Introduction to ATT&CK Navigator

00:03

everyone this is Katy Nichols from The

00:06

MITRE attack team I'm here today to talk

00:08

to you about attack navigator and a use

00:10

case for it

00:11

so navigator is a tool we released last

00:14

year that helps you do basic navigation

00:17

annotation of attack techniques and we

00:19

saw a lot of people doing this kind of

00:21

layer comparison with matrices in Excel

00:24

which is great but we wanted to create a

00:26

tool that is purpose-built for this

00:28

purpose so attack navigator just like

00:31

attack is free and open on github you

00:33

can pull it down you can use it locally

00:36

lots of info here are changelog or

00:39

readme we also have a hosted instance if

00:41

you don't want to have to pull it down

00:43

maybe you're not a developer you just

00:44

want to get started using it cool we

00:46

have a hosted instance for you that is

00:48

linked to from this usage section so

00:53

this is what the attack navigator looks

00:54

like by default you also have a version

00:56

for mobile attack but this is

00:59

automatically displaying enterprise

01:00

attack which you'll recall is kind of

01:02

how the adversaries get in and what they

01:04

do after they've gotten in so you'll be

01:07

pretty familiar with this view right

01:08

it's the attack matrix across the top we

01:10

have these tactics the adversary's

01:12

technical goals and under each of those

01:14

tactics we have techniques right how

01:17

those adversaries achieve the goals in a

01:20

navigator we have this object called a

01:21

lair and right that's just a way that we

01:23

can capture different information about

01:25

these techniques so I'm gonna walk you

01:27

through these different buttons we have

01:29

across the top and then I'm gonna take

01:31

you into a use case for Navigator based

01:33

on threat intelligence so let's dive in

01:36

first control we see is locking multi

01:39

tactic technique selection what's a

01:41

multi tactic technique well you'll see

01:44

an attack some techniques like for

01:46

example access to a manipulation fall

01:48

under multiple tactics it's a multi

01:51

tactic technique and by default

01:54

navigator will select both of those

01:55

techniques across the tactics but you

01:58

might say well I only want to select one

02:00

of them cool navigator gives you that

02:02

option I just care about access token

02:04

manipulation under privileged escalation

02:06

or defense evasion easy enough then we

02:10

have the search menu for example if you

02:12

want to see all techniques that mention

02:14

registry you can do a quick search

02:16

those will pop up you can also do multi

02:21

select so this allows you to select

02:22

either groups or software which you'll

02:25

recall we have pages on our attack sites

02:27

where we go through open source

02:28

reporting and get examples of different

02:31

groups and software using attack

02:32

techniques really important to note that

02:34

this is not all-encompassing right we

02:37

can't possibly map everything these

02:39

groups have ever done we don't have that

02:40

visibility but we take a sampling based

02:43

on limited open source reporting that we

02:45

map and so in navigator you can select

02:48

different techniques that the groups or

02:50

the software pages we have an attack so

02:54

we can go ahead and select for example

02:55

copy kittens or deselect those next up

03:00

the deselect right I have technique

03:02

selected I want them to not be selected

03:04

anymore pretty self-explanatory

03:06

next up we have layer controls right

03:09

navigator thinks in layers of

03:11

information so good analysts always give

03:14

context about what they're doing so you

03:16

know maybe I add a name for this I'm

03:18

gonna call it apt 329 comparison and I'm

03:22

gonna give some awesome description

03:24

about what I'm doing so that other

03:26

analysts who look at this know what I

03:27

mean you can also download layers behind

03:31

the scenes here this is being built in

03:32

JSON so let's say you want to take your

03:35

layer here and export it to another

03:37

structured format or another tool great

03:39

you can download the layer as JSON you

03:41

can also export your layer to everyone's

03:45

favorite analysts tool excel get a lot

03:48

of requests for people who say hey I

03:49

love a matrix in excel this is an easy

