Introduction to ATT&CK Navigator
Summary
TLDR: Katy Nichols from MITRE introduces ATT&CK Navigator, a tool for navigating and annotating ATT&CK techniques. The tool is free and open source on GitHub (a hosted instance is also available), and offers controls such as locking multi-tactic technique selection, search and multi-select filters, and layer controls. Layers can be exported as JSON, Excel or SVG, and threat intelligence can be visualized through per-technique scores and colors. Nichols demonstrates a use case that compares the techniques used by two threat groups, emphasizing the tool's value in prioritizing defenses based on adversary behaviors.
Takeaways
- 😀 ATT&CK Navigator is a tool released by MITRE to help with basic navigation and annotation of ATT&CK techniques.
- 📚 It is purpose-built to replace the common practice of comparing matrix layers in Excel.
- 🌐 ATT&CK Navigator is free and open source, available on GitHub for local use or through a hosted instance for easier access.
- 📊 The tool displays the ATT&CK matrix with tactics (the adversary's technical goals) and techniques (how adversaries achieve those goals).
- 🔒 Users can lock multi-tactic technique selection so that a technique appearing under several tactics is selected under only one of them.
- 🔍 The search feature finds techniques by keyword, such as 'registry', and the multi-select menu selects every technique mapped to a group or software entry.
- 📑 Layer controls let users add a name and description for context, download layers as JSON, export to Excel, or render to SVG for presentations.
- 🎨 Users can filter techniques by platform (for example Linux or Mac) or switch between PRE-ATT&CK and Enterprise ATT&CK techniques.
- 📝 Technique controls let users disable techniques, change background colors, assign scores, and add comments for prioritization.
- 📈 A threat intelligence use case shows how to compare the techniques used by two threat groups (APT3 and APT29) and prioritize the techniques they have in common.
- 💡 The tool encourages users to add their own knowledge about groups or software, and their own detection coverage, to visualize and compare behaviors and prioritize defenses.
Q & A
What is the purpose of the ATT&CK Navigator tool?
-ATT&CK Navigator is a tool designed to help with the basic navigation and annotation of ATT&CK techniques. It is intended to replace the use of Excel for layer comparison and is purpose-built for analyzing and visualizing adversary techniques.
Is the ATT&CK Navigator tool free and open source?
-Yes, ATT&CK Navigator is free and open source. It is available on GitHub, allowing users to download and run it locally, and MITRE also provides a hosted instance.
What is the default view of the ATT&CK Navigator?
-The default view displays the Enterprise ATT&CK matrix, which shows the tactics and techniques adversaries use to get in and what they do after they have gotten in. A Mobile ATT&CK view is also available.
What is a 'layer' in the context of ATT&CK Navigator?
-In ATT&CK Navigator, a layer is the object used to capture information about techniques (selections, scores, colors and comments). Behind the scenes a layer is built as JSON, so it can be downloaded and shared with other analysts or tools.
How can users customize the view in ATT&CK Navigator?
-Users can toggle the view mode between full technique and tactic names, first letters only, or plain rectangles. They can also change tactic row background colors, disable or hide techniques, sort techniques, and add annotations or comments to specific techniques.
What is a 'multi-tactic technique' and how does ATT&CK Navigator handle it?
-A multi-tactic technique is a technique that falls under more than one tactic, for example Access Token Manipulation under both Privilege Escalation and Defense Evasion. By default Navigator selects the technique under every tactic it appears in, but users can lock multi-tactic technique selection to select it under only one tactic.
How does ATT&CK Navigator assist with threat intelligence?
-ATT&CK Navigator lets users build layers of information, compare the techniques used by different groups or software, and prioritize based on the result. It can be used to visualize and compare adversary behaviors, and to overlay them with an organization's own detection coverage.
What is the process for creating a new layer in ATT&CK Navigator?
-To create a new layer, users click the plus sign, name the layer, and select the techniques they want to include (for example via the multi-select menu for a group). They can also add a description and assign scores to the selected techniques to provide context and priority.
How can users combine layers in ATT&CK Navigator?
-Users combine layers with the 'create layer from other layers' option. Navigator labels each open layer with a letter (a, b, c, ...) and the user enters a score expression over those letters, such as b + c, to merge the scores of multiple layers into a new one.
What are some of the export options available in ATT&CK Navigator?
-ATT&CK Navigator can export layers as JSON, Excel, or SVG. This lets analysts use the data in other tools or include a rendered matrix in presentations.
How can ATT&CK Navigator help in prioritizing defense actions?
-By visually comparing the techniques used by the threat groups an organization cares about, and overlaying a layer of its own detection coverage, Navigator highlights techniques that those groups have used and that the organization cannot detect. These are a good place for defenders to start.
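The two answers above (combining layers with a score expression, and overlaying detection coverage to prioritize) can be reproduced offline. The following is an added example for this page, not Navigator's own code: it builds two group layers scored 1 and 2 as in the video, merges them with a small score-expression evaluator that mimics 'create layer from other layers', and then intersects the result with a constructed coverage layer. The technique IDs are real ATT&CK IDs, but the group-to-technique assignments and the coverage values are constructed samples, not MITRE's APT3/APT29 mappings. The layer field names follow the Navigator layer file format as published in the project's repository; the "versions" value and the rule that a technique absent from a layer scores 0 in an expression are assumptions to check against the Navigator version you run.

```python
"""Build, merge and prioritise ATT&CK Navigator layers offline.

Added example, not Navigator's own code. Layer field names (name, domain,
description, techniques[], gradient) follow the Navigator layer file format;
the "versions" value is an assumption and should match the Navigator you run.
"""
import ast
import json
import operator

DOMAIN = "enterprise-attack"

# Constructed sample mappings for illustration only. These are real ATT&CK
# technique IDs, but the group-to-technique assignments are NOT MITRE's APT3 /
# APT29 mappings; pull those from the Navigator multi-select as in the video.
APT3_SAMPLE = {"T1134": 1, "T1546.008": 1, "T1003": 1}     # score 1 = APT3
APT29_SAMPLE = {"T1134": 2, "T1546.008": 2, "T1071": 2}    # score 2 = APT29
# Constructed coverage layer: 1 = a detection exists, 0 = no visibility.
COVERAGE_SAMPLE = {"T1134": 1, "T1546.008": 0, "T1003": 1, "T1071": 0}


def make_layer(name, technique_scores, description="", domain=DOMAIN):
    """Return a layer dict in the shape Navigator loads and downloads."""
    return {
        "name": name,
        "versions": {"layer": "4.4"},  # assumption: adjust to your Navigator
        "domain": domain,
        "description": description,
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": ""}
            for tid, score in sorted(technique_scores.items())
        ],
    }


def scores_of(layer):
    """techniqueID -> score for a layer dict."""
    return {t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval(node, env):
    """Evaluate a score expression over letter variables without eval()."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    raise ValueError(f"unsupported score expression element: {ast.dump(node)}")


def combine_layers(layers, score_expression, name):
    """Mimic 'create layer from other layers'.

    Layers bind to letters a, b, c, ... in the order given and the expression
    is evaluated per technique over the union of technique IDs. A technique
    missing from a layer scores 0 there (assumption about Navigator's rule).
    """
    letters = "abcdefghijklmnopqrstuvwxyz"
    tree = ast.parse(score_expression.lower(), mode="eval")
    per_letter = {letters[i]: scores_of(layer) for i, layer in enumerate(layers)}
    all_ids = set().union(*(s.keys() for s in per_letter.values()))
    combined = {}
    for tid in all_ids:
        env = {letter: scores.get(tid, 0) for letter, scores in per_letter.items()}
        combined[tid] = _eval(tree, env)
    layer = make_layer(name, combined, f"score expression: {score_expression}")
    # Gradient as in the video: low=1 (APT3) yellow, mid=2 (APT29) blue,
    # high=3 (both groups) green. The hex values are our own choice.
    layer["gradient"] = {"colors": ["#ffe766", "#66b1ff", "#66ff66"],
                         "minValue": 1, "maxValue": 3}
    return layer


def priority_gaps(combined, coverage):
    """Technique IDs with the top combined score and no detection coverage."""
    scores = scores_of(combined)
    top = max(scores.values())
    cov = scores_of(coverage)
    return sorted(tid for tid, s in scores.items()
                  if s == top and cov.get(tid, 0) == 0)


def to_json(layer):
    """Serialize as 'download layer as JSON' would, ready to re-import."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    apt3 = make_layer("APT3", APT3_SAMPLE)
    apt29 = make_layer("APT29", APT29_SAMPLE)
    both = combine_layers([apt3, apt29], "a + b", "APT3 + APT29")
    print(to_json(both))
    print("used by both groups, no coverage:",
          priority_gaps(both, make_layer("coverage", COVERAGE_SAMPLE)))
```

With the sample data the merged layer scores T1134 and T1546.008 at 3 (both groups), T1003 at 1 and T1071 at 2, and `priority_gaps` returns only T1546.008 (Accessibility Features), the case described in the video: used by both groups, and no detection. The expression is parsed with `ast` and restricted to names, numbers and + - *, so a layer file or expression from another analyst cannot execute arbitrary code, which a bare `eval` would allow.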
Outlines
🛠️ Introduction to the MITRE ATT&CK Navigator Tool
Katy Nichols from the MITRE ATT&CK team introduces ATT&CK Navigator, a free and open-source tool for basic navigation and annotation of ATT&CK techniques. Built as a purpose-made replacement for comparing matrix layers in Excel, it can be run locally from GitHub or accessed via a hosted instance. The video walks through the interface, explaining the layer object that captures information about techniques, and the controls across the top of the page: locking multi-tactic technique selection, search and multi-select, deselect, and the layer controls used to add context to an analysis.
🔍 Customizing and Exporting Layers in ATT&CK Navigator
The video explains how to customize and export layers. Users add names and descriptions to layers for context, download layers as JSON, or export them to Excel or render them to SVG for presentations. The tool also filters techniques by platform such as Linux or Mac, switches between PRE-ATT&CK and Enterprise ATT&CK techniques, and sorts techniques alphabetically or by score. Users can change tactic row colors, toggle the view mode, disable or hide techniques, and set a technique's background color, score and comment; the color gradient for scores is used in the threat intelligence use case discussed later.
📊 Threat Intelligence Use Case with ATT&CK Navigator
Katy demonstrates a threat intelligence use case. She creates a new layer for each of two threat groups, APT3 and APT29, selects each group's mapped techniques through the multi-select menu, assigns a score of 1 to APT3 techniques and 2 to APT29 techniques, and combines the layers with 'create layer from other layers' using the score expression b + c. Techniques used by both groups therefore score 3, and the color setup menu maps 1 to yellow, 2 to blue and 3 to green to differentiate them visually. She closes by suggesting that defenders overlay their own detection coverage with the same logic, so that techniques used by both groups and lacking detection stand out as priorities.
Keywords
💡ATT&CK Navigator
💡MITRE
💡Tactics
💡Techniques
💡Layers
💡Threat Intelligence
💡APT (Advanced Persistent Threat)
💡Annotations
💡Score
💡Visualization
💡Export
Highlights
Introduction to ATT&CK Navigator, a tool for basic navigation and annotation of ATT&CK techniques.
ATT&CK Navigator is purpose-built to replace layer comparison of matrices in Excel.
The tool is free and open source, available on GitHub for local use.
A hosted instance of ATT&CK Navigator is available for those who prefer not to download the tool.
The default view of ATT&CK Navigator displays the Enterprise ATT&CK matrix; a Mobile ATT&CK view also exists.
A layer is the object Navigator uses to capture information about techniques.
Locking multi-tactic technique selection lets a technique that appears under several tactics be selected under only one of them.
A search function finds techniques by keyword, such as 'registry'.
The multi-select menu selects or deselects the techniques mapped to a group or software entry, based on open source reporting.
Layer controls allow the creation and management of layers of contextual information, with a name and description.
Layers can be downloaded as JSON or exported to Excel for further analysis.
The tool supports rendering layers to SVG for inclusion in presentations.
Techniques can be filtered by platform, or by PRE-ATT&CK versus Enterprise ATT&CK.
Sorting options organize techniques alphabetically or by score, ascending or descending.
Color customization is available for tactic rows and for a score gradient.
The view mode toggle switches between full names, first letters, and plain rectangles.
Technique controls can disable techniques, and a separate show/hide control removes disabled techniques from the view.
Annotations can be added to techniques, including background colors, scores and comments; a commented technique is marked with a yellow underline.
A threat intelligence use case compares the techniques used by two APT groups, APT3 and APT29.
Layers are combined with 'create layer from other layers' and a score expression over layer letters, such as b + c.
Color setup assigns colors to score values (1, 2 and 3) to differentiate one group, the other, and both.
The tool encourages adding knowledge about groups and their behaviors, and overlaying detection coverage, for prioritization.
ATT&CK Navigator is positioned as a simple tool to visualize and use ATT&CK.
Transcripts
Hi everyone, this is Katy Nichols from the MITRE ATT&CK team. I'm here today to talk to you about ATT&CK Navigator and a use case for it.

So Navigator is a tool we released last year that helps you do basic navigation and annotation of ATT&CK techniques. We saw a lot of people doing this kind of layer comparison with matrices in Excel, which is great, but we wanted to create a tool that is purpose-built for this purpose. So ATT&CK Navigator, just like ATT&CK, is free and open on GitHub. You can pull it down, you can use it locally; lots of info here, our changelog, our readme. We also have a hosted instance if you don't want to have to pull it down; maybe you're not a developer, you just want to get started using it. Cool, we have a hosted instance for you that is linked to from this usage section.

So this is what the ATT&CK Navigator looks like by default. You also have a version for Mobile ATT&CK, but this is automatically displaying Enterprise ATT&CK, which you'll recall is kind of how the adversaries get in and what they do after they've gotten in. So you'll be pretty familiar with this view, right? It's the ATT&CK matrix. Across the top we have these tactics, the adversary's technical goals, and under each of those tactics we have techniques, right, how those adversaries achieve the goals. In Navigator we have this object called a layer, and right, that's just a way that we can capture different information about these techniques. So I'm going to walk you through these different buttons we have across the top, and then I'm going to take you into a use case for Navigator based on threat intelligence. So let's dive in.

First control we see is locking multi-tactic technique selection. What's a multi-tactic technique? Well, you'll see in ATT&CK some techniques, like for example Access Token Manipulation, fall under multiple tactics; it's a multi-tactic technique. And by default Navigator will select both of those techniques across the tactics, but you might say, "Well, I only want to select one of them." Cool, Navigator gives you that option: I just care about Access Token Manipulation under Privilege Escalation or Defense Evasion. Easy enough.

Then we have the search menu. For example, if you want to see all techniques that mention "registry", you can do a quick search; those will pop up. You can also do multi-select, so this allows you to select either groups or software, which you'll recall we have pages on our ATT&CK site where we go through open source reporting and get examples of different groups and software using ATT&CK techniques. Really important to note that this is not all-encompassing, right? We can't possibly map everything these groups have ever done; we don't have that visibility, but we take a sampling based on limited open source reporting that we map. And so in Navigator you can select different techniques from the groups or the software pages we have in ATT&CK, so we can go ahead and select, for example, CopyKittens, or deselect those. Next up, the deselect, right: I have techniques selected, I want them to not be selected anymore. Pretty self-explanatory.

Next up we have layer controls, right. Navigator thinks in layers of information, so good analysts always give context about what they're doing. So, you know, maybe I add a name for this; I'm going to call it "APT3 29 comparison", and I'm going to give some awesome description about what I'm doing so that other analysts who look at this know what I mean. You can also download layers. Behind the scenes here this is being built in JSON, so let's say you want to take your layer here and export it to another structured format or another tool. Great, you can download the layer as JSON. You can also export your layer to everyone's favorite analyst tool, Excel. We get a lot of requests from people who say, "Hey, I love a matrix in Excel"; this is an easy way to do that. We all have PowerPoints, we have to make presentations, maybe one image of the Navigator to include in your presentation: you can also render your layer to SVG, an image type, and then you can include it in your presentation to make yourself look really awesome.

We can also filter, right. Maybe we want to only select Linux techniques or Mac techniques. This is also where, if you want to focus on PRE-ATT&CK techniques (you'll recall PRE-ATT&CK is left of exploit: what do the adversaries do before they've gotten in), you can select "prepare", and then "act" is Enterprise ATT&CK, which is what we have up right now.

Next up, you can change how you sort the techniques: if you want to, alphabetically or reverse alphabetically, or in terms of the score, ascending or descending, totally up to you; you can toggle that there. You can also set up colors here. Now for example, maybe I want to change this tactic row background to a different color because blue is my favorite color; you can do that there. We'll also dive into this in a little bit in our threat intel use case, about how we can make this gradient for different scoring.

Moving along, we have this toggle view mode. You know, by default you see the full technique names, full tactic names, but maybe I just want to see the first letters of those, or I just want to see little rectangles, because I want to visualize something, you know, in a simpler way, so you can toggle that there.

Going into the technique controls we have: maybe I want to disable certain techniques; you know, I don't want those to be in my view at the moment. I can go ahead and click toggle state and it's a little grayed out, and it won't be part of my view at that moment. And then there's a separate button for show and hide disabled: maybe I don't want it to be grayed, I just want it out of my view. Click the show or hide disabled and it'll pop up or back depending on what you need.

Next, background color. Let's say Access Token Manipulation; you know, our team knows that this is a technique we have no coverage on for Defense Evasion, so we can go ahead and make that red. You can also give it a score; you know, let's say this is a high-priority one, we have no coverage, maybe we give it a score of zero or one or two, whatever you've decided for your team. You can also put a comment, so, you know, maybe we want everyone to know we need to focus on this, so you can add a comment, and when you do that in Navigator this yellow underline is going to pop up on your technique, so that's how you know there's a comment in there. And then last, clear annotations on your selected techniques. So okay, Access Token Manipulation, we want to clear that one. Easy enough. So that's an overview of the Navigator controls.

So now I want to dive into a use case specifically for threat intelligence. You know, I think ATT&CK is a really useful tool you can use to look at adversary behaviors, kind of look at what groups and software are doing, and then prioritize based on that. So I previously wrote a blog post where I showed you this kind of cool overlay in Navigator with different techniques, different colors, and I wanted to dive into how I actually created that. So we're going to go ahead and create a new layer: click on this little plus sign, create a new layer, and in this layer I'm going to select APT3 techniques, so I'm going to name it "APT3". Maybe I would add a little more layer information in here, give some more context on what I'm doing. I'm going to go into the multi-select menu and I'm going to scroll down to APT3 and select, again remembering these are just the techniques that the team has mapped based solely on open source reporting, but it's things that we know APT3 has done in the past. And I'm going to go ahead and give that a score, so I'm going to say for each of these APT3 techniques, give that a score of 1. Great. Now I'm going to create another new layer and I'm going to name this "APT29". I'm going to repeat the same process, going through selecting APT29 techniques, and then this time I'm going to give these a score of 2. Easy enough.

OK, so now I have two separate layers with techniques for APT3 and APT29. So next I'm going to magically combine them with the "create layer from other layers" option, which is one of the options when you create this little new tab thing here. So "create layer from other layers": when I click on that, these yellow rectangles are going to pop up; it's going to tell me what Navigator is identifying each of these layers as, what letter, so a, b and c. So in this case I want to compare b and c, so in that score expression I'm going to type "b + c"; I want to bring in the information from those two layers. Lots of different options you can input here; you can check out the help menu for more on that. The help menu's up here in the upper right. And once I've entered my logic, I'm going to just click create. So now, to help me keep track of what I'm doing, I'm going to name this, right, like a good analyst, backing what I'm doing and I'm not making typos: "APT3 + APT29". And right now you're kind of like, "Wait, these are all red, this is not helpful." Well, if you scroll over, what you'll see is the scores are actually different, right? You'll remember we assigned 1 for APT3, 2 for APT29, and then adding together, 3 is going to be the score for techniques that both groups have used. So what we can do is we can go to this color setup menu and say, okay, for my scoring, my low value is going to be 1, that's APT3; my high value is going to be 3, for both groups; and then my middle value obviously would be 2, because that's halfway between 1 and 3, last time I checked. So let's go ahead and select colors for these. In this case let's choose the default yellow for APT3; you can also specify hex if you have a specific yellow that your heart is set on. Let's choose blue for APT29, and then yellow plus blue equals green, cool, so let's make green both of those groups. So if I click off of that, I can see my APT3 techniques in yellow, my APT29 techniques in blue, and then the techniques that both groups have used, based on open source reporting we've mapped, is 3, and those show up in green.

This is a quick way, and I'd encourage you to add in, you know, what you know about different groups, different software, what they're doing. It's a quick way that you can compare what different groups are doing and try to prioritize. So if these are the two threat groups I care about, I would say these scores of 3, which are the techniques both have used, in green, that's a great place to start. You know, pass these to your defenders, say, "Hey guys, these are the two groups we care about, here are the techniques they're doing." If your defenders have done something like doing a map of overall ATT&CK coverage, you could add that in here too with that same kind of logic. You know, let's say for example Accessibility Features is a technique both of these groups have used, and if you did an overlay with your environment's, you know, what ATT&CK techniques you can detect, and your defenders tell you, "We can't detect Accessibility Features at all," that could be a great place to start, right? The threat we care about has done this technique and we don't have visibility.

So using the ATT&CK Navigator you can kind of visualize different things, whether it's group or software behavior or whether it's coverage of your environment. The whole idea is it's a simple tool to help you visualize and use ATT&CK. So we hope that was helpful as a starting use case for Navigator. We hope to bring you more of these videos in the future, so let us know: was this helpful, was it not? And as always, please reach out with any questions or feedback you have. Thanks all.