The ATT&CK Rainbow of Tactics

Olaf Hartong
Mar 31 · 3 min read

I’ve been a huge fan of MITRE’s ATT&CK framework ever since its release. It has been of enormous value to the whole InfoSec community and will hopefully remain so for a long time.

We’re on the verge of one of the biggest overhauls since its release: the introduction of sub-techniques, which may already be out by the time you read this. I personally believe this is a great step forward. It will also force everyone to do a big overhaul of their detection tagging and, in the process, improve their rulesets.

On the positive side it will bring a lot more clarity and granularity, and it will give many people insight into attack techniques they weren’t aware of before.

As some of you know I’m quite a visual person, and one of my projects is a Splunk application for threat hunting which is heavily ATT&CK focused.

I’ve been building some new dashboard visualisations like the screenshot below. I soon realised there was no proper colour scheme that would help in quickly understanding impact and importance. One way of doing this would be by tactic.

Example dashboard panel of an attack timeline

After trying out several colour schemes I ended up with the rainbow scheme below. Introducing the Rainbow of Tactics ;)

ATT&CK rainbow of Tactics

Most people don’t know the ATT&CK matrix by heart, and that will certainly be the case in the near future with the introduction of sub-techniques. A colour tag helps them attribute a technique to its tactic and thereby provides some additional context.

Adding a colour to the tagged events makes most graphs more readable and at the same time conveys some priority for the investigation of events.

In the timeline below colour tagging has been applied. It immediately adds an additional layer of information and helps focus investigations.

Example dashboard panel of an attack timeline, with tactic color attribution

What you can quickly spot here is that attacks are not sequential, nor is there a normal flow from left to right across the matrix. Anyone who has ever worked with the Lockheed Martin Cyber Kill Chain knows this as well. It is nevertheless interesting to track these patterns, both to defend better and to be able to partially predict them.
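As an added example (not the post’s code, and not part of the ThreatHunting app), the Python below applies the tactic colour tagging described above to a handful of constructed detection events and then counts how often the tactic column moves right-to-left, which is the non-sequential behaviour the timeline shows. The palette hex values are placeholders rather than the post’s own colours, and TECHNIQUE_TACTICS is a hand-picked subset of the ATT&CK Enterprise technique-to-tactic mapping; a real deployment would generate it from the ATT&CK STIX data. Sub-technique IDs (T1059.001) are reduced to their parent for the lookup, and a technique that sits in several tactic columns (T1053, Scheduled Task/Job) is resolved from the detection rule’s own tactic tag when present and otherwise flagged as a guess.

```python
"""Tag detection events with their ATT&CK tactic and a per-tactic colour.

Added example, not the post's code. Assumptions:
- TACTIC_COLOUR holds placeholder hex values, not the post's palette.
- TECHNIQUE_TACTICS is a constructed subset of the ATT&CK Enterprise
  mapping; generate it from the ATT&CK STIX/JSON data in practice.
"""

# Enterprise tactics in matrix (left-to-right) order, as listed in the post.
TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
MATRIX_INDEX = {t: i for i, t in enumerate(TACTICS)}

# Placeholder palette (assumption): one distinct colour per tactic, in matrix order.
TACTIC_COLOUR = dict(zip(TACTICS, [
    "#ff0000", "#ff7f00", "#ffd700", "#9acd32", "#008000", "#20b2aa",
    "#00bfff", "#0000ff", "#4b0082", "#8a2be2", "#c71585", "#000000",
]))

# Constructed subset of technique -> tactics. Several techniques live in more
# than one tactic column, so a plain technique -> single tactic dict would be wrong.
TECHNIQUE_TACTICS = {
    "T1566": ("initial-access",),
    "T1059": ("execution",),
    "T1053": ("execution", "persistence", "privilege-escalation"),
    "T1027": ("defense-evasion",),
    "T1003": ("credential-access",),
    "T1087": ("discovery",),
    "T1021": ("lateral-movement",),
    "T1071": ("command-and-control",),
    "T1048": ("exfiltration",),
    "T1486": ("impact",),
}


def parent_technique(technique_id):
    """'T1059.001' -> 'T1059'; sub-techniques inherit their parent's tactics."""
    return technique_id.split(".", 1)[0].upper()


def resolve_tactic(technique_id, tactic_hint=None):
    """Return (tactic, ambiguous).

    A tactic tag from the detection rule wins when it is one of the technique's
    tactics; otherwise the leftmost matrix column is used and the result is
    flagged ambiguous so the analyst can see it was a guess."""
    tactics = TECHNIQUE_TACTICS.get(parent_technique(technique_id))
    if not tactics:
        raise KeyError(f"unknown technique {technique_id}")
    if tactic_hint in tactics:
        return tactic_hint, False
    return tactics[0], len(tactics) > 1


def colour_timeline(events):
    """Sort events by time and attach tactic, colour and matrix column."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        tactic, ambiguous = resolve_tactic(ev["technique"], ev.get("tactic"))
        out.append({
            **ev, "tactic": tactic, "ambiguous": ambiguous,
            "colour": TACTIC_COLOUR[tactic], "column": MATRIX_INDEX[tactic],
        })
    return out


def backward_steps(timeline):
    """Count consecutive events whose tactic column moves right-to-left.
    A non-zero count shows the attack did not follow the matrix order."""
    cols = [e["column"] for e in timeline]
    return sum(1 for a, b in zip(cols, cols[1:]) if b < a)


# Constructed sample events (not real telemetry), deliberately out of matrix order.
SAMPLE_EVENTS = [
    {"ts": "2020-03-30T09:02:00", "host": "ws01", "technique": "T1566.001"},
    {"ts": "2020-03-30T09:03:10", "host": "ws01", "technique": "T1059.001"},
    {"ts": "2020-03-30T09:03:40", "host": "ws01", "technique": "T1087.002"},
    {"ts": "2020-03-30T09:05:05", "host": "ws01", "technique": "T1003.001"},
    {"ts": "2020-03-30T09:06:30", "host": "ws01", "technique": "T1053.005",
     "tactic": "persistence"},
    {"ts": "2020-03-30T09:08:00", "host": "srv02", "technique": "T1021.002"},
    {"ts": "2020-03-30T09:08:20", "host": "srv02", "technique": "T1059.003"},
    {"ts": "2020-03-30T09:09:00", "host": "srv02", "technique": "T1027"},
    {"ts": "2020-03-30T09:15:00", "host": "srv02", "technique": "T1048.003"},
]

if __name__ == "__main__":
    timeline = colour_timeline(SAMPLE_EVENTS)
    for e in timeline:
        flag = " (tactic guessed)" if e["ambiguous"] else ""
        print(f'{e["ts"]} {e["host"]:5} {e["technique"]:9} {e["colour"]} {e["tactic"]}{flag}')
    print("backward steps across the matrix:", backward_steps(timeline))
```

Feeding the same lookup into a Splunk lookup table gives the dashboard its colour per event; the ambiguous flag is worth surfacing there too, since a guessed tactic column otherwise looks just as confident as a tagged one.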

Apart from dashboards, this concept can also be applied to reports, mind maps, detection content, graphs and so on.

An overview of all colours used can be found below:


Initial Access:

Execution:

Persistence:

Privilege Escalation:

Defense Evasion:

Credential Access:

Discovery:

Lateral Movement:

Collection:

Command and Control:

Exfiltration:

Impact:

FalconForce

A team of highly specialized security professionals
