Three ways to use the ATT&CK Navigator for threat-informed decision making — Part 1

Lennart Erikson
5 min read · Jul 14, 2023

Most people interested in Information Security have likely heard of the MITRE ATT&CK framework. It’s a great resource to identify threat actors and their tactics, techniques and procedures (TTP). It’s also a great resource to learn about specific data sources, mitigations and software related to these threat actors. However, in my experience, it remains challenging to derive strategic decisions and priorities for a given situation or company from this wealth of information.

This is where I would like to introduce the ATT&CK Navigator. You can use the ATT&CK Navigator in many different ways, but in this series of articles I want to show you how to use it in three different ways for threat-informed decision making. The goal of these approaches is to help you, your company or your clients in answering questions like “Which TTP should I cover (first)?”, “What TTP can I already detect with the data sources I’m using?” and finally “How does my cloud-native security stack perform against the threat actors my company is facing?”. So let’s get started:

Using layers for different groups of threat actors to identify the coverage goal

The goal of this approach is to help you answer the question “Which TTP should I cover (first)?” — as most budgets are limited, you will want to know which TTPs to prioritize. Therefore, we will create a heatmap of the TTP used by the threat actors your organization faces. This heatmap will help you make threat-informed decisions as to where to spend your budget (first).

Start by creating a new layer in the ATT&CK Navigator and choose a matrix of your liking to get started:

Creating a new layer based on the Enterprise matrix

Depending on your settings you should see something like this:

A blank layer based on the Enterprise matrix

Now click the lens icon in the “selection tools” section of the navigation bar; it will open a sidebar:

The “lens” icon is the second one from the left in the “selection tools” section

Go ahead and search for any threat actor you like; I chose “APT29”:

The search tool can be used to search a wide variety of categories

Select the TTP used by APT29 and color them (just for fun):

You can choose any color you want ;-)

In theory, we could repeat this step for every threat actor we are interested in and choose a different color for each group. In most cases we will sooner or later face a situation in which some of the TTP are used by more than one but not all of the threat actors we’re interested in. In that case we are not able to derive a “clean” ranking or prioritization.

For this very reason we assign a numeric value as a “score” to the selected TTP:

The particular value is not relevant, but consider one specific order of magnitude for all scores

Let’s repeat the overall process for another threat actor. For the sake of brevity of this article, I will not post screenshots for the steps above but give you a list of steps to complete:

  1. Create a new layer based on the same matrix (in my case “Enterprise”)
  2. Search for a different threat actor and select the TTP (I chose “Fox Kitten”)
  3. Assign a different score (I assigned a score of “2”)

Finally, we get to do the merging of the two layers (in fact, you can merge many more layers):

Create a new layer from other layers

Create a new layer and select the “Create Layer from other layers” option. Make sure to select the same domain you used previously. The important option in this menu is the “score expression”, which is also explained on the right.

Let’s enter “a+b” as the expression to tell the ATT&CK Navigator to calculate the sum of all scores assigned to the TTPs in our layers “a” and “b” — have a look at how it automatically assigned these variables to the layers on the top left of the screenshot. You can keep all other options as they are and click “create”.

The resulting “layer by operation” can be used as a heatmap

You will now get your heatmap 😊
In case the colors don’t fit your use case, you can change the gradient by clicking on the “color palette” icon in the “layer controls” section of the navigation bar and selecting a preset of your liking or creating a new color gradient.

You can now use this heatmap to make a threat-informed decision as to which TTP to prioritize and thus where to invest your budget (first).

This is because:

  1. A higher score on a TTP indicates that it is used by more than one of the selected threat actors
  2. A lower score on a TTP indicates that it is used by fewer of them
  3. TTP without a score are likely not used by the threat actors you selected
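An offline equivalent of the steps above, added here as an example (not code from the original article or from the Navigator project): it builds minimal Navigator layer files and applies the score expression a+b outside the GUI, so the heatmap and the resulting priority order can be reproduced from a script. The layer format version string is an assumption, and the group-to-technique lists are constructed sample data, not the real ATT&CK group mappings.

```python
import json
from collections import defaultdict

# Constructed sample mapping, NOT the real ATT&CK group-to-technique data:
# technique IDs that two hypothetical threat-actor layers would select.
GROUP_TTPS = {
    "Group A (constructed)": ["T1566", "T1059", "T1078", "T1021"],
    "Group B (constructed)": ["T1566", "T1059", "T1105", "T1486"],
}

def make_layer(name, technique_ids, score, domain="enterprise-attack"):
    """One Navigator layer with the same numeric score on every selected TTP."""
    return {
        "name": name,
        "versions": {"layer": "4.4"},  # layer file format version (assumed)
        "domain": domain,
        "techniques": [{"techniqueID": tid, "score": score, "enabled": True}
                       for tid in technique_ids],
    }

def merge_layers(layers, name="Heatmap", domain="enterprise-attack"):
    """Offline equivalent of 'Create Layer from other layers' with the score
    expression a+b(+c...): sum the per-technique scores across all layers."""
    totals = defaultdict(int)
    for layer in layers:
        for t in layer["techniques"]:
            totals[t["techniqueID"]] += t.get("score", 0)
    max_score = max(totals.values(), default=0)
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": domain,
        "techniques": [{"techniqueID": tid, "score": s, "enabled": True}
                       for tid, s in sorted(totals.items())],
        # gradient so the GUI shades higher sums darker (white -> red)
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": max_score},
    }

def rank_ttps(layer):
    """(techniqueID, score) pairs, highest score first: the coverage order."""
    techs = ((t["techniqueID"], t["score"]) for t in layer["techniques"])
    return sorted(techs, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    layers = [make_layer(group, ttps, score)       # scores 1, 2, ...
              for score, (group, ttps) in enumerate(GROUP_TTPS.items(), 1)]
    heatmap = merge_layers(layers)
    print(json.dumps(heatmap, indent=2))  # save and upload in the Navigator
```

Techniques shared by both groups end up with the sum 3, those selected by only one group keep 1 or 2, and anything absent from every layer has no score at all, which is exactly the ranking the three points above describe.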

Please keep the following limitations of any MITRE ATT&CK-based approach in mind:

  • The framework is a great resource, but it can only map what has been observed or caught
  • You will have to think about all potential threat actors faced by your organization before having a complete picture
  • This is not a one-time exercise or a silver bullet; you will have to repeat it in iterations and periodically

I hope this first article helped you in prioritizing the TTP to cover first. If you have any questions or feedback let me know, I’m always eager to improve and learn more.
