MITRE ATT&CK Mapping and Visualization

The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It documents common tactics, techniques, and procedures that can be used in advanced persistent threats against enterprise networks.

The following phases of an attack are represented in the MITRE ATT&CK framework:

MITRE ATT&CK Tactic	Description
Reconnaissance	Gather information to use in future malicious operations. This tactic displays in the MITRE reports only when the PRE platform is selected in your user preferences.
Resource Development	Establish resources to support malicious operations. This tactic displays in the MITRE reports only when the PRE platform is selected in your user preferences.
Impact	Tries to manipulate, interrupt, or destroy systems and data.
Initial Access	Gain entry to your environment.
Execution	Run malicious code.
Persistence	Maintain foothold.
Privilege Escalation	Gain higher-level permissions.
Defense Evasion	Avoid detection.
Credential Access	Steal login and password information.
Discovery	Figure out your environment.
Lateral Movement	Move through your environment.
Collection	Gather data.
Exfiltration	Steal data.
Command and Control	Contact controlled systems.

Tactics, techniques, and sub-techniques

Tactics represent the goal of an ATT&CK technique or sub-technique. For example, an adversary might want to get credential access to your network.

Techniques represent how an adversary achieves their goal. For example, an adversary might dump credentials to get credential access to your network.

Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.

Workflow for MITRE ATT&CK mapping and visualization

Create your own rule and building block mappings in QRadar Use Case Manager, or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.

Save time and effort by editing multiple rules or building blocks at the same time, and by sharing rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.

After you finish mapping your rules and building blocks, organize the rule report and then visualize the data through diagrams and heat maps. Current and potential MITRE coverage data is available in the following reports: Detected in timeframe report, Coverage map and report, and Coverage summary and trend.

• Editing MITRE Mappings in a Rule or Building Block

  Create your own rule and building block mappings or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.

• Editing MITRE Mappings in Multiple Rules or Building Blocks

  Save time and effort by editing multiple rules or building blocks at the same time.

• Sharing MITRE-mapping Files

  Save time and effort when mapping rules and building blocks to tactics and techniques by sharing rule-mapping files between QRadar instances.

• Visualizing MITRE Tactic and Technique Coverage in Your Environment

  Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in QRadar. After you organize the rule report, you can visualize the data through diagrams and heat maps and export the data to share with others.

• Visualizing MITRE Coverage Summary and Trends

  The MITRE summary and trend reports provide an overview of the different tactics that are covered by QRadar Use Case Manager. You can analyze the summary data in table, bar, and radar charts. Only the number of enabled mappings to enabled rules are counted in the charts because disabled mappings don't contribute to your security posture.

• Visualizing MITRE Tactics and Techniques that are Detected in a Specific Timeframe

  Tune your rules by the MITRE ATT&CK tactics and techniques that are detected in your environment within a specific timeframe. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe.

• MITRE Heat Map Calculations

  The colors in the MITRE heat maps are calculated based on the number of rule mappings to a tactic or technique plus the level of mapping confidence (low, medium, or high).