Working with MITRE ATT&CK’s Navigator 101: Identifying threat areas by creating heatmaps

Jennifer Wennekers
6 min read · Sep 26, 2022


The MITRE ATT&CK Navigator

Say you’ve been busy trying to understand which tactics and techniques are a potential risk to your organisation (whether you work internally or on a project basis for clients). You may have performed threat modelling exercises, and/or identified relevant threat groups based on your industry, geographical location or the crown jewels your company depends on. You may have created a nice shortlist, but have difficulty getting that simple, clear-cut overview that shows which tactics and techniques are used most, and thus where you need to focus your defences. This, my friends, is where the MITRE ATT&CK Navigator comes into play.

MITRE ATT&CK Navigator

MITRE describes the ATT&CK Navigator as a simple tool that everyone can use to visualise:

  • MITRE ATT&CK Matrices;
  • Defensive coverage;
  • The frequency of detected techniques;
  • Your SOC assessment(s);
  • Red and blue team planning; or
  • Anything else you wish to visualise.

The main distinctive aspect of the tool is the ability to work in layers, each of which is a view of the tactics and techniques matrix for a specific technology domain (i.e. Enterprise, Mobile or ICS). By working with different layers, you can, for example, create a mapping that highlights the tactics and techniques most commonly used by threat groups that may be relevant to your organisation.

Layers can be saved as a configuration file to your local computer by:

  • Downloading a .json file,
  • Exporting the layer to an Excel file, or
  • Rendering the layer to an .SVG file

Saved layer configuration files can, later on, be opened again in the ATT&CK Navigator.

Using the Navigator

Sounds good so far, right? But how do we actually use it?

Say you have an organisation that is active in the Critical Infrastructure industry, and you’ve identified the following threat groups which potentially could target your organisation:

Please be aware that while these four groups may be identified as relevant threat adversaries for a specific industry at the time of writing, this overview may not be complete or could be outdated relatively quickly. Threat adversaries are ever-evolving, and regularly change their approach and/or the technologies they use. Please do your own research, and make sure to regularly update it.

Downloading Threat Group ATT&CK Navigator Layers

As we want to map the tactics and techniques used by the threat groups we’re interested in, we need to create a heatmap (a representation of data in the form of a map or diagram in which data values are represented as colours). To do so, we first need to check whether ATT&CK Navigator Layers are available on https://attack.mitre.org/ . Navigate to the above link, select “Groups” in the menu (1), look for the name of the group you’re searching for (e.g. “Bronze Butler”, 2), and check on the threat group’s page whether ATT&CK Navigator Layers are available. If yes, select “download” (3). A .json file will then be downloaded for that particular group.

1. MITRE ATT&CK Threat Group Page | Bronze Butler

Repeat the process for all threat groups you wish to be included in the Navigator heatmap.

Some groups might have multiple names under which they’re known on the internet. If you can’t find information under one name, make sure to also search for information with the other names.

Some groups might not yet have a dedicated ATT&CK Navigator Layer available. It is up to you to choose not to include the group in your heatmap, or to create a layer yourself based on tactics and techniques that you may have found for this specific group in other resources. If you decide to create your own layer, consider sharing it back to the community!

Importing Threat Group ATT&CK Navigator Layers

Of the four groups we are using during this exercise, three had ATT&CK Navigator Layers available (Bronze Butler (G0060-enterprise-layer.json), TEMP.Veles (G0088-enterprise-layer.json), and Whitefly (G0107-enterprise-layer.json)), which we can import into the Navigator.

2. Downloaded .json files for the relevant threat groups

To do so, open a new browser tab, and go to https://mitre-attack.github.io/attack-navigator/ . You’ll be met with a few prompts:

  • Create a new layer: Create a new empty layer
  • Open existing layer: Load a layer from your computer or a URL
  • Create layer from other layers: Choose layers to inherit properties from
  • Create customised navigator: Create a hyperlink to a customised ATT&CK Navigator

3. Start screen ATT&CK Navigator

Select “Open existing layer”, then “Upload from local”, and select the first of the three files we will open in the Navigator (e.g. G0060-enterprise-layer.json for Bronze Butler).

4. Bronze Butler tactics & techniques in the ATT&CK Navigator

To open the second layer file, select the “+” symbol next to the name of the current layer (here: BRONZE BUTLER (G0060)). The same screen with layer creation options will appear; repeat the steps performed above for both remaining groups (TEMP.Veles (G0088), and Whitefly (G0107)).

After importing all three groups, your screen should look as follows:

5. Bronze Butler, TEMP.Veles & Whitefly layers in the ATT&CK Navigator

Assigning a score to technique controls

Before we’re able to create a heatmap, we need to ensure that the techniques used by the different threat groups have a score assigned. To do so, go to “technique controls” in the layer menu, and select “scoring”. Assign a numerical value (e.g. “1”). Verify in the other layers that this score has also been applied. If not, do so.

6. Assigning a score to technique controls

Creating a heatmap in the MITRE ATT&CK Navigator

Now that you’ve imported all three threat group layers into the ATT&CK Navigator and assigned a score to the techniques, it is time to create a heatmap. For this, you once again click the “+” symbol next to the currently active layers. In the newly opened tab, select “Create layer from other layers”. While most options can remain blank for now (but feel free to experiment once you’re a bit more familiar with the Navigator), ensure that you set the following configuration:

  • Domain: Enterprise ATT&CK V11
  • Score expression: a+b+c

Scroll a little down on the page, and click “Create”.
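The scoring step (a score of 1 per technique in each group layer) and the “Create layer from other layers” step with score expression a+b+c can also be done outside the browser. The following Python script is an added example, not code from this post or from MITRE; the sample layers, group names and technique sets are constructed for illustration, and the version values in the output are assumptions to adjust to your own Navigator.

```python
"""Merge ATT&CK Navigator layers into one heatmap layer (score expression a+b+c).

Each technique scores 1 per layer that uses it; the sum is its heatmap score.
"""
import json
from collections import defaultdict

# Constructed sample layers in the Navigator layer JSON shape (minimal fields).
# The technique sets are illustrative, not the real mappings of any group.
SAMPLE_LAYERS = [
    {"name": "Group A (constructed)", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1059"}, {"techniqueID": "T1566"}]},
    {"name": "Group B (constructed)", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1059"}, {"techniqueID": "T1003"}]},
    {"name": "Group C (constructed)", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1059"}, {"techniqueID": "T1566"},
                    {"techniqueID": "T1021.001", "enabled": False}]},
]

def merge_layers(layers, name="Threat group heatmap"):
    """Return a layer whose per-technique score is the count of source layers using it."""
    domains = {layer["domain"] for layer in layers}
    if len(domains) != 1:  # mixing Enterprise, Mobile and ICS layers is an error
        raise ValueError(f"all layers must share one domain, got {sorted(domains)}")
    scores = defaultdict(int)  # keyed on (techniqueID, tactic): one entry per tactic
    for layer in layers:
        seen = set()
        for tech in layer["techniques"]:
            key = (tech["techniqueID"], tech.get("tactic", ""))
            if tech.get("enabled", True) and key not in seen:  # disabled entries score 0
                seen.add(key)
                scores[key] += 1  # the "Scoring: 1" step, summed as a+b+c
    techniques = [{"techniqueID": tid, "score": score, "enabled": True,
                   "comment": f"used by {score} of {len(layers)} groups",
                   **({"tactic": tac} if tac else {})}  # omit tactic when the source had none
                  for (tid, tac), score in sorted(scores.items())]
    return {"name": name, "domain": domains.pop(),
            "versions": {"attack": "11", "layer": "4.4"},  # assumed; match your Navigator
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#ff6666", "#b30000"],  # white to dark red
                         "minValue": 0, "maxValue": len(layers)}}

def hottest(merged, top_n=3):
    """Techniques with the highest scores, i.e. where to focus defences first."""
    ranked = sorted(merged["techniques"], key=lambda t: (-t["score"], t["techniqueID"]))
    return [(t["techniqueID"], t["score"]) for t in ranked[:top_n]]

if __name__ == "__main__":  # for real data: json.load() each downloaded layer file
    heatmap = merge_layers(SAMPLE_LAYERS)
    print(json.dumps(heatmap, indent=2), hottest(heatmap))  # save the JSON, open in Navigator
```

The printed JSON can be saved to a file and loaded via “Open existing layer”; the gradient’s maxValue equals the number of merged groups, so a technique shared by all of them renders darkest.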

7. Creating the MITRE ATT&CK heatmap

The heatmap of the three threat groups identified as relevant to critical infrastructure organisations will be created, and appear with the standard colour setup and scoring gradient, both for techniques and sub-techniques.

8. Created heatmap

9. Zoom-in on heatmap techniques & sub-techniques

Play around with the visualisation options, filters, and scoring, and see what works best for you, your team and your organisation!

If you enjoyed this 101 blog on the MITRE ATT&CK Navigator, let me know!

* Opinions expressed are solely my own and do not express the views or opinions of my employer or clients *

Written by Jennifer Wennekers

Woman (she/her/hers) in CyberSecurity that believes she contributes with her actions in the cyber security world to the greater good.
