- Cyware Fusion and Threat Response
- Product Documentation
- Analyst Workbench
- ATT&CK Navigator
ATT&CK Navigator
ATT&CK Navigator is an open-source tool developed by MITRE Corporation. It is designed to provide basic navigation and annotation of ATT&CK matrices similar to the task carried out by a security analyst using spreadsheets to map Tactics and Techniques used by threat actors. This tool helps you to visualize the defensive coverage and frequency of detected techniques, color code the planning in threat response, and perform many other useful operations that help in mapping a threat actor's Tactics and Techniques. The navigator helps you to quickly manipulate the cells in the matrix by actions such as color-coding, adding a comment, assigning a numerical value, and many more. Typically, it can be used by all users in the security team to visualize the matrix.
To view the Tactics and Techniques, go to Menu > ATT&CK Navigator. By default, the ATT&CK Navigator displays the enterprise version. To view the mobile version, select Mobile from the Enterprise drop-down. By default, ATT&CK Navigator displays the MITRE tactics and techniques with the heat map turned on. To turn off the heat map, click Heat Map | ON. To download the tactics and techniques, click Download.
Using the ATT&CK Navigator, you can:
Define the layers.
Customize the ATT&CK Knowledge Base view.
Highlight techniques.
Note
Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.
You can use the ATT&CK Navigator tool through the major phases of the threat response process such as detection analysis, containment, investigation and eradication, and gathering learning from the incidents. You can also use the Incident Heat Map to color code the techniques based on the number of times the techniques have been used and their severity. A separate APT-to-Technique mapping matrix and a Technique-to-APT mapping matrix are provided as added features. Users can also view Incident Tactics - by - Severity.
View Technique Details
To view the details of a technique, open an existing layer and click a technique. The selected technique page displays the details of the technique under the following tabs:
Basic Details: Displays the basic details of the technique, such as the number of various components that use the technique, description, platforms, data sources, the tactics to which the technique belongs, software, defense bypassed, and the last modified date.
Relations: Displays the relationship of the technique with other components and indicators. The Network Diagram tab graphically represents the relationship of the technique.
Actions: Displays the list of actions that are created for the technique. You can also create actions for the technique on this tab. For more information about how to create actions, see Create Action.
Notes: Displays the notes that are added by various CFTR users.
Examples: Displays the examples and their description.
References: Displays the list of references. You can visit the reference links to know more about the technique.
Map Tactics and Techniques to Threat Actors
Select the threat actors from the Threat Actor expanding drop-down button on the right panel to view the tactic used by the respective threat actors in various attacks. The same tactic can be mapped to a technique.
Map Tactics and Techniques to Software
Select the software from the Software expanding drop-down button on the right panel to view the tactic used for compromise of the software in various attacks. The same tactic can be mapped to a technique. Software assets available in the CFTR platform are mapped in this section.
Map Tactics and Techniques to Sources
Select the sources from the Source expanding drop-down button on the right panel to view the tactic used for compromise of the source in various attacks. The same tactic can be mapped to the appropriate technique by just viewing the respective column.
Map Tactics and Techniques to Defenses Bypassed
Select the defense measures from the Defenses Bypassed expanding drop-down button on the right panel to view the tactic used for bypassing the defense measures. The same tactics can be mapped to the appropriate techniques by just viewing the respective column.
Add or Search a Tactic/Techniques/Sub-technique based on MITRE ID
You can search for a tactic, technique, or sub-technique based on the unique ID allocated as per the MITRE database. For example, the Boot or Login Autostart Execution technique has the ID: T1547, and its sub techniques are identified using concatenated IDs such as T1547.001, T1547.002, T1547.003, and so on.
You can also search for a tactic, technique, or sub-technique while creating an Incident, in the Tactic-Technique-SubTechnique field and on an incident details page to collect information about a tactic, or technique, or a sub-technique.
Add New Layer
The MITRE layer includes a comprehensive list of tactics and techniques that widely apply to common attacks. You can add custom layers to modify the existing MITRE tactics and techniques as per the security requirements of your organization to defend against the attacks. The layers constitute tactics and techniques that are used to track and monitor specific adversaries and platforms. You can browse, select, and add the set of techniques and custom techniques to match the particular criteria for specific projects.
To add a new layer, do the following:
Go to Menu > ATT&CK Navigator.
Click Add New Layer next to the MITRE tab.
Enter a name for the layer and press Enter. For example, to add a layer for the tactics and techniques used to attack the cloud platforms, enter Cloud.
Select the tactics and techniques that you want to include in the layer and click Hide Unselected.
Click Save.
The new layer tab appears next to the MITRE tab. To manage a custom layer, you can perform the following activities:
Edit: Update the tactics and techniques that are included in the layer.
Pin: Freeze a layer in the tabs next to the MITRE tab.
Share: Define the sharing preferences:
Private: Only you can view the layer.
Public: All users can view the layer but only the creator can update it.
Shared: Choose the user groups with whom you want to share the layer.
Rename: Update the name. of the layer.
Duplicate: Create a copy of a layer to reuse the tactics and techniques of the layer.
Close Tab: Hide a layer.
Delete: Delete a layer.
Note
Only the creator of a layer can delete it.
Supported Activities for Att&ck Navigator
You can perform the following activities to manage Att&ck Navigator layers:
Show or hide summary. The Att&ck Navigator summary displays the following data:
Object Stats: Displays the number of incidents, indicators, malware, and threat actors that are using the techniques and sub-techniques.
Popular Techniques: Displays the popular techniques used by threat actors.
Popular Threat Actors: Displays the popular threat actors.
Search techniques and sub-techniques.
Expand or collapse sub-techniques.
When the heat map is turned off, you can view the number of incidents, indicators, malware, and threat actors for each technique and sub-technique.
When the heat map is turned on, you can view the color codes for each technique and sub-technique based on the number of incidents, indicators, malware, or threat actors.
Filter techniques and sub-techniques based on the impacted business units, data sources, the incident created date, defense bypassed, impacted locations, platforms, software, and threat actors.
Note
You can filter the techniques and sub-techniques used in incidents based on the incident created date in the heat map view.