This guide contains the following sections:
- What is MITRE ATT&CK?
- Why are we using it?
- A guided tour of the framework
- MITRE ATT&CK Dashboard
- Coverage calculations
- Adding labs to custom collections by the Framework
What is MITRE ATT&CK?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to help with identifying attack types and defining risk.
It began its life as an internal project, but has since developed into a comprehensive public knowledge base adopted by numerous security vendors and consultants.
As a knowledge base of real cyber-attack tactics, techniques and procedures, MITRE ATT&CK brings structure to the understanding of adversarial behavior.
Our labs are mapped against tactics and techniques in the ATT&CK framework and so, as individuals complete content, our ATT&CK heat map will show you where coverage is strong, or where improvements are needed.
Find out more at https://attack.mitre.org.
Why are we using it?
The framework's organized approach means you can select the attack technique you want to validate your defenses against, analyze how your defenses respond, and then extend your security controls where the gaps are.
Mapping and measuring skills aligned to the MITRE ATT&CK framework means:
- In the event of an incident, you'll be able to identify individuals with the right skills to respond as the situation unfolds.
- You have the ability to visualize skill levels. This will help with measuring and improving areas of coverage, as well as those that require investment.
- You can confidently address skill gaps and reduce cyber risk.
- For individual users, the gamified learning experience is enhanced; seeing their skills mapped against the framework will help them see the real-world relevance and feel engaged. Individuals will also feel motivated to strategically upskill.
A guided tour of the framework
The framework presents a well-organized taxonomy of a threat actor's tactics and techniques. It aims to improve post-compromise detection in enterprises by illustrating the actions an attacker may have taken:
- How did the attacker get in?
- How are they moving around?
These are the questions the framework helps answer, supporting a view of an organization's security posture at the perimeter and beyond.
What are tactics?
A tactic is a high-level description of attacker behavior and it represents a class of a certain type of behavior.
What are techniques?
A technique provides a more detailed description of specific types of behavior within that tactic class.
The ATT&CK Matrix
MITRE organizes attacker tactics and techniques into a set of matrices grouped at a high level as Enterprise, Mobile and ICS, with per-platform views (for example Windows, macOS, Linux and cloud) under Enterprise:
The former PRE-ATT&CK matrix, which covered an adversary's activity prior to launching an attack, has been retired and folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics. The remaining matrices align with the execution of specific attacks by computing platform. Threat hunters can use the ATT&CK framework to look for specific techniques that adversaries may use in conjunction with others. The framework is extremely useful for gauging an organization's visibility against targeted attacks with the existing tools deployed across their endpoints and perimeter.
MITRE ATT&CK Dashboard
You can access the MITRE ATT&CK framework via the main navigation menu.
There are two different dashboards available.
- Personal View: this gives learners/employees a view of how their cyber capability skills are mapped against MITRE ATT&CK.
- Organization View: this shows your organization's coverage of skills mapped against the framework.
Note: What you can view will depend on your role (and associated permissions) on the platform. Organization Managers can see both the Personal and Organization dashboards; the data on the Organization dashboard covers the whole organization. Team Admins can also see both dashboards, but the data on their Organization dashboard reflects only the team(s) they manage. Individual learners with no management permissions can see only the Personal dashboard, which shows how their skills are mapped against the Framework based on their lab completions.
How does the dashboard work?
Heat-map feature
As individuals and teams complete relevant exercises, our ATT&CK heat-map Dashboard will show you where coverage is strong and where improvement is needed.
On the Personal View of the Dashboard, the heat-map will indicate completed, in progress or not started status against techniques. There will also be an indication of where we have no labs mapped against a technique. You'll find a key in the bottom left corner.
Here's a short video of what to expect:
On the Organization View of the Dashboard, the heat-map indicates coverage against the Framework. Shading intensity indicates the coverage band (lower, medium or higher). As with the Personal View, you can find a key in the bottom left corner. Here's a short video:
It's interactive
You can find out more information on coverage by selecting the specific technique you're interested in.
This will display the relevant information in a side-panel. This will include the number of users in progress, as well as the number of users completed. It will also showcase the number of labs on the platform mapped against the technique or sub-technique. You'll be able to jump straight through to the labs from here.
Accessibility features
You're able to:
- Scroll vertically and horizontally
- Select and drag content/the framework around using the pan button (icon that looks like a hand)
- Zoom in and out enabling you to find the techniques or sub-techniques of interest (plus and minus icons)
- Use fit-to-screen (arrows facing in opposite directions): this fits all the columns into view on desktop devices
Hovering over the action buttons depicted above will show you what keyboard shortcuts you can use to trigger each action.
Note: The Framework Dashboards are screen-reader friendly. If you experience any issues interacting with the Framework using your screen reader, please report the details to our customer support team. We are passionate about continuously improving the accessibility of our platform and features. If you're accessing the Framework Dashboards on a mobile device, the pan and zoom functionality will not be available via the toolbar or shortcuts. You can still pan and zoom by touching your screen (dragging or pinching).
Coverage calculations
Personal view
- Not started: no labs have been completed in the technique or any of the technique's sub-techniques
- In progress: at least one lab in the technique (or its sub-techniques) is complete, but at least one lab in the technique or its sub-techniques remains incomplete
- Completed: all labs are complete in the technique (including sub-techniques if applicable).
- No labs mapped: we don't currently have any content on our platform mapped against the technique (and/or sub-techniques)
Organization view
Coverage is based on the proportion of labs completed in each sub-technique by the people in your organization.
You can find a link to calculation details on the dashboard's key:
Here's some more information:
The coverage (and hence shading) is based on proportions: for each technique we count how many learners have completed labs in it (and/or its sub-techniques), and express that as a proportion of the count for the technique with the highest number of lab completions in your organization.
This then allows us to group coverage into three bands (higher, medium, lower) as below:
- Lower coverage: <=33% of the highest technique coverage
- Medium coverage: 34-66% of the highest technique coverage
- Higher coverage: >=67% of the highest technique coverage
Here's an example to help you put this into context:
Imagine we have a framework with four techniques. Each technique has two sub-techniques.
The example organization has a total of 10 learners.
For the first technique (technique A), all users have completed both sub-techniques. This is not the case for any of the other techniques (B, C or D). Technique A is therefore the technique with the highest coverage.
Calculation detail for coverage:
Each user who has completed all of the labs in a sub-technique earns a point for that sub-technique. The technique score is the average of the points across its sub-techniques. Since all 10 learners completed every lab in both of technique A's sub-techniques, each sub-technique scores 10 and the technique score is 10.
(10+10) / 2 = 10.
For technique B, all learners have completed the first sub-technique; however, no learners have completed the second.
The score for this technique would be 5:
(10+0) / 2 = 5.
Because this is half (50%) of the highest technique coverage (technique A), it falls into the medium coverage band (34-66%).
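The following Python script is an added example, not platform code: it reproduces the Organization-view scoring and banding described in this section and the Personal-view status rules listed under "Personal view", on a constructed data set of ten learners and four techniques (A to D, each with two sub-techniques). The learner names, lab IDs and technique labels are invented for illustration; how the platform treats a fractional percentage on a band boundary, or an organization with no completions at all, is not stated on this page, so the handling of those two cases is an assumption and is marked as such in the code.

```python
# Added example (not platform code): reproduces the Organization-view coverage
# calculation and the Personal-view status rules described on this page.
# Learner names, lab IDs and technique/sub-technique labels are constructed.

# Lab catalogue: technique -> sub-technique -> lab IDs mapped to it.
LABS = {
    "A": {"A.001": ["lab-a1", "lab-a2"], "A.002": ["lab-a3"]},
    "B": {"B.001": ["lab-b1"], "B.002": ["lab-b2", "lab-b3"]},
    "C": {"C.001": ["lab-c1"], "C.002": ["lab-c2"]},
    "D": {"D.001": ["lab-d1"], "D.002": ["lab-d2"]},
}
LEARNERS = [f"learner{i}" for i in range(1, 11)]  # the ten learners of the example


def build_completions():
    """Constructed completion records as a set of (learner, lab_id) pairs."""
    done = set()
    # Technique A: every learner has finished every lab in both sub-techniques.
    for learner in LEARNERS:
        for lab_ids in LABS["A"].values():
            done.update((learner, lab) for lab in lab_ids)
    # Technique B: everyone finished B.001; learner1 finished only one of the two
    # B.002 labs, which earns no point because a sub-technique counts only when
    # all of its labs are complete.
    done.update((learner, "lab-b1") for learner in LEARNERS)
    done.add(("learner1", "lab-b2"))
    # Technique C: three learners finished both sub-techniques.
    for learner in LEARNERS[:3]:
        done.update({(learner, "lab-c1"), (learner, "lab-c2")})
    # Technique D: eight learners finished D.001, six finished D.002.
    done.update((learner, "lab-d1") for learner in LEARNERS[:8])
    done.update((learner, "lab-d2") for learner in LEARNERS[:6])
    return done


def sub_technique_points(labs, learners, completions):
    """{technique: {sub_technique: points}}: one point per learner who has
    completed every lab mapped to that sub-technique."""
    return {
        tech: {
            sub: sum(
                1 for learner in learners
                if all((learner, lab) in completions for lab in lab_ids)
            )
            for sub, lab_ids in subs.items()
        }
        for tech, subs in labs.items()
    }


def technique_scores(labs, learners, completions):
    """Technique score = average of its sub-technique points."""
    points = sub_technique_points(labs, learners, completions)
    return {tech: sum(subs.values()) / len(subs) for tech, subs in points.items()}


def band(score, top):
    """Band relative to the highest-scoring technique: <=33% lower, >=67% higher,
    otherwise medium. Assumption: fractional percentages that fall between the
    page's integer band edges (33-34, 66-67) are treated as medium."""
    pct = 100 * score / top
    if pct <= 33:
        return "lower"
    if pct >= 67:
        return "higher"
    return "medium"


def coverage_bands(scores):
    """Map each technique to its coverage band."""
    top = max(scores.values())
    if top == 0:
        # Assumption: with no completions anywhere there is nothing to compare
        # against, so every technique is reported as lower coverage.
        return {tech: "lower" for tech in scores}
    return {tech: band(score, top) for tech, score in scores.items()}


def personal_status(labs, technique, learner, completions):
    """Personal-view status for one technique, counting its sub-techniques' labs."""
    lab_ids = [lab for ids in labs[technique].values() for lab in ids]
    if not lab_ids:
        return "No labs mapped"
    done = sum((learner, lab) in completions for lab in lab_ids)
    if done == 0:
        return "Not started"
    if done == len(lab_ids):
        return "Completed"
    return "In progress"


if __name__ == "__main__":
    completions = build_completions()
    scores = technique_scores(LABS, LEARNERS, completions)
    bands = coverage_bands(scores)
    for tech, score in scores.items():
        print(f"Technique {tech}: score {score:.1f}, {bands[tech]} coverage")
    print("learner1 on B:", personal_status(LABS, "B", "learner1", completions))
```

Running it reproduces the page's figures (technique A scores 10 and technique B scores 5, landing in the medium band) and adds two cases the prose does not spell out: technique C at 3 (30%) falls into the lower band, technique D at 7 (70%) into the higher band, and learner1's single completed lab in B.002 earns B no point for that sub-technique even though it does move learner1's personal status for B to "In progress".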
Adding labs to custom collections by the Framework
Did you know you can use the MITRE ATT&CK Framework to add labs to Custom Collections?
Target users with exercises that will strengthen your cyber capabilities across the organization and minimize risk.
To learn more, visit our Custom Collections guide.