- 17 Nov 2023
Visualizing ATT&CK Tactics, Techniques, and Sub-Techniques
- Updated on 17 Nov 2023
Figure 1 illustrates how tactics, techniques, and sub-techniques in the MITRE ATT&CK® Enterprise Matrix are represented when using the ATT&CK® Visualizer in ThreatConnect®.
- Each column represents a tactic (i.e., the goal a threat actor or adversary is trying to achieve). The number displayed on each column indicates the number of techniques the tactic comprises.
- Each tactic column contains a series of cards representing the techniques (i.e., the methods a threat actor or adversary uses to achieve their goal) the tactic comprises. The number displayed on each card indicates the number of sub-techniques the technique comprises.
- Click Show sub-techniques at the bottom of a technique card to display one or more cards representing the sub-techniques the technique comprises. If desired, use the Expand All and Collapse All buttons in the ATT&CK Visualizer header to expand and collapse, respectively, all technique cards.
Viewing Technique and Sub-Technique Details
Techniques
Click a technique card to display its ATT&CK Technique drawer (Figure 2).
- The header of the drawer displays the technique’s name and the associated tactic.
- Technique: The technique’s ID.
- Associated Tactics: The tactic associated with the technique.
- Platform(s): The operating systems and applications associated with the technique.
- Sub-Techniques: The sub-techniques the technique comprises. To view the ATT&CK Sub-technique drawer for a sub-technique in this list, click on its name.
- Groups using Technique: The number of Groups in your Organization, Communities, and Sources containing an ATT&CK Tag representing the technique.
- Description: The technique’s description. To view the technique’s entry on the MITRE ATT&CK website, click the More information link at the bottom of this section.
- Groups: The Groups card will be displayed if an ATT&CK Tag representing the technique is applied to one or more Groups in your ThreatConnect owners. See the “Viewing Groups Using a Technique or Sub-Technique” section for more information about this card.
Sub-Techniques
Click a sub-technique card to display its ATT&CK Sub-technique drawer (Figure 3).
- The header of the drawer displays the sub-technique’s name and the associated tactic.
- Technique: The sub-technique’s ID.
- Associated Tactic: The tactic associated with the sub-technique.
- Platform(s): The operating systems and applications associated with the sub-technique.
- Parent Technique: The sub-technique’s parent technique. To view the ATT&CK Technique drawer for the technique, click on its name.
- Groups using Sub-technique: The number of Groups in your Organization, Communities, and Sources containing an ATT&CK Tag representing the sub-technique.
- Description: The sub-technique’s description. To view the sub-technique’s entry on the MITRE ATT&CK website, click the More information link at the bottom of this section.
- Groups: The Groups card will be displayed if an ATT&CK Tag representing the sub-technique is applied to one or more Groups in your ThreatConnect owners. See the “Viewing Groups Using a Technique or Sub-Technique” section for more information about this card.
Viewing Groups Using a Technique or Sub-Technique
When an ATT&CK Tag representing a technique or sub-technique is applied to one or more Groups in your ThreatConnect owners, a Groups card will be displayed at the bottom of the ATT&CK Technique or ATT&CK Sub-technique drawer, as in Figure 2 and Figure 3, respectively. On this card, the total number of Groups using the technique or sub-technique will be displayed next to the card’s heading, and the Groups will be displayed in a table with the following columns:
- Type: The Group’s type.
- Name/Summary: The Group’s summary. Click the summary to open the Group’s Details screen in a new browser tab.
- Owner: The Organization, Community, or Source to which the Group belongs.
To control which columns are displayed on the table, click Select columns at the top right of the card; select or clear the checkbox for each column you want to display or hide, respectively; and click the Apply button.
Two filtering options are available on the Groups card: the search bar and the Filters menu at the top of the card. The search bar allows you to filter Groups by their summary, and the Filters menu allows you to filter Groups by owner, type, a range of dates within which they were created, and a range of dates within which they were last modified. To remove all filters applied to the Groups card, click the Clear all filters & search button to the right of the Filters menu.
Filtering Techniques and Sub-Techniques
To filter techniques and sub-techniques displayed in the ATT&CK Visualizer by name, enter text into the search bar at the top of the screen. Note that you cannot filter tactics.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20151-05 v.02.A