Standard ATT&CK Views
- Updated on 02 Oct 2025
Overview
You can use the ThreatConnect® ATT&CK® Visualizer to create standard ATT&CK views with Groups in ThreatConnect added as analysis layers. This allows you to view the MITRE ATT&CK® Enterprise tactics, techniques, and sub-techniques that each Group uses; gather insights into other Groups using similar tactics, techniques, and procedures (TTPs); and make informed decisions during an investigation involving the Groups. After you create a standard ATT&CK view, you can save it so that you and other users in your Organization can open it from the ATT&CK screen, or you can export it as a PNG or JSON file.
The ATT&CK Visualizer includes four overlays for standard ATT&CK views: Threat Group Comparison, Technique Prevalence, Security Coverage, and Financial Impact. Together, these overlays empower you to make more informed decisions regarding your organization’s security strategies, ensuring effective defense prioritization and keeping you ahead of evolving threats.
Before You Start
User Roles
- To create standard ATT&CK views, your user account can have any Organization role.
- To add Groups in an Organization to standard ATT&CK views as analysis layers, your user account can have any Organization role.
- To add Groups in a Community or Source to standard ATT&CK views as analysis layers, your user account can have any Community role except Banned for that Community or Source.
- To save standard ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To open saved ATT&CK views, your user account can have any Organization role.
- To edit and delete saved standard ATT&CK views, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To export standard ATT&CK views, your user account can have any Organization role.
Prerequisites
- To use the Security Coverage overlay, assign security coverage for your Organization in the ATT&CK Visualizer (must be an Organization Administrator to perform this action).
- To use the Financial Impact overlay, enable and configure ATT&CK RQ Financial Impact by doing the following:
  - On the System Settings screen, turn on the financialImpactEstimates system setting (must be a System Administrator to perform this action).
  - On the ATT&CK screen, enable and configure ATT&CK RQ Financial Impact for your Organization (must be an Organization Administrator to perform this action).
Creating Standard ATT&CK Views
The following steps describe how to create a standard ATT&CK view in the ATT&CK Visualizer and add Groups to it as analysis layers. If you access the ATT&CK Visualizer for a specific Group, a standard ATT&CK view will be created with the Group added as an analysis layer automatically.
- From the Tools dropdown on the top navigation bar, select ATT&CK.
- Click + Create ATT&CK View at the upper right of the ATT&CK screen and select Standard View to create a standard ATT&CK view and open it in the ATT&CK Visualizer (Figure 1).
  Note: If your user account has an Organization role of Read Only User or Read Only Commenter, the + Create ATT&CK View button will be replaced with the Explore ATT&CK View button. Click Explore ATT&CK View to create a standard ATT&CK view and open it in the ATT&CK Visualizer.
- To add Groups to the standard ATT&CK view, do the following:
  - Click Add analysis layers at the upper left of the ATT&CK Visualizer, next to the Analysis Layers dropdown.
  - On the Add an Analysis Layer window, select the Groups to add to the standard ATT&CK view, and then click Add Layers.
After you add Groups to a standard ATT&CK view, the ATT&CK Visualizer will display only the tactics, techniques, and sub-techniques used by the Groups. In addition, the ATT&CK Visualizer will display labels with each Group’s name and, in the Threat Group Comparison overlay, assigned color next to the Analysis Layers dropdown. Use the arrows on either side of the Group labels to scroll horizontally through them if there are too many to display at one time.
ATT&CK Visualizer Overlays for Standard Views
The ATT&CK Visualizer includes the following overlays for standard ATT&CK views:
- Threat Group Comparison
- Technique Prevalence
- Security Coverage
- Financial Impact
You can change overlays using the dropdown at the upper left of the ATT&CK Visualizer, next to the search bar. Also, you can view a legend for the selected overlay by clicking the Analysis Layers dropdown at the upper left of the ATT&CK Visualizer.
Threat Group Comparison
The Threat Group Comparison overlay reveals shared techniques and sub-techniques among the Groups added to a standard ATT&CK view (Figure 2).
When using the Threat Group Comparison overlay, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:
- Each tactic displays the number of its techniques used by the Groups out of the total number of its techniques.
- Techniques and sub-techniques used by only one of the Groups are outlined in the color assigned to that Group and display a label with the Group’s name (e.g., ◼Backchannel Diplomac…). If the Group uses a sub-technique, but not the parent technique, this formatting is applied only to the sub-technique. If the Group uses a sub-technique and its parent technique, this formatting is applied to both the technique and sub-technique.
- Techniques and sub-techniques used by multiple Groups are outlined in gray and display a label with the number of Groups using them (e.g., 2 Groups). Expand the label to view the Groups. If the Groups use a sub-technique, but not the parent technique, this formatting is applied only to the sub-technique. If the Groups use a sub-technique and its parent technique, this formatting is applied to both the technique and sub-technique.
- Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. If a technique has sub-techniques, but the Groups use only the technique, the technique displays 0 of <#>, where <#> is the total number of the technique’s sub-techniques.
Technique Prevalence
The Technique Prevalence overlay displays a color-coded heat map that shows the prevalence of each technique and sub-technique used by the Groups added to a standard ATT&CK view (Figure 3).
When using the Technique Prevalence overlay, the ATT&CK Visualizer displays tactics, techniques, and sub-techniques in the following ways:
- Each tactic displays the number of its techniques used by the Groups out of the total number of its techniques.
- Techniques and sub-techniques used by the Groups are outlined in a color representing the technique’s or sub-technique’s quartile of prevalence based on the percentage of Groups using it. Each technique and sub-technique also displays a label with its quartile of prevalence and the percentage of Groups using it out of the total number of Groups [e.g., ◼High (57% of 14)]. Expand the label to view the Groups.
- Each technique displays the number of its sub-techniques used by the Groups out of the total number of its sub-techniques. If a technique has sub-techniques, but the Groups use only the technique, the technique will display 0 of <#>, where <#> is the total number of the technique’s sub-techniques.
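The labeling rules of the Threat Group Comparison and Technique Prevalence overlays described above can be reproduced outside the tool to sanity-check a view. The following Python is an added example, not ThreatConnect code; the Group names and sub-technique totals are constructed sample values, and quartile labels are left out because the page does not state their thresholds.

```python
from collections import defaultdict

# Constructed sample data: hypothetical Groups mapped to ATT&CK technique IDs.
GROUP_TECHNIQUES = {
    "Group A": {"T1566", "T1566.001", "T1059.001"},
    "Group B": {"T1566.001", "T1027"},
    "Group C": {"T1566", "T1027"},
}
# Constructed sub-technique totals per technique (sample values, not ATT&CK data).
SUBTECH_TOTALS = {"T1566": 4, "T1059": 10, "T1027": 12}


def users_by_technique(group_techniques):
    """Invert Group -> IDs into ID -> sorted Groups that use exactly that ID."""
    users = defaultdict(set)
    for group, ids in group_techniques.items():
        for tid in ids:
            users[tid].add(group)
    return {tid: sorted(groups) for tid, groups in users.items()}


def comparison_label(groups):
    """Threat Group Comparison: the Group's name, or 'N Groups' when shared."""
    return groups[0] if len(groups) == 1 else f"{len(groups)} Groups"


def prevalence_percent(groups, total_groups):
    """Technique Prevalence: percentage of the view's Groups using the item."""
    return round(100 * len(groups) / total_groups)


def subtechnique_counts(users, totals):
    """Per technique: (sub-techniques used by any Group, total sub-techniques)."""
    used = defaultdict(int)
    for tid in users:
        if "." in tid:  # a sub-technique counts toward its parent's tally
            used[tid.split(".")[0]] += 1
    return {parent: (used[parent], total) for parent, total in totals.items()}


def build_view(group_techniques, totals):
    """Return ({ID: (label, percent)}, {technique: (used, total)})."""
    users = users_by_technique(group_techniques)
    n = len(group_techniques)
    rows = {t: (comparison_label(g), prevalence_percent(g, n)) for t, g in users.items()}
    return rows, subtechnique_counts(users, totals)


if __name__ == "__main__":
    rows, counts = build_view(GROUP_TECHNIQUES, SUBTECH_TOTALS)
    for tid in sorted(rows):
        print(tid, *rows[tid])
    print(counts)
```

In the sample, T1059.001 is labeled without its parent T1059 because no Group uses the parent, and T1027 reports 0 of 12 because the Groups use only the technique itself.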
Security Coverage
The Security Coverage overlay displays your Organization’s security coverage for each technique and sub-technique used by the Groups added to a standard ATT&CK view. For more information, see ATT&CK Security Coverage.
Financial Impact
The Financial Impact overlay displays color-coded currency symbols that represent the relative amount of potential financial risk associated with each technique or sub-technique used by the Groups added to a standard ATT&CK view. For more information, see ATT&CK RQ Financial Impact.
Analysis Layers
The Analysis Layers dropdown at the upper left of the ATT&CK Visualizer displays the total number of Groups added to a standard ATT&CK view. If a standard ATT&CK view has at least one Group added to it, this dropdown provides options to do the following:
- Select Groups and highlight the techniques and sub-techniques used by those Groups in the standard ATT&CK view.
- Remove Groups from the standard ATT&CK view.
Figure 4 illustrates a standard ATT&CK view with 11 Groups added to it, but only 2 selected in the Analysis Layers dropdown. Here, the techniques and sub-techniques used by the 2 selected Groups are highlighted, while the techniques and sub-techniques used by the remaining 9 Groups are grayed out.
Viewing Technique and Sub-technique Details
You can select techniques and sub-techniques in a standard ATT&CK view to open the Selection Details drawer and view more details about the selected items and the Groups using them. As you select techniques and sub-techniques, the Selection Actions dropdown displays the current number of selected items.
There are multiple ways to select and deselect techniques and sub-techniques in a standard ATT&CK view:
- Select items individually: Click a technique or sub-technique to select it. When a technique or sub-technique is selected, clicking it again will deselect it. You can also deselect techniques and sub-techniques individually from the Selections card of the Selection Details drawer when multiple items are selected.
- Select all visible items: Select Select All Visible from the Selection Actions dropdown at the upper right to select all techniques and sub-techniques that are visible (i.e., not collapsed) on the screen, including items that are scrolled off to the side, top, or bottom. If a technique has sub-techniques, but the technique is not expanded when you select the Select All Visible option, none of its sub-techniques will be selected.
- Deselect all visible items: Select Deselect All Visible from the Selection Actions dropdown at the upper right to deselect all techniques and sub-techniques that are visible on the screen, including items that are scrolled off to the side, top, or bottom.
- Deselect all items:
  - Select Deselect All from the Selection Actions dropdown at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen.
  - Click Clear Selections at the upper right to deselect all techniques and sub-techniques, regardless of whether they are visible on the screen.
The Selection Details drawer provides information about the techniques and sub-techniques that are currently selected. When you select an individual technique or sub-technique, the Selection Details drawer opens automatically. You can also open the Selection Details drawer manually by clicking View selection details at the upper right or by selecting View Selection Details from the Selection Actions dropdown at the upper right.
Saving Standard ATT&CK Views
Saving a standard ATT&CK view allows you and other users in your Organization to open it from the ATT&CK screen. You can save standard ATT&CK views in the following ways:
- Save a new ATT&CK view: To save a new (i.e., unsaved) standard ATT&CK view, click Save View at the upper right.
- Save changes to a saved ATT&CK view: To save changes made to a saved standard ATT&CK view, click Save at the upper right and select Save Changes.
- Save a copy of a saved ATT&CK view: To save a copy of a saved standard ATT&CK view, click Save at the upper right and select Save a Copy….
Standard ATT&CK View Options
Use the ⋯ menu at the upper right of the ATT&CK Visualizer to do the following while a standard ATT&CK view is open in the ATT&CK Visualizer:
- Switch to a different ATT&CK view (either a saved standard ATT&CK view or a saved imported ATT&CK view).
- Export the standard ATT&CK view as a JSON or PNG file.
  Note: Using the ATT&CK Visualizer’s Export as PNG… feature in Firefox® is not recommended at this time.
- (Saved standard ATT&CK views only) Delete the standard ATT&CK view.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
Firefox® is a registered trademark of The Mozilla Foundation.
20151-04 v.04.A