General Documents

Using the knowledge provided by MITRE ATT&CK framework, you can learn how threat actors execute their attacks and plan to detect and respond to threats.

The MITRE ATT&CK framework also maintains a library of information about selected threat actors and the campaigns they have conducted. This allows security teams to correlate specific adversaries with the techniques they use in their attacks.

The MITRE ATT&CK framework helps organizations identify the techniques adversaries are likely to use. This helps security teams to evaluate the defenses and strengthen them where they matter most.

Analysts can map tactics and techniques to provide contextualized insights into the TTPs leveraged by threat actors while publishing alerts and intel. The below screenshot shows a sample alert mapped with relevant tactics and techniques for sharing with members of the organization.

CSAP users can view adversary tactics and techniques, as a heat map, to devise threat models and defensive strategies for your organization. Different types of cyber tactics are displayed in columnar format, as well as the number of times the tactic or technique is spotted in alerts and intel.

The MITRE ATT&CK Navigator empowers organizations to deduce contextual threat intelligence and take quick decisions to defend against threats. It provides a common standardized framework that is globally accessible, allowing threat intel teams to work together with data to compare, detect and respond to threats.

Security analysts and defenders can create and share threat intelligence related to the behavior of attackers. Collaboratively, they can create and share threat-based knowledge by closing the information gaps that attackers attempt to exploit.

The ATT&CK Navigator provides a roadmap for security teams to apply in their operational controls and realize their weaknesses and strengths against certain threat actors.

Detection and Analysis: SOCs and incident response teams can leverage ATT&CK techniques and tactics to assess defensive strengths, weaknesses, and operational issues. They validate controls, detect or uncover known and unknown threats, and identify misconfigurations.

Containment: The containment stage is when security teams take steps to contain the threat. ATT&CK empowers them with updated malicious signatures, IOC identification, contextual analysis of SIEM logs, providing tactical insights on moving abused hosts to a controlled environment for further monitoring, and much more.

Eradication and Recovery: Security teams assess attacks for ATT&CK framework compliance, rectify any identified misconfigurations, update signatures, utilize SIEM for correlation analysis, and leverage the internal workflow to promptly address alerts.

Learnings: This process is often provided less significance, but it is important. ATT&CK Navigator can help security teams summarize the incident and see if the countermeasures will work in the long run.

The ATT&CK Navigator gives a quick overview of the object statuses, popular techniques observed, and the popular MITRE-listed threat actors detected.

Using the ATT&CK matrix, for each technique, analysts can view the affected platforms, data sources, associated malware, the defenses it can bypass, and the required mitigation and detection methods.

The ATT&CK Navigator also shows the indicators, malware, threat actors, or incidents related to the technique, along with examples and further references. By visiting the Relations tab, analysts can use the Threat Visualizer to view the IOCs associated with a specific ATT&CK technique more effectively.

Analysts can switch between Enterprise and Mobile ATT&CK matrix to view different sets of techniques that affect corresponding assets, and switch to the MITRE ATT&CK Heatmap view for a color-coded representation of critical MITRE tactics and techniques.

Analysts can also search for specific top-level techniques or sub-techniques associated with particular platforms, threat actors, software, and log data sources.

Analysts can add custom layers with their chosen techniques, sub-techniques. Custom layers are for users to visualize organized information related to the MITRE ATT&CK Framework. MITRE ATT&CK Navigator tool layers offer customizable views of the navigator, so users can focus on specific aspects of the framework. Here are some ways the MITRE ATT&CK Navigator tool can use layers:

The below screenshots show a sample custom layer for the APT3 threat actor group with color codes configured. The colors denote scores as (1 - RED) (2 - YELLOW) (3 - GREEN). While 1 denotes a low score, 3 denotes a high score for a technique.