Introduction to ATT&CK Navigator

mitrecorp, 7 Jun 2019 11:45

Summary

TL;DR: Katie Nickels from MITRE introduces ATT&CK Navigator, a tool for navigating and annotating the ATT&CK matrix of adversary techniques. The tool, available for free on GitHub, is easy to use and offers functionality such as multi-tactic technique selection, search filters, and layer controls. It also supports exporting layers to JSON and Excel, and visualizing threat intelligence through customizable scores and colors. Nickels demonstrates how to use the tool to compare the techniques used by different threat groups, emphasizing its value for prioritizing defenses based on observed adversary behaviors.

Takeaways

  • 😀 ATT&CK Navigator is a tool released by MITRE to help with basic navigation and annotation of ATT&CK techniques.
  • 📚 It is designed to replace the use of Excel spreadsheets for comparing annotated copies ("layers") of the matrix, providing a purpose-built tool instead.
  • 🌐 ATT&CK Navigator is free and open source, available on GitHub for local use or through a hosted instance for easier access.
  • 📊 The tool displays the ATT&CK matrix of tactics and techniques, letting users see how adversaries achieve their goals.
  • 🔒 Users can lock multi-tactic technique selection so that only the technique under one tactic is selected, focusing on the techniques relevant to their analysis.
  • 🔍 The search feature finds techniques by keyword (for example 'registry') and lets users select multiple techniques, or all techniques used by a group or piece of software, for analysis.
  • 📑 Layer controls let users add context, download layers as JSON, export them to Excel, or render them to SVG for presentations.
  • 🎨 Users can filter techniques by criteria such as operating system (Linux, Mac) or focus on PRE-ATT&CK techniques.
  • 📝 Technique controls let users disable techniques, change background colors, assign scores, and add comments for prioritization.
  • 📈 A threat-intelligence use case is demonstrated: comparing the techniques used by two threat groups (APT3 and APT29) and prioritizing those the groups have in common.
  • 💡 The tool encourages users to add their own knowledge about groups or software so they can visualize and compare behaviors, aiding threat prioritization and defense strategy.

Q & A

  • What is the purpose of the ATT&CK Navigator tool?

    - ATT&CK Navigator is a tool designed to help with basic navigation and annotation of ATT&CK techniques. It is intended to replace the use of Excel for comparing layers and is purpose-built for analyzing and visualizing adversary techniques.

  • Is ATT&CK Navigator free and open source?

    - Yes, ATT&CK Navigator is free and open source. It is available on GitHub, so users can download it and run it locally.

  • What is the default view of ATT&CK Navigator?

    - The default view displays the Enterprise ATT&CK matrix, which shows the tactics and techniques adversaries use to achieve their goals.

  • What is a 'layer' in the context of ATT&CK Navigator?

    - In ATT&CK Navigator, a 'layer' is an object that captures annotations about techniques (scores, colors, comments), providing a way to organize and analyze data about them.

  • How can users customize the view in ATT&CK Navigator?

    - Users can toggle between full technique names, first letters, or plain rectangles. They can also change tactic row backgrounds, disable certain techniques, and add annotations or comments to specific techniques.

  • What is a 'multi-tactic technique' and how does ATT&CK Navigator handle it?

    - A 'multi-tactic technique' is a technique that falls under more than one tactic. ATT&CK Navigator selects such a technique under every tactic it belongs to, but also offers the option to lock the selection to only one tactic.

  • How does ATT&CK Navigator assist with threat intelligence?

    - It lets users create layers of information, compare the techniques used by different groups or software, and prioritize actions based on that comparison. It can be used to visualize and compare adversary behaviors and techniques.

  • What is the process for creating a new layer in ATT&CK Navigator?

    - Users click the plus sign, name the layer, and select the techniques they want to include. They can also add a description and scores for the techniques to provide context and priority.

  • How can users combine layers in ATT&CK Navigator?

    - Users combine layers with the 'create layer from other layers' option. They enter a score expression that merges information from multiple layers, such as adding the scores from two threat groups' layers.

  • What export options are available in ATT&CK Navigator?

    - Layers can be exported in several formats, including JSON, Excel, and SVG, so analysts can use the data in other tools or include it in presentations.

  • How can ATT&CK Navigator help in prioritizing defense actions?

    - By visually comparing the techniques used by different threat groups and highlighting areas with no coverage or detection, it guides defenders toward the high-priority areas.
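As an added example (not code from the talk or from the Navigator project), the layer comparison described above sketched in Python: two constructed sample layers are merged with the score expression a + b, so a technique used by both groups scores 2 and stands out for prioritization. The technique sets are constructed samples, not the real APT3/APT29 mappings, and the layer field names (techniqueID, score, comment) and minimal layer shape are assumptions about the JSON layer format.

```python
import json

# Constructed sample technique sets (NOT the actual APT3/APT29 mappings
# from ATT&CK); the IDs are real ATT&CK technique identifiers.
GROUP_A = ["T1003", "T1059", "T1055", "T1078"]
GROUP_B = ["T1059", "T1078", "T1566", "T1027"]


def build_layer(name, technique_ids, score=1, comment=""):
    """Build a minimal layer dict. Field names are assumed from the
    Navigator layer JSON format; a real layer carries more metadata."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {name} (constructed sample)",
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": comment}
            for tid in technique_ids
        ],
    }


def combine_layers(name, a, b):
    """Emulate 'create layer from other layers' with score expression a + b:
    per technique, sum the scores from both layers (missing = 0)."""
    scores = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            scores[t["techniqueID"]] = scores.get(t["techniqueID"], 0) + t["score"]
    merged = build_layer(name, [])
    merged["techniques"] = [
        {"techniqueID": tid, "score": s,
         "comment": "used by both groups" if s > 1 else "used by one group"}
        for tid, s in sorted(scores.items())
    ]
    return merged


def shared_techniques(layer, threshold=2):
    """Technique IDs whose combined score reaches the threshold, i.e. the
    overlap the talk suggests prioritizing for detection and mitigation."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] >= threshold]


if __name__ == "__main__":
    a = build_layer("APT3 (sample)", GROUP_A)
    b = build_layer("APT29 (sample)", GROUP_B)
    merged = combine_layers("APT3 + APT29 (sample)", a, b)
    print(json.dumps(merged, indent=2))
    print("prioritize first:", shared_techniques(merged))
```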