03:51

way to do that we all have power points

03:54

we have to make presentations maybe one

03:56

image of the navigator to include in

03:59

your presentation you can also render

04:01

your layer to SVG an image type and then

04:04

you can include it in your presentation

04:05

to make yourself look really awesome we

04:09

can also filter right maybe we want to

04:11

only select Linux techniques or Mac

04:14

techniques this is also where if you

04:16

want to focus on pre attack techniques

04:18

you're called pre attack is left of

04:20

exploit what are the adversaries do

04:22

before they've gotten in you can select

04:24

prepare and then act is Enterprise

04:27

attack which is what we have up right

04:28

now

04:30

next up you can change how you sort the

04:32

techniques any of you want to

04:33

alphabetically or reverse alphabetically

04:36

or in terms of the score ascending or

04:40

descending totally up to you you can

04:42

toggle that there you can also set up

04:44

colors here now for example maybe I want

04:47

to change this tactic row background to

04:49

a different color because blue is my

04:51

favorite color you can do that there

04:53

will also dive into this in a little bit

04:56

and our threat Intel use case about how

04:58

we can make this gradient for different

05:00

scoring moving along we have this toggle

05:04

View mode you know by defaults you see

05:06

the full technique names full tactic

05:08

names but maybe I just want to see the

05:10

first letters of those or I just want to

05:12

see little rectangles but I want to

05:14

visualize something you know in a

05:15

simpler way so you can toggle that

05:17

they're going into the technique

05:19

controls we have maybe I want to disable

05:22

certain techniques you know I don't want

05:24

those to be in my view at the moment I

05:27

can go ahead and click toggle state and

05:29

little grayed out and it won't be part

05:31

of my view at that moment and then

05:34

there's a separate button for show and

05:35

hide disable maybe I don't want it to be

05:37

grade I just want it out of my view

05:39

click the show or hide disables and

05:41

it'll pop up or back depending on what

05:44

you need

05:45

next background color let's say access

05:49

took a manipulation you know our team

05:51

knows that this is a technique we have

05:52

no coverage on for defense evasion so we

05:56

can go ahead and make that red you can

05:58

also give it a score you know let's say

06:00

this is high-priority one we have no

06:03

coverage maybe we give it a score of

06:05

zero or one or two whatever you you've

06:08

decided for your team you can also put a

06:11

comment so you know maybe we want

06:13

everyone to know we need to focus on

06:16

this so you can add a comment and when

06:19

you do that navigator this yellow

06:21

underline is gonna pop up on your

06:22

technique so that's how you know there's

06:24

a comment in there and then last clear

06:26

annotations on your selected techniques

06:28

so okay access Tucker manipulation we

06:31

want to clear that one easy enough so

06:34

that's an overview of the Navigator

06:37

controls so now I want to dive into a

06:39

use case specifically for threat

06:41

intelligence

06:42

you know I think attack is a really

06:44

useful tool you can use to look at

06:46

adversary behaviors kind of look at what

06:48

groups and software are doing and then

06:50

prioritize based on that so I previously

06:53

written a blog post where I showed you

06:55

this kind of cool overlay and navigator

06:57

with different techniques different

06:59

colors and I wanted to dive into how I

07:01

actually created that so we're gonna go

07:03

ahead and create a new layer click on

07:06

this little plus sign create a new layer

07:08

and this layer I'm gonna select apt 3

07:11

techniques so I'm going to name it apt 3

07:14

maybe I would add a little more layer

07:15

information in here give some more

07:18

context on what I'm doing I'm gonna go

07:20

into the multi select menu and I'm gonna

07:22

scroll down to apt 3 and select again

07:26

remembering these are just the

07:27

techniques that the team has mapped

07:28

based solely on open source reporting

07:30

but it's things that we know apt 3 is

07:33

done in the past and I'm gonna go ahead

07:35

and give that a score so I'm gonna say

07:37

for each of these apt 3 techniques give

07:39

