Visualizing ATT&CK Tactics, Techniques, and Sub-Techniques

ATT&CK Visualizer Layout

Figure 1 illustrates how tactics, techniques, and sub-techniques in the MITRE ATT&CK^® Enterprise Matrix are represented in the ThreatConnect^® ATT&CK^® Visualizer.

• Each column represents a tactic (i.e., the goal a threat actor or adversary is trying to achieve). The number displayed on each column indicates the number of techniques the tactic comprises. In the Assign Coverage view , a checkbox will be displayed in the column header.
• Each tactic column contains a series of cards representing the techniques (i.e., the methods a threat actor or adversary uses to achieve their goal) the tactic comprises. The number displayed on each technique indicates the number of sub-techniques the technique comprises.
• Click Show sub-techniquesat the bottom of a technique to displays its sub-techniques. If desired, use the Expand All and Collapse All buttons at the top right of the ATT&CK Visualizer to expand and collapse, respectively, all techniques.

Viewing Details for Selected Techniques and Sub-Techniques

When using the ATT&CK Visualizer, you can select techniques and sub-techniques to display the Selection Details drawer and view more information about the selected items. Depending on the number of items selected, the appearance of the Selection Details drawer will vary.

When you select an individual technique or sub-technique, the Selection Details drawer is displayed automatically; however, you can click View selection detailsat the top right of the ATT&CK Visualizer, or select View Selection Details from the Selection Actions dropdown, to access this drawer at any time.

Individual Technique

When only one technique is selected, the Selection Details drawer displays details about the technique (Figure 2).

• The header of the drawer displays the technique’s name and the associated tactic.
• Technique: The technique’s ID.
• Associated Tactics: The tactic associated with the technique.
• Platform(s): The operating systems and applications associated with the technique.
• Sub-Techniques: The sub-techniques the technique comprises. To view the Selection Details drawer for a sub-technique in this list, click on its name.
• Groups using Technique: The number of Groups in your Organization, Communities, and Sources containing an ATT&CK Tag representing the technique.
• Description: The technique’s description. To view the technique’s entry on the MITRE ATT&CK website, click the More information link at the bottom of this section.
• Groups: If an ATT&CK Tag representing the technique has been applied to one or more Groups in your owners, the Groups card will be displayed and list those Groups in a paginated table. To filter Groups, use the search bar and Filtersmenu; to control which table columns are displayed, click Select columns.

Individual Sub-Technique

When only one sub-technique is selected, the Selection Details drawer displays details about the sub-technique (Figure 3).

• The header of the drawer displays the sub-technique’s name and the associated tactic.
• Technique: The sub-technique’s ID.
• Associated Tactic: The tactic associated with the sub-technique.
• Platform(s): The operating systems and applications associated with the sub-technique.
• Parent Technique: The sub-technique’s parent technique. To view the Selection Details drawer for the technique, click on its name.
• Groups using Sub-technique: The number of Groups in your Organization, Communities, and Sources containing an ATT&CK Tag representing the sub-technique.
• Description: The sub-technique’s description. To view the sub-technique’s entry on the MITRE ATT&CK website, click the More information link at the bottom of this section.
• Groups: If an ATT&CK Tag representing the sub-technique has been applied to one or more Groups in your owners, the Groups card will be displayed and list those Groups in a paginated table. To filter Groups, use the search bar and Filtersmenu; to control which table columns are displayed, click Select columns.

Multiple Techniques and Sub-Techniques

When multiple techniques or sub-techniques are selected, the Selection Details drawer displays the Selections and, for standard ATT&CK views only, Shared Groups cards (Figure 4).

Selections

The Selections card displays a paginated table with all techniques and sub-techniques currently selected in the ATT&CK Visualizer. You can clear individual or all selections by clicking theicon in a table row or the table header, respectively.

To view details for a specific technique or sub-technique, click on its row in the table on the Selections card. The Selection Details drawer will display details for that technique or sub-technique (Figure 5).To return to the Selection card, click Go Backat the upper-left corner of the drawer.

Shared Groups

The Shared Groups card, available only when viewing a standard ATT&CK view, displays a paginated table with Groups that have ATT&CK Tags representing all selected techniques and sub-techniques applied to them. To filter Groups, use the search bar and Filtersmenu; to control which table columns are displayed, click Select columns.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20151-05 v.03.A