coverage are outlined in light gray.
- Each annotated technique displays the number of its sub-techniques that have been annotated out of the total number of its sub-techniques. For example, the 4 of 8 label on the Acquire Infrastructure card indicates that 4 of the 8 sub-techniques the Acquire Infrastructure technique comprises have been annotated. If a technique has sub-techniques and only the technique was annotated, a 0 of <#> label will be displayed on the technique, where <#> represents the total number of sub-techniques the technique comprises.
Selecting and Viewing Details for Techniques and Sub-Techniques
While an imported ATT&CK view is open in the ATT&CK Visualizer, click on a technique or sub-technique to display its Selection Details drawer and view more details about the selected item and any Groups with a corresponding ATT&CK Tag applied to them.
Filtering Techniques and Sub-Techniques
While an imported ATT&CK view is open in the ATT&CK Visualizer, you can use the search bar at the top left of the screen to filter techniques and sub-techniques by name.
Saving Imported ATT&CK Views
Saving an imported ATT&CK view allows you and other users in your Organization to access it via the Imported Views tab of the ATT&CK screen. To save an imported ATT&CK view, click the Save View button at the top right of the ATT&CK Visualizer. The New Imported ATT&CK View window will be displayed (Figure 4).
- Name: Enter a unique name for the ATT&CK view.
- Description: If desired, enter a description of the ATT&CK view.
- Click the Save button to save the ATT&CK view.
If you are viewing a saved imported ATT&CK view, a Saved button will be displayed at the top right of the ATT&CK Visualizer. Note that this button will be grayed out.
Editing a Saved ATT&CK View’s Name
When a saved imported ATT&CK view is open in the ATT&CK Visualizer, an Edit button is displayed to the right of its name at the top left of the screen. Click this button to edit the ATT&CK view’s name and then click Confirm to save your changes.
Imported ATT&CK View Options
When you click Options at the top right of the ATT&CK Visualizer while an imported ATT&CK view is open, a menu with some or all of the following options will be displayed, depending on whether the view is saved or unsaved:
- Switch View…: Available for saved and unsaved views.
- Import a JSON…: Available for saved and unsaved views.
- Export as JSON…: Available for saved and unsaved views.
- Export as PNG…: Available for saved and unsaved views.
- Delete…: Available for saved views only.
Switching ATT&CK Views
Select Switch View… to open a different saved standard or imported ATT&CK view in the ATT&CK Visualizer. The Switch ATT&CK View window will be displayed (Figure 5).
- Click on the row for the ATT&CK view you want to open in the ATT&CK Visualizer. To toggle between standard and imported ATT&CK views, use the Standard View and Imported View options at the top left of the window.
- Click the Switch View button.
Importing a New JSON File
Select Import a JSON… to import a new JSON file downloaded from the MITRE ATT&CK Navigator into ThreatConnect’s ATT&CK Visualizer.
Exporting Imported ATT&CK Views
Select Export as PNG… or Export as JSON… to export the imported ATT&CK view as it is currently displayed in your browser as a PNG or JSON file, respectively.
Deleting Saved ATT&CK Views
When a saved imported ATT&CK view is open in the ATT&CK Visualizer, a Delete… option is displayed in the Options menu. Select this option to delete the saved ATT&CK view.
Closing Standard ATT&CK Views
When a saved imported ATT&CK view is open in the ATT&CK Visualizer, a Close View button is displayed at the top right of the screen. Click this button to close the ATT&CK view and return to the ATT&CK screen.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
Firefox® is a registered trademark of The Mozilla Foundation.
20151-08 v.01.A