that a score of 1 great now I'm going to

07:43

create another new layer and I'm gonna

07:46

name this apt 29 I'm gonna repeat the

07:49

same process going through selecting a

07:52

bt 29 techniques and then this time I'm

07:55

gonna give these a score of 2 easy

07:58

enough ok so now I have two separate

08:01

layers with techniques for a PD 3 and a

08:03

PD 29 so next I'm going to magically

08:07

combine them with the create layer from

08:09

other layers option which is one of the

08:11

options when you create this little new

08:14

tab thick here so create layer from

08:16

other layers when I click on that these

08:19

yellow rectangles are gonna pop up it's

08:21

gonna tell me what navigator is

08:23

identifying each of these layers as what

08:25

letter so a B and C so in this case I

08:29

want to compare B and C so in that score

08:31

expression I'm gonna type B plus C I

08:34

want to bring in the information from

08:36

those two layers lots of different

08:39

options you can input here you can check

08:41

out the help menu for more on that help

08:43

menus up here in the upper right and

08:45

once I've entered my logic I'm gonna

08:48

just click create so now to help me keep

08:51

track of what I'm doing I'm going to

08:54

name this write like a good analyst

08:56

backing what I'm doing and I'm not

08:57

making typos apt 3 + apt 29 and right

09:03

now you're kind of like wait these are

09:04

all read this is not helpful well if you

09:06

scroll over what you'll see is the

09:08

scores are actually different right

09:09

you'll remember we assigned one for apt

09:11

3 2 for apt 29 and then adding together

09:15

3 is going to be the score for

09:17

techniques that both groups have used so

09:20

what we can do is we can go to this

09:22

color setup menu and say okay for my

09:25

scoring my low value is going to be 1

09:27

that's apt 3 my high value is gonna be 3

09:32

for both groups and then my middle value

09:35

obviously would be 2 because that's half

09:37

way between 1 and 3 last time I checked

09:39

so let's go ahead and select colors for

09:41

these in this case let's choose the

09:43

default yellow for apt 3 you can also

09:46

specify hex if you have a specific

09:48

yellow that your hardest set on let's

09:51

choose blue for apt 29 and then yellow

09:55

plus blue equals green cool so let's

09:58

make green both of those groups so if I

10:01

click off of that I can see my apt 3

10:04

techniques in yellow my 8 p229

10:06

techniques in blue and then the

10:08

techniques that both groups have used

10:10

based on assent reporting we've mapped

10:12

is 3 and those show up in green this is

10:15

a quick way and I'd encourage you to add

10:17

in you know what you know about

10:18

different groups different software or

10:20

what they're doing it's a quick way that

10:21

you can compare what different groups

10:24

are doing and try to prioritize so if

10:26

these the two threat groups I care about

10:28

I would say these scores of 3 which are

10:31

the techniques both have used in green

10:32

that's a great place to start you know

10:35

pass these to your defenders say hey

10:36

guys these the two groups we care about

10:38

here are the techniques they're doing if

10:40

your defenders have done something like

10:42

doing a map of overall attack coverage

10:45

you could add that in here too with that

10:47

same kind of logic you know let's say

10:49

for example accessibility features is a

10:51

technique both of these groups have used

10:53

and if you didn't overlay with your

10:55

environments of you know what attack

10:58

techniques you can detect your defenders

11:00

tell you we can't detect accessibility

11:02

features at all that could be a great

11:04

place to start right the threat cares

11:06

about they've done this technique and we

11:08

don't have visibility

11:09

so using the tach navigator you can kind

11:12

of visualize different things whether

11:14

it's group or software behavior or

11:16

whether it's coverage of your

11:17

environment the whole idea is it's a

11:19

simple tool to help you visualize and

11:21

use a tack so we hope that was helpful

11:25

as a starting use case for navigator we

11:28

hope to bring you more of these videos

11:29

in the future so let us know was this

11:31

helpful

11:32

was it not and as always please reach

11:34

out with any questions or feedback you

11:35

have thanks all