I’ve been a huge fan of MITREs ATT&CK framework ever since its release. It has been of enormous value to the whole InfoSec community and it will hopefully continue to remain so for a long long time.
We’re on the verge of one of the biggest overhauls since its release, the introduction of sub-techniques, or when you read this they might be out already. I personally believe this is a great step forward. This introduction will cause everyone to do a big overhaul of their detection tagging and improvement of their ruleset.
On the positive side it will also bring a lot more clarity and granularity and it will bring more insight to a lot of people of possible attack techniques they weren’t aware of before.
As some of you know I’m quite a visual person and one of my projects is a Splunk application for ThreatHunting which is heavily ATT&CK focussed.
I’ve been building some new dashboard visualisations like the screenshot below. Soon I realised there was a lack of a proper color scheme that would assist in quickly understanding impact and importance. One way of doing this is would be by tactic.
After trying out several colour schemes I ended up with a rainbow scheme like below. Introducing, the rainbow of Tactics ;)
Most people will not know the ATT&CK matrix by heart, and this will certainly be the case in the near future with the introduction of the sub-techniques. Having a color tag will help them attribute it to a tactic and thereby providing some additional context.
By adding a color to the tagged events most graphs will become more readable and at the same time show a bit more priority in the investigation of events.
In the timeline below color tagging has been applied. By doing this it immediately adds an additional layer of information and will help focus investigations.
What you can quickly spot here is that attacks are not sequential, nor is there a normal flow from left to right across the matrix. Anyone who ever worked with the Lockheed Martin Cyber Kill Chain knows this as well. However it is interesting to track these patterns in order to be able to defend better and partially be able to predict these patterns.
Apart from dashboards, this concept can also be applied to reports, mindmaps, detection content, graphs and so on.
An overview of all colours used can be found below:
Initial Access: #d8031a
Privilege Escalation: #ff8041
Defense Evasion: #ffaf00
Lateral Movement: #01c26d
Command and Control: #075